In 2025, Chinese-language organizations laundered on average $44 million in illicit crypto each day, amounting to $16.1 billion.
# Incident Report: Large-Scale Illicit Cryptocurrency Laundering by Chinese Networks in 2025
## Executive Summary
Throughout 2025, Chinese-language organizations operated as highly professionalized actors in the global illicit finance landscape, laundering an estimated \$16.1 billion in cryptocurrency, an average of \$44 million per day and roughly 20% of all illicit funds moved on-chain worldwide. They ran cross-border operations built on escrow ("guarantee") marketplaces and money mules. Targeted regulatory and enforcement actions late in the year disrupted specific platforms, after which the networks migrated their services to alternatives.
## Incident Details
- **Discovery Date:** Ongoing, with analysis culminating in a January 2026 report.
- **Incident Date:** Calendar Year 2025 (Ongoing activity throughout the year).
- **Affected Organization:** No single victim organization; the laundering services were used by various global criminal enterprises, and the victims of the underlying crimes (scams, hacks) are numerous and unspecified.
- **Sector:** Financial Technology (Cryptocurrency Services), Organized Crime, Cybercrime-as-a-Service.
- **Geography:** Global operations, with organizational roots and coordination primarily linked to Chinese-language organizations; significant activity observed across Southeast Asia nexus points (e.g., Cambodia).
## Timeline of Events
### Initial Access (to the Illicit Ecosystem)
- **Date/Time:** Ongoing throughout 2025.
- **Vector:** Proceeds of **pig butchering scams**, **hacking campaigns**, **exploit attacks**, and other **cybercrime**.
- **Details:** For a laundering network, "initial access" is the inflow of victim funds: cryptocurrency lost by scam victims or stolen in hacks enters the laundering pipeline from the operators of those schemes.
### Lateral Movement (Within the Laundering Scheme)
- **Date/Time:** Continuous process following funding generation.
- **Vector:** **Money mules** and specialized **"Black Ops" services**.
- **Details:** Funds were layered across many wallets, frequently through **swapping services** that converted them between assets to obscure the original source, before delivery to the end customers: transnational organized crime groups.
### Data Exfiltration/Impact
- **Date/Time:** Throughout 2025.
- **Vector:** N/A (This is a financial crime event, not a traditional data breach).
- **Details:** The impact centers on the successful laundering of **\$16.1 billion** in illicit cryptocurrency, diverting it from legitimate detection and seizure channels.
### Detection & Response
- **Date/Time:** Ongoing monitoring by Chainalysis and regulatory bodies throughout 2025; specific actions noted in late 2025.
- **Vector:** Blockchain analytics, regulatory enforcement actions (e.g., U.S. Treasury sanctions).
- **Details:** Response included U.S. Treasury actions against the Cambodia-based Huione Group and the Prince Group, and Cambodian government action (license revocation). The networks responded by migrating their services to alternative platforms.
## Attack Methodology (Financial Crime Focus)
- **Initial Access:** Acquisition of illicit crypto via **pig butchering scams**, **exploit attacks**, and **hacking campaigns**.
- **Persistence (Service Continuity):** Reliance on **"guarantee" platforms** (escrow marketplaces) to ensure service reliability and client trust.
- **Privilege Escalation:** N/A (not applicable in the intrusion sense).
- **Defense Evasion:** Rapid migration across platforms following regulatory pressure (e.g., moving off platforms targeted by sanctions).
- **Credential Access:** N/A (Focus on asset movement, not network credentials).
- **Discovery:** N/A (Focus on operationalizing existing illicit funds).
- **Lateral Movement:** Use of **money mules** and Black Ops services to distribute and mix funds.
- **Collection:** Aggregation of illicit funds using specialized crypto wallets and swapping services.
- **Exfiltration:** Conversion and transfer of laundered crypto to beneficiaries of organized crime groups.
- **Impact:** Successful washing of **\$16.1 billion** into the financial system.
## Impact Assessment
- **Financial:** **\$16.1 billion** laundered successfully in 2025. This represents 20% of all illicit crypto laundered globally (\$82 billion total).
- **Data Breach:** None reported (Financial crime focus).
- **Operational:** The laundering networks operated with high efficiency, allowing them to service transnational organized crime across Europe and North America.
- **Reputational:** Further damage to the perceived integrity of the cryptocurrency ecosystem, even though on-chain transparency is what made the activity measurable in the first place.
## Indicators of Compromise
*Note: This incident concerns financial network activity, not a network intrusion; the indicators below describe suspicious on-chain and behavioral patterns rather than hosts, files, or domains.*
- **On-Chain Indicators:**
- High frequency of transactions to or from addresses linked to known suspicious escrow ("guarantee") services.
- Sudden, high-volume inflows and outflows on addresses flagged by Chainalysis during known scam cycles (e.g., addresses tied to identified **pig butchering** operations).
- **File Indicators:** N/A
- **Behavioral Indicators:**
- Use of swapping services to convert large volumes of the initially received assets (e.g., BTC, ETH, stablecoins) into other assets, or routing through mixers, shortly after receipt.
- High transaction volume routed through services advertised in Telegram groups that offer "guarantee" escrow protection.
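The behavioral indicators above (and the layering through mules and swapping services described under Lateral Movement) can be checked with simple transaction-graph analysis. The following is an added example written for this page; it is not code from Chainalysis or from the report summarized here. It runs on a small constructed ledger with placeholder addresses, and the addresses, the `guarantee_deposit` watchlist entry, the `swap_service` label and the thresholds are all assumptions for illustration.

```python
"""Added example: toy transaction-graph checks for the layering and
pass-through behaviours described above. Constructed data, not from the
Chainalysis report; addresses are placeholders, not real on-chain addresses."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    ts: int        # unix seconds (constructed)
    src: str
    dst: str
    asset: str
    amount: float  # USD-equivalent value at time of transfer


# Constructed ledger: two scam victims pay a collector address, the collector
# splits the funds across mules, one branch is swapped USDT->ETH, and both
# branches land on a deposit address of a hypothetical "guarantee" platform.
LEDGER = [
    Tx(1_000, "victim_1", "scam_collector", "USDT", 50_000),
    Tx(1_100, "victim_2", "scam_collector", "USDT", 30_000),
    Tx(1_200, "scam_collector", "mule_a", "USDT", 40_000),
    Tx(1_250, "scam_collector", "mule_b", "USDT", 40_000),
    Tx(1_300, "mule_a", "swap_service", "USDT", 40_000),
    Tx(1_320, "swap_service", "mule_c", "ETH", 39_500),
    Tx(1_400, "mule_b", "guarantee_deposit", "USDT", 40_000),
    Tx(1_500, "mule_c", "guarantee_deposit", "ETH", 39_500),
    # Benign activity: a customer keeps most of what they receive for a day.
    Tx(90_000, "merchant", "customer", "USDT", 5_000),
    Tx(95_000, "customer", "exchange", "USDT", 1_000),
]

WATCHLIST = {"guarantee_deposit"}   # assumed flagged escrow-platform address
SWAPS = {"swap_service"}            # assumed known swapping service


def _out_edges(ledger):
    out = defaultdict(list)
    for tx in ledger:
        out[tx.src].append(tx)
    return out


def trace_paths(ledger, start, targets, max_hops=6):
    """Return every time-ordered path of at most `max_hops` transfers from
    `start` that ends at an address in `targets`. Requiring each hop to be
    later than the previous one is what separates a layering chain from
    unrelated older activity on the same wallets."""
    out = _out_edges(ledger)
    paths = []
    queue = deque([([start], -1)])  # (addresses on the path, ts of last hop)
    while queue:
        path, last_ts = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for tx in out[path[-1]]:
            if tx.ts <= last_ts or tx.dst in path:  # no backwards hops, no cycles
                continue
            nxt = path + [tx.dst]
            if tx.dst in targets:
                paths.append(nxt)
            else:
                queue.append((nxt, tx.ts))
    return paths


def pass_through_wallets(ledger, max_dwell_s=3600, min_ratio=0.9, ignore=frozenset()):
    """Flag wallets that forward at least `min_ratio` of what they receive
    within `max_dwell_s` of their first inflow: the money-mule signature.
    Known services (swaps, exchanges) match too, so pass them in `ignore`."""
    inflow, outflow = defaultdict(float), defaultdict(float)
    first_in, last_out = {}, {}
    for tx in sorted(ledger, key=lambda t: t.ts):
        inflow[tx.dst] += tx.amount
        first_in.setdefault(tx.dst, tx.ts)
        outflow[tx.src] += tx.amount
        last_out[tx.src] = tx.ts
    flagged = {}
    for addr, received in inflow.items():
        if addr in ignore or addr not in last_out:
            continue
        ratio = outflow[addr] / received
        dwell = last_out[addr] - first_in[addr]
        if ratio >= min_ratio and dwell <= max_dwell_s:
            flagged[addr] = {"ratio": round(ratio, 3), "dwell_s": dwell}
    return flagged


if __name__ == "__main__":
    for p in trace_paths(LEDGER, "victim_1", WATCHLIST):
        print(" -> ".join(p))
    for addr, stats in pass_through_wallets(LEDGER, ignore=SWAPS | WATCHLIST).items():
        print(f"pass-through: {addr} {stats}")
```

On the constructed ledger, `trace_paths` finds both routes from the victim deposits to the watchlisted platform address (one direct via `mule_b`, one through the swap and `mule_c`), and `pass_through_wallets` flags the collector and the three mules while leaving the benign `customer` wallet alone. The swap service also matches the pass-through test, which is why an allowlist of known services has to sit beside the watchlist; without it, every exchange hot wallet looks like a mule. Real analysis works on clustered entities rather than single addresses, with far larger hop budgets.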
## Response Actions
- **Containment Measures:** U.S. Treasury enforcement actions, including sanctions against key actors like the Prince Group and Huione Group associates (October 2025).
- **Eradication Steps:** Revocation of operating licenses for key entities (e.g., Cambodian government took action against Huione).
- **Recovery Actions:** Seizure of large amounts of digital assets (roughly \$15 billion worth of Bitcoin seized from Chen Zhi).
## Lessons Learned
- **Professionalization:** Criminal laundering networks have rapidly professionalized into multi-billion dollar, cross-border operations offering competitive, efficient services.
- **Fungibility of Platforms:** Disrupting one laundering channel (e.g., Huione) produced near-immediate migration to alternative, unregulated or less-policed platforms; monitoring must therefore cover the whole ecosystem rather than isolated entities.
- **Cross-Border Coordination:** Regulatory efforts, such as U.S. Treasury sanctions, can disrupt specific nodes, but global coordination is essential due to the transnational nature of these groups.
## Recommendations
- **Proactive Sanction Targeting:** Regulators must focus on identifying and sanctioning the escrow/marketplace platforms that provide the core trust and infrastructure for these laundering services.
- **Continuous Blockchain Intelligence:** Investment in real-time blockchain analytics is necessary to track instantaneous migration patterns between service providers.
- **Information Sharing:** Enhance intelligence sharing regarding the tactics used by Chinese-language money laundering networks to service cybercrime globally, especially concerning "guarantee" services advertised on encrypted messaging apps.