Lessons From Another Year of Crypto Crime
Operational takeaways from the 2026 TRM Labs report
This week, I spent some time with the latest Crypto Crime Report from TRM Labs. In a sentence, the key takeaway of the report is that crypto crime is no longer “new,” experimental, or chaotic. It’s settling into patterns that increasingly resemble the broader financial crime landscape.
That’s both reassuring and uncomfortable.
The myth of “crypto = crime” continues to erode
One of the most important contextual points in the report is that illicit activity still represents a small fraction of overall on-chain volume. Despite high-profile hacks and enforcement actions, the vast majority of crypto activity remains legitimate.
Crypto crime remains a persistent and adaptive problem, shaped by the same incentives and constraints we see in traditional finance. In other words, criminals don’t need crypto to be dominant. They just need it to be useful.
What’s actually growing: speed, not sophistication
Another recurring theme is that many crypto crimes are becoming faster rather than more complex.
The report highlights:
- rapid movement of funds immediately after hacks,
- quick cross-chain hops to fragment visibility,
- short dwell times before assets are laundered or cashed out.
Criminals are optimising for time, knowing that the first few hours after an incident matter most. Whilst post-event analysis still has value, real-time or near-real-time controls increasingly determine whether losses are contained or amplified.
Risk concentration in DeFi
DeFi continues to feature prominently in loss figures, particularly in relation to exploits, hacks, and protocol-level vulnerabilities. At the same time, the authors are careful not to frame DeFi as inherently criminal.
The real issue is where safeguards are weakest.
Open protocols, unaudited smart contracts, and experimental governance models create environments where:
- mistakes are irreversible,
- controls are minimal,
- and incentives favour speed over caution.
In that sense, DeFi can be viewed as a stress test for governance. As we know, criminals follow where the governance is weakest.
Sanctions, state actors, and geopolitics remain a constant
One of the more sobering sections of the report deals with state-linked activity, including sanctioned jurisdictions and groups using crypto opportunistically.
Sanctioned actors continue to probe for gaps, often using:
- small volumes,
- indirect routes,
- layering through mixers or intermediaries.

As discussed in prior newsletters, this highlights the idea that crypto is supplementing traditional sanctions evasion, especially where speed, deniability, and cross-border reach are useful.
The human factor hasn’t gone away
Human weakness remains one of the most consistent drivers of crypto crime, despite all the focus on the tech.
The report repeatedly points to:
- social engineering,
- compromised credentials,
- insider access,
- poor operational security.

In other words, many losses happen because of errors in human judgement, as opposed to technical failures. Surprising? Not really. This is a very familiar conclusion for anyone who’s worked in AML or fraud.
Technology evolves. Human psychology doesn’t.
Why this matters for financial institutions
For banks, VASPs, and payment firms, the takeaway is that crypto crime is maturing into something recognisable.
The implications are practical:
- stronger emphasis on real-time monitoring,
- better integration between fraud, AML, cyber, and sanctions teams,
- less reliance on static risk scores,
- more focus on behavioural patterns and context.
In short, crypto risk needs to be treated as part of the institution’s core financial crime framework, not an exotic add-on.
A closing thought
The practical takeaway from this report is straightforward. Effective controls in the crypto space depend less on discovering new typologies and more on how quickly institutions can observe, assess, and act on emerging behaviour.
That puts pressure on a few familiar areas: real-time monitoring rather than post-event review, tighter coordination between fraud, AML, cyber and sanctions teams, and clear escalation paths when activity looks unusual even if it doesn’t breach a threshold. It also reinforces the importance of analyst judgment, particularly in the early stages of an incident, when speed matters more than certainty.
As always, if this report is circulating internally and sparking questions about how your own controls stack up, I’m very happy to compare notes.
Thanks for reading,
Alexey