Stablecoins Outpace Bitcoin in Illicit Crypto Activities

Introduction: The Transformation of Illicit Cryptocurrency Utilization

The archetype of the clandestine hacker, ensconced in the shadows and accumulating Bitcoin within the confines of a dark web wallet, has become an anachronism. As of 2025, there has been a decisive pivot in the locus of the illicit cryptocurrency economy, transitioning from the inherent volatility associated with Bitcoin to a more stable, dollar-pegged shadow financial system.

Recent data from Chainalysis, disseminated via CryptoSlate, elucidates that stablecoins constituted an overwhelming 84% of the $154 billion in illicit transaction volume recorded last year. This statistic underscores a paradigm shift in risk assessment towards programmable currencies, which have increasingly become the medium of choice for illicit enterprises.

This structural evolution has facilitated the scaling of “laundering-as-a-service” operations by sophisticated Chinese money laundering networks while enabling nation-states such as North Korea, Russia, and Iran to circumvent Western sanctions through these newly established financial conduits.

The Decline of Bitcoin’s Primacy in Illicit Transactions

A salient observation from the 2025 data is the pronounced decline of Bitcoin as the preeminent currency utilized in criminal activities. Historically, Bitcoin has been synonymous with illicit online transactions; however, its supremacy has waned progressively since 2020.

As evidenced by the accompanying chart delineating illicit activity from 2020 to 2025, Bitcoin’s share of nefarious flows has diminished year on year, whereas stablecoins have ascended to dominate this sector:

This trend is not merely coincidental; it reflects broader movements within the legitimate cryptocurrency ecosystem where stablecoins are becoming increasingly prevalent due to their operational advantages—namely, enhanced cross-border transferability, reduced volatility relative to assets such as Bitcoin or Ethereum, and greater utility within decentralized finance (DeFi) applications. These attributes have rendered stablecoins an attractive vehicle for sophisticated criminal organizations.

The transition away from Bitcoin signifies a modernization of financial crime methodologies. By utilizing assets tethered to the US dollar, criminal entities are effectively engaging with a shadow iteration of conventional banking systems. This system operates with the velocity afforded by digital technology while remaining largely insulated from direct regulatory oversight by US authorities. The “dollarization” of criminal finance allows cartels and state actors to conduct transactions using a stable unit of account devoid of exposure to the erratic price fluctuations characteristic of other cryptocurrencies.

The Geopolitical Implications of Cryptocurrency Utilization

If one were to delineate the timeline into distinct phases, it becomes apparent that the period spanning from 2009 to 2019 can be characterized as the “Early Days” of fringe cybercriminal activity. The subsequent years from 2020 to 2024 witnessed a phase of “Professionalization,” culminating in 2025’s emergence of what may be termed “Wave 3”: Large-scale state-sponsored activity. This transitional phase indicates that geopolitics has now migrated onto blockchain platforms.

Governments are increasingly leveraging professional services originally tailored for cybercriminals, while simultaneously erecting bespoke infrastructures aimed at evading sanctions on an expansive scale. Notably, Russia has exemplified this trend through its utilization of state-backed digital assets for sanctions evasion. Following legislative measures introduced in 2024 to facilitate such activities, Russia launched its ruble-backed A7A5 token in February 2025. Within a mere year, this token facilitated transactions exceeding $93.3 billion, affording Russian entities the means to circumvent global banking frameworks and transfer value across borders independent from SWIFT or Western correspondent banks.

In parallel, Iranian proxy networks have consistently exploited blockchain technology for illicit financial maneuvers. Confirmed wallets identified in sanctions designations indicate that Iranian-aligned entities have engaged in money laundering activities and illicit oil sales amounting to over $2 billion.

Related Reading

US Sanctions Indicate Iran’s Oil-for-Crypto Operations Have Transacted Over $100 Million Between 2023 and 2025

The U.S. Treasury Department reports that two individuals orchestrated funds routing through layered fronts, exposing any U.S.-connected counterparties to severe penalties.

Sep 17, 2025·Oluwapelumi Adejumo

Despite various military setbacks, Iranian-aligned terrorist organizations—including Hezbollah and Hamas—have increasingly turned to cryptocurrency at unprecedented scales. Furthermore, North Korea reported its most devastating year thus far in terms of cybercrime; DPRK-affiliated hackers successfully siphoned approximately $2 billion during 2025. The most notable incident contributing to this figure was the February exploitation of Bybit, resulting in losses nearing $1.5 billion—a record-setting event within cryptocurrency history.

The Industrialization of Money Laundering Practices

The upsurge in illicit transaction volumes is significantly bolstered by the emergence of Chinese Money Laundering Networks (CMLNs), which have become formidable players within the illicit on-chain ecosystem. These networks have substantially diversified and professionalized criminal operations associated with cryptocurrencies.

Building upon frameworks established by previous operations such as Huione Guarantee, CMLNs have constructed comprehensive criminal enterprises capable of providing specialized “laundering-as-a-service” offerings. Their clientele spans a wide spectrum—from individual fraudsters and scam operators to state-backed hackers from North Korea and financiers of terrorism.

Related Reading

North Korean IT Personnel Reportedly Secured $17 Million This Year with Transactions Linked to Circle Accounts

North Korean IT operatives breached cryptocurrency security measures, highlighting vulnerabilities within U.S.-based exchanges and stablecoin applications.

Jul 2, 2025·Oluwapelumi Adejumo

A pivotal trend observed in 2025 is the heightened dependency among both illicit actors and nation-states on infrastructure providers delivering comprehensive “full-stack” services. These entities have evolved from niche hosting resellers into integrated platforms capable of offering domain registration services alongside bulletproof hosting specifically tailored to endure law enforcement interventions and sanction enforcement actions. Through provision of resilient technical infrastructures, these entities augment the operational reach of malicious cyber activities by allowing financially motivated criminals and state-aligned actors to sustain their operations amidst ongoing attempts at network dismantlement by law enforcement agencies.

The Convergence of Digital and Physical Threats

While discussions surrounding cryptocurrency crime predominantly emphasize digital theft and laundering operations, developments throughout 2025 have starkly illustrated that on-chain activities are increasingly converging with violent criminal acts occurring within physical realms. Specifically, human trafficking syndicates have begun utilizing cryptocurrency for financial logistics purposes—effectively facilitating anonymous cross-border movement of proceeds derived from their nefarious activities.

An even more disconcerting trend is the reported escalation in physical coercion attacks; perpetrators are employing violence as a means to compel victims into transferring assets. Notably, these assaults are frequently timed strategically with peaks in cryptocurrency valuations to maximize potential gains from thefts.