On January 8, 2026, Chainalysis published the 11th edition of the Crypto Crime Report — the industry's densest annual document on illicit cryptocurrency flows. The headline number was received by the market with a mix of gravity and discomfort that the sector already recognizes: illicit addresses received at least US$ 154 billion in 2025, a 162% increase over the previous year. Sanctioned entities alone absorbed US$ 104 billion — an increase of 694% in twelve months. Crypto crime has become industrialized.
But the number that matters for the Brazilian reader is not in the executive summary. It's buried in the Human Trafficking chapter, on page six, in a list of five countries: "significant cryptocurrency flows originating from Brazil, the United States, the United Kingdom, Spain, and Australia". Brazil appears in the Chainalysis 2026 report. It appears in the wrong chapter. And nobody — government, regulator, industry, mainstream press — is looking at this.
The global portrait of crypto crime in 2025
The report's aggregates establish four major blocks. Scams: US$ 17 billion in 2025, against US$ 12 billion in 2024 — a 42% increase, with average payout per victim jumping 253% to US$ 2,764. Sanctions: US$ 104 billion to sanctioned entities, a 694% increase, capturing the year when nation-states effectively embedded crypto in strategic infrastructure. Ransomware: US$ 820 million in payments, an 8% decrease in the aggregate, but median payment increasing 368% to US$ 59,556 — a combination the report classifies as "industrial fragmentation". Human trafficking: hundreds of millions in identified flows, an 85% increase year-over-year.
The macro reading is clear: crypto crime is not just growing in volume; it's specializing. Smaller actors gained professional tools (AI multiplies revenue by 4.5x, according to the report itself), state actors entered at industrial scale, and ransomware shifted from being dominated by a handful of groups to fragmenting across 85 active operations. It's the chronicle of crime's maturation on the crypto rail — a maturation that coincides, ironically, with the maturation of the legitimate market, as we demonstrated in the US$ 321 Billion Stablecoin Era.
The new frontier: nation-states plugged into the rail
The 694% surge in values received by sanctioned entities is the report's most uncomfortable data point. Three state-flagged operations explain almost all of the number.
Iran (US$ 7.78 billion in 2025). The Iranian Revolutionary Guard Corps (IRGC) dominated the local crypto ecosystem, accounting for more than 50% of the value received through the fourth quarter. The report documents transfers of "more than US$ 3 billion to support regional militia networks, facilitate oil sales, and acquire dual-use equipment". The most serious finding: leaked documents confirm the direct involvement of Iran's Central Bank in purchasing stablecoins via brokers. When we published the analysis on Iran's crypto toll at the Strait of Hormuz, the thesis was that crypto had become geopolitical infrastructure. The 2026 report confirms the hypothesis with state balance sheet numbers.
Russia (token A7A5). The ruble-backed stablecoin moved US$ 93.3 billion in less than a year, functioning as a settlement layer for sanctioned entities. The trading pattern is particularly revealing — concentration on business days, absence of retail behavior — suggesting use as a corporate payment instrument, not as a speculative asset. The report documents an "Instant Swapper" that converts sanctioned rubles into mainstream stablecoins, closing the evasion cycle.
North Korea (more than US$ 2 billion stolen in 2025). The most lucrative year in the history of North Korea's hacker program. The Bybit attack alone in February 2025 totaled US$ 1.5 billion — the largest documented digital theft to date. The data converges with everything ON3X had been covering: the Black April in DeFi with US$ 606 million, the Lazarus Mach-O Man malware on macOS targeting crypto executives, the Drift Protocol case with US$ 285 million. North Korea has ceased being a lateral threat and become a consolidated player.
Scams, AI, and the Prince Group case
The US$ 17 billion in scams in 2025 came from a combination of pig butchering, high-yield investment programs (HYIP), impersonation (with 1,400% year-over-year growth), and romance fraud increasingly automated by artificial intelligence. The most revealing finding: scams with AI provider connections extract on average US$ 3.2 million per operation against US$ 719k without AI — a 4.5x difference. AI also enables operating 9x more simultaneous transactions. It's automated industrial scale.
The Prince Group case concentrates the narrative. A Cambodian operation that ran forced labor compounds in Cambodia and Myanmar, it was subject to a US$ 15 billion forfeiture by the United States and the designation of 146 targets by OFAC in October 2025. In parallel, the United Kingdom recovered 61,000 BTC (approximately £5 billion) from Yadi Zhang, in one of the largest cryptocurrency asset seizures in history. The Smishing Triad (Chinese SMS phishing network) reached more than one million victims via E-ZPass scams. Lighthouse, a phishing-as-a-service platform, generated US$ 1.5 million in crypto deposits.
The 1,400% jump in impersonation deserves note. It means scammers are using voice cloning and visual identity tools to impersonate government agencies and private companies at a scale that was impossible two years ago. The playbook is available on the darknet for less than US$ 200.
Ransomware fragmented into 85 groups
Total payments in 2025 fell 8% to US$ 820 million — the first decline in three years. But the aggregate number masks the true change. The median payment per incident jumped 368% to US$ 59,556. Claimed attacks increased 50%. The rate of victims who actually paid fell to 28%, a historic low. The "centralized RaaS" model gave way to fragmentation: analyses converge around 85 active groups, against a handful of dominant ones two years ago.
This confirms what ON3X had already reported in February based on partial data from Chainalysis itself. The decentralization of crime has a side effect: small groups demand smaller ransoms, but attack more targets. For companies with precarious infrastructure, the risk calculation changed — there is no longer a single cartel to negotiate with; there are dozens, and each sets its own price.
Where Brazil appears (and why it matters)
The Human Trafficking chapter is the crux of the story. The report identifies Southeast Asia — Cambodia, Myanmar, Laos — as the primary hub for networks that combine forced labor, sexual exploitation, and trafficking to feed pig butchering operations at scale. Networks operate via Telegram, integrated with financial guarantee services (Tudou, Xinbi) and criminal organizations like the Fully Light Group. Stablecoins dominate due to stability and ease of conversion. Approximately half of transactions classified as "international escort" exceed US$ 10,000.
The data point that matters is the geographic origin of flows. The report lists five countries by name: United States, United Kingdom, Brazil, Spain, and Australia. It means that Brazilian residents — individuals, in statistically significant volume — are sending crypto to infrastructures that finance human trafficking operations in Southeast Asia. It's not marginal volume. It's volume sufficient for Chainalysis to name the country, alongside economies three to ten times larger.
The United Kingdom responded by sanctioning Xinbi in March — one of the guarantee platforms cited in the report. Brazil has taken no corresponding action. Brazil also has no public national mapping of outflows. VECERT mapped 29.8 TB of Brazilian data leaked in just 90 days and identified 32 active threat actors, but the focus of domestic mapping is exfiltration — what leaves here in the form of stolen data. The outflow of funds to international criminal infrastructures has no equivalent public mapping.
In other words: Brazil is being categorized as financing infrastructure by an American company in a report read by global regulators, and the Brazilian regulator has no instrument of its own to confirm, contest, or act on the data. The irony is that we are discovering our exposure to international crime via a foreign company — Chainalysis, an editorial partner of ON3X, is also the source that places us on the list. Critical reading is necessary regardless of business relationships.
Stablecoin at the center of the crime map
The Chainalysis 2026 report insists on a number that ON3X has been highlighting for weeks: stablecoins dominate illicit volume. The instrument that enabled legitimate use cases — cross-border payments, institutional settlement, hedge against volatile currencies — is the same one that enabled Russia's A7A5, Iran's IRGC, and human trafficking infrastructure in Southeast Asia. The choice is one of design: stability, transferability, low friction. The same three properties that serve legitimate commerce serve the illicit.
The Tillis-Alsobrooks compromise in the CLARITY Act has a positive side effect here. When American regulation forces the "buy and use" model — rewards tied to actual use, not idle balance — each use becomes a traceable friction point. The externality is unknown to the senators themselves, but operationally significant: yield regulation on stablecoins reinforces the surface for flow monitoring. It doesn't solve the crypto crime problem, but it forces each movement to leave a more explicit trail.
The Brazilian threat intelligence gap
The report exposes a structural vacuum: Latin America depends almost exclusively on external sources — Chainalysis, TRM Labs, Elliptic — to understand its own illicit crypto flows. There is no Brazilian equivalent with a public mandate, annual cadence, and methodological depth. VECERT, the primary source followed by ON3X in cybersecurity, operates in the private sector and focuses on domestic incidents. CVM, COAF, and BCB handle sensitive data, but without open publication at the granularity of the Chainalysis report. The Federal Police investigates individual cases, but without a public aggregate map.
The result is informational asymmetry: Brazilian regulators reading about Brazil in an American PDF. State prosecutors discovering, at an international event presentation, that there is relevant outflow to Southeast Asia. Mainstream press covering the headline and missing chapter six. Argentina, Mexico, and Colombia are moving to fill this gap in their own jurisdictions. Brazil has not yet done so.
The ON3X perspective
Three readings to metabolize the Chainalysis 2026 report with a Brazilian lens:
- Brazil needs to build its own capacity for crypto threat intelligence — waiting for international partners to map the national landscape is institutional abdication. Chainalysis is an editorial partner of ON3X and the best global source of its kind, but the work of mapping Brazilian flows belongs to Brazilian institutions. CVM, COAF, BCB, Federal Police, and Public Ministry have the data. What's missing is an annual public cadence with methodological depth equivalent to that of the Chainalysis report. Without it, we continue depending on foreign PDFs to understand ourselves. VECERT has been building this layer in the private sector, but the Brazilian public sector still doesn't have a corresponding piece.
- The thesis of the "nation-state plugged into crypto" ceased to be a hypothesis — it became an established geopolitical axis. Iran, Russia, and North Korea operate at industrial scale. A7A5 moved US$ 93.3 billion in less than a year. IRGC dominated half the Iranian market. DPRK closed 2025 with US$ 2 billion in thefts. The next five years will require compliance sophistication as advanced as evasion is today — and that means regulated exchanges and institutions need to treat on-chain analysis as an operational layer, not as a one-off audit. For the Brazilian crypto sector, this is an opportunity to export services, if there is investment now.
- Stablecoin remains at the center of the crypto crime map until "buy and use" generalizes globally. The Brazilian exchange model — Resolution 521, equalization to exchange — has a positive side effect here by forcing traceability of each international operation. If CVM and RFB can transform data collected by the exchange framework into active intelligence, Brazil can transition from the Human Trafficking chapter (flow origin) to a chapter on best practices in the 2027 report. The window is open — it depends on execution.
Frequently Asked Questions
How much crypto crime happened in 2025 according to Chainalysis?
Illicit addresses received at least US$ 154 billion — a 162% year-over-year increase. The main blocks were: US$ 104 billion to sanctioned entities (+694%), US$ 17 billion in scams, US$ 820 million in ransomware, and hundreds of millions in human trafficking flows. The report was published on January 8, 2026.
What explains the 694% increase in values received by sanctioned entities?
Three state operations. Iran (US$ 7.78 billion, IRGC dominated half the market, with the Central Bank buying stablecoins). Russia (A7A5 token backed by rubles moved US$ 93.3 billion in less than a year). North Korea (more than US$ 2 billion stolen, with the Bybit attack totaling US$ 1.5 billion). Combined, these three actors account for almost all the aggregate surge.
Does Brazil appear in the report?
Yes, in the Human Trafficking chapter. The report lists United States, United Kingdom, Brazil, Spain, and Australia as countries of significant origin for crypto flows destined for human trafficking networks operating in Southeast Asia. Global volume grew 85% year-over-year. There has been no corresponding public regulatory action by Brazil to date.
Who are the main state actors using crypto to evade sanctions?
Iran (via IRGC and Central Bank), Russia (via A7A5 stablecoin), and North Korea (via Lazarus Group and equivalents). The report documents US$ 104 billion in aggregate flows to sanctioned entities in 2025, with strong concentration in these three actors. American enforcement has shifted to an "infrastructure-centric" approach — attacking hosting providers, exchanges, and OTC brokers instead of individual wallets.
How can the Brazilian crypto sector respond to Brazil's positioning in the report?
By building national crypto threat intelligence capacity — public, with annual cadence and methodological depth equivalent to Chainalysis. Today the private sector (VECERT in cybersecurity) and public sector (CVM, COAF, BCB, Federal Police) handle sensitive data without consolidated publication. The opportunity window exists: Brazilian exchanges with mature compliance can export services regionally, and the Brazilian exchange framework (Resolution 521) already forces traceability that can become active intelligence.
