The state of cross-chain crime 2025: Contemporary risks, trends & best practices to counter them PDF Free Download
1 / 60/60
100%
Contemporary risks, trends
& best practices to counter them
The state of
cross-chain
crime 2025
Executive Summary .......................................................................... 4
Introduction .................................................................................. 5
What to expect in this report .................................................................. 5
Contemporary risks, trends and new features to counter them ................................7
What do we mean by “cross-chain crime”? ................................................... 8
Chain-hopping ...................................................................................9
New Elliptic features to counter cross-chain crime ............................................10
Automating cross-chain bridge tracing .........................................................10
Case study 1 - Chain hopping .....................................................................11
Industry-leading blockchain and asset coverage ...............................................12
Case study 2 - Chain hopping ...................................................................14
Case study 3 - High-risk & contextual asset coverage ...........................................15
The scale of cross-chain crime ..................................................................16
Cross-chain crime, North Korea and sanctions ..................................................17
DEXs, Bridges and Coin Swap Services: Key trends & developments ...........................18
Decentralized exchanges .....................................................................19
Cross-chain crime trends of DEXs ................................................................20
Recent developments ............................................................................20
Recent case studies ..............................................................................20
Case study 4 - Preparation for onward laundering ..............................................21
Case study 5 - Swapping assets for utility .......................................................24
Cross-chain bridges ........................................................................ 25
Cross-chain crime trends of bridges .............................................................26
Recent developments ............................................................................26
Case study 6 - Accessing future laundering services ............................................27
Case study 7 - Chain hopping ...................................................................28
Contents
State of Cross-chain Crime in 2025
2
Coin swap services ..........................................................................30
The backend of coin swap services ..............................................................30
Emerging developments and sanctions risks ....................................................31
The illicit coin swap ecosystem ..................................................................32
Case study 8 - US sectoral sanctions ............................................................33
Case study 9 - Increased use by North Korea ....................................................34
Blurred lines and risks involving other services ..............................................36
Case study 10 - Gas fee nancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Case study 11 - Use of all three cross-Chain services ............................................38
Case study 12 - Centralized gas fee nancing .................................................. 40
Guide: Fighting cross-chain crime with Elliptic ................................................41
Our solutions ................................................................................ 42
Screening for multi-asset or multi-chain risk exposure ......................................45
Conclusion: the power of holistic investigations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
State of Cross-chain Crime in 2025
3
Growing innovation and global adoption has cemented the future
of crypto as an ecosystem spanning an ever-growing number of
blockchains and cryptoassets. It is becoming more crucial now than ever
before to ensure that the expanding base of consumers and benecial
innovation across the industry remains protected from criminal activity.
The growth in the number of crypto projects, blockchains and assets is increasingly being exploited by illicit
actors – including those involved with hacks, scams, darknet activity and sanctions evasion. These threat
actors use cross-chain money laundering techniques to obfuscate their transaction trails and make their
detection more difcult.
To that end, Elliptic has been the pioneer of cross-chain blockchain analytics technologies, releasing
its holistic screening capabilities in 2022 – the rst of their kind. Since then, we have developed further
capabilities to match the growth of cross-chain crime, most notably:
• The ability to automatically trace through cross-chain bridges, signicantly reducing the costs and
manual effort required for complex investigations
• Coverage of an industry-leading 50+ blockchains, enabling the most comprehensive detection of risk
across the cryptoasset ecosystem
This report introduces these capabilities, as well as the latest illicit trends, for all compliance teams,
regulators, nancial services and law enforcement investigators seeking to detect and mitigate cross-
chain crime. Specically, in terms of emerging risks, this report nds that:
• Cross-chain criminal and high-risk activity – namely that which is perpetrated by swapping assets
through decentralized exchanges, cross-chain bridges or coin swap services – has exceeded
$21.8 billion. This is up from our previous 2023 estimate of $7 billion and 2022 estimate of $4 billion
• One of the most prolic threat actors is North Korea, responsible for around 12% of our $21.8 billion
estimate. DPRK hackers are increasingly using sophisticated cross-chain methods to launder the
proceeds of their crypto hacks
• Around 33% of complex cross-chain investigations involve more than three blockchains. Meanwhile,
27% involve over ve, and 20% span more than ten
• Emerging cross-chain crime trends include industrialized scamming activity, including crypto
investment scams and memecoin rug pulls, as well as sectoral sanctions risks
This report ends with an actionable guide explaining how Elliptic’s solutions – including new features such
as automated cross-chain tracing – can be used to establish an effective multichain screening program
that upscales compliance and investigative capabilities.
Executive Summary
State of Cross-chain Crime in 2025
4
Introduction
Starting with Bitcoin in 2009 and Ethereum in 2013, the number of blockchains and individual assets in
active operation has grown exponentially. Consequently, swapping between assets or across chains has
become a typical aspect of crypto activity.
Most cross-chain or cross-asset activity happens for legitimate reasons. However, the presence of
anonymous cross-chain services in an increasingly multichain ecosystem presents risks in terms of
criminal activity, money laundering and sanctions evasion.
For example, it is now commonplace for a single crypto wallet – particularly an Ethereum Virtual Machine
(EVM) compatible one – to possibly hold thousands of assets across multiple blockchains. Screening such
a wallet for illicit exposure in just one or a few assets does not provide a complete overview of risk.
Furthermore, criminals are increasingly relying on “chain-hopping”, namely swapping assets in quick
succession, to knock investigators off the trail due to the hours of manual work required to follow the funds.
Irrespective of whether it is low-level criminality or sophisticated high-value incidents, this practice has
become commonplace across all types of crime.
Given the growing adoption of crypto and increasing integration with nancial systems, these risks affect
both virtual asset and traditional nancial services. However, they also present opportunities; At Elliptic, we
have introduced new blockchain analytics capabilities, discussed throughout this report, to turn criminals’
cross-chain obfuscation attempts into a liability, revealing new leads into their money laundering activities
What to expect in this report
This report serves as an update to our 2022 and 2023 State of Cross-chain Crime reports and includes
the following:
An overview on the main cross-chain crime risks in the contemporary cryptoasset ecosystem and
the scale thereof,
An introduction to notable new Elliptic blockchain analytics features that enable compliance
professionals, regulators and law enforcement investigators to scale up their detection and
mitigation of contemporary cross-chain crime risks,
An update on new developments regarding anonymous cross-chain services, namely
decentralized exchanges, cross-chain bridges and coin swap services,
A guide on how to use Elliptic’s blockchain analytics solutions, including our holistic screening
and automated cross-chain bridge tracing functions, to establish comprehensive cross-chain
compliance and investigations capabilities.
1.
2.
3.
4.
State of Cross-chain Crime in 2025
5
Look out for the following resources as you navigate this report:
Red ags and warning signals
Warnings describe signicant issues and trends in criminal behavior. Red ag indicators are
common traits of such behavior that can be observed either on- or off-chain and give an
indication that suspicious activity is occurring.
Diagrams and owcharts
Illustrations, diagrams, graphs and charts are included throughout to help you visualize the
nature and scale of blockchain activities associated with discussed entities, trends and risks.
Case studies
This is a predominantly case study-driven report, highlighting the contemporary risks and
trends associated with cross-chain crime. You will nd case studies involving both major and
small-scale illicit activity and learn how cross-chain crime relates to them all.
Key controls and best practices
You will nd guides on how to operationalize blockchain analytics – including new features
we have released in Elliptic’s solutions since our last report – to maintain a robust anti-money
laundering, counter-terrorist nancing and sanctions compliance regime.
Elliptic blockchain analytics
You will nd blockchain investigation graphs, insights and guides on how you can leverage
Elliptic’s holistic-enabled transaction monitoring, wallet screening, entity due diligence and
investigative solutions to detect and mitigate cross-chain crime at scale.
State of Cross-chain Crime in 2025
6
Contemporary
risks, trends and
new features to
counter them
What do we mean by “cross-chain crime”?
The ability to swap cryptoassets between different assets, tokens and blockchains is a routine service
provided by numerous virtual asset exchanges and other such institutions. Most swaps occur for legitimate
reasons and in any case, many of these centralized services require know-your-customer checks and
have controls in place to mitigate suspicious activity.
However, anonymous services that offer cross-asset or cross-chain swaps also remain widely popular.
Most still exist for legitimate purposes and illicit exposure constitutes a very minor portion of their activity.
Some may even implement some controls to avoid illicit funds and cooperate with law enforcement.
However, others might actively operate on dark web forums and cater willingly to illicit actors.
Typically, these services will fall into one of three categories, which are:
• Decentralized exchanges (DEXs) – decentralized nance (DeFi) protocols that automatically swap
between assets on the same blockchain using liquidity pools
• Cross-chain bridges – also DeFi protocols, designed to swap assets on one blockchain to another.
They typically “lock” the assets being swapped in a smart contract on the origin blockchain and
release the equivalent amount on the destination blockchain
• Coin swap services – also referred to as “instant swap exchanges” – are centralized services that swap
between assets or blockchains anonymously through bespoke websites or Telegram channels. They
are popular among dark web communities
An illicit actor may engage with cross-asset or cross-chain swaps for reasons such as:
• Obfuscation – the illicit actor may wish to swap their assets multiple times across different assets or
blockchains (known as “chain-hopping”) to confuse investigators. This is discussed in more detail overleaf
• Accessing other laundering opportunities – some criminal assets may originate in somewhat
obscure assets or blockchains. Illicit actors may swap them to more utilizable assets to access further
laundering services or enjoy their proceeds of crime
• Avoiding freezable assets – some assets, for example the stablecoins Tether (USDT) and USD Coin
(USDC), can be frozen by their issuers. Illicit actors will therefore engage in cross-asset swaps, often as
soon as possible, to avoid holding freezable assets
• Gas fee nancing – engaging with tokens on a blockchain typically requires a certain amount of the
blockchain’s native token (e.g. ETH on Ethereum or TRX on Tron) to pay the transaction (“gas”) fees.
Illicit actors will often swap small amounts of tokens to the blockchain’s native asset to ensure they
have enough to cover these fees
State of Cross-chain Crime in 2025
8
Chain-hopping
Chain-hopping involves the swapping of assets across blockchains, or to other assets on the
same blockchain.
At face value, a single swap of assets from one asset/blockchain to the other is not a cause for concern
and will most likely reect routine crypto activity. However, when crypto is split across several blockchains
(structured chain-hopping) and/or swapped successively several times across different blockchains
(multi-hop chain hopping), the likelihood of suspicious activity increases – especially given that such activity
often incurs signicant transaction fees and has little practical purpose other than to confuse on-chain trails.
Chain-hopping has been highlighted as a money laundering concern by regulatory institutions since the
early 2020s, when it was explicitly mentioned as a risk by the Financial Action Task Force (FATF) – a concern
repeated also in its more recent targeted virtual asset updates.
Red-ag indicators consistent with suspicious chain-hopping activity include:
• Both structured and multi-hop chain-hopping is used. Case Study 1, introduced a little later,
shows a case where both techniques are employed simultaneously
• Assets are often swapped in quick succession
• Assets are swapped with little regard for signicant transaction costs
• Assets are swapped using anonymous bridges or high-risk no-KYC exchanges, rather than
compliant VASPs
• Assets are swapped to different assets but then end up back in the asset of origin, demonstrating
little practical purpose other than obfuscation
The aim of chain-hopping is to lose investigators in complex trails, forcing them to manually trace
through bridges and match transactions from blockchain to blockchain. The next section introduces
new blockchain analytics capabilities implemented in Elliptic solutions to automate the tracing of chain-
hopping activity, saving investigators signicant time and effort.
WHAT DO WE MEAN BY “CROSS-CHAIN CRIME”?
State of Cross-chain Crime in 2025
9
New Elliptic features to counter
cross-chain crime
In 2022, Elliptic became the rst blockchain analytics solution to enable holistic screening, allowing
transactions and wallets to be screened, monitored and traced across multiple chains at once. Since then,
we have constantly updated our capabilities to ensure that compliance professionals and investigators
can effectively detect and mitigate emerging risks at scale. We elaborate on two of our capabilities below.
Automating cross-chain bridge tracing
Cross-chain bridges, which lock a user’s crypto on one blockchain and release the equivalent amount
(minus commission) on another, have traditionally required manual tracing to identify the source and
destination of swaps. Coupled with cases where an illicit actor splits or “structures” their cross-chain
swaps over several bridging transactions, this manual tracing can often be arduous, high-effort and
time-consuming.
To automate tracing through cross-chain bridges, Elliptic has implemented virtual value transfer events
(VVTEs), which link the destination of a bridging transaction to its source without the need for manual
investigation. Over 300 bridging combinations are covered by our VVTE capabilities, saving investigators
substantial amounts of time and effort.
The example below shows an exchange hack that occurred on the Ethereum blockchain. Immediately after
the incident, the hacker bridged the assets to Bitcoin, after which funds were mingled through successive
intermediary wallets before eventually being deposited into a mixer and privacy wallet service. The entire
investigation is plottable through a single click in Elliptic’s solutions – negating the need for manual tracing
through the bridge by matching individual transaction IDs, values or timestamps.
The case study overleaf illustrates the efciency savings enabled by VVTEs, particularly for complex
investigations that involve multiple hops across multiple chains. Further case studies will reinforce these
capabilities later on in this report. The guide at the end of the report will walk through how to use VVTEs
during an investigation.
State of Cross-chain Crime in 2025
10
CASE STUDY 1 - CHAIN HOPPING
The power of virtual value transfer events (VVTEs)
The graph below, produced using our blockchain forensics solution Elliptic Investigator, shows a wallet
suspected to be controlled by North Korea, having initially laundered its funds through a CoinJoin mixing
service. These funds originate from a $75 million hack of an exchange in 2025.
The funds were bridged successively from Bitcoin to Ethereum, then to Arbitrum and then to Base, before
being sent through another service to Tron – a clear example of structured chain-hopping in action,
designed to waste investigators’ time. A total of 48 identical virtual transfer events are visible on the graph
– underscoring the considerable efciency savings in being able to plot them automatically at once rather
than manually and individually.
This case also underscores the importance of wide asset and network coverage (discussed next): were the
hackers to bridge to a blockchain not covered by Elliptic, it would have not been possible to automatically
trace through their transactions.
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
11
Industry-leading blockchain and asset coverage
As of June 2025, Elliptic covers over 50 blockchains, the most in the blockchain analytics industry. Having
the widest available asset and blockchain coverage ensures that screening for risk is as comprehensive
as possible.
This becomes an even more crucial capability given the exponential growth of the number of blockchains
and cryptoassets, combined with the ability of wallets to hold thousands of different assets over several
blockchains at once. As the chart below shows, our internal analytics suggest that crypto investigations
now routinely involve several blockchains.
Shows investigations featuring 3 or more nodes plotted on their graphs.
In practical terms, this matters for a number of reasons:
• Were a wallet or entity to hold 100 different tokens, but the origin of just one of those tokens were a
sanctioned entity, a wallet screening or entity due diligence tool not covering that token would overlook
this risk – even if it supported all the 99 other assets. An actual example of such a case – which is not
uncommon – is provided in the nal section of this report
• Inversely, criminals may intentionally structure funds across several different tokens for the sake of
making their tracing more difcult. If a blockchain analytics solution does not support one or more
of these assets, the investigation may need to become manual, time-consuming and potentially
unfeasible. An example of this structured chain-hoping typology was shown in the previous case study
(Case Study 1), and another example is discussed in Case Study 2
• Some assets or blockchains may be tailored to specic activities or jurisdictions that are high risk or
of special regulatory concern. For example, our Stellar blockchain coverage includes support of the
Digital Myanmar Kyat (DMMK) and nUSDT, two blockchain-based central bank digital currencies issued
by Myanmar’s rebel National Unity Government (NUG) to procure arms for their civil war effort and
conduct routine government operations such as tax collection. Case Study 3 shows how our coverage
of such assets provides greater visibility over such activities and contextual risks
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
12
Elliptic Investigator shows a North Korea-linked hack (which implies an additional sanctions risk) that encompasses 226
different assets over 26 blockchains – underscoring the multichain nature of modern crypto crime.
Elliptic has consistently broadened – and continues to broaden – its coverage to encompass as much
on-chain risk as possible (see chart below). The nal section of this report provides further practical
examples of how to operationalize our industry-leading coverage to visualize, detect and mitigate
cross-chain illicit activity.
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
13
CASE STUDY 2 - CHAIN HOPPING
West Mercia fraudster launders funds across 90 cryptoassets
West Mercia Police in the United Kingdom announced in May 2025 that it had secured its rst conviction
related to crypto following a complex multichain investigation.
The individual in question had stolen £150,000 (~$200,000) through theft and fraud. The investigation,
started in 2022, found that they had laundered the stolen funds by rst investing them into crypto. The
funds were then dispersed across 90 different cryptoassets, over multiple blockchains, before being used
to nance a gambling habit.
The individual received three suspended prison sentences ranging from 8-24 months.
“This case marks West Mercia Police’s rst successful
cryptoasset tracing investigation to reach court and
demonstrates the complexity of such investigations and
importantly how cryptoassets analysis can support other
departments in securing positive outcomes for victims.”
Detective Chief Inspector Matt Mcnelis, Cybercrime Unit Lead.
Being a “rst of its kind” investigation for West Mercia Police, the complex nature of the case reveals a
number of trends consistent with the state of cross-chain crime:
• Cross-chain crime is not reserved for only sophisticated criminals engaging in million-dollar incidents.
Smaller-scale proceeds of crime are also routinely laundered cross-chain, underscoring that chain-
hopping is now the norm, not the exception
• Accessing close to 100 assets and multiple blockchains is fast becoming standard practice for crypto
money laundering schemes
• Crypto was the preferred medium for money laundering in this case despite the proceeds of crime
originating in at. This underscores that traditional nancial institutions have a part to play in guarding
against cross-chain crime
• Blockchain analytics capabilities where 90+ assets can be easily traced automatically and at-scale
are crucial for solving these cases efciently
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
14
CASE STUDY 3 - HIGH-RISK & CONTEXTUAL ASSET COVERAGE
Tracing Myanmar Civil War fundraising & tax collection
To facilitate aid and fundraising to maintain their civil war against the military Junta, the rebel National
Unity Government (NUG) of Myanmar has issued two cryptoassets, namely the Digital Kyat (DMMK,
pegged 1:1 with the Myanmar Kyat) and the nUSDT (pegged 1:1 with the US Dollar). Donations, totalling over
$15 million, are predominantly solicited through NUG-allied armed groups via social media and sent
through a dedicated payments app called NUGPay.
Besides the nancing of arms, the NUG intends to use DMMK as a central bank digital currency to facilitate
routine economic transactions in territory under its control. For example, the payment of tax to the Internal
Revenue Department of the NUG Ministry of Finance is possible through NUGPay. You can read more about
our in-depth research into DMMK/nUSDT here.
Our coverage of these assets allows for the tracing and monitoring of conict nancing in a high-risk
jurisdiction, parts of which are also known to be major hubs of organized crime and scam operations.
Additionally, though Myanmar’s NUG represents a unique context, it is also indicative of potential future
capabilities that other jurisdictions may offer as worldwide crypto adoption continues to expand, and more
nancial services are offered through cryptoassets. The ability to monitor taxation via blockchain analytics,
for example, has the benet of allowing regulators to detect and mitigate nancial crimes such as tax
evasion and corruption.
The Investigator graph below shows donations owing into and then being dispersed by the NUG Ministry
of Defence (left). It also shows taxpayers sending DMMK to the Internal Revenue Department (right). These
examples underscore one potentially high-risk and one novel crypto use case, respectively, that can be
traced via Elliptic due to our coverage of DMMK/nUSDT.
Myanmar civil war nancing via the DMMK/nUSDT through the NUG Ministry of Defence (left) and
DMMK tax collection by the NUG Internal Revenue Department (right).
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
15
The scale of cross-chain crime
In our inaugural 2022 report, we estimated that $4 billion in illicit and high-risk funds were swapped
through DEXs, bridges and coin swap services. This grew to $7 billion by July 2023.
In late 2022, we predicted that by May 2025, these gures would grow to between $9-14 billion. However,
our estimate is now a much more substantial $21.8 billion – far exceeding our projections and emphasizing
how cross-chain operations have become the norm for illicit actors. This updated gure also considers our
coverage of over 20 more blockchains and 100s of more assets. See the “Methodology” section at the end
of this report for details.
No type of crime is exempt from cross-chain activity. In particular, we note an increase in cross-chain risks
associated with scams, mirroring the rise of industrial-scale fraud across the world since the COVID-19
pandemic. We also note a rise in cross-chain obfuscation associated with the proceeds of online gambling
– an activity illegal in many jurisdictions. Authorities’ focus on gambling has increased in recent months
and years, particularly after the betting craze during the 2024 US elections.
Major isolated incidents, such as the $1.46 billion North Korean hack of Bybit in February 2025, are also
reected in the signicant use of dark web services in the same month for the laundering of those
proceeds. Sanctions evasion, especially North Korea-related crypto activity, continues to be one of the
biggest risks when it comes to monitoring cross-chain activity. The nature of these risks is explored
further overleaf.
Note: some crypto hacks are classed as “sanctioned” due to their perpetration by North Korea.
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
16
Cross-chain crime, North Korea and sanctions
The previous chart underscores the sanctions evasion risks posed by close to $4 billion worth of cross-
chain activity. The vast majority of these sanctions risks originate from North Korea and sanctioned
exchanges. Though constituting a relatively minor proportion of funds, we note that terrorist groups have
become more sophisticated in terms of cross-chain crypto operations and pose an outsized regulatory
and national security risk.
North Korean activity has an outsized impact on our gures – demonstrating how the world’s most
sophisticated hackers make extensive use of cross-chain obfuscation techniques. Over $2.7 billion of our
$21.8 billion estimation – around 12% – can be attributed to North Korean crypto hacks. The chart below
shows how their cross-chain activity has grown since 2023.
Besides North Korean activity, almost $300 million worth of funds obfuscated through cross-chain services
originated from Iranian crypto services, which are under United States sectoral sanctions. Notable cross-
chain exposure is also observed for sanctioned exchanges Garantex and Bitpapa, the former of which was
seized with help from Elliptic’s internal data in March 2025. This report will also discuss sectoral sanctions
risks associated with coin swap services and cross-chain illicit activity associated with the annexed
regions of Ukraine.
Smaller-scale cross-chain crime, for example that which involves terrorist nancing, should still not be
ignored. Cross-chain investigations have the potential to reveal important insights about perpetrators
and the wider infrastructure behind threat actors even if the amounts involved are comparably low. Case
studies will demonstrate these capabilities in due course.
NEW ELLIPTIC FEATURES TO COUNTER CROSS-CHAIN CRIME
State of Cross-chain Crime in 2025
17
DEXs, Bridges
and Coin
Swap Services:
Key trends &
developments
Decentralized exchanges
Decentralized exchanges (DEXs) are a type of decentralized application (dApp) built as smart contracts on
blockchains like Ethereum. These smart contracts enable users to trade tokens directly with one another
without the need for a centralized intermediary. The trade terms are dened by smart contracts that
operate liquidity pools that make the swaps possible.
While DEXs facilitate token swaps, they are generally limited to assets existing on the same blockchain. This
sets them apart from cross-chain bridges. However, the distinction is becoming less clear as new services
offer native cross-asset swaps (see Case Study 8).
DEXs are often referred to as automated market makers (AMMs) because they use smart contracts to
automatically carry out buy and sell orders based on asset liquidity and pricing algorithms. This model
differs signicantly from centralized exchanges (CEXs), which manage the trade process, custody user
assets during transactions and control pricing and execution.
Because users always retain custody of their cryptoassets when using DEXs, they are often considered to
offer greater security. However, unlike CEXs, DEXs do not support direct conversions between crypto and
at currencies.
Examples of DEX interfaces: Uniswap (left) and CoW Protocol (right).
State of Cross-chain Crime in 2025
19
Cross-chain crime trends of DEXs
In our last report, we identied a range of illicit and high-risk use cases of DEXs that varied in their
sophistication and intent. These trends remain relevant today and include:
• Preparation for onward laundering – if a criminal steals assets in a highly specic token, for example
the token of a DeFi protocol they have hacked or a scam token that they have rug-pulled, they will
often seek to exchange it to a more liquid asset for onward laundering
• Swapping out of freezable assets – such as USDT and USDC
• Exploitation of limit order functionalities – these are functionalities on some DEXs that allow users to
buy or sell certain assets for predetermined prices and timeframes
• The use of complex derivative offerings – these are products offered on some DEXs that can
complicate trades and obfuscate cross-chain activity
• Gas fee nancing – Elliptic has observed that some high-risk actors, including terrorist organizations,
use DEXs to procure the native asset on a blockchain to continue transacting in stablecoins. Reserves
of the blockchain’s native asset is required for transaction (“gas”) fees
• Swapping assets for utility – criminals may swap more specic assets to more utilizable ones such as
stablecoins to engage in a variety of activities, such as trading or DeFi investments
Recent developments
Since 2023, numerous regulatory developments and technological enhancements have impacted DEXs.
These all have implications on how DEXs continue to operate and their AML responsibilities. They include:
• Financial Action Task Force (FATF) virtual asset targeted updates since 2019 note that a DEX and its
operator may qualify as a virtual asset service provider (VASP) if they exercise a degree of control over
the exchanging of assets (i.e. if these functions are not fully decentralized)
• There has been a rise of permissioned liquidity pools on some DEXs that only allow “whitelisted”
(e.g. KYC-approved) users to participate in the swapping of assets
Recent case studies
The case studies below illustrate some growing contemporary risks involving DEXs, namely rug pulls
originating from the 2024-25 memecoin craze and ongoing decentralized nance (DeFi) security breaches
and money laundering risks.
DECENTRALIZED EXCHANGES
State of Cross-chain Crime in 2025
20
CASE STUDY 4 - PREPARATION FOR ONWARD LAUNDERING
DEX used to cash out proceeds of a memecoin rug pull
Since mid-2024, speculative trading of memecoins has soared, bringing tokens such as “Fartcoin” to
prominence due to substantial market capitalization. Even US President Donald Trump and First Lady
Melania Trump have launched memecoins.
Scammers have capitalized on these trends to launch memecoins that they then cash out once a high
enough liquidity and valuation has been reached. Typically, alleged scammers have partnered with
inuencers and celebrities to release memecoins in their name, hoping that the hype will drive up the price.
Notable examples include the HAWK TUAH token – named after the inuencer of the same nickname, and a
coin released by Simon Leviev, otherwise known as the Tinder Swindler.
DEXs are commonly used to perpetrate memecoin scams, as it is DEX liquidity pools that allow victims to
purchase these coins and provide enough liquidity of another asset for the scammer to eventually dump
their memecoin supply and cash out.
The diagram below shows the typical set-up:
As mentioned, even world leaders have become involved in memecoins. On February 14th 2025, Argentinian
President Javier Milei seemingly unknowingly tweeted support to a project called $LIBRA, which later rug
pulled (i.e. exit scammed). The project had been claiming to support small projects and businesses in the
country through funding from its cryptocurrency on the Solana blockchain. Within a few hours of Milei’s
tweet, the price of $LIBRA had crashed. Milei deleted his original tweet and disavowed the project.
DECENTRALIZED EXCHANGES
State of Cross-chain Crime in 2025
21
The website of the $LIBRA project (top) and Milei’s tweets both promoting and disavowing the project (bottom).
The main liquidity pool allowing victims to purchase $LIBRA was a Solana DEX called Meteora. Between
Milei’s two tweets, the token’s market capitalization surged to $4.5 billion. Soon after, a number of Solana
addresses with signicant holdings began draining the liquidity pool of Solana and USDC, crashing the
token’s price. The amount withdrawn was almost $100 million. On March 18th, a lawsuit was led with the
Supreme Court of New York, naming Meteora, among others, as defendants.
The image below shows one alleged $LIBRA wallet progressively adding $LIBRA and removing $SOL from
the liquidity pool over 15 transactions during the exit scam.
DECENTRALIZED EXCHANGES
State of Cross-chain Crime in 2025
22
Source: solscan.io. “SPL Token” = $LIBRA.
The chart below shows the effect of these transactions over time, gradually diminishing the value of $LIBRA
while netting the scammer almost $13 million in native SOL, mostly from one transaction (pXq3d2… in the
above screenshot).
DECENTRALIZED EXCHANGES
State of Cross-chain Crime in 2025
23
CASE STUDY 5 - SWAPPING ASSETS FOR UTILITY
DEX usage following the $200 million Cetus Network exploit
Cetus, considered the largest liquidity provider DEX on the SUI blockchain, experienced a security incident in
May 2025. Within minutes, hackers were able to withdraw substantial sums on multiple tokens by exploiting
an apparent vulnerability in the protocol’s smart contracts.
The Cetus user interface.
Elliptic calculates that the combined value of the native $SUI token and other tokens stolen in this exploit
equate to over $200 million, though a portion of the stolen funds are made up of tokens whose values fell
signicantly following the theft.
The exploiter rst used a DEX to swap USDT to USDC – both stablecoins that are capable of being frozen.
Together with the USDC already stolen, these funds were then bridged to Ethereum. It is possible that
USDT was initially swapped to USDC to obtain more favorable bridging fees for the swap to the Ethereum
blockchain.
The exploiter then used another DEX aggregator to swap the USDC to ETH, likely to avoid the freezing of
funds. The Investigator graph below shows the use of DEXs on both blockchains.
DECENTRALIZED EXCHANGES
State of Cross-chain Crime in 2025
24
Cross-chain bridges
A cross-chain bridge is a service that enables users to transfer tokens from one blockchain to another.
While the level of centralization varies across different bridges, most rely on smart contracts to manage
these transfers.
When bridging an asset (Asset A) from one blockchain to another (Asset B), the bridge typically locks Asset
A and issues the user an equivalent amount of Asset B on the destination chain. Asset B is minted from a
reserve of tokens that were previously locked by users moving funds in the opposite direction. This process
is known as “lock-and-mint,” which remains the dominant model in cross-chain bridge designs.
Some bridges also allow users to convert an asset into a tokenized or “wrapped” version of itself on the
destination chain. For example, one can bridge BTC from the Bitcoin blockchain to receive BTC.b on
Avalanche or WBTC on Ethereum. These wrapped tokens can then be used for various purposes, including
investing in DeFi protocols and NFT marketplaces, while maintaining a peg to the original asset value.
Elliptic estimates that cross-chain bridges have facilitated the swap of over $680 billion worth of
cryptoassets, as shown in the chart below. Their popularity has increased since 2024, in line with the growth
of active blockchains observed since that year. This indicates that less than 0.8% of bridged assets since
our last report are proceeds of crime, and underscores the need for balanced measures when addressing
industry risks while safeguarding innovation.
Note: Bridge-to-bridge transfers have been excluded to avoid double-counting.
State of Cross-chain Crime in 2025
25
Examples of cross-chain bridge interfaces: ZKsync Bridge (left) and Synapse Protocol (right).
Cross-chain crime trends of bridges
Criminals may opt to bridge illicit assets for a number of reasons, including:
• Chain-hopping: The rapid and repeated swapping of assets from one blockchain to another is
designed to obfuscate the laundering trail and force investigators to undertake manual time-
consuming investigations to trace across blockchains. With our VVTE capabilities, this risk can be
signicantly mitigated
• Accessing further laundering services: If the proceeds of crime originate from a more obscure
blockchain, a criminal may want to bridge it to a more popular blockchain such as Bitcoin or Ethereum
to access additional obfuscation services, such as mixers or CoinJoin wallets
Recent developments
Following a series of high-prole hacks of bridges in 2022 and 2023, more recent bridge projects have
prioritized building added security and compliance into their protocols. These include permissionless
interoperability layers, interchain security modules and zk-SNARKs to avoid the use of exploitable smart
contract intermediaries.
This comes alongside ongoing regulatory activity that continues to target high-risk blockchain ecosystems
and developers. For example, the WAVES blockchain has been associated with numerous sanctioned
Russian entities and individuals, heightening the regulatory risks of bridges servicing such blockchains.
An already mentioned development is our ability to trace through bridges using VVTEs – the benet of
which is explored further in the following case studies.
CROSS-CHAIN BRIDGES
State of Cross-chain Crime in 2025
26
CASE STUDY 6 - ACCESSING FUTURE LAUNDERING SERVICES
North Korea gives itself away through bridging error
In January 2024, when DeFi platform Hector Network was hacked by North Korea for $5.5 million. The hackers
quickly set about bridging their proceeds, originating in ETH, to BNB Coin – the native token of the BNB Smart
Chain. Over 20 swaps, in batches of $20,000-$60,000, were initiated using separate destination BNB wallets.
This was likely an attempt to obfuscate their activity by structuring the funds over several smaller-value
cross-chain swaps, rather than swapping all the funds at once, in the hope that it would take investigators
20 times longer to identify all the destination addresses.
Elliptic’s VVTE capabilities were nevertheless able to identify, in a single click, that all the funds were ultimately
sent through the mixer Tornado Cash on the BNB Smart Chain, which was sanctioned at the time – an example
of both chain-hopping and the “accessing further laundering services” typology occurring consecutively.
Additionally, Investigator’s VVTE functionality identied a bridging transaction where stolen ETH was
bridged to a BNB address that was also used to receive some of the funds from Tornado Cash. This mistake
revealed the possible location of some of the funds after being mixed, which was separately conrmed
by Elliptic’s internal investigators. That bridging transaction is shown in pink rather than blue in the below
graph – indicating the importance of VVTEs for identifying criminal mistakes and critical leads during
investigations.
CROSS-CHAIN BRIDGES
State of Cross-chain Crime in 2025
27
CASE STUDY 7 - CHAIN HOPPING
Investment scam starts chain hopping while still operating
CBEX (a.k.a. Crypto Bridge Exchange) was an investment scam, mainly targeting victims in Nigeria and
Kenya, while claiming to be a legitimate crypto investment platform and exchange.
CBEX collapsed and halted withdrawals in April 2025, after which the Nigerian Securities and Exchange
Commission posted a notice that they were aware of the scheme engaging in unregulated activities.
Some promoters have allegedly surrendered to authorities.
CBEX’s digital app and website interfaces, as advertised.
CBEX’s on-chain activity suggests that the perpetrators were openly engaging in sophisticated cross-
chain money laundering even while the scam was still active and claiming to be a legitimate investment
platform. Elliptic has identied over 100 cross-chain bridging transactions from CBEX hot wallets on the
Tron blockchain to Ethereum, and then back to Tron again – a practice both costly and of little purpose
other than to obfuscate the trail.
The Investigator graph shows a non-exhaustive sample of these bridging transactions. The 1st stage shows
funds swapping from Tron to Ethereum. The 2nd stage shows funds swapping back to Tron. This activity has
been ongoing since at least October 2024, well before CBEX’s collapse.
CROSS-CHAIN BRIDGES
State of Cross-chain Crime in 2025
28
Funds were sent in large batches to numerous centralized exchanges after both the rst and second
batch of bridging, emphasizing the importance of being able to screen cross-chain risk exposure. One
noteworthy entity that also received funds is Huione Pay, a Cambodian-based service heavily associated
with the laundering of scam proceeds.
The volume of these transactions, as well as interactions with services such as Huione Pay, suggest that the
funds may have been comingled with proceeds of other high-risk activities by third party brokers or money
launderers on behalf of CBEX.
Huione Pay, which was designated as a §311 Primary Money Laundering Concern by the US Financial
Crimes Enforcement Network (FinCEN) in May 2025, will be discussed later as an example underscoring the
importance of cross-chain entity due diligence.
The Investigator graph below shows a simplied version of what is otherwise a complex investigation,
clustering each stage of bridging and viewing aggregate ows to laundering destinations. Transactions in
Ethereum and Tron are shown in blue and red respectively.
Also shown are considerable transfers to and from a Tron-based DEX for the purposes of swapping USDT
to TRX. This is required to nance the considerable gas fees needed for such large-scale bridging activity.
Alongside the aggregate ows, one example transaction is shown between CBEX and the DEX, involving the
swapping of $10,000 worth of USDT to TRX.
The wallets and entities depicted in this graph are non-exhaustive – only entities receiving major volumes
from associated wallets are shown.
CROSS-CHAIN BRIDGES
State of Cross-chain Crime in 2025
29
Coin swap services
Unlike DEXs or bridges, coin swap services are centralized (not smart contract-based) entities that are also
often known as “instant swap exchanges”. They typically exist in the form of a bespoke website or Telegram
channel. A user will be able to swap from one cryptocurrency to another – either within or across chains –
all without submitting any KYC information.
Coin swap services may vary in terms of their compliance and user base. Some major coin swap services,
while anonymous, cater to typical DeFi traders and may have some AML screening capabilities to freeze
funds from illicit sources. They may also cooperate with law enforcement and provide details of swaps
undertaken by suspect users.
Other services may openly cater to illicit audiences and advertize their services on cybercrime forums.
Some may still request users to “clean” illicit funds before sending it through their service. Others may
openly state their willingness to accept “dirty” funds and may take an additional commission for the risk.
A key attraction of many coin swap services is their offering of Monero, a popular privacy coin.
Most illicit-facing coin swaps are Russian-language services. Some also provide cash-to-crypto services in
Eastern Europe, Turkey, Russia, Ukraine, Belarus and Central Asia.
The backend of coin swap services
Coin swap services may operate in two distinct ways:
• Self-hosted services: The coin swap service builds up liquidity of certain assets and fulls orders
through its own unhosted wallets, similar to a Hawala model. They may occasionally trade on
centralized exchanges to bolster reserves of assets in which they are running low
• Nested services: These coin swap services are essentially accounts opened on a larger centralized
VASP. They are operated by an individual or entity that uses the liquidity and exchange functions
on that VASP to service incoming orders. In this scenario, the operator essentially acts as a “mule”
or a buffer between the users of the service and the actual exchange, thereby saving the user from
submitting KYC information to the VASP themselves. The operator takes additional commission for the
heightened risk in which they place themselves
State of Cross-chain Crime in 2025
30
Our previous 2023 State of cross-chain crime report (pages 30-50) contains a detailed deep dive into the
Russian coin swap service ecosystem, much of which remains relevant today.
A coin swap service web user interface (left) and a Telegram-based service (right).
Emerging developments and sanctions risks
Coin swap services present a number of heightened risks, including:
• Privacy coins: As privacy coins such as Monero continue to be delisted on mainstream exchanges, coin
swap services are increasingly becoming a key way for users to access such assets. However, liquidity
issues continue to limit the ability of high-level criminals to obtain large volumes of privacy coins
• Direct transfers to Russian banking services: Many coin swap services offer conversions of crypto to
and from Russian bank accounts and digital at payment wallets. Many of these nancial services are
on global sanctions lists following the invasion of Ukraine
• Heavy exposure to historic sanctioned activity: A large volume of incoming funds into coin swap
services originate from the likes of former darknet market Hydra and Garantex, which was often used
by self-hosted services to source liquidity. Since both Hydra and Garantex have been disrupted, the
associated risks have decreased, though historical exposure remains
• Sectoral sanctions risks: Many coin swap services offer physical cash deposit options in regions under
sectoral sanctions by the US, including the annexed regions of Crimea, Donetsk, Luhansk, Kherson and
Zaporizhzhia in Ukraine. One such service is shown in Case Study 8
• Increasing use by North Korea: Amid continuing enforcement actions against mixers and a growing
consciousness toward compliance in DeFi, North Korea has increasingly been looking at coin swap
services to launder their funds. Few services exist that can handle the liquidity required to launder North
Korea’s major hacks, but Case Study 9 discusses one such instance
COIN SWAP SERVICES
State of Cross-chain Crime in 2025
31
The illicit coin swap ecosystem
Unlike DEXs and bridges, which are typically associated with the laundering of crypto hacks and scams,
coin swap services are preferred more by criminals associated with ransomware, darknet markets and
credit card fraud (“carding”). Numerous military fundraisers also use coin swap services to nance Russian
troops and mercenaries in Ukraine.
Around 25% of all illicit and high-risk activity we observe owing through coin swap services relates to
online gambling, which is illegal or heavily regulated in many jurisdictions. Crypto-accepting online
gambling services, many of which lack mainstream licenses to operate, have been associated with
numerous illicit activities such as money laundering through rigged bets, running rigged amateur games
involving minors and undisclosed token promotions through inuencers.
Russian-speaking and Southeast Asian gambling sites have been at the forefront of those implicated,
with the latter being heavily associated with “pig butchering” scams and drug trafcking originating from
the region.
A dark web forum advertisement for a coin swap service that willingly accepts “dirty” BTC.
Arising from their popularity with darknet market buyers and sellers, some coin swap services also offer
“treasure” dumps of cash in Russia and Eastern Europe. Treasure dumps involve cash being buried or
placed in a secure pre-determined location by the client or operator, in exchange for crypto. These dumps
are later dug up by the counterparty.
Elliptic has also observed coin swap services offering money counting services under armed escort in or
around Moscow.
COIN SWAP SERVICES
State of Cross-chain Crime in 2025
32
CASE STUDY 8 - US SECTORAL SANCTIONS
Crimea-based coin swap service processes criminal funds
Services in the annexed regions of Ukraine have been targeted by both Ukrainian and US law enforcement,
culminating in a series of raids and seizures even before the full-scale invasion. To not compromise any
ongoing investigations, we have chosen not to name any services.
Elliptic has identied a coin swap service that has indicated to Russian coin swap aggregator Bestchange
that it offers conversion services in Simferopol, Crimea’s second-largest city, among other regions. The
service ofcially claims to be registered in the Marshall Islands.
The service’s web interface (left) and a generic “AML” policy placed to imply legitimacy (right).
This service is popular with a range of criminal actors, shown in the Investigator graph below. These involve
sanctioned darknet market Hydra, the Warzone remote access trojan, Conti ransomware, as well as
darknet markets Herbs of Serbia, OMG!OMG! and Shkaf.
We have also noticed withdrawals being sent to this service from an online gambling site associated with
high-risk activities that is subject to criminal proceedings in various jurisdictions, having lost its license in
the UK for running bets on allegedly rigged amateur sporting events involving children.
COIN SWAP SERVICES
State of Cross-chain Crime in 2025
33
CASE STUDY 9 - INCREASED USE BY NORTH KOREA
Bybit hackers launder record-breaking haul through eXch
On February 21st 2025, the largest theft in history occurred when crypto exchange Bybit was hacked
by North Korea-attributed hackers, losing $1.46 billion. With North Korea’s traditional preferred money
laundering services (e.g. Tornado Cash) all lacking the liquidity to process such a large volume of funds,
they turned to a coin swap service called eXch.
Around $200 million of the stolen funds were sent through eXch – a service previously operating under a
company registered in Belize, a known corporate secrecy haven. The service has, in the past, been used to
launder the proceeds of numerous high-prole hacks, though it has openly refused to block the funds or
work with law enforcement.
The eXch interface (left) and their post-Bybit hack announcements (right).
Following the Bybit hack, eXch took a combative approach, asking Bybit for “… a clear explanation as
to why we should consider providing assistance to an organization that has actively undermined our
reputation.” In public, they simply posted, “The wheel has come full circle”. The service noted that Bybit had
agged funds originating from eXch as “high risk” in the past, leading to their animosity.
Amid growing scrutiny, eXch eventually announced that it would shut down on May 1st 2025, having
apparently been made aware of alleged attempts to sanction and prosecute its administrators for
“money laundering and terrorism”.
COIN SWAP SERVICES
State of Cross-chain Crime in 2025
34
On April 30, the internet crime branch of Frankfurt’s Public Prosecutor’s Ofce, along with Germany’s Federal
Criminal Police Ofce (BKA) and the Dutch Fiscal Information and Investigation Service (FIOD), seized the
infrastructure of eXch, approximately 8 terabytes of data and around $38.2 million in cryptocurrency.
The seizure notice (left) and a forum post apparently posted by the FIOD informing eXch followers
of the enforcement action (right).
In the past, eXch publicly refused to co-operate with law enforcement regarding inows of $17.7 million
originating from a 2017 hack of Parity Wallet, and $400,000 originating from a hack of Bitbrowser. A
portion of funds stolen from FixedFloat in 2024 were also laundered through eXch, which again refused to
cooperate with law enforcement.
The chart below shows the proportion of illicit funds owing through eXch since June 2019. Elliptic has
conducted a deep dive into the rise and fall of this service, which you can read here.
COIN SWAP SERVICES
State of Cross-chain Crime in 2025
35
Blurred lines and risks involving other services
Although this report only considers DEXs, bridges and coin swap services, we have noted that these
services are becoming increasingly indistinguishable and that cross-chain crime typologies extend also
to KYC-compliant centralized services. Though these services (e.g. centralized exchanges) will typically
cooperate with law enforcement and likely have a compliance regime in place to prevent cross-chain
crime within their platform, the typologies in this report remain relevant to them.
The rst of the following three case studies illustrates the overlap between modern DEX and bridge
protocols. It shows how criminals may use protocols historically associated with bridging to full DEX
swaps, and vice versa – blurring the lines between distinct typologies associated with each type of service.
The second case shows a complex laundering scheme that utilizes all three services – namely DEXs,
bridges and coin swap services – in fast succession. The nal case shows how the typologies discussed in
this report can also be useful during investigations of centralized exchange activity.
CASE STUDY 10 - GAS FEE FINANCING
Blurring the lines between DEXs, bridges and blockchains
Jaysh al-Adl is a separatist Jihadist group in the Iranian province of Sistan and Baluchestan. It claims to
advocate for the Baloch people – a Sunni Muslim minority in Iran that constitutes 90% of the province.
Though Iran accuses Saudi Arabia and the US of nancing the group, the US has designated it as a terrorist
organization since 2010 and has sanctioned key members.
Jaysh al-Adl posting images of its ghters (left) and crypto donation addresses (right).
Jaysh al-Adl began accepting crypto in early 2024, receiving its rst donation in April. Since then, its wallets
have only raised just under $2,000 in cryptoassets. As of May 2025, only six crypto donations appear to
have been received by the group.
State of Cross-chain Crime in 2025
36
BLURRED LINES AND RISKS INVOLVING OTHER SERVICES
The Investigator graph below shows Jaysh al-Adl’s donation wallet interacting with a DeFi platform to
switch TRX – the native asset on the Tron blockchain, to BNB Coin. In this case, all transactions occurred on
the BNB Smart Chain, and the TRX in question is in fact a BEP-20 token on the BNB Smart Chain designed to
improve interoperability with the Tron blockchain.
The DeFi platform used offers a DEX aggregator – a smart contract-based service that automatically
identies the most efcient DEXs to swap assets for minimal fees. In this instance, the platform reroutes the
terrorist funds through two separate DEXs to obtain the best rates for the swap – indicating the emergence
of a secondary sanctions and terrorist nancing risk through this indirect exposure.
The donation wallet also has signicant exposure to a second wallet, likely an afliate of the group, which
interacts with the same DeFi platform to swap BEP-ETH (another BEP-20 token designed to improve
interoperability with the Ethereum blockchain) to native BNB Coin.
The same afliate also interacts, twice, with a cross-chain bridge, but uses it as a DEX to swap a total of
100 USDT on the BNB Smart Chain to BNB Coin, without switching chains. All transfers are of small value,
indicating that the purpose of these transactions is to have enough BNB Coin to pay gas fees.
This case study shows that cross-chain bridges and DEXs need not be used for distinct reasons; both
the DEX aggregator and cross-chain bridge protocols are being used for the same purpose of swapping
assets within the same blockchain. Investigators should be aware of these possibilities when drawing leads
or conclusions from cross-chain tracing.
State of Cross-chain Crime in 2025
37
CASE STUDY 11 - USE OF ALL THREE CROSS-CHAIN SERVICES
AI-enabled crypto drainer uses bridge for obfuscation
A crypto drainer is a scam-as-a-service tool that provides scammers (afliates) with infrastructure to run
phishing scams. This infrastructure may include pre-designed scam websites and smart contracts that
are coded to steal victims’ funds and then split them between the drainer operator and afliate.
Elliptic has investigated a drainer called “CryptoGrab” that claims to use articial intelligence to develop
crypto investment sites. It then sells these sites – along with backend smart contracts – to “afliates”.
Proceeds are typically split 70-30%, with 30% taken by CryptoGrab.
Fake crypto scam sites, allegedly generated by AI, in the CryptoGrab drainer catalog.
Elliptic’s analysis of CryptoGrab wallets suggest that operators have received over 2,400 variants of
crypto tokens across more than six major blockchains, from over 10,000 users. Operators have also posted
guidance to afliates – apparently suggested by “AML professionals” – on how to bypass AML-compliant
exchanges and instead use brokers in Dubai. The advice includes how to use Islamic phrasing and
amateur crypto terms to disguise their true origins and intentions.
BLURRED LINES AND RISKS INVOLVING OTHER SERVICES
State of Cross-chain Crime in 2025
38
Many of the 2,400+ tokens obtained by CryptoGrab are obscure and of low-value – meaning that neither
legitimate nor illicit mainstream services are likely to process them. This has meant that both afliates
and operators have rst made extensive use of DEXs to swap these tokens into mainstream ones such as
stablecoins or ETH – essentially preparing them for laundering.
After preparing the funds, CryptoGrab operators rst structure the proceeds into batches of Ether, typically
worth between $50,000-$60,000. They are then sent through a bridge to a layer 2 scaling solution. In
conformity with the rapid nature of typical chain-hopping, funds are sent back through to the Ethereum
blockchain within a couple of hours.
Finally, funds are sent through two coin swap services. This case study demonstrates the use of all three
cross-chain services – namely DEXs, bridges, and coin swap services, successively. The Investigator chart
below shows the cross-chain bridging process.
BLURRED LINES AND RISKS INVOLVING OTHER SERVICES
State of Cross-chain Crime in 2025
39
CASE STUDY 12 - CENTRALIZED GAS FEE FINANCING
Drug cartel launders funds back to Mexico through crypto
This case study shows a conrmed drug trafcking case, where perpetrators used a centralized exchange
to nance gas fees to carry out money laundering operations across multiple blockchains. Noticing this
typology was crucial in uncovering their on-chain footprint.
Drug cartels do not typically use crypto to launder the proceeds of drug sales. However, in instances that
they do, their on-chain footprint can offer numerous insights into their wider activities and organizational
structure – a notable advantage of blockchain transparency.
In one case, a professional money laundering organization (PMLO) associated with a drug cartel was
contracted to pick up multiple “drops” of cash that were proceeds of drug trafcking in the US. These drops
were arranged undercover by the Drug Enforcement Agency (DEA).
The cash was converted to USDT and then eventually pooled into a centralized exchange account owned
by one of the PMLO operators. This operator was then tasked with dispersing these funds to addresses
designated by the cartel. At this stage, cartels typically convert the crypto back into cash, often at a
discount throughout Latin America given their illicit origin.
In this case, investigators noticed that the account pooling the funds from drops was also nancing the
gas fees of PMLO associates tasked with the initial deposits, including other operatives associated with
separate drops. This typology was used to identify other addresses linked to those operatives by tracing
small payments in native ETH or TRX tokens sent from the pooling account – uncovering the on-chain
footprint of the larger cross-chain PMLO operation.
The investigator chart below shows the on-chain PMLO ecosystem uncovered by this investigation,
including the gas fee nancing activity that helped unveil associated wallets. You can read more about
this case in the associated civil forfeiture complaint.
BLURRED LINES AND RISKS INVOLVING OTHER SERVICES
State of Cross-chain Crime in 2025
40
Guide:
Fighting cross-
chain crime
with Elliptic
Our solutions
All of Elliptic’s blockchain analytics are “holistic” (i.e. multi-asset and multi-chain) enabled.
They complement an effective compliance and investigations regime in different ways:
Elliptic Navigator
Fully automated real-time cryptoasset transaction
monitoring that traces funds across blockchains and
assets. Navigator identies links to illicit activity to deliver
leading anti-money laundering compliance and protects
your business from nancial crime.
Elliptic Lens
Screens crypto wallets in real-time and protects your
business from nancial crime. Uncovers links to illicit
activity with holistic risk proles of a wallet that takes into
account all transactions across all major blockchains
and assets.
Elliptic Discovery
Assesses nancial crime risk when engaging with
crypto exchanges, custodians, and other cryptoasset
businesses. Provides insights into the risk of coin
swap services and entities suspected to operate
from sanctioned or high-risk jurisdictions, which can
assist compliance strategies and law enforcement
investigations.
Elliptic Investigator
Conducts single-click investigations across blockchains
and assets with ease. Instantly visualizes the ow of
crypto funds through wallets, entities and transactions to
nd meaningful evidence quickly and reduces the time
and resources needed to close cases.
State of Cross-chain Crime in 2025
42
The power of holistic screening
and investigations
A holistic blockchain analytics solution is one that can screen all assets involved in a certain address or
transaction at once, without requiring you to open separate investigations or screen the same address for
each asset separately.
For example, if an Ethereum address holds ETH, USDT and DAI, our holistic solutions will consider all these
assets at once, negating the need to screen the address three times for each asset.
There are three core advantages of our holistic blockchain analytics solutions:
If one asset of many in a wallet is from an illicit source
Suppose you are a crypto exchange screening an Ethereum wallet containing multiple assets. In this wallet,
the native ETH being sent to your exchange may be clean. However, this does not necessarily mean the
wallet is low risk. The other assets in this wallet, for example the USDT, may have originated from a high-risk
source, such as a North Korean Lazarus Group hack.
Screening only the ETH exposure, or only some assets, is therefore insufcient, as it does not give a full risk
prole of the wallet. Since a wallet may hold 100s of assets, holistic screening capabilities with wide asset
and blockchain coverage allows for a single screening to capture risks associated with all assets at once –
avoiding repetitive screenings or compliance issues.
If a suspect has bridged assets from another blockchain
Suppose again you are a crypto exchange considering whether to allow an ETH deposit from an address.
A non-holistic screening tool may show that the funds originate from a cross-chain bridge. However,
this does not provide details on where the assets originated from before being bridged to the Ethereum
blockchain. Cross-chain tracing (VVTE) capabilities become crucial in these cases for observing any illicit
activity that may have occurred on the blockchain(s) of origin.
State of Cross-chain Crime in 2025
43
If you need to conduct due diligence on a service
Suppose, once more, that you are a crypto exchange or a nancial service and that another crypto service
is seeking to establish a relationship with you. This may be to use your wallet infrastructure to operate a
nested service, or to open a bank account, respectively. In another scenario, you may notice that a user is
interacting with this service at suspicious volumes.
In these scenarios, you may wish to conduct due diligence on this service. Elliptic Discovery can provide an
overview of the illicit and sanctions exposure of crypto services on all blockchains on which they operate. It
will also provide details on whether KYC information is collected, whether privacy coins are offered, and the
jurisdiction(s) in which they operate.
Therefore, should the service be heavily exposed to sanctioned, illicit or terrorist locations or activity, you
will be able to identify this and refuse association accordingly.
To illustrate the abundance of assets and blockchains that typical illicit actors are now engaged with, the
Investigator graph below shows some transactions to and from the sanctioned Wagner Group-afliated
Task Force Rusich mercenaries operating on behalf of Russia in Ukraine – emphasizing the importance of
wide network coverage.
THE POWER OF HOLISTIC SCREENING AND INVESTIGATIONS
State of Cross-chain Crime in 2025
44
Screening for multi-asset or
multi-chain risk exposure
Elliptic Lens and Navigator can screen wallets and transactions for risk respectively, across all assets
involved. Both Lens and Navigator provide summary graphs showing the risk exposure of the screened
transaction or wallet, respectively.
The guides below detail how these features can be used to screen for cross-chain risks.
Using Elliptic Navigator
As a virtual asset service provider, you will be monitoring scores of incoming and outgoing transactions
to and from user accounts. Our API provides the ability to monitor these transactions at scale, with our
Navigator app itself available for more in-depth analytics.
Suppose you are screening a transaction of $1,001.26 worth of MATIC, the native token of the Polygon
blockchain, being deposited by a wallet into your exchange. The interface below shows the screened
transaction. Navigator has identied this transaction as high risk due to a two-hop exposure to a hack
associated with North Korea.
The risk score provided is based on congurable risk rules, customized according to your risk appetite. Our
example risk rules in the above visualization automatically score any exposure to sanctioned activity, no
matter how minor, with the maximum score of ten.
Navigator also provides a risk graph, showing the nature of the exposure of this transaction to any high-
risk origins. The graph below – which can be automatically opened in our Investigator solution for further
analysis – shows that funds are two hops away from the DPRK hack.
State of Cross-chain Crime in 2025
45
Although our transaction of interest concerns $1,001.26 worth of MATIC, looking at the origin of only this
MATIC would have caused us to miss the exposure to North Korea. This is because the funds that the input
wallet received from the hack are not in MATIC but on a different blockchain entirely – namely the XDC
Network. This can be identied by selecting the transaction two hops back on the graph.
As mentioned, screening for the origin of only the asset involved in a given transaction is insufcient.
The origin of any asset that the depositing wallet has interacted with must be screened to accurately
gauge the risks of accepting funds from that wallet. Holistic-enabled transaction monitoring solutions like
Navigator are therefore critical.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
46
Navigator also shows a proportional overview of the source of funds, again covering all assets associated
with the input wallet and not just the one involved in the transaction:
This example shows how the ability to screen newer and emerging assets and networks is becoming
increasingly crucial for ensuring maximum compliance and risk coverage, as crime and sanctions risks are
no longer limited to traditional blockchains. Elliptic remains committed to expanding its already industry-
leading coverage of 50+ blockchains to ensure that risks that involve emerging blockchain projects (such
as in this example) can be captured and agged effectively.
Using Elliptic Lens
Compliance teams and investigators will often need to understand the risk prole of a certain wallet or
entity. Elliptic Lens provides a risk report based on both incoming and outgoing activity associated with a
wallet (or a cluster of wallets that belong to the same entity). This risk report will consider all assets that we
support with which the wallet or entity has interacted.
As in Elliptic Navigator, the risk report is based on congurable risk rules that can vary according to your risk
appetite, including factors such as exposure or jurisdictions of origin.
Suppose you are investigating an address, “0x74b...”. You may be interested in nding out if:
• You are a compliance professional and have noticed that there are consistent incoming or outgoing
transfers between accounts at your institution and this address
• You are a law enforcement investigator and this wallet has appeared during an enforcement raid or
another investigation
• You are in traditional nancial compliance and this wallet belongs to one of your clients, and you wish
to ascertain the source of wealth
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
47
The wallet “0x74b....” has interacted with nine assets across both Ethereum and the BNB Smart Chain. A
non-holistic wallet screening tool would need nine screenings, one for each asset, to obtain the complete
risk picture from this wallet. However, since Elliptic Lens is holistic-enabled, one screening considers
incoming and outgoing risk exposure across all nine assets at once:
Elliptic’s copilot, our AI-enabled assistant, provides a summary of the risk screen for both the source and
destination of funds. In this case, Lens has indicated a high risk score of ten for the destination of funds
from this wallet, with heavy exposure to sanctioned activity. Elliptic’s copilot provides a summary of these
sanctioned actors and the degree to which the screened wallet is exposed to them:
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
48
Like Navigator, visual risk graphs show the nature of exposure between the screened wallet and entities of
interest. For example, the graph below shows a direct transfer (likely a donation) from this wallet to MOO
“Veche”, a Russian military fundraiser procuring drones for troops and mercenaries in Ukraine, as described
by the middle Elliptic’s copilot summary above. MOO “Veche” is a US-sanctioned entity and operates in
Luhansk, which is an additional sectoral sanctions risk.
Notice that the exposure to MOO “Veche” occurs in USDT on the Ethereum blockchain. If a non-holistic
solution were, for example, used to screen this wallet for activity in BNB Coin only, this sanctions risk would
have been missed.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
49
Using Elliptic Discovery
Virtual asset services tend to support several different assets and blockchains. Therefore, being able to
conduct due diligence on them holistically rather than one asset at a time is crucial for cost and time
efciency. Holistic entity due diligence is particularly useful if:
• You are a compliance professional and wish to ascertain whether you would like to authorize
transactions to and from a service
• You are a law enforcement investigator and you are investigating the activity of a suspicious service
to check for AML/CFT deciencies or sanctions evasion
• You are a regulator and you want to check if a service is complying with regulations, or you want to
ascertain whether it is eligible for a virtual asset license in your jurisdiction
• You are a nancial institution and a service wants to open a bank account with you
Suppose, for one of the reasons above, you are looking into an entity called “Huione Pay”, which we already
mentioned briey in Case Study 7. Searching the name in Elliptic Discovery reveals both on-chain and off-
chain information about this entity.
The off-chain corporate information reveals that the entity is based in Cambodia, where its banking license
has been withdrawn. In addition, Elliptic has designated this entity as a “Dark Service”, contributing to its
maximum risk score of 10.
This example has been chosen because Elliptic has investigated this entity in depth, identifying it as a key
money laundering service for pig butchering-related activity. Huione Pay is also known to have applied for
licenses and incorporation in multiple jurisdictions – underscoring the importance of entity due diligence. On
1 May 2025, the US Financial Crimes Enforcement Network (FinCEN) proposed a new rule to designate Huione
Group as a §311 Primary Money Laundering Concern, after which the entity began winding down its operations.
Much of the $12 billion+ illicit funds identied by Elliptic Discovery originate from dark vendor shops and
other dark services. Many of these sell goods and services designed for scammers and were part of the
Huione Guarantee marketplace, prior to its shutdown by Telegram.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
50
Among these vendors, Elliptic has identied the sale of money laundering services, leaked information
about high-net-worth individuals, AI deepfake tools, detention and torture equipment positioned towards
human trafcking situations and scam crypto investment sites.
A summary of Huione Pay’s high-risk activity across all blockchains, over the month leading up to the screening,
provided by Discovery. Exposure within three hops is shown.
Elliptic Discovery is able to produce summary graphs, such as the one below, showing the incoming
volumes of illicit funds to the screened entity over time. Users of Discovery can adjust for time periods,
types of illicit activity, counterparty locations (e.g. sectoral sanctions), number of hops, incoming /
outgoing exposure, among other variables based on their risk appetite.
These summaries provide an overview of incoming and outgoing funds across all assets with which a
service operates, negating the need to conduct due diligence one asset at a time.
A congurable Elliptic Discovery summary graph shows incoming illicit funds across all blockchains
and assets into Huione Pay over time, providing an overview of risk.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
51
Using Elliptic Investigator
Elliptic Investigator is a powerful solution allowing cross-chain investigations to be conducted seamlessly
and at scale. Since our last report in 2023 and as already discussed, a number of crucial features have
been added to the solution that are designed to signicantly reduce the time and cost of investigations.
These features, already introduced through case studies, include:
• Virtual value transfer event (VVTE) capabilities to trace through bridges: allows funds to be traced
across blockchains through over 300 bridging combinations
• Transaction-based tracing: Although ascertaining aggregate ows (i.e. the combined volume of all
transactions) between wallets is useful, some investigations may be interested in specic transactions.
Identifying gas fee nancing (see Case Studies 10 and 12) is one such use case
• Plotting of custom addresses within clusters: Though Elliptic clusters addresses that it determines to be
part of the same wallet or entity, more granular investigations might need to separate specic addresses
from their wider ownership – for example to ascertain the specic deposit addresses within a VASP
• Behavioral detection: the ability for our solutions to automatically detect some types of high risk
activity, such as peel chains, mixer-rst funding and scam activity, to inform investigators without the
need for them to identify these behaviors manually
As with all other solutions, a single Investigator graph is able to display activity across 50+ blockchains,
without the need to open a separate investigation for each asset. To illustrate these capabilities and their
utility, we re-create below an investigation that identies the nancing of a Russian military fundraiser –
involving bridges and behavioral detection ags.
Suppose you are a DeFi protocol, and a user has initiated a withdrawal to an address that has been
marked by Elliptic as having been initially funded by a mixer:
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
52
“Mixer-rst funding” suggests that this wallet address nanced its gas fees anonymously through a mixer.
As Case Studies 10 and 12 have shown, all wallets need a certain amount of a blockchain’s native token
to pay transaction fees. Often, these are obtained through centralized services, DEXs or bridges. Cases
where a mixer is used do not necessarily indicate illicit activity but suggest that the owner of the wallet
is particularly privacy-focused. In some circumstances, particularly if other risk indicators exist, this may
constitute a red ag.
The aggregate value of all ows between the suspect and the DeFi protocol, as shown in the previous
visualization, suggests the suspect sent $128,700 to the protocol and received $120,700 back. These ows
involve both ETH and renBTC. To understand what is happening, we can plot these ows by individual
transaction, as below:
Plotting out the individual transactions shows that, through three separate deposits and withdrawals
between 21-24 November 2022, the suspect used the DeFi protocol to swap ETH for renBTC. RenBTC is a
wrapped version of Bitcoin on the Ethereum blockchain used to swap assets to the Bitcoin blockchain via
renBridge – a bridge that was sunset following the collapse of FTX and Alameda Research in 2022.
We also notice that the mixer used to fund the suspect wallet was Tornado Cash, on the same day that
sanctions were imposed on it by the US (they were later lifted in March 2025).
At this stage of the investigation, it is clear that the suspect is intending to swap assets from ETH to
Bitcoin through renBridge, as this is the primary utility of the renBTC token. True enough, we observe a
ow of $108,531 to renBridge, shown in the investigator graph overleaf. In this situation, assuming our
VVTE capability was not available, an investigator would have to manually match Ethereum deposits into
renBridge with equivalent Bitcoin withdrawals.
The work involved would multiply in terms of time and effort involved depending on how many swaps the
suspect had made with renBridge.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
53
The ability for VVTEs to directly trace through bridges, however, negates this need. Looking at the outward
exposure of this suspect will reveal that funds have ended up in numerous illicit and high-risk destinations
on both the Bitcoin and Ethereum blockchain, including darknet markets, wallets associated with theft,
known criminals and three Russian military fundraisers.
These exposures already factor in the use of a bridge to reach Bitcoin from Ethereum.
One of the Russian military fundraisers receiving a sizable amount is Peter ZoV, a St. Petersburg-based
arms proliferation initiative. Peter ZoV is one of the most successful crypto-accepting Russian military
fundraisers, raising almost $800,000 in donations.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
54
The screenshots below show some Telegram posts from Peter ZoV showcasing the efforts of their
fundraising. The Investigator graph thereafter shows the complete investigation, having clicked “Add”
beside “Peter Zov” in the exposure visualization above.
Examples of Telegram-based fundraising activity by Peter ZoV.
In the visualization below, the blue transactions depict the VVTEs, automatically plotted to show funds
being bridged from Ethereum to Bitcoin via renBridge. The transaction timestamps suggest that most
funds sat dormant for over a year afterwards, being donated in 2024.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
55
Though this guide went through the conduct of this investigation in detail, the actual production of
the graph above can be done in as little as three steps without the need to manually consider the
involvement of a cross-chain bridge, namely:
1. Plot the suspect’s wallet on the graph (and, optionally, the ows or individual transactions from
Tornado Cash and the DeFi protocol)
2. Check the outgoing exposure tab for illicit or high-risk destinations
3. Click “add” next to “Peter ZoV” to plot the VVTEs and subsequent transactions between the suspect
and Peter ZoV
Alternatively, investigators can selectively identify and plot relevant VVTEs through Investigator’s “virtual
transactions” tab, which lists all bridging transactions associated with a wallet. This is shown in the
interface below.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
56
Using these steps, we can complete the investigation by identifying numerous other notable destinations
post-bridge, including an exchange and three other Russian military fundraisers. The bridging of funds
to a centralized exchange suggests, from the perspective of a law enforcement investigation, that KYC
information about this suspect or an afliate might exist.
We also note other obfuscation techniques in this suspect’s donation activity, including the use of peeling
chains – another behaviour automatically detected and agged in Investigator.
The Investigator graph below shows the complete investigation, with additional destinations beyond Peter
ZoV also plotted. Transaction timestamps are removed for visual simplicity.
SCREENING FOR MULTI-ASSET OR MULTI-CHAIN RISK EXPOSURE
State of Cross-chain Crime in 2025
57
Conclusion: the power of holistic investigations
Whether you are a virtual asset service compliance professional, a law enforcement investigator, a
regulator or a nancial institution facing the growing reality of crypto adoption, cross-chain blockchain
analytics is now the industry standard.
The growing adoption of crypto worldwide, as well as regulatory developments in the US and beyond,
conrm that crypto is here to stay. That means it is our duty now more than ever to ensure that our
ecosystem is safe and accessible to everyone, and is protected from bad actors that seek to disrupt
benecial innovation.
Elliptic’s pioneering of the rst holistic solutions in the market, coverage of 50+ blockchains and the ability
to automatically trace through over 300 bridging combinations underscores our resolve to partner with all
stakeholders to negate the risk of cross-chain crime. Criminals are increasingly targeting and operating
within emerging blockchains and obscure tokens – emphasizing the importance of our industry-leading
asset and network coverage.
With almost 27% of cross-chain investigations now involving more than ve blockchains – and 20%
more than ten, features such as virtual value transfer events (VVTEs) ensure that our solutions can
reduce complex investigations or screening tasks from hours to seconds. These efciency savings are
compounded by features such as congurable risk rules, Elliptic’s copilot, transaction-based tracing and
behavioral detection – all demonstrated throughout this report through real-world case studies.
The growing nature of cross-chain crime – now estimated to exceed $21.8 billion, underscores the
importance of upscaling our capabilities to investigate these threats.
It also ensures that virtual asset businesses and nancial services are protected from growing threats and
trends that involve cross-chain crime, such as ongoing North Korean activity, conict-related fundraising,
sectoral sanctions and crypto scams.
You can nd out more about our industry-leading solutions and how they can help you stay ahead of
these trends at www.elliptic.co/holistic. You can also contact us to schedule a demo.
We also recommend you check out our blog and resources pages, which also contain a wealth of material
about up-to-date crypto crime risks, trends, typologies and regulatory updates.
State of Cross-chain Crime in 2025
58
A P P E N D I X
Methodology
Elliptic’s dataset – which has documented crypto crime and expanded since 2013 – was used to calculate
the USD value of illicit crypto owing into DEXs, bridges and coin swap services.
Our old pre-July 2023 gures ($7 billion) consider an unlimited number of hops. Since then, for the
purposes of calculations within this report, we only include illicit activity originating from a maximum of
three hops away from a DEX, bridge or coin swap service. This also applies for $1.5 billion in pre-July 2023
criminal activity that has since been identied retrospectively. We have opted to do this purely for this
report to ensure statistics are as relevant and robust as possible. Elliptic’s internal exposure calculation
methodology is otherwise based on unlimited hops.
This gure double-counts illicit funds that have been swapped multiple times. We consider this important
as it is essential to the criminal typology: assets are often subject to chain-hopping several times in fast
succession to obtain maximum obfuscation.
Elliptic calculates the USD value of these transactions according to the exchange rate at the time of their
occurrence. All assets covered by Elliptic’s holistic blockchain analytics capabilities are included in the
calculations. Although we cover these blockchains, our gures exclude Bitcoin Cash, Horizen and Zcash.
Elliptic is not responsible for the accuracy of any data presented from external sources.
The difference between the $7 billion of cross-chain crime identied in our previous report and the
$21.8 billion estimate that covers up to and including May 2025 arises due to:
• The inclusion of more assets and blockchains – and thus criminality occurring on them – both since
and before July 2023
• Criminality that has occurred prior to July 2023 (the cut-off date for data analysis for our last report)
that has been identied retrospectively
• Illicit or high-risk activity that has occurred between July 2023 and May 2025
• Crypto owing in and/or out of entities that have since been sanctioned, seized or declared criminal by
relevant agencies (or, in the case of Tornado Cash, delisted)
Some illicit or high-risk activity included in our calculations may not be criminalized in some jurisdictions.
Examples include gambling services, marijuana vendor shops and entities that have been sanctioned by
some jurisdictions but not others.
We have anonymized some services throughout this report to not inadvertently advertise them or
disrupt any ongoing law enforcement investigations. Law enforcement readers may get in touch at
investigations@elliptic.co to receive details about the identity of any service discussed in this report.
State of Cross-chain Crime in 2025
59
Contact us for a demo
or sign up to our newsletter
to stay updated about our
latest research.
Connect on LinkedIn
Follow us on X
Contact us at hello@elliptic.co
elliptic.co
About Elliptic
Elliptic is the global leader in cryptoasset risk management
for crypto businesses, governments and nancial institutions
worldwide. Recognized as a WEF Technology Pioneer and backed
by investors including J.P. Morgan, Wells Fargo Strategic Capital,
SBI Group and Santander Innoventures, Elliptic has assessed risk
on transactions worth several trillion dollars, uncovering activities
related to money laundering, terrorist fundraising, fraud and other
nancial crimes. Elliptic is headquartered in London with ofces in
New York, Singapore and Tokyo.
LONDON • TOKYO • NEW YORK • SINGAPORE
