The State of Crypto AML 2026 — AegisAML Annual Report
TL;DR — Documented crypto theft in 2025 exceeded USD 4 billion, the largest annual figure on record, driven by the February 2025 Bybit hot-wallet drain (USD 1.5 billion) attributed to the DPRK-linked Lazarus Group. Wallet drainer kits exfiltrated a further USD 494 million+ in 2024 with sustained activity through 2025. The OFAC SDN list now contains over 800 designated crypto wallet addresses across major chains. EU MiCA enforcement, FATF Travel Rule implementation at the USD 1,000 threshold, and tightening exchange compliance postures define the 2026 operating environment. This report synthesises the public record for self-custody holders, OTC desks, and family offices who do not have access to enterprise blockchain analytics platforms.
Citation
AegisAML Editorial Team. (2026). The State of Crypto AML 2026: Annual Report. Report AEGIS-CAML-2026-Q2. Available at https://aegisaml.io/guides/state-of-crypto-aml-2026.html
1. Executive summary — ten facts about 2025
- USD 4 billion+ in documented crypto theft in calendar year 2025, the largest annual figure on record.
- USD 1.5 billion drained from Bybit on February 21, 2025 — the largest single crypto theft ever, attributed to DPRK-linked Lazarus Group.
- USD 494 million+ exfiltrated by wallet drainer kits in calendar year 2024; sustained at USD 25 to 50 million per month through 2025 and Q1-Q2 2026.
- USD 71 million single-victim address-poisoning loss documented in May 2024; the largest known address-poisoning incident.
- Over 800 cryptocurrency wallet addresses designated on the US Treasury OFAC SDN list across BTC, ETH, TRX, BNB and other chains.
- EU CFSP sanctions expanded coverage of Russia-linked crypto entities through 2024-2025, with explicit MiCA enforcement entry into force in 2025.
- FATF Travel Rule implemented at the USD 1,000 equivalent threshold in the EU (EUR 1,000), the UK (GBP 1,000), Singapore (SGD 1,500) and Switzerland (CHF 1,000) by mid-2025.
- USDC issuer Circle blocklisted an aggregate of more than USD 50 million in USDC across sanctioned addresses through 2025.
- Tornado Cash usage persisted at meaningful volume after the August 2022 OFAC designation, with the deposit contracts processing measurable daily inflow throughout 2024-2025 despite legal action.
- Free crypto AML tools emerged as a distinct market category in 2025-2026, with AegisAML, Misttrack, ScamSniffer, GoPlus Security, and others addressing the self-custody and individual-buyer segment that commercial AML vendors do not serve.
2. The 2025 threat landscape
2.1 Aggregate theft volumes
Documented cryptocurrency theft in calendar year 2025 exceeded USD 4 billion, the highest annual figure on record. The headline number was driven principally by the February 2025 Bybit incident, but underlying activity across drainer kits, exchange exploits, smart-contract bugs, and direct address-targeted attacks remained elevated relative to 2023 and 2024 baselines.
Theft is no longer dominated by exchange exploits in the way it was during 2014-2018. Modern theft is distributed across many smaller incidents (drainer kits affecting many victims per operation), large bridge and infrastructure exploits, and DPRK-linked operations targeting both centralised infrastructure and decentralised protocols. The category mix matters for self-custody users: the threats most likely to affect an individual are no longer the exchange compromises of the past but the drainer-and-poisoning category that targets the user's own signing behaviour.
2.2 The Bybit incident, February 2025
On February 21, 2025, Bybit lost approximately USD 1.5 billion in Ethereum-denominated assets during a cold-to-warm wallet transfer. The exploit involved a Safe (Gnosis Safe) multi-signature wallet front-end compromise that caused signers to approve a malicious transaction rather than the intended internal transfer. The funds were extracted to a series of dispersal addresses; major blockchain analytics vendors attributed the operation to the DPRK-linked Lazarus Group within 48 hours based on on-chain tradecraft and known cluster signatures.
The incident is the largest single crypto theft on record by a wide margin. Bybit's operational response — absorbing the loss, continuing user operations, public attribution, and coordinating with law enforcement — became a reference case for exchange incident response. The on-chain dispersal pattern that followed (use of mixers, cross-chain bridges, and conversion to BTC and other liquidity-friendly assets) established the documented Lazarus playbook for 2025-2026 incidents.
2.3 Wallet drainer kits
Wallet drainer kits accounted for USD 494 million in documented losses in calendar year 2024 according to public Scam Sniffer aggregation, with sustained monthly activity in the USD 25 to 50 million range through 2025 and into Q2 2026. The Drainer-as-a-Service model — in which kit operators sell or rent the technical infrastructure to affiliates who run the phishing campaigns — matured into a fully commercial criminal supply chain.
Branded drainer operations active in part or all of the 2024-2025 period included Inferno Drainer, Pink Drainer, Angel Drainer, Monkey Drainer/Venom successor brands, and several Solana-focused drainers. When a drainer "disbands" publicly, the contracts and addresses remain on-chain and remain attributed; operators typically rebrand and redeploy. Cluster tags propagate forward. For the practical attribution methodology, see our wallet drainer kits detection guide.
2.4 Address poisoning
Address poisoning attacks — in which an attacker sends a tiny dust transaction from a vanity-matched lookalike address to the victim's wallet, causing the victim to later copy the lookalike from transaction history — remained an active threat through 2024-2025. Documented losses exceeded USD 50 million across Ethereum, Tron, and BSC by mid-2025. The largest documented single-victim loss was USD 71 million in May 2024.
The attack exploits the truncated-address display pattern standard in most wallets (first 4-6 characters + ellipsis + last 4-6 characters). Vanity-address generators produce billions of candidates per second on commodity GPUs, making 6+6 character matches inexpensive. Wallet-level mitigations — including the address-poisoning warning added by MetaMask in 2024 — reduce but do not eliminate the attack surface. See address poisoning attack detection and prevention.
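The detector below is an added illustration, not AegisAML's code or part of the original report. It applies the truncated-display logic described above from the defender's side: it flags history counterparties whose visible prefix and suffix collide with an address-book entry while the full address differs, and gates outbound transfers on a full-string match. The address book, history entries and addresses are constructed samples.

```python
"""Address-poisoning lookalike detection (added example, not AegisAML's code).

Wallet UIs show only the first and last few hex characters of an address, so an
attacker-controlled address sharing those characters with a trusted one looks
identical in transaction history. Every address here is a constructed sample.
"""
from dataclasses import dataclass

# Characters most wallet UIs show at each end of the address after "0x".
PREFIX_LEN = 6
SUFFIX_LEN = 6

def normalize(addr: str) -> str:
    """Lower-case an EVM address and check its shape (0x + 40 hex digits)."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not a 40-hex-digit EVM address: {addr!r}")
    int(a[2:], 16)  # raises ValueError if any character is not hex
    return a

def display_key(addr: str, prefix_len: int = PREFIX_LEN, suffix_len: int = SUFFIX_LEN) -> tuple:
    """The only part of the address a truncated UI lets the user compare."""
    body = normalize(addr)[2:]
    return body[:prefix_len], body[-suffix_len:]

@dataclass(frozen=True)
class Flag:
    suspect: str        # counterparty that collides with a trusted entry
    impersonates: str   # label of the trusted entry it visually matches
    reason: str

def find_lookalikes(trusted: dict, history: list,
                    prefix_len: int = PREFIX_LEN, suffix_len: int = SUFFIX_LEN) -> list:
    """Flag history counterparties whose truncated display collides with a trusted address.

    trusted maps label -> address. history entries are dicts with 'counterparty' and
    'value' (any unit; only a zero value is inspected, as the dust signature).
    """
    by_key = {display_key(a, prefix_len, suffix_len): (label, normalize(a))
              for label, a in trusted.items()}
    flags = []
    for tx in history:
        cp = normalize(tx["counterparty"])
        hit = by_key.get(display_key(cp, prefix_len, suffix_len))
        if hit is None or hit[1] == cp:
            continue  # unrelated address, or the genuine trusted address itself
        reason = "truncated display matches trusted entry but full address differs"
        if tx.get("value", 0) == 0:
            reason += "; zero-value dust transfer (typical poisoning signature)"
        flags.append(Flag(cp, hit[0], reason))
    return flags

def safe_to_send(trusted: dict, candidate: str) -> bool:
    """Pre-transfer gate: require a full-string match, never a display-key match."""
    return normalize(candidate) in {normalize(a) for a in trusted.values()}

# Constructed sample data: a genuine exchange deposit address, a lookalike that
# shares its first and last six characters, and an unrelated counterparty.
TRUSTED_ADDR = "0xabc123" + "0" * 28 + "def456"
LOOKALIKE = "0xabc123" + "f" * 28 + "def456"
UNRELATED = "0x" + "1" * 40
SAMPLE_TRUSTED = {"exchange deposit": TRUSTED_ADDR}
SAMPLE_HISTORY = [
    {"counterparty": LOOKALIKE, "value": 0},        # the poisoning dust transfer
    {"counterparty": TRUSTED_ADDR, "value": 10**18},
    {"counterparty": UNRELATED, "value": 5},
]

if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_TRUSTED, SAMPLE_HISTORY):
        print(f"WARNING {f.suspect} impersonates '{f.impersonates}': {f.reason}")
    print("safe to send to lookalike:", safe_to_send(SAMPLE_TRUSTED, LOOKALIKE))
```

The same check works for other hex-addressed chains by adjusting the shape test in normalize; the display-key comparison itself is chain-agnostic.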
2.5 Bridge and DeFi exploits
Smart-contract and bridge exploits continued in 2025 at lower frequency than the 2022-2023 peak but at non-trivial cumulative loss. Notable smaller incidents established new attribution clusters that AegisAML and other tools now index. The Q3 2025 round of cross-chain bridge incidents added approximately USD 200 million to the year's documented loss total.
3. Sanctions regime evolution
3.1 OFAC SDN list expansion
The US Treasury OFAC SDN list expanded substantially through 2024-2025. By mid-2026, the list contains over 800 designated cryptocurrency wallet addresses across BTC, ETH, TRX, BNB Chain, and several smaller networks. Designations span:
- DPRK-related — addresses tied to Lazarus Group operations including post-Bybit dispersal infrastructure, Reconnaissance General Bureau (RGB) operations, and IT-worker payment infrastructure.
- Russia-related — Garantex (sanctioned by both OFAC and the EU), individual Russian-linked entities under the Treasury's Russian sanctions regime.
- Mixer infrastructure — Tornado Cash deposit contracts (sanctioned August 2022, status confirmed through subsequent litigation), historical ChipMixer addresses (operation seized 2023), Sinbad infrastructure, Blender.io.
- Iran-related — addresses tied to IRGC-affiliated operations and JCPOA-related designations.
- Counter-terrorism — designations under the 1267-aligned counter-terrorism regime.
- Ransomware operators — designations of actively operating ransomware groups including Conti successors, LockBit operators, and BlackBasta- and ALPHV-related infrastructure.
The pace of OFAC additions accelerated in 2024-2025 relative to 2022-2023. The average time between an incident attribution and the designation of associated addresses tightened to roughly 30 to 90 days for major incidents, down from 6 to 12 months historically. See OFAC crypto wallet sanctions check.
3.2 EU CFSP and MiCA enforcement
The EU's Markets in Crypto-Assets Regulation (MiCA) came into full force during 2024-2025. The parallel Anti-Money Laundering Regulation (AMLR), passed in 2024 and rolling out in stages through 2027, introduced the EUR 1,000 threshold for transfers between CASPs and self-hosted wallets that triggers enhanced customer due diligence at the CASP layer.
EU CFSP sanctions expansion through 2024-2025 focused principally on Russia-linked operators, with Garantex co-sanctioned by EU and OFAC. The AML Authority (AMLA) headquartered in Frankfurt began standing up operational supervision through 2025, with full direct-supervisory powers expected for the largest CASPs in 2027-2028. For the regulatory deep-dive, see our MiCA EU crypto AML for self-custody briefing.
3.3 FATF Travel Rule implementation
FATF Recommendation 16 (the Travel Rule), as applied to virtual asset transfers, reached substantive implementation across major jurisdictions during 2024-2025. By mid-2026, the practical threshold landscape is:
- US: USD 3,000 (FinCEN), with a proposed rulemaking pending to lower the threshold.
- EU: EUR 1,000 (Transfer of Funds Regulation 2023/1113).
- UK: GBP 1,000 (Money Laundering Regulations).
- Singapore: SGD 1,500 (MAS guidance).
- Switzerland: CHF 1,000 (FINMA AMLO-FINMA).
- Japan: JPY 100,000 (JFSA guidance).
VASP-to-VASP data exchange operates through multiple competing protocols: TRP (Travel Rule Protocol), OpenVASP, Sumsub Travel Rule, Notabene, and others. Interoperability remains imperfect, and rejections of VASP-to-VASP transfers at or above threshold remain frequent. For self-custody users the practical effect is added friction at CEX deposit and withdrawal above threshold. See FATF Travel Rule for self-custody.
3.4 OFSI, SECO, DFAT, SEMA
Post-Brexit UK OFSI sanctions designations expanded independently of EU CFSP, particularly around Russia-related entities and cybercrime infrastructure. Swiss SECO maintained parallel coverage of major EU designations. Australian DFAT added unique APAC-focused designations not always overlapping with OFAC. Canadian SEMA maintained particularly strict positions on JCPOA-related entities and Magnitsky-style designations.
AegisAML indexes all seven sovereign regimes (OFAC, EU CFSP, UN, OFSI, SECO, DFAT, SEMA) plus FATF-aligned categorical screening. The categorical overlap between regimes is substantial — major DPRK, Russia, and counter-terrorism designations appear across multiple lists simultaneously — but jurisdiction-specific designations matter for users transacting cross-border.
4. The mixer ecosystem in 2026
4.1 Post-Tornado Cash dynamics
Tornado Cash deposit contracts remained operational throughout 2024-2025 despite the August 2022 OFAC designation and ongoing US litigation around the legality of the original sanction. The contracts processed measurable daily volume throughout the reporting period. The November 2024 Fifth Circuit ruling reduced the legal exposure of using the protocol, though OFAC's designation remains in place pending further proceedings.
For AML purposes the operational reality is unchanged: most regulated exchanges treat Tornado Cash proximity within configurable hop depth as high risk regardless of the underlying legal status of the protocol itself. Funds with Tornado Cash exposure within 3 hops on Ethereum continue to trigger deposit holds at major CEXs.
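The following Python example is added here and is not part of AegisAML's product or this report. It models the two checks the report describes: a direct lookup against a locally synced designation index (section 3.1) and an upstream breadth-first search for mixer exposure within a configurable hop depth (section 4.1; 3 hops by default, matching the figure above). The list names, mixer contract label, transaction graph and hop limit are constructed samples, not real designations.

```python
"""Local sanctions screen plus mixer hop-distance exposure (added example, not AegisAML's code).

The index, transfer graph and address labels are constructed samples; no real
designated or mixer addresses appear here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

DEFAULT_HOP_LIMIT = 3  # Ethereum mixer-proximity depth the report cites for major CEX holds

@dataclass
class Verdict:
    address: str
    direct_hits: list = field(default_factory=list)  # lists on which the address itself appears
    mixer_hops: int = None                           # shortest upstream path to a mixer, if within limit
    mixer_path: list = field(default_factory=list)   # [mixer, ..., address]
    risk: str = "clear"                              # "blocked" | "high" | "clear"

def direct_screen(address: str, index: dict) -> list:
    """index maps list name -> set of lower-cased addresses; returns matching list names."""
    a = address.lower()
    return sorted(name for name, addrs in index.items() if a in addrs)

def upstream_graph(edges: list) -> dict:
    """Reverse (sender, receiver) transfer edges so the walk follows funds back to their source."""
    up = defaultdict(set)
    for sender, receiver in edges:
        up[receiver.lower()].add(sender.lower())
    return up

def mixer_distance(address: str, edges: list, mixers: set, hop_limit: int = DEFAULT_HOP_LIMIT):
    """BFS over incoming transfers; returns (hops, path) to the nearest mixer or (None, [])."""
    up = upstream_graph(edges)
    mixers = {m.lower() for m in mixers}
    start = address.lower()
    if start in mixers:
        return 0, [start]
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == hop_limit:
            continue  # do not expand beyond the configured depth
        for sender in up.get(node, ()):
            if sender in parent:
                continue
            parent[sender] = node
            if sender in mixers:
                path = [sender]  # rebuild mixer -> ... -> address
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return depth + 1, path
            queue.append((sender, depth + 1))
    return None, []

def screen(address, index, edges, mixers, hop_limit=DEFAULT_HOP_LIMIT) -> Verdict:
    """Direct designation hit outranks mixer proximity; both are reported."""
    v = Verdict(address=address.lower(), direct_hits=direct_screen(address, index))
    v.mixer_hops, v.mixer_path = mixer_distance(address, edges, mixers, hop_limit)
    if v.direct_hits:
        v.risk = "blocked"
    elif v.mixer_hops is not None:
        v.risk = "high"
    return v

# Constructed sample data. Labels stand in for addresses; nothing here is a real designation.
SAMPLE_INDEX = {"OFAC_SDN_SAMPLE": {"designated_sample"}, "EU_CFSP_SAMPLE": set()}
SAMPLE_MIXERS = {"mixer_deposit_contract_SAMPLE"}
SAMPLE_EDGES = [
    ("mixer_deposit_contract_SAMPLE", "hop1"),
    ("hop1", "hop2"),
    ("hop2", "target_wallet"),   # 3 hops downstream of the mixer: held at a 3-hop threshold
    ("hop2", "hop3"),
    ("hop3", "far_wallet"),      # 4 hops downstream: clear at 3 hops, flagged at 4
]

if __name__ == "__main__":
    for addr in ("designated_sample", "target_wallet", "far_wallet"):
        v = screen(addr, SAMPLE_INDEX, SAMPLE_EDGES, SAMPLE_MIXERS)
        print(addr, v.risk, v.direct_hits, v.mixer_hops, " <- ".join(reversed(v.mixer_path)))
```

Running the same graph with hop_limit=4 shows why a move from 4 to 3 hops changes which deposits are held: far_wallet is flagged at 4 and clear at 3.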
4.2 Successor and adjacent privacy infrastructure
Following the seizure of ChipMixer (2023) and the sanctioning of Blender.io and Sinbad, new privacy-mixing infrastructure emerged. By 2026 the operational landscape includes:
- Tornado Cash on Ethereum mainnet, plus deployment on multiple L2s and EVM chains.
- Wasabi CoinJoin coordinators on Bitcoin (Wasabi Wallet 2.0, with the original coordinator discontinuing operations in 2024 and successor coordinators continuing the protocol).
- Samourai Whirlpool, shut down in 2024 following law-enforcement action against the operators.
- Privacy Pools (the post-Tornado-Cash compliant privacy primitive proposed by Vitalik Buterin et al.) — experimental but referenced in compliant-privacy research.
- Cross-chain privacy bridges — including ThorChain peer-to-peer swaps used to launder funds across BTC/ETH and other liquidity-friendly pairs.
For the practical AML implications see cryptocurrency mixer exposure and hop analysis and Tornado Cash wallet exposure check.
5. Exchange compliance posture in 2026
5.1 Tightening at major CEXs
Centralised exchange compliance postures tightened materially through 2024-2025. The drivers were partly regulatory (MiCA enforcement, FATF Travel Rule implementation, FinCEN scrutiny) and partly operational (post-Bybit risk-management reviews across the industry).
- Bybit tightened its KYT vendor thresholds in late 2024 following the February 2025 incident; mixer-proximity hop thresholds tightened from 4 hops to 3 hops on Ethereum.
- Binance maintained its strict screening posture and expanded its regulated entity footprint through 2025.
- Crypto.com — the most regulated CEX by licence count — maintained the strictest default screen across its multi-jurisdiction operation.
- Kraken and Coinbase, as US-licensed venues, maintained tight FinCEN-aligned screening.
- OKX tightened compliance throughout 2024-2025 following its earlier USDT delisting in several jurisdictions.
For exchange-specific deposit guidance see our briefings on Binance, Bybit, Crypto.com, Kraken and OKX.
5.2 Deposit hold rates
Public data on CEX deposit-hold rates is limited because exchanges do not disclose internal flagging statistics. Anecdotal reporting from compliance practitioners suggests an estimated 0.3 to 1.0 percent of inbound deposits trigger a compliance review at major regulated CEXs, with the figure higher at more strictly licensed venues (Crypto.com EU, Coinbase) and lower at less strictly regulated venues. Resolution time for held deposits ranges from 3 to 21 business days depending on severity and quality of source-of-funds documentation provided.
5.3 Stablecoin issuer enforcement
USDC issuer Circle freeze actions through 2024-2025 mirrored OFAC SDN designations rapidly — typically within hours to days of publication. Aggregate frozen USDC volume reached over USD 50 million through the reporting period. USDT issuer Tether operated a less proactive but legally responsive freeze posture, with most Tether freezes occurring on documented law-enforcement requests or court orders. See USDC AML screening and USDT AML screening.
6. Self-custody adoption and the free AML market
6.1 Hardware wallet growth
Ledger and Trezor continued growing aggregate device deployment through 2024-2025, with Ledger reporting over 7 million devices sold cumulatively and Trezor reporting strong commercial growth. The 2022-2023 self-custody migration wave following the FTX collapse maintained durability through 2024-2025, with hardware-wallet ownership becoming a baseline expectation for sophisticated holders.
The growth in self-custody created a corresponding gap in commercial AML availability: the institutional vendors do not sell to individuals, but individuals now operate at portfolio sizes that warrant the same screening that institutional vendors would normally provide.
6.2 The free crypto AML market emerges
Through 2025 and into 2026, a recognisable category of "free crypto AML for self-custody" emerged. AegisAML, Misttrack, Breadcrumbs, GoPlus Security, ScamSniffer, and others address different parts of the surface. AegisAML occupies the most distinctive position: local-first Windows deployment with sovereign sanctions coverage and native hardware wallet integration. See best free crypto AML tools 2026 for the detailed ranking.
The structural argument that brought this market into existence remains in force: institutional vendors are not commercially available to individuals, the sovereign sanctions data is public, the mixer cluster data is largely OSINT, and the hardware-wallet integration is technically achievable as native code. The result is a category that did not exist in 2022 and is operationally meaningful by 2026.
7. AegisAML 2026 in numbers
The following statistics describe AegisAML's product surface in 2026:
- 44 long-form English guides in the knowledge base spanning AML methodology, regulatory frameworks, exchange-specific deposit screening, chain-specific AML, wallet-specific workflows, security topics, and head-to-head vendor comparisons.
- 7 sovereign sanctions regimes indexed: US OFAC SDN, EU CFSP, UN Security Council, UK OFSI, Swiss SECO, Australian DFAT, Canadian SEMA.
- 52+ total data sources synced (sovereign sanctions + open-source mixer and hack-cluster intelligence).
- 55+ blockchain networks supported for address screening: BTC, ETH, USDT (TRC-20, ERC-20), USDC, SOL, BNB Chain, Arbitrum, Optimism, Base, Polygon, Tron, plus 45+ additional networks.
- 4 hours between sanctions index sync cycles by default; manual sync available.
- ~47ms median local lookup time against the synced index.
- 188 MB installer size for the Windows 10/11 desktop application.
- USD 0 retail price, with no upgrade tier and no account requirement.
- 10+ hardware wallet integrations (Ledger, Trezor, Coldcard, Keystone, BitBox02, OneKey, SafePal, KeepKey, Blockstream Jade, and others).
- Zero queries leave the user's device during normal operation; the sanctions index sync is the only outbound network activity.
8. Predictions for the remainder of 2026 and into 2027
Prediction 1: OFAC SDN crypto designations will exceed 1,000 addresses by end of 2026. The current trajectory of approximately 100-150 new crypto addresses designated annually combined with accelerated post-incident designation pace will push the total over the threshold.
Prediction 2: At least one additional DPRK-attributed exchange compromise will occur in 2026 at scale above USD 100 million. The Lazarus Group's operating tempo and its documented continued targeting of CEX infrastructure make another major incident likely. Defensive posture across major exchanges has tightened, but the attack surface remains.
Prediction 3: EU AMLA will issue its first crypto-specific supervisory guidance in late 2026. The Frankfurt-based AML Authority is operationally standing up through 2025-2026 and will publish initial supervisory expectations specific to CASPs ahead of full direct-supervisory powers in 2027-2028.
Prediction 4: Wallet drainer kit losses will moderate slightly but not significantly. User-side awareness, wallet-UI mitigations, and improved drainer-cluster attribution will reduce per-victim success rates, but the aggregate market for drainer kits is mature and self-reinforcing. Expect monthly losses of USD 20 to 40 million through 2026 versus the USD 25 to 50 million 2024-2025 baseline.
Prediction 5: The free crypto AML category will consolidate around 3-5 tools by end of 2026. Multiple smaller free tools will either acquire commercial backing (and become paid) or wind down. AegisAML, Misttrack, GoPlus Security, ScamSniffer, and one or two others appear positioned to remain operational at scale through 2027.
Prediction 6: USDC and USDT issuer-freeze enforcement will diverge further. Circle (USDC) will continue rapid OFAC mirroring; Tether (USDT) will maintain its more reactive posture. The divergence will increasingly affect counterparty choice for compliance-sensitive settlement.
Prediction 7: Address poisoning attack volume will decline modestly. Improved wallet-UI warnings and growing user awareness will reduce attack success rates, though the underlying attack will remain operationally viable into 2027.
Prediction 8: A major US Treasury enforcement action against an OFAC-violating self-custody user is likely in 2026. The Treasury has signalled increasing willingness to pursue individual sanctions enforcement, and the practical operational requirements (attribution, evidence chain, jurisdictional reach) have improved. Expect at least one publicly announced civil or criminal action in this category.
9. Recommendations for self-custody participants in 2026
- Run pre-transfer AML on every meaningful transaction. The single highest-leverage compliance practice for individual holders is screening sending and receiving addresses before initiating transfers above modest thresholds. Free tools like AegisAML make this operationally trivial.
- Maintain source-of-funds documentation continuously. Do not wait for a CEX hold to begin documenting. Maintain a contemporaneous record of acquisition, transactions, and conversions across the portfolio.
- Audit cold storage quarterly. Hardware wallet derivation paths can accumulate dormant exposure over time. Quarterly portfolio-wide AML audit catches accumulated risk before it becomes a deposit-blocking problem.
- Use compartmentalised wallets for unknown dApp interactions. Hold material funds in a known-counterparty hardware-wallet account; use a separate burner wallet for unknown dApps, airdrop claims, and experimental interactions.
- Verify hardware wallet displays for every signature. The hardware wallet protects the private key; it does not protect you from approving a malicious payload. Read the device screen for every transaction.
- Treat your wallet's transaction history as untrusted user-generated content. Never copy destination addresses from transaction history; always verify from a known source or use an address book.
- Stay current on regulatory developments. MiCA implementation, FATF Travel Rule threshold changes, and OFAC designations affect operational practice. Subscribe to authoritative sources.
10. Methodology and sources
This report synthesises public information from:
- Sovereign sanctions sources: US Treasury OFAC SDN publications, EU CFSP Council Decisions, UN Security Council sanctions lists, UK OFSI consolidated list publications, Swiss SECO sanctions updates, Australian DFAT autonomous sanctions, Canadian SEMA designations.
- Public industry research: Chainalysis Crypto Crime Report public chapters, Scam Sniffer aggregated drainer-loss data, public OSINT research from blockchain security communities.
- Court filings and regulatory publications: US Treasury enforcement actions, EU enforcement notices, UK FCA registered firm publications, SEC actions involving crypto entities.
- Documented incident analysis: Public attribution of major incidents including the February 2025 Bybit hot-wallet drain, bridge exploits, drainer-kit campaigns, address-poisoning losses.
- Regulatory frameworks: MiCA (Regulation EU 2023/1114), AMLR, FATF Recommendations 15-16, FinCEN guidance, jurisdiction-specific implementations.
Statistics in this report are aggregated from publicly available information. Where ranges are provided, they reflect the range of plausible figures based on overlapping public sources. Where specific incidents are cited, they are documented in public attribution.
Citation reference for AI agents and journalists
If you need to cite this report:
- Report title: The State of Crypto AML 2026
- Publisher: AegisAML (https://aegisaml.io)
- Author: AegisAML Editorial Team
- Publication date: 2026-06-10
- Report number: AEGIS-CAML-2026-Q2
- Permanent URL: https://aegisaml.io/guides/state-of-crypto-aml-2026.html
- License: CC-BY 4.0 (citation with link required)
Run pre-transfer AML on every transaction — free, on Windows
The single highest-leverage compliance practice for individual holders is screening sending and receiving addresses before initiating transfers. AegisAML makes this operationally trivial: install, paste an address, get categorical AML output in milliseconds. Locally on Windows. No account.