Illicit Volumes Portend Record Year as On-Chain Crime Becomes Increasingly Diverse and Professionalized

In recent years, cryptocurrency has become increasingly mainstream. Although illicit activity on-chain previously revolved heavily around cybercrime, cryptocurrency is now also being used to fund and facilitate all kinds of threats, ranging from national security to consumer protection. As cryptocurrency has gained greater acceptance, illicit on-chain activity, too, has become more varied. For example, some illicit actors primarily operate off-chain, but move funds on-chain for laundering.

We report on certain defined categories — stolen funds, darknet markets, and ransomware, to name a few — on an annual basis. However, with the diversification of crypto crime to include all types of crime, the on-chain illicit ecosystem has witnessed increasing professionalization, with a broadening array of illicit actor organizations and networks using cryptocurrency, as well as increased complexity in their operations. In particular, we have seen the emergence of large-scale on-chain services that provide infrastructure for numerous types of illicit actors to help them launder their ill-gotten crypto.

How are these developments playing out on-chain? Let’s take a look at the data and high-level trends.

According to our metrics today, it looks like 2024 saw a drop in value received by illicit cryptocurrency addresses to a total of $40.9 billion. However, 2024 was likely a record year for inflows to illicit actors as these figures are lower-bound estimates based on inflows to the illicit addresses we’ve identified up to today.

A year from now, these totals will be higher, as we identify more illicit addresses and incorporate their historic activity into our estimates. For instance, when we published last year’s Crypto Crime Report, we reported $24.2 billion for 2023. One year later, our updated estimate for 2023 is $46.1 billion. Much of that growth came from various types of illicit actor organizations, such as vendors operating through Huione, which provide on-chain infrastructure and laundering services for high-risk and illicit actors.

It stands to reason that 2024’s illicit cryptocurrency volume will exceed that of 2023. Since 2020, our annual estimates of illicit activity — which include both evidentiary attributions and Chainalysis Signals data — have grown by an average of 25% between annual reporting periods. Assuming a similar growth rate between now and next year’s Crypto Crime Report, our annual totals for 2024 could surpass the $51 billion threshold.

In general, our totals exclude revenue from non-crypto-native crime, such as traditional drug trafficking and other crimes in which crypto may be used as a means of payment or laundering. Such transactions are virtually indistinguishable from licit transactions in on-chain data, although law enforcement with off-chain information can still investigate these crimes using Chainalysis solutions. In cases where we’re able to confirm such information, we count the transactions as illicit in our data. For example, since the conviction of FTX’s former CEO of fraud, our 2022 figures have included the $8.7 billion in creditor claims against the exchange. However, there are almost certainly many instances where we do not have such confirmation, and therefore the numbers would not be reflected in our totals.

How big was crypto crime in 2024?

• $40.9 billion received by illicit addresses known today, but we estimate the total may be closer to $51 billion given historical trends
• 0.14% of total on-chain transaction volume

Estimates of illicit transaction activity DO include:

• Funds sent to addresses we’ve identified as illicit
• Funds stolen in crypto hacks

Estimates of illicit transaction activity DO NOT include:

• Funds sent to addresses we have not yet identified as illicit. Why? Because we don’t know that they’re illicit yet. But we update our numbers on a rolling basis as we make more identifications.
• Funds derived from non-crypto-native crime, except for cases brought to our attention by customers. Why? Because these transactions are impossible to validate as illicit without more information.
• Funds associated with extremist groups. Why? Because the definition of what constitutes extremism is often subject to interpretation and inconsistent across jurisdictions.
• Funds associated with crypto platforms accused of fraud, absent convictions in court. Why? Because only a judge and jury can make that determination.
• Transaction volumes associated with potential market manipulation. Why? Because our research heuristics are designed to catch suspected instances of market manipulation based on on-chain behavior, but aren’t definitive.

At the time of this publication, we see a reduction in absolute value of illicit activity year-over-year (YoY); however, based on historical growth rates, we suspect that this number will eventually exceed last year’s total as our data attributions improve. In addition, our estimate for the share of all attributed crypto transaction volume associated with illicit activity, depicted below, also fell to 0.14% from 0.61% in 2023. Similarly, we expect this share to rise over time, although historically these rates consistently remain below 1%. [1]

As we initially shared in our mid-year crypto crime update, another important update this year is that we’ve begun to factor suspected illicit activity into our total estimates for certain crime types, based on Signals data. Previously, our estimates included only totals tied to addresses for which we had supporting documentation demonstrating that they belong to a certain illicit entity. Signals leverages on-chain data and heuristics to identify the suspected category for a particular unknown address or cluster of addresses, with confidence levels ranging from likely to almost certain. The introduction of Signals not only grows our estimates of certain illicit activity categories over time, but also enables us to refine previous years’ estimates, given more time has passed to collect inputs and understand on-chain patterns of suspicious activity. As bad actors continue to evolve their tactics, so too will our methods of detecting and disrupting them.

We are also seeing a continued trend vis-à-vis the types of assets involved in crypto crime.

Through 2021, BTC was unequivocally the cryptocurrency of choice among cybercriminals, likely due to its high liquidity. Since then, however, we have observed a steady diversification away from BTC, with stablecoins now occupying the majority of all illicit transaction volume (63% of all illicit transactions). This new reality is part of a broader ecosystem trend in which stablecoins also occupy a sizable percentage of all crypto activity, demonstrated by total growth YoY in stablecoin activity around 77%. In our 2024 Geography of Cryptocurrency report, we covered the wide array of practical use cases for stablecoins in a range of markets, such as storing value, sending remittances, facilitating cross-border payments, and international trade. Additionally, stablecoin issuers often freeze funds if they are made aware of their use by illicit actors. For example, Tether has frozen addresses of concern linked to scams, terrorist financing, and sanctions evasion, which can make stablecoins a poor tool for the transfer of value by illicit actors.

Nonetheless, despite these ecosystem-wide trends, some forms of crypto crime, such as ransomware and darknet market (DNM) sales, remain BTC-dominated. The popular privacy coin Monero, although an increasingly important part of the DNM ecosystem, is not included in the analysis for this report. Other illicit activity, such as scamming or laundering stolen funds, often take a more eclectic approach and spread out across all asset types. Others, such as transactions associated with sanctioned entities, have shifted primarily to stablecoins. Sanctioned entities, including individuals operating in sanctioned jurisdictions, often have a greater incentive to use stablecoins due to challenges otherwise accessing the U.S. dollar through traditional means amid a desire to benefit from its stability.

Below, we’ll take a closer look at three key trends that defined crypto crime in 2024 and will be important to watch going forward.

Stolen funds and scams still prolific

Stolen funds increased by approximately 21% YoY to $2.2 billion. Although the largest share of stolen funds was robbed from decentralized finance (DeFi) services, centralized services were the most targeted in Q2 and Q3. Private key compromises accounted for the largest share (43.8%) of stolen crypto in 2024, with North Korean hackers stealing more from crypto platforms than ever before: $1.34 billion, representing 61% of the total amount stolen for the year. Some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and web3 companies, compromising their networks, and using sophisticated tactics, techniques, and procedures (TTPs).

High- and low-tech fraud and scams were prolific in 2024, with high-yield investment scams and pig butchering representing the most successful fraud and scam types. We have also observed the increasing use of artificial intelligence (AI) in the fraud and scams space, such as in highly personalized sextortion attacks. This use of AI is consistent with a broader trend across a range of illicit cybercrimes, as services have emerged that leverage AI to bypass know-your-customer (KYC) requirements. Fraud and scam operators are also leveraging guarantee services such as Huione (discussed below), while crypto ATM scams are a growing concern, especially as they relate to elder fraud.

Ransomware still front and center, darknet markets and fraud shop volumes on the decline

Ransomware has continued to see revenues in the hundreds of millions of dollars, but a number of large, multilateral law enforcement disruptions coupled with decreased victim appetite to pay ransoms have made a dent in the ecosystem. 2024 has nonetheless been a productive year, as attack volume was relatively sustained and some ransomware groups have still managed to eke out payments — albeit in lower amounts.

DNMs received $2 billion as opposed to close to $2.3 billion in 2023, while fraud shop volume is down by slightly more than half at $220.1 million. This marked decline for fraud shops is due in part to a large U.S.-Dutch takedown of Universal Anonymous Payment System (UAPS), a crypto payment processor that facilitated transactions for hundreds of fraud shops, including Brian Dumps and Faceless.

Crypto crime landscape increasingly diverse and professionalized

An array of illicit actors, including transnational organized crime groups, are increasingly leveraging cryptocurrency for traditional crime types, such as drug trafficking, gambling, intellectual property theft, money laundering, human and wildlife trafficking, and violent crime. Furthermore, some criminal networks are resorting to crypto to facilitate polycrime, or multiple crime types. Indeed, of the total $40.9 billion received by illicit crypto addresses in 2024, $10.8 billion was received by “illicit-actor org,” our catch-all term for wallets of services and individuals both directly committing cybercrime like hacking, extortion, trafficking, or scams, as well as those facilitating this activity by selling the underlying infrastructure, tools, and services needed to commit crime and profit, including laundering-as-a-service.

Perhaps no entity better illustrates the professionalization of the crypto crime ecosystem than the online marketplace Huione Guarantee. As we highlighted in our 2024 mid-year crypto crime update, Huione and all vendors operating on their platform have processed more than $70 billion in crypto transactions since 2021. This platform has provided infrastructure which facilitates the sale of scam technology and processed on-chain transactions for pig butchering and other fraud and scams, addresses reported as stolen funds, sanctioned entities such as the Russian exchange Garantex, fraud shops, child sexual abuse material, and Chinese-language gambling sites and casinos, among others.

End notes:

[1]Transaction volume is a measure of all attributed economic activity, a proxy for funds changing hands. We have tweaked our methodology this year to include only transactions involving at least one attributed entity, while removing peel chains, internal service transactions, transactions between two personal wallets, change, and any other type of transaction that would not count as an economic transaction between distinct economic actors.

This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein. 

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.