Criminal use of crypto spikes after years of steady decline, TRM report says

coindesk


What to know: A new TRM Labs report says illicit activity is back up after years of falling numbers, though the share of overall digital assets volume it represents is still on the decrease. The bad actors are much more sophisticated — from state-backed sanctions-evasion infrastructure, to global networks that launder the proceeds of crypto heists.

Criminal actors pulled in $158 billion in digital assets last year, which marked a sudden increase in the value of illicit activity after years of decline, according to a report released by TRM Labs analyzing 2025 data.

However, the rise in the total still represents an ongoing decline in the percentage of overall crypto activity linked to bad actors (1.2% of volume), the report published Wednesday said, and the bad guys behind it are increasingly professional state-backed operations supported by sophisticated infrastructure.

"We saw roughly four trillion dollars in stablecoin activity in 2025, which tells you how fast the lawful ecosystem is growing," said Ari Redbord, global head of policy for TRM. "Even with that growth, illicit activity still made up only about 1.2% of total volume. That said, that 1.2% is existential and pretty much all I think about — ransomware attacks on hospitals, seniors losing life savings to scams, and state actors like North Korea using crypto to fund weapons programs."

The report lands as illicit-finance use of crypto is a central point being debated by U.S. lawmakers working on the crypto market structure legislation. Democrats have insisted on more stringent shields against criminality than were present in earlier drafts of the bill being considered in two Senate committees. So far, the two parties haven't been able to come together on a version that satisfies both, despite a hearing still set for Thursday in the Senate Agriculture Committee. If that hearing happens, illicit finance will remain front and center.

A big spike in sanctions-tied crypto activity was "overwhelmingly driven by Russia-linked flows," according to TRM, which said $72 billion was run through the ruble-backed stablecoin A7A5 and that the wallet cluster known as A7 could be connected to more than $39 billion in Russian sanctions evasion.

"While Russia-linked networks largely drove sanctions-related crypto volume, the more consequential shift was the institutionalization of crypto rails by other sanctioned actors," the report noted, citing activity in Venezuela and China.

As for crypto hacking, thieves made off with nearly $3 billion in 2025, a higher dollar amount than the previous year, though about half of it was accounted for by the single February attack on Bybit. While hacks and exploits totaled 150 thefts for the year, the damage was heavily weighted to a handful of larger incidents.

"Sophisticated actors, particularly those linked to North Korea (DPRK), are no longer just exploiting code — they are compromising the operational foundations of crypto asset services and the ecosystems around them," the report said. Infrastructure attacks resulted in most of the losses.

North Korean hacking operations are using "Chinese laundromats" to pass stolen assets into the hands of subcontracted launderers who use chain-hopping and fragmentation to complicate tracking, according to TRM. "This professionalization complicates recovery, as the faster stolen assets can be routed through layered intermediaries, the narrower the window for interdiction," the report said.
