TRM Labs' 2026 Crypto Crime Report puts illicit cryptocurrency flows at $158 billion in 2025 — a sharp reversal after years of decline, and a 145% jump from $64.5 billion in 2024. The ByBit hack alone accounted for $1.5 billion. Sanctions evasion dominated the numbers, with over $56 billion linked to Russia-affiliated clusters.
Headlines focus on the top-line figure. The methodology behind it matters more.
What the numbers actually measure
TRM now measures illicit activity relative to VASP outflows (deployable liquidity) rather than raw transaction volume. That's a meaningful change. Under the old method, illicit activity represented 1.2% of total volume. Under the new method, it's 2.7% — same data, very different framing.
The distinction matters because raw volume includes intra-protocol transfers, MEV, and other activity that inflates the denominator. VASP outflows are closer to what actually moves through the economy. Whether 2.7% is alarming or acceptable depends on your perspective, but it's a more honest number.
What drove the increase
Sanctions evasion accounts for the largest share. Russia-affiliated clusters generated over $56 billion in flows, with $72 billion moving through the ruble-pegged stablecoin A7A5. Stablecoins broadly dominated illicit transfer volume — sanctioned entities favor them for cross-border settlement because of speed and liquidity.
Hacking surged, driven by the ByBit breach and continued bridge exploits. North Korea-linked groups remain the most prolific state-sponsored actors in the space.
One notable shift: EU, UK, and US regulators began including specific wallet addresses in sanctions designations for the first time. That raises the bar for on-chain attribution and forces compliance teams to monitor at the address level, not just the entity level.
What the report doesn't capture
Any report measuring illicit crypto volume is limited by what's detectable. Funds routed through privacy protocols, cross-chain bridges with poor analytics coverage, or converted to cash outside the VASP system don't show up in the numbers. The $158 billion figure is a floor, not a ceiling.
The measurement methodology also struggles with DeFi. When value moves through contract state changes rather than direct transfers — the PEB separation problem I've written about elsewhere — transfer-layer analytics can miss entire categories of illicit flow.
What it means practically
The trend line is clear: illicit volumes are rising, enforcement is expanding, and the compliance surface area is getting larger. The inclusion of wallet addresses in sanctions designations is the most operationally significant change — it means real-time on-chain monitoring is no longer optional for regulated entities.
For teams building compliance capabilities, the takeaway isn't the $158 billion headline. It's the growing complexity of what you need to monitor and the methodological choices that shape what you can even see.