Editor's Note

Originally published June 19, 2025, on DarkAnalytica, the author's prior research vehicle. Reissued here on CrimsonVector with this editor's note and inline updates reflecting subsequent enforcement actions and network adaptation. Original publication date preserved for citation accuracy; updates are dated and noted inline as [Updated May 2026].

The convergence ecosystem: state actors, criminal networks, and underground financial channels spanning Russia, China, North Korea, the Middle East, and the West.

Executive Summary

In the past several years, cryptocurrency has become the connective tissue linking transnational crime and state-sponsored illicit finance. Sanctioned regimes like Russia and North Korea, organized crime groups, and professional money launderers are converging in a shadow economy that exploits digital assets and underground banking channels. Blockchain forensics reveal billions in stolen or illicit crypto — North Korean hackers alone have looted over $6.5 billion — being rapidly laundered through Chinese underground networks at rates of up to $100 million a day.1 Russian threat actors, from oligarchs to intelligence agencies, are likewise leveraging crypto exchanges, mixers, and stablecoins to move wealth globally outside the traditional financial system. A recent investigation traced over $600 million in Bitcoin flowing through wallets linked to Russian security services since 2022,34 while a U.S. indictment exposed a crypto payments company that funneled $530 million for sanctioned Russian banks using stablecoins.567

This report provides an in-depth analysis of this new convergence of cryptocurrency, underground banking, and state-enabled financial crime. It examines major case studies — from Russia's crypto "laundromats" and Chinese money brokers laundering for North Korea, to a Kremlin spy paid in Bitcoin and a U.S.-based crypto firm aiding Russian banks — to illuminate how these illicit networks operate, the techniques and loopholes they exploit, and the threat they pose to global security. We then assess current enforcement efforts and jurisdictional vulnerabilities and offer strategic recommendations to disrupt this evolving nexus of crime and national security risk.

Updated May 2026

Since this report's original publication in June 2025, the landscape it describes has shifted dramatically — in most cases, accelerating the very threats identified here. Key developments:

Updates on these and other developments are noted inline throughout.

Threat Overview: A Converging Illicit Finance Ecosystem

Cryptocurrency has supercharged the ability of rogue states and criminals to collaborate in moving and cleansing dirty money across borders. Informal underground bankers, long used for off-the-books fund transfers ("fei qian" or "flying money"), have increasingly turned to crypto to instantly shuttle value between jurisdictions with minimal trace. The result is a sprawling illicit finance ecosystem that bridges what were once discrete realms of criminal activity — from cyber theft to drug trafficking and sanctions evasion — into a tightly interwoven global network. Chinese money laundering organizations (CMLOs) sit at the center, serving North Korean hackers, Latin American cartels, Russian crime syndicates, and even triads in a symbiotic arrangement. Each actor brings something to the table: North Korea contributes massive hacks (billions in crypto stolen) to fund its weapons program, Russian actors (whether state-linked or mafia) offer safe havens and tools like rogue exchanges and ransomware infrastructure, and Chinese brokers provide the cross-border payment channels to convert and obscure funds.1 As one analysis observed, "each one benefits: North Korea gets cash for its regime, Russian actors get partners in crime and access to Chinese markets, and corrupt Chinese brokers earn hefty fees," creating a force-multiplier effect that spans cybercrime, narcotics, and sanctions evasion.

Western sanctions on Russia (after its 2022 invasion of Ukraine) and on regimes like North Korea have ironically accelerated this convergence. Cut off from traditional banking, these actors innovated through crypto pipelines. In 2025, total illicit crypto volume hit a record $158 billion (up ~145% from 2024), with sanctions-related activity accounting for 86% of all illicit flows3637 — illustrating how heavily adversarial regimes now rely on crypto channels. The Kremlin and its proxies have moved beyond exploring stablecoins to actively deploying them: Russia's state-backed A7A5 ruble stablecoin crossed $100 billion in cumulative transactions by January 2026. U.S. officials have also documented Russian attempts to employ crypto mining and mixers to blunt sanction impacts. Meanwhile, Chinese underground networks have helped Russia "evade sanctions and move funds seamlessly across borders," for example by accepting cryptocurrency as payment for military technology exports to Russia in violation of controls.1920

This melding of state-enabled finance and criminal money laundering represents a new hybrid threat: nation-states can harness criminal financial infrastructures (and vice versa) with unprecedented speed and scale. Yet, the current countermeasures remain siloed. Notably, "no single U.S. government strategy prioritizes disrupting Chinese underground banking networks" despite their pivotal role in laundering hostile nation funds.1 Combating this convergence will demand an equally convergent response, integrating financial intelligence, cyber operations, international law enforcement, and policy action.

The Convergence Ecosystem
flowchart TB
    subgraph STATE["State Actors"]
        NK["North Korea<br/>(Lazarus Group)<br/>$6.5B+ stolen"]
        RU["Russia<br/>(FSB/GRU + Oligarchs)<br/>Mining, ransomware,<br/>A7A5 stablecoin"]
    end
    subgraph CRIMINAL["Criminal Networks"]
        RANSOM["Ransomware<br/>Groups<br/>(Ryuk, Conti)"]
        CARTELS["Drug Cartels<br/>(LatAm, Irish)"]
    end
    subgraph INFRA["Financial Infrastructure"]
        CMLO["Chinese CMLOs<br/>(OTC Brokers)<br/>$103B volume"]
        EXCHANGE["Rogue Exchanges<br/>(Garantex → Grinex)"]
        MIXER["Mixers<br/>(Tornado Cash,<br/>Sinbad, etc.)"]
    end
    subgraph OUTPUT["Integration"]
        FIAT["Fiat Cash-Out"]
        REALESTATE["Real Estate<br/>(Dubai, London)"]
        GOODS["Goods &<br/>Procurement<br/>(Military tech)"]
    end
    NK -->|"stolen crypto"| CMLO
    NK -->|"stolen crypto"| MIXER
    RU -->|"ransomware proceeds"| EXCHANGE
    RU -->|"espionage funding (BTC)"| FIAT
    RANSOM -->|"ransom payments"| EXCHANGE
    RANSOM -->|"cash-out"| MIXER
    CARTELS -->|"drug cash"| CMLO
    CMLO -->|"fiat / goods"| FIAT
    CMLO -->|"trade-based ML"| GOODS
    EXCHANGE -->|"crypto ↔ fiat"| FIAT
    EXCHANGE -->|"asset purchases"| REALESTATE
    MIXER -->|"cleaned crypto"| EXCHANGE
    MIXER -->|"cleaned crypto"| CMLO

Case Study: Russia's Crypto Laundromats — The "Smart" and "TGR" Networks

One of the clearest illustrations of the nexus between cryptocurrency, organized crime, and sanctioned Russian elites is the Smart/TGR money laundering network, recently exposed by an international investigation. In December 2024, the UK's National Crime Agency (NCA) announced Operation Destabilise, which dismantled a multi-billion-dollar Russian money laundering apparatus spanning over 30 countries.81422 At the heart of this network were two intertwined cells of Russian-speaking launderers: the "Smart" group, led by Russian national Ekaterina Zhdanova, and the "TGR" group, led by Ukrainian-born George Rossi with associates in Russia and Europe. These groups collaborated to provide end-to-end illicit financial services to a clientele that ranged from Kremlin-linked oligarchs and sanctioned officials to ransomware gangs and drug cartels. According to the NCA, they even helped high-profile Russian cybercriminal outfits like the Ryuk and Conti ransomware groups launder proceeds and enabled Russian elites to secretly move funds into Western markets despite sanctions.13 Remarkably, between late 2022 and mid-2023, the Smart network directly funded Russian espionage operations, indicating a portion of laundered crypto was channeled to support FSB/GRU spy activities abroad.

Fig 1. Ekaterina Zhdanova, sanctioned by OFAC in November 2023 as a "virtual currency money launderer" for Russian elites. She remains in pre-trial detention in France. Photo: NCA / Operation Destabilise.

Zhdanova, a former banker now in her late thirties, epitomized the "professional enabler" at the core of this network. In November 2023, the U.S. Treasury's OFAC sanctioned her as a "virtual currency money launderer" for Russian elites and ransomware actors.921 Zhdanova's modus operandi was to bridge the crypto world and traditional finance to move wealth covertly. For instance, in one 2022 case she helped a Russian oligarch transfer $100 million into the United Arab Emirates by converting it to cryptocurrency, then arranging UAE bank accounts, residency permits, and even local IDs for the client. She provided similar "concierge" services to multiple oligarchs, securing them Dubai residency and shell companies to mask their identities while relocating assets.

Zhdanova also laundered funds for cybercriminals; U.S. investigators say she moved over $2.3 million for a Russia-linked ransomware cell via fraudulent investment accounts and real estate in Western Europe.38 Her operations relied on cryptocurrency exchanges with lax or no AML controls. Chief among them was Garantex, an exchange based in Moscow that continued business unabated despite U.S. sanctions in 2022.23 Zhdanova routinely funneled crypto through Garantex — which accounted for the majority of sanctions-related crypto transaction volume in 2022–2023 — and other high-risk exchanges that ask few questions. By cashing out at these permissive platforms, she could convert crypto back to fiat with minimal oversight.

Updated May 2026

Garantex was seized in March 2025 by the U.S. Secret Service, German BKA, and Finnish authorities. DOJ unsealed indictments against operators Aleksej Besciokov (arrested in India, facing extradition) and Aleksandr Mira Serda (fugitive, $5M reward). Between 2019 and 2025, Garantex processed at least $96 billion in cryptocurrency. Within days of the takedown, Garantex officers transferred customer deposits to a successor exchange called Grinex, which was subsequently sanctioned by OFAC, the UK, and the EU. Grinex also launched the A7A5 ruble-pegged stablecoin, which facilitated over $93 billion in transactions before Grinex suspended operations in April 2026 after an alleged cyberattack.24

Zhdanova further leveraged front companies and luxury assets to integrate illicit funds. She partnered with other launderers worldwide and even co-owned a luxury watch dealership with offices globally, giving her clients a veneer of legitimate international business.

Importantly, Zhdanova did not act alone — she led the "Smart" cell as part of a broader syndicate. The NCA identified her partners as Khadzhi-Murat Magomedov and Nikita Krasnov on the Smart side, and noted Smart worked in tandem with the "TGR Group" run by Rossi and Elena Chirkinyan, among others. TGR established a spiderweb of companies across jurisdictions: e.g. TGR Corporate Concierge LTD in London and TGR DWC-LLC in Dubai (UAE), which offered services to "obscure the source of ill-gotten funds" for elites.15 They even set up shell firms as far afield as Thailand and a Wyoming LLC in the US to aid their schemes. Such entities were used to open bank accounts, process foreign exchange, and purchase assets on behalf of clients while concealing the true beneficiaries.

Both Smart and TGR excelled at swapping cash for crypto across borders to evade detection. According to investigators, these networks would collect bulk cash (for example, drug trafficking proceeds in the UK), quickly convert the cash into cryptocurrency (often U.S. dollar-pegged stablecoins like Tether) using underground brokers or unregistered exchanges, and then make the equivalent crypto value available to clients overseas. This effectively "teleports" illicit cash into another country without any physical cross-border movement of money. In reverse, they could accept crypto from a sanctioned Russian client, pay out an equivalent in cash in London (to buy property, luxury goods, etc.), and later settle the difference among themselves. Such mirror transactions and swaps allowed funds to leap between jurisdictions with virtually no bank wires or paper trail.

Ultimately, the Smart/TGR network enabled clients — whether sanctioned Russian oligarchs, cybercriminal gangs, or even Irish cartels — to access the global financial system and hard assets while sidestepping authorities. Russian elites covertly purchased real estate in places like London and Spain through these channels, their crypto converted into luxury apartments titled under shell companies. (One investigation found over 100 members of the Russian elite owned Dubai properties, underscoring this trend.)1011 The NCA's takedown of the network was substantial: 84 arrests at initial announcement (December 2024), with seizures of over €20 million in cash and crypto. OFAC simultaneously sanctioned key TGR figures and entities across Russia, the UK, UAE, and Thailand.

Updated May 2026

By November 2025, the NCA reported Operation Destabilise had grown to 128 total arrests with over £25 million seized in the UK alone. The NCA also revealed that Rossi's network had purchased a 75% stake in Keremet Bank in Kyrgyzstan (December 2024) to facilitate transfers with Promsvyazbank — described by the U.S. Treasury as a "sanctions evasion hub" supporting Russia's war effort. Zhdanova remains in pre-trial detention in France. Rossi remains a fugitive.

Yet, many of the network's structural elements remain as potential loopholes. Dubai continues to attract illicit Russian wealth due to its "slippery" regulations — in 2022 a leak revealed hundreds of sanctioned politicians and criminals holding luxury real estate there.2946 And new intermediaries can replace those arrested. The Smart and TGR case shows how agile and far-reaching modern laundering rings have become, fusing crypto anonymity with old-school methods (shell companies, bulk cash smuggling) to service both criminals and states. It also foreshadowed the merging of Russia's covert state operations with these illicit finance networks — a theme we explore further in the espionage case study below.

Case Study: Chinese Money Laundering Networks and North Korea's Crypto Windfall

Another critical node in the convergence of underground finance and state crime is the role of Chinese money laundering organizations (CMLOs) in cleaning funds for North Korea and other threat actors. North Korea's hacking units (most famously the Lazarus Group) have, over the past several years, stolen over $6.5 billion in cryptocurrency from exchanges and DeFi platforms to help fund Pyongyang's nuclear weapons and missile programs.2 However, turning that digital loot into usable cash or goods — without triggering global sanctions — requires a sophisticated laundering pipeline. Enter the underground Chinese "shadow banking" networks. These networks, some inheriting the centuries-old "fei qian" system of informal transfers, now operate as a "parallel banking system" for criminals worldwide. Crucially, they have embraced crypto as a fast, pseudonymous settlement mechanism to move value across borders for clients like North Korean hackers, Mexican cartels, and Russian syndicates.

Updated May 2026

In February 2025, North Korea's Lazarus Group executed the Bybit exchange hack, stealing approximately $1.5 billion in cryptocurrency — the largest single crypto heist in history. In April 2026, the KelpDAO exploit (~$290M) was also attributed to Lazarus. DPRK-linked actors stole $2.02 billion in 2025 alone (51% increase year-over-year), representing ~60% of all global crypto theft. As of one year after the Bybit hack, only 3% of the $1.5B had been recovered. Meanwhile, the FBI placed Sim Hyon-Sop (the North Korean banker indicted in 2023 for laundering through Chinese OTC brokers) on its Most Wanted list with a $7 million reward. OFAC sanctioned two of his Chinese facilitators — Lu Huaying and Zhang Jian, both UAE-based — in December 2024. Chinese underground banking volume has grown from ~$123 million in 2020 to over $103 billion in 2025.

DPRK Cryptocurrency Theft by Year (USD Billions)
%%{init: {'theme': 'dark', 'themeVariables': {'xyChart': {'backgroundColor': '#111114', 'titleColor': '#e4e4e7', 'xAxisLabelColor': '#a1a1aa', 'yAxisLabelColor': '#a1a1aa', 'plotColorPalette': '#c0272d'}}}}%%
xychart-beta
    title "North Korean Crypto Theft — Annual Totals"
    x-axis ["2017", "2018", "2019", "2020", "2021", "2022", "2023", "2024", "2025"]
    y-axis "USD (Billions)" 0 --> 2.5
    bar [0.03, 0.05, 0.27, 0.30, 0.43, 1.70, 0.66, 1.34, 2.02]

Chinese underground banking networks bridge criminal proceeds and the legitimate financial system, using crypto as the settlement mechanism for cross-border value transfers.

A typical Chinese underground banking scheme works via OTC (over-the-counter) brokers who facilitate currency swaps without formal remittances. For example, a cartel operative in Los Angeles will hand over thousands in drug cash to a local Chinese broker. Instead of physically moving that cash, the broker's counterpart in China will "mirror" the transaction by delivering an equivalent sum (minus commission) in Chinese renminbi to the cartel's contacts in, say, Shanghai — often using crypto or other off-ledger methods to settle accounts. No cross-border wire occurs; dollars stay in the U.S. and RMB stay in China, avoiding bank reporting. The broker in China then recycles the dollars via trade: purchasing consumer goods or chemicals in China, exporting them to Latin America, and selling them to recoup the funds in local currency. This kind of trade-based money laundering combined with crypto transfers is highly effective at moving criminal profits under regulators' radar.

North Korea's regime has taken full advantage of these Chinese-facilitated corridors. Blockchain intelligence shows that North Korean operatives rely heavily on China-based OTC crypto brokers and financial facilitators to wash stolen crypto into fiat or commodities. In April 2023, the U.S. unsealed a federal indictment charging a North Korean banker (Sim Hyon-Sop of the Foreign Trade Bank) and three Chinese cryptocurrency OTC brokers with conspiring to launder funds from North Korean hacks. According to court documents, Sim and his Chinese partners converted tens of millions in stolen crypto into U.S. dollars by funneling it through a maze of exchanges and shell companies, then using the proceeds to purchase sanctioned goods via front companies in Hong Kong. In essence, they turned hacked crypto into tangible commodities — a form of sanctions evasion marrying cybercrime proceeds with underground trade channels.

Blockchain analysis revealed the Chinese brokers acting as critical middlemen, leveraging their access to major crypto exchanges and bank accounts to swap illicit crypto for fiat under cover of legitimate high-volume trades. The funds would pass through offshore shell companies in lax jurisdictions to conceal their origin before entering the formal banking system. China's role as a geographic hub is notable — Sim Hyon-Sop relocated to Dandong, China, a border city notorious for North Korean illicit commerce, highlighting how physical safe havens complement the digital laundering.

The Chinese underground networks have thus become a financial lifeline not only for North Korea's sanctions-busting but for other illicit flows benefiting U.S. adversaries. They have helped Russian entities as well: investigations show Chinese companies selling drone technology and optical equipment to Russia (for its war in Ukraine) were paid via crypto channels to skirt sanctions,1920 often with Russian intermediaries sending cryptocurrency that Chinese suppliers cashed out domestically. This crypto-for-weapons barter exemplifies the melding of cybercrime, sanctions evasion, and illicit trade. Similarly, Chinese chemical exporters fueling the Russian darknet fentanyl trade have readily accepted cryptocurrency as payment.

Chinese money brokers effectively serve as the connective tissue: bridging Russian dirty money and Chinese markets, North Korean crypto and hard currency, cartel cash and Asian goods. Yet Beijing's official stance remains ambivalent — China professes neutrality or ignorance even as these networks flourish on its soil. To date, there is no evidence of a concerted Chinese crackdown on these OTC brokers (many of whom operate out of big cities like Guangzhou or Hong Kong). U.S. officials warn that disrupting Chinese underground banking must become a priority, calling for "new types of intelligence collection" and even offensive cyber capabilities to target them. As the Lawfare article on the "world's underground bankers" bluntly put it, these networks have created "a sprawling illicit finance ecosystem that exploits crypto and underground systems to launder dirty money on a global scale",1 and they currently operate without a dedicated counterstrategy.

Case Study: Crypto-Funded Espionage — Russia's "Teenage Spy" and Bitcoin Payments

Fig 2. Laken Pavan, a Canadian teenager recruited by Russia's FSB in 2024 and paid in Bitcoin. He was sentenced to 20 months by a Warsaw court in December 2024. Photo: Reuters.

In mid-2025, an espionage case in Europe dramatically illustrated how deeply cryptocurrency has penetrated state intelligence operations. Polish authorities, with help from blockchain analysts, uncovered a crypto money trail underpinning a Russian spying plot. The saga began with Laken Pavan, a 17-year-old Canadian, who was recruited by Russia's FSB (Federal Security Service) in April 2024 while he was in Russian-occupied Donetsk. The FSB coerced Pavan into agreeing to spy in NATO countries and arranged to fund his activities via Bitcoin.34

In May 2024, as Pavan traveled through Europe on his mission, he found himself low on cash in Copenhagen and messaged his handler — an FSB officer known only by the code name "Slon" ("Elephant") — asking for money in BTC. Slon sent about $500 in Bitcoin to Pavan's wallet that same day, which Pavan then planned to cash out at crypto ATMs or exchanges in Poland. However, overcome by fear and guilt, the teenager turned himself in to Polish police upon arriving in Warsaw, confessing the spy scheme. Pavan's arrest in May 2024 blew the lid off a broader pattern: Russian intelligence agencies, facing unprecedented expulsions of traditional spies from Europe, have been recruiting youths and amateurs — and paying them via cryptocurrency.

What investigators pieced together from Pavan's case was startling. Every Bitcoin transaction between Pavan and his FSB handler was traceable, and with a court order, Polish authorities obtained the full chat logs and wallet addresses. By collaborating with crypto forensic firms (Global Ledger and Recoveris), they traced the small BTC payments Pavan received back through intermediate wallets to a single large Bitcoin wallet upstream. This wallet had been created in June 2022 (just after Russia's invasion of Ukraine) and had processed over $600 million worth of BTC by mid-2025 — all under the control of persons unknown. Critically, the analysts observed that transactions in and out of this wallet cluster occurred mostly during Moscow business hours (6am–6pm), and it even sent funds to the sanctioned Russian exchange Garantex. These clues strongly suggest the wallet is managed by Russian state actors (or affiliates) as a covert funding pool.
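The tracing and time-of-day reasoning described above, as an added example that is not part of the original report or the investigators' tooling: it walks a constructed ledger back from a paid wallet to the nearest common upstream source, then finds the UTC offset under which most of that wallet's activity falls between 06:00 and 18:00 local time. Wallet labels, amounts and timestamps are invented for illustration, and the backward walk ignores amounts and transfer order, which a real trace would weigh.

```python
from collections import deque
from datetime import datetime, timedelta, timezone
from math import comb


def ts(day, hour):
    """UTC timestamp on a constructed sample date (June 2024)."""
    return datetime(2024, 6, day, hour, tzinfo=timezone.utc)


# Constructed ledger, not chain data: (sender, receiver, amount_btc, utc_time).
# Every wallet label here is a placeholder.
TRANSFERS = [
    ("relay_a", "relay_c", 0.200, ts(3, 16)),
    ("relay_c", "asset_wallet", 0.008, ts(3, 17)),
    ("relay_b", "asset_wallet", 0.004, ts(4, 11)),
]
# Twenty constructed transfers touching the upstream wallet "hub"; hours are UTC.
HUB_HOURS_UTC = [3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 3, 14, 6, 9, 12, 5, 20, 1]
for i, hour in enumerate(HUB_HOURS_UTC):
    peer = ("relay_a", "relay_b", "exchange_x", "feeder")[i % 4]
    edge = ("feeder", "hub") if peer == "feeder" else ("hub", peer)
    TRANSFERS.append((*edge, 0.5, ts(i + 1, hour)))


def upstream(transfers, wallet, max_hops=6):
    """Breadth-first walk against the flow of funds: wallet -> funders -> their funders."""
    funders = {}
    for sender, receiver, _amount, _when in transfers:
        funders.setdefault(receiver, set()).add(sender)
    hops = {wallet: 0}
    queue = deque([wallet])
    while queue:
        current = queue.popleft()
        if hops[current] == max_hops:
            continue
        for source in funders.get(current, ()):
            if source not in hops:
                hops[source] = hops[current] + 1
                queue.append(source)
    del hops[wallet]
    return hops


def common_source(transfers, target):
    """Nearest wallet that sits upstream of every direct funder of `target`."""
    hops = upstream(transfers, target)
    shared = set(hops)
    for wallet in [w for w, h in hops.items() if h == 1]:
        shared &= {wallet} | set(upstream(transfers, wallet))
    return min(shared, key=lambda w: (hops[w], w)) if shared else None


def window_hits(times, utc_offset, start=6, end=18):
    """Count events whose local hour at `utc_offset` falls in [start, end)."""
    return sum(start <= (t + timedelta(hours=utc_offset)).hour < end for t in times)


def rank_offsets(times):
    """(hits, offset) pairs for every whole-hour UTC offset, best first."""
    return sorted(((window_hits(times, o), o) for o in range(-12, 15)), reverse=True)


def chance_probability(n, k, p=0.5):
    """P(at least k of n events in a 12-hour window) if activity were spread evenly."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def profile(transfers, target):
    """Trace to the common source, then profile its hours of activity."""
    hub = common_source(transfers, target)
    times = [when for s, r, _a, when in transfers if hub in (s, r)]
    hits, offset = rank_offsets(times)[0]
    # The best of 24 possible windows was picked, so scale the tail by 24
    # (a conservative multiple-comparison bound) before reading it as evidence.
    p_chance = min(1.0, 24 * chance_probability(len(times), hits))
    # The offset names a time-zone band shared by many places, not a city or
    # an operator: it corroborates other links, it does not attribute alone.
    return {"wallet": hub, "events": len(times), "in_window": hits,
            "utc_offset": offset, "p_chance": p_chance}


if __name__ == "__main__":
    print(profile(TRANSFERS, "asset_wallet"))
```

On the constructed data the common source is `hub`, 18 of its 20 transfers fall inside the window at UTC+3, and the corrected chance probability is under 1%.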

In other words, the FSB or GRU have amassed a crypto war chest — potentially via mining, ransomware cut-outs, or dark market sales — to finance espionage, sabotage and influence operations abroad. Indeed, Recoveris experts told the media that Russia's intelligence services are "constantly financing agents using cryptocurrency," not just in this case but across multiple discovered rings. In Poland alone, authorities have found numerous instances since 2022 of crypto-funded sabotage cells: one GRU-backed group of youths was paid in crypto to spread propaganda and even attempt arson targeting Polish infrastructure. In another incident, crypto traced to GRU wallets was used to pay Belarusians and Ukrainians to install surveillance cameras along railway lines supporting Ukraine.

The digital bankroll for Russian spy missions extends beyond teen informants. According to blockchain intelligence, FSB/GRU-linked wallets have also been tied to financing paramilitary activities and disinformation campaigns. Russian operatives used cryptocurrency to pay private military contractors (mercenaries fighting on Russia's behalf in Eastern Ukraine) and to covertly fund European politicians to push pro-Russia, anti-Ukraine narratives. For the Kremlin, crypto offers a potent combination of relative anonymity, speed, and global reach. As one expert noted, millions in Bitcoin can be moved instantly across borders "without any government barriers, except the crypto-to-fiat gateway." This makes it ideal for covert operations, where cash couriers or bank wires would be too slow or detectable. Paradoxically, the transparent ledger of crypto also provides a benefit to spy agencies: handlers in Moscow can monitor the blockchain to audit how field agents spend funds and ensure they aren't skimming or defecting. Every Satoshi can be accounted for in a way that traditional cash drops cannot.

From an intelligence perspective, the Pavan case is proof of concept that even low-level espionage now has a cryptocurrency component. It highlights both the strengths and weaknesses of this method. On one hand, Russia could quickly fund an inexperienced asset abroad with minimal intermediary steps (simply sending BTC to a wallet). On the other, those transactions created an immutable trail that, once uncovered, led investigators to a much larger secret financing network. The pattern of life and links to a known Russian exchange strongly imply a state connection. Western security services are now alert to this modus operandi: since the war, dozens of teenagers and petty criminals across Europe have been arrested in Russia-linked spy plots, many involving crypto payments. It represents an entirely new counterintelligence challenge — tracking and interdicting cryptocurrency flows as an integral part of espionage investigations. And it again demonstrates the convergence at hand: the FSB's crypto funding pipeline overlaps with the criminal ecosystem (e.g. using Garantex, which is popular with ransomware cash-outs, and possibly sourcing coins from illicit mining pools). Breaking this pipeline will require targeting those overlap points — the rogue exchanges, mixers, and facilitators that service both state and criminal clients.

Updated May 2026

Pavan was sentenced in December 2024 by a Warsaw court to 20 months in prison, with the court noting "extraordinary leniency" due to his confession and cooperation. He was eligible for early release by January 2026. The FSB handler "Slon" remains unidentified, and the $600M BTC wallet has not been seized or publicly attributed beyond the original Reuters investigation. The pattern has only accelerated: at least 12 teenagers outside Ukraine have been arrested in Russia-linked spy/sabotage cases across Germany, Poland, Britain, and Lithuania since 2022. In April 2026, a pro-Russian hacker group was reported to be "gamifying" cyberattacks on Europe with cryptocurrency rewards.

Case Study: Evita Pay — Stablecoins and Sanctions Evasion as a Service

Fig 3. Iurii "George" Gugnin, founder of Evita Pay. He pleaded guilty in April 2026 to funneling $530 million for sanctioned Russian banks via stablecoins. Photo: DOJ / Business Insider.

In June 2025, the U.S. Department of Justice unmasked a significant crypto-based sanctions evasion scheme operated from within the United States itself. Iurii "George" Gugnin, a Russian citizen and New York resident, was indicted on 22 counts for turning his crypto payments startup into a "covert pipeline for dirty money" on behalf of sanctioned Russian entities.567 Gugnin was the founder and CEO of Evita Pay (Evita Investments), a Florida-registered crypto payment processing company that outwardly offered cross-border transaction services. Behind the scenes, Evita Pay functioned as a laundering conduit funneling over $530 million through the U.S. financial system between 2019 and 2025.

According to the DOJ indictment, the scheme worked as follows: Russian customers (including major banks like Sberbank, VTB, and others on the sanctions list) would provide Gugnin with cryptocurrency — primarily the dollar-pegged stablecoin Tether (USDT) — from their accounts in Russia. Evita Pay would then layer and transfer this crypto through multiple digital wallets and exchanges, ultimately converting it into U.S. dollars which were deposited into Evita's bank accounts in New York. From those accounts, Gugnin would make payments or wire transfers on behalf of his clients, such as paying an American tech company for equipment or transferring funds to a business partner. In doing so, he effectively bypassed the normal checkpoints that would have blocked a direct wire from a sanctioned Russian bank.

The sources of the money were masked by the crypto conversion, and Gugnin went to lengths to deceive financial institutions about Evita's true activities. He lied to U.S. banks and exchanges, claiming Evita had no business in Russia and did not deal with sanctioned parties. In reality, "many of Evita's customers were located in Russia" and the funds often originated from accounts at sanctioned banks like Alfa-Bank, Sberbank, and Tinkoff. Gugnin even maintained personal accounts at some of those Russian banks, indicating his awareness and direct access to that financial ecosystem.

Evita Pay — Sanctions Evasion Flow
flowchart LR
    subgraph RUSSIA["Russia"]
        SB["Sanctioned Banks<br/>Sberbank, VTB,<br/>Alfa-Bank, Tinkoff"]
    end
    subgraph CRYPTO["Crypto Layer"]
        USDT["USDT<br/>Stablecoin"]
        WALLETS["Evita Pay<br/>Wallets<br/>(layering)"]
    end
    subgraph USA["United States"]
        BANK["Evita NY<br/>Bank Accounts<br/>(USD)"]
        TECH["US Tech<br/>Companies"]
        ROSATOM["Rosatom<br/>Procurement"]
    end
    SB -->|"crypto transfer"| USDT
    USDT -->|"multiple hops"| WALLETS
    WALLETS -->|"convert to USD"| BANK
    BANK -->|"wire transfers"| TECH
    BANK -->|"equipment purchases"| ROSATOM

The Evita Pay case showcased several hallmarks of crypto-enabled laundering. First, the prominent use of stablecoins: between mid-2023 and early 2025, Gugnin received most of the $530 million in the form of USDT stablecoin. Stablecoins provided an ideal vehicle — their 1:1 parity with the U.S. dollar meant Russian clients could effectively hold dollars outside the banking system, move them quickly via crypto ledgers, then have Gugnin convert them to actual dollars in U.S. banks at the endpoint. Here, they enabled sanctioned oligarchs to quietly "teleport" money into Manhattan.

Second, Gugnin's methods involved layering transactions and front companies to hide trails. He routed crypto through an array of wallets (some hosted at exchanges, others likely self-custodied) to break any direct link from a Russian sanctioned source to the eventual U.S. bank deposit. He also obfuscated invoices and documentation — prosecutors revealed he would digitally "white out" Russian names and addresses on invoices when purchasing U.S. technology for his clients. For instance, he used Evita funds to buy an export-controlled server from a U.S. tech company and to procure parts for Rosatom (Russia's state nuclear agency), disguising that the buyers were actually in Moscow. This is a striking example of crypto facilitating not just financial evasion but the illicit procurement of sensitive goods.

Furthermore, Gugnin abused regulatory gray areas to keep his operation running. He belatedly registered Evita Pay as a Money Service Business with FinCEN and got a Florida money transmitter license — but only by fraudulently misrepresenting the company's business (claiming no Russia ties). This gave Evita a veneer of legitimacy and allowed it to open accounts and transact with at least one compliant cryptocurrency exchange under false pretenses. Internally, however, Gugnin ignored all compliance obligations. He implemented no meaningful AML program, conducted virtually no KYC on the true customers, and filed zero Suspicious Activity Reports (SARs) despite moving over half a billion in a short period. In essence, Evita Pay was a shell company created to launder funds, cloaked as a fintech startup. Gugnin's Google search history, tellingly, included queries like "how to know if there is an investigation against you" and "money laundering penalties US" — showing consciousness of guilt.

This case underlines the evolving "sanctions evasion-as-a-service" model. Gugnin provided Russian clients a one-stop shop to convert sanctioned crypto into clean dollars. The volume — over $500 million in ~18 months — suggests a high demand for such services and a high degree of operational sophistication. It also highlights the role of U.S. gatekeeper institutions. Banks in Manhattan unknowingly cleared hundreds of millions that had been laundered through crypto, because the immediate sender was a U.S.-incorporated entity (Evita) with a U.S. account. As we will discuss, however, many similar actors likely remain at large, leveraging the same mix of stablecoins, false documentation, and global crypto liquidity to undermine financial restrictions.5

Updated May 2026

On April 1, 2026, Gugnin pleaded guilty to charges of defrauding U.S. authorities and banks while processing illicit payments for Russian clients. Sentencing has not yet been scheduled. The case was handled by DOJ's National Security Division — notably, it survived the broader retrenchment of U.S. crypto enforcement (see Enforcement section below), underscoring that sanctions evasion cases remain a priority even as other crypto prosecutions have been curtailed.

Typologies of Cryptocurrency Money Laundering

The above case studies reveal a diverse toolkit of laundering techniques that underpin crypto-enabled financial crime. Key typologies include:

Shadow Conversions (OTC Brokers & Cash-for-Crypto)

Criminals and sanctioned actors often rely on OTC brokers or underground exchangers to convert fiat cash into crypto (and vice versa) outside regulated venues. For example, Russian laundromats collected drug cash in London and swapped it to crypto (like USDT) through unlicensed brokers. In China, OTC middlemen conduct "mirror exchanges" — taking cartel dollars in the U.S. and paying out RMB in China via crypto settlements — thereby evading cross-border transaction records. These shadow on-ramps and off-ramps provide the initial entry and exit points for dirty money into the crypto ecosystem.

Complicit or Low-KYC Exchanges

A number of cryptocurrency exchanges with lax compliance serve as havens for laundering. Garantex in Russia is a prime example — even after U.S. sanctions, it continued processing hundreds of millions in illicit transactions, effectively ignoring AML/CFT rules.23 By splitting deposits across exchanges in permissive jurisdictions (e.g. Russia, certain CIS countries), launderers exploit regulatory arbitrage to cash out or move funds with minimal oversight.

Mixers and Tumblers

Cryptocurrency mixers like Tornado Cash and Blender are used to break the traceability of crypto by pooling and shuffling funds. These services co-mingle deposits from many users and return them in randomized batches, obscuring the links between input and output addresses. Tornado Cash alone was used to launder over $7 billion worth of crypto since 2019, with nearly 30% of its volume tied to illicit actors.2512 North Korea's Lazarus Group laundered $100M from a 2023 bridge hack through Tornado, and even after U.S. sanctions banned the mixer, Lazarus continued using it (switching briefly to a clone mixer "Sinbad" after Tornado's blacklisting).2728

Updated May 2026

In November 2024, the U.S. Fifth Circuit Court of Appeals ruled that OFAC exceeded its authority in sanctioning Tornado Cash's immutable smart contracts. Treasury formally delisted Tornado Cash in March 2025.26 The criminal cases against developers have produced mixed results: Roman Storm received a split verdict in August 2025 — convicted of operating an unlicensed money transmitting business, but the jury deadlocked on the more serious money laundering and sanctions conspiracy charges. Prosecutors have requested a retrial on those counts for late 2026. Alexey Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months; he was released to electronic monitoring in February 2025 pending appeal. Post-delisting, Tornado Cash processed roughly $2.5 billion in 2025, and illicit actors — including Lazarus — have continued using it alongside successor mixing services.

Chain-Hopping and Cross-Chain Bridges

Launderers frequently engage in "chain-hopping," moving crypto across multiple blockchains and tokens to make tracing harder. They might convert Bitcoin into Ethereum, then into altcoins or tokens on obscure chains. Cross-chain bridges (which swap assets between blockchains) are abused to hide tracks — each hop to a new chain forces investigators to stitch together disparate ledger records. The Lazarus hackers, for instance, swapped stolen ERC-20 tokens for ETH and used a cross-chain bridge to transfer funds to a different chain before mixing. Every transition creates complexity and potential jurisdictional hurdles.

Stablecoins and Digital Fiat Substitutes

Stablecoins pegged to hard currencies (USDT, USDC, etc.) have emerged as key instruments in cross-border laundering. They allow criminals to park funds in crypto with low volatility risk and easily swap into fiat when needed. In Evita Pay's case, over half a billion dollars came in as USDT and flowed through U.S. banks as laundered fiat. Their liquidity and 24/7 transferability make them ideal for rapid layering. However, they also introduce chokepoints: major stablecoins are managed by issuers that can blacklist addresses (and Tether has cooperated with authorities at times), so sophisticated launderers may favor decentralized or lesser known stablecoins to avoid that risk.

Updated May 2026

Russia has moved beyond merely using existing stablecoins to creating its own. The A7A5 ruble-pegged stablecoin, launched by a Moscow-based firm with state-owned Promsvyazbank controlling 49%, crossed $100 billion in cumulative transactions by January 2026 — making it the largest non-dollar stablecoin in the world. Putin personally attended a virtual ribbon-cutting. A7A5 processed over $72 billion in 2025 and was the dominant driver of sanctions-related illicit crypto flows, accounting for 86% of all illicit crypto activity. OFAC and the EU (19th and 20th sanctions packages) have sanctioned A7A5 and its associated networks, but the stablecoin's integration into Russian trade settlement makes it difficult to disrupt. Stablecoins used in illicit activity reached a five-year high of $141 billion in 2025.

Privacy Coins

Cryptocurrencies like Monero (XMR) and Zcash offer on-chain privacy features (stealth addresses, encrypted memo fields, zero-knowledge proofs) that make tracing virtually impossible when used properly. While not highlighted in our case studies, many cybercriminal and sanctioned actors use Monero to obscure trails, especially since chain analysis tools have difficulty tracking it. Ransomware groups often convert Bitcoin ransom into Monero to cash out, and North Korean actors have mined Monero directly. Privacy coins can serve as an additional layer of obfuscation in laundering typologies, though their usage is somewhat limited by lower liquidity and acceptance.

Trade-Based and Mirror Transactions

As seen with Chinese CMLOs, converting funds into goods and trade value is a powerful laundering method. Illicit crypto can be used to buy high-value goods (like electronics, gold, or raw materials) via shell companies, which are then shipped and sold — effectively turning digital assets into laundered cash abroad. Similarly, the mirror transactions described earlier allow two parties in different countries to swap value without a direct transfer. This technique was key to the Chinese networks laundering cartel money and is likely employed in other corridors (e.g. Middle East to Russia swaps via Dubai).

Real Estate and Hard Asset Integration

Converting illicit proceeds into real estate, luxury goods, and other hard assets is a classic laundering step, now facilitated by crypto. Launderers use crypto profits to purchase properties through proxies or shell companies. Dubai and London condominiums, villas on the French Riviera, high-end cars, yachts, and fine art have all been bought with laundered crypto funds. The Dubai Unlocked leaks showed extensive property holdings in Dubai by sanctioned Russians.1011 Real estate is attractive because it's a stable store of value and, in some jurisdictions, requires weak disclosure of beneficial owners.

Shell Companies and Offshore Structures

Underpinning many of the above techniques is the use of shell companies, front businesses, and trusts to hide true ownership. Whether it's an LLC in Wyoming (as TGR used) or a British Virgin Islands shell that holds a London mansion, these legal entities provide a "corporate veil." Crypto makes moving funds into these entities easier (no bank intermediaries to flag suspicious transfers). In our cases: Zhdanova created offshore firms for clients' UAE bank accounts; TGR had entities in multiple countries; and Gugnin falsified corporate filings to mask Russian involvement. Shells and crypto form a potent combination: crypto provides the anonymous funding flow, and shell companies provide the anonymous asset ownership.

Exploitation of Crypto Mining

A newer typology on the radar is the use of cryptocurrency mining to generate ostensibly "clean" coins that can be used or sold for cash. Russia, Iran, and North Korea have all pursued crypto mining as a way to monetize energy or evade sanctions. In the FSB spy case, analysts noted the suspected Russian wallet was partly funded by a "major mining pool." This suggests that Russian state actors may be mining Bitcoin (or colluding with domestic mining farms) to obtain fresh BTC that has no prior criminal taint, then using those coins to pay operatives or procure illicit items. Mining is essentially converting electricity (which sanctioned regimes often have in surplus) into untraceable money.

Updated May 2026

Russia formally legalized cryptocurrency mining in August 2024 (effective November 2024), and separately passed legislation allowing crypto in international trade settlements. Russia's global hash rate has approximately tripled since 2022. Most miners still avoid registration — fewer than a third have complied — and Russia's Ministry of Justice proposed criminal penalties (up to 5 years) for unregistered large-scale mining in December 2025. The formalization of mining means that state-linked actors can now generate "clean" BTC through legal channels while benefiting from the same infrastructure used for sanctions evasion.

Each of these typologies is often used in combination to form a multi-layered laundering process. For instance, a North Korean hacker might swap stolen tokens for ETH (chain-hop), send ETH through Tornado Cash (mix), trade the cleaned ETH for Bitcoin and Monero on a peer-to-peer market, use the Monero to pay for luxury gift cards (trade-based value), or convert to USDT and then to cash via a Chinese broker (OTC off-ramp). The end result is that by the time the funds reach their final use — whether buying weapons or mansions — the trail is convoluted and obscured by many intermediaries.

Illustrative Laundering Kill Chain — North Korean Crypto Theft
1. DeFi/Exchange Hack Theft: Lazarus Group compromises exchange or bridge. Stolen ERC-20 tokens or ETH moved to attacker-controlled wallets within minutes.
2. Chain-Hop Obfuscation: Swap stolen tokens for ETH or BTC via DEX. Use cross-chain bridge to move assets to a different blockchain, forcing investigators to stitch disparate ledgers.
3. Mixer / Tumbler Laundering: Run ETH through Tornado Cash or successor mixer. Funds are pooled with legitimate deposits and returned in randomized batches, severing the on-chain trail.
4. P2P Swap Conversion: Trade cleaned ETH for Bitcoin and Monero on peer-to-peer markets. Monero provides additional privacy layer with stealth addresses.
5. Chinese OTC Broker Off-Ramp: Convert to USDT, then to fiat via China-based OTC broker. Broker pays out in RMB or settles via trade-based laundering (goods export). No bank wire crosses a border.
6. End Use Integration: Funds purchase weapons components, luxury goods, or real estate via shell companies. The trail from theft to final use spans multiple blockchains, jurisdictions, and intermediaries.

Jurisdictional Vulnerabilities and Safe Havens

Dubai's combination of secrecy, booming real estate, and rapid crypto adoption has made it a destination of choice for sanctioned wealth — despite recent regulatory improvements.

A recurring theme in these cases is the exploitation of certain jurisdictions that offer weak enforcement, regulatory loopholes, or outright safe haven for illicit financial activity. Key vulnerable jurisdictions include:

United Arab Emirates (Dubai)

The UAE, particularly Dubai, has emerged as a destination of choice for illicit crypto money and sanctioned wealth. Dubai's combination of secrecy, booming real estate, and historically lax oversight makes it a magnet for money launderers.163047 Until recently, Dubai's real estate agents and lawyers had no requirement to report large cash or crypto deals, enabling countless transactions with dirty money. Investigations like Dubai Uncovered/Unlocked revealed hundreds of properties owned by sanctioned individuals, corrupt officials, and criminals from around the world.2946

In our context, Ekaterina Zhdanova based much of her operation in Dubai — running a "tax residency" service to get Russians Emirati IDs and bank accounts. TGR's network included Dubai-registered firms facilitating fund flows. Dubai's appeal lies in its neutrality (not aligning with Western sanctions), lack of extradition treaties historically, and a desire to attract foreign capital with minimal questions. The UAE has made notable improvements — new AML regulations for real estate (2022), cooperation in U.S. cases, and removal from the FATF grey list in February 2024 — but the sheer volume of suspect capital in Dubai presents an ongoing vulnerability.404142 Dubai's Virtual Assets Regulatory Authority (VARA) fined 19 unlicensed crypto firms in 2025 and has blocked privacy coins, signaling a shift from experimentation to enforcement — though whether this will meaningfully deter the flows described above remains to be seen.

Russia and Post-Soviet States

Russia itself is a permissive jurisdiction for crypto crime — not by law, but by practice. The Russian government has not only tolerated but seemingly encouraged certain crypto activities that support its interests (e.g. ransomware groups operating domestically and paying "taxes" to intelligence services).18 Exchanges like Garantex, Bitzlato, and formerly BTC-e have operated out of Russia or neighboring states with impunity until foreign sanctions hit. Cybercriminal safe havens like Russia pose a challenge because local law enforcement won't act against "patriotic" hackers or launderers. Other Eurasian jurisdictions — e.g. Belarus, parts of Ukraine's occupied territories, Central Asian countries — sometimes fill this gap, providing banking and corporate registration that can be used by Russian networks.

China and Hong Kong

As detailed, China is a primary hub for underground financial networks leveraging crypto. While China formally banned domestic crypto exchanges, OTC trading and crypto-to-fiat movements via Hong Kong remain robust. Hong Kong, with its global financial center status and more open economy, is often the intermediary — many shell companies used in laundering schemes are registered in Hong Kong, and Hong Kong's banking sector has been misused to wash funds. Additionally, cities like Shenzhen, Guangzhou, and Dandong in mainland China host brokers who handle enormous illicit flows with little interference. Chinese enforcement tends to prioritize domestic stability over clamping down on activities that mostly harm foreign interests. This asymmetry — where Chinese networks can freely facilitate crime abroad — is a significant vulnerability in the international system.

Jurisdictions with Weak Corporate Transparency

Many laundering schemes take advantage of jurisdictions known for shell companies and limited beneficial ownership disclosure. These include classic offshore havens like the British Virgin Islands, Seychelles, and Panama, as well as onshore but secretive jurisdictions like Delaware and Wyoming in the U.S., the UK (for trusts), and Luxembourg.323435 For instance, Zhdanova's clients hid behind BVI companies to buy London real estate. The TGR network used a Wyoming LLC (Pullman Global Solutions), possibly to mask funds in U.S. investments. The UK's National Crime Agency has lamented that hundreds of billions of illicit funds wash through the UK each year — though the UK has started implementing a register of foreign property owners and tightening company registration in response.3339

The United States (Specific Weak Points)

While the U.S. generally has strong AML laws, certain aspects create vulnerabilities. Real estate in the U.S. until recently did not require beneficial owner reporting except in select cities under temporary orders. Luxury property purchases via LLCs in Florida, New York, or California have been a way for foreign kleptocrats to hide money. Also, crypto-friendly states like Wyoming and certain fintech charter regimes could be misused by front companies. The stablecoin market is largely outside traditional banking regulation — Tether, for instance, is based offshore — meaning billions in quasi-dollar assets move without the same oversight as bank dollars. This was the gap Gugnin leveraged. Lastly, fragmented oversight between federal and state regulators can result in things slipping through (for example, Evita Pay got a state license under false pretenses, which a more comprehensive vetting might have caught sooner).

Updated May 2026

The U.S. regulatory landscape has shifted significantly since this report was written. The Corporate Transparency Act, which was to create a national beneficial ownership registry, was effectively gutted in March 2025 when FinCEN exempted all U.S. companies and persons from reporting — only foreign companies registered in the U.S. must now file. (New York enacted its own LLC Transparency Act, effective January 2026, partially filling the gap.) On stablecoins, the GENIUS Act — signed into law in July 2025 as the first federal crypto legislation — requires 1:1 dollar backing, monthly audits, and AML compliance for stablecoin issuers, partially closing the regulatory gap described above. FinCEN and OFAC jointly proposed implementing rules (April 2026) mandating sanctions compliance programs for stablecoin issuers.

In summary, the convergence of crypto and illicit finance thrives in the seams of the global system — where East meets West (Dubai, Hong Kong), where regulated meets unregulated (offshore shells, decentralized exchanges), and where enforcement is uneven. These jurisdictional weak links allow sophisticated launderers to play "hide-and-seek" with funds: bouncing value from a bank in Moscow to Tether to a Dubai crypto exchange to a Seychelles shell company's account in London, and so on. Identifying and hardening these vulnerable points is critical for any strategy to counter the threat.

Enforcement and Countermeasures: Progress and Gaps

Law enforcement and regulatory bodies worldwide are grappling with this new frontier of financial crime. There have been notable successes in piercing crypto-enabled schemes, as well as challenges that require urgent attention.

On the enforcement front, multinational operations and sanctions designations have been key tools. Operation Destabilise (led by the UK NCA with help from U.S. OFAC, DEA, FBI, and others) demonstrated the impact of coordinated action: dozens of arrests, millions seized, and the outing of major players.813 OFAC has aggressively wielded its sanctions authority against facilitators in the crypto space. In 2022, OFAC took the unprecedented step of sanctioning crypto mixing services — adding Blender.io and Tornado Cash to the SDN list for their role in laundering funds for North Korea and Russian criminals.2528 OFAC also sanctioned individuals like Ekaterina Zhdanova and entities associated with TGR,21 which has the effect of freezing any of their assets within U.S. reach and barring U.S. persons from transacting with them.

Criminal prosecutions are another prong. The U.S. Department of Justice formed a National Cryptocurrency Enforcement Team (NCET) in late 2021, and DOJ pursued cases ranging from the Bitfinex hack launderers to darknet marketplace operators. The indictment of Iurii Gugnin in New York, the Sim Hyon Sop & Chinese brokers indictment in 2023, and the convictions of several money mule networks showed that investigators were tracing crypto and willing to bring complex charges. The Gugnin case in particular highlighted DOJ's view of these crimes as national security matters — it was handled by the National Security Division and prosecutors explicitly framed it as "enabling foreign adversaries."5

Updated May 2026

The U.S. enforcement posture has shifted fundamentally since this report was written. In early 2025, the new administration disbanded the NCET (April 2025), shut down the KleptoCapture Task Force (February 2025), and dropped most Biden-era SEC enforcement actions against crypto firms. Deputy AG Todd Blanche stated that DOJ is "not a digital assets regulator." Crypto enforcement responsibility was returned to individual U.S. Attorney's offices, with DOJ explicitly narrowing its focus to cases involving terrorism financing, sanctions evasion, narcotics, and DPRK theft. The KleptoCapture Task Force — which had restrained nearly $700 million in assets from Russian enablers before closure — saw its seized funds redirected to other government priorities. The GENIUS Act (first federal stablecoin law, July 2025), a Strategic Bitcoin Reserve (March 2025 executive order), and the repeal of DeFi broker reporting rules reflect a broader reorientation from enforcement toward industry promotion. However, national security cases continue: the Garantex indictments, Gugnin guilty plea, and Prince Group sanctions ($15B Bitcoin seizure, October 2025) all post-date the policy shift.

Meanwhile, in Europe, countries like Poland, Germany, and France have ramped up prosecutions of Russian espionage operatives and their facilitators, often incorporating the crypto angle when present. Poland has quietly become a leader in blockchain analysis for security cases due to the spy incidents on its soil. Germany's federal police similarly worked on cases of teenagers recruited by Russia (some paid in crypto) and has pushed for EU-level action.

Despite these efforts, significant gaps and challenges remain:

Targeting Chinese Underground Networks

As noted, U.S. agencies lack a coordinated strategy to disrupt the Chinese CMLOs that are laundering money at unprecedented scale. These networks operate out of reach of Western law enforcement and often under the radar of Chinese law. Traditional tools like indictments or sanctions are important but haven't stemmed the tide. Lawfare analysts advocate more innovative measures: greater intelligence sharing, undercover cyber operations, and diplomatic pressure on China to rein in these groups.1

Jurisdictional Cooperation

Some jurisdictions mentioned as safe havens are starting to face pressure. The UAE was placed on the FATF "grey list" for deficiencies in money laundering controls in 2022 (a reputational prod) and has since passed new laws and cooperated in high-profile money laundering busts.3141 However, enforcement on the ground can be inconsistent. In the case of Russia, direct law enforcement cooperation is obviously dead due to the geopolitical situation. Instead, Western agencies have focused on disrupting Russian-linked networks externally — for instance, U.S. Treasury and DOJ worked with Latvian and Estonian authorities to shut down ChipMixer (another mixer service) and to arrest a Russian exchange operator in 2023 who ran an OTC desk for ransomware gangs.

Regulatory Measures in Crypto Markets

Regulators are tightening rules for the crypto industry to choke off some abuse. The Financial Action Task Force (FATF) has adopted the "Travel Rule" for crypto, requiring exchanges to share sender/recipient information on transfers — though as of April 2025, only 29% of jurisdictions are fully compliant. The EU's Markets in Crypto-Assets (MiCA) regulation went fully into effect on December 30, 2024, with over 40 licenses issued and more than €540 million in penalties since enforcement began. The EU has also enacted a ban on privacy coins and anonymous crypto wallets (Regulation 2024/1624, effective July 2027), with a new EU Anti-Money Laundering Authority (AMLA) in Frankfurt set to directly supervise crypto firms. Yet, implementation remains uneven globally — thousands of smaller exchanges or DeFi platforms simply ignore such rules. DeFi (decentralized finance) presents a particularly thorny issue: mixers like Tornado exist as code on blockchain, not as companies, so sanctioning them has mainly symbolic effect unless someone can actually shut the smart contracts down.

Blockchain Analytics & Asset Seizure

On the positive side, law enforcement now routinely uses blockchain tracing software (Chainalysis, Elliptic, TRM Labs, etc.) and has had notable successes seizing funds. The U.S. DOJ in 2022 seized $3.6 billion in Bitcoin from the Bitfinex hack launderers — the largest crypto seizure ever. In 2023, $30M stolen by North Korean hackers was seized back from exchanges with the help of private analysts. These seizures usually occur when criminals make a mistake by depositing funds into a service that cooperates with law enforcement. As criminals shift to decentralized exchanges (DEXs) or privacy coins, seizures get harder. But interestingly, offensive cyber operations have been employed — U.S. authorities reportedly hacked the infrastructure of the Sinbad mixer and were able to obtain control, which is how they took it down.27

Policy and Legislative Responses

Policymakers have begun to address crypto in sanctions and AML contexts, though the direction varies sharply by jurisdiction. In the U.S., the GENIUS Act (July 2025) established the first federal framework for stablecoins, requiring 1:1 reserves and AML compliance. The CLARITY Act (digital asset market structure) passed the House in 2025 but remained pending in the Senate as of early 2026. However, the current administration simultaneously repealed DeFi broker reporting rules and gutted the Corporate Transparency Act, reflecting a tension between stablecoin regulation and broader industry deregulation. The EU has moved more aggressively: MiCA is fully in force, privacy coins are banned (effective 2027), and the AMLA will directly supervise crypto firms.

Overall, while awareness has increased, the response is fragmented and — in the U.S. — has arguably retreated from its 2022–2024 peak. The KleptoCapture Task Force, which had restrained nearly $700 million in assets from Russian enablers, was shut down in February 2025. The NCET was disbanded in April 2025. The intersection of national security (sanctions evasion, espionage) and traditional crime in the crypto arena means agencies that didn't historically work together must coordinate — yet the institutional infrastructure for that coordination has been weakened.58 Internationally, organizations like Interpol and the Egmont Group have formed crypto-focused working groups, and the EU has taken significant steps. Yet, as long as there exist jurisdictions and technologies that provide an avenue for secrecy and movement of funds, determined actors will exploit them.

Strategic Recommendations

To effectively counter the intertwined threats of crypto-facilitated laundering and state-enabled financial crime, a multi-pronged strategy is required. Below are key recommendations:

1. Prioritize Disruption of Key Nodes

U.S. and allied authorities should make it a top priority to target Chinese underground banking networks enabling North Korea, cartels, and sanctioned Russians. This could include forming an interagency task force focused on these networks, much like past efforts against the Colombian cartels' money networks. On the crypto exchange front, aggressively sanction or shut down rogue exchanges like Garantex that cater to criminals. Public-private partnerships can help: blockchain analytics firms often know which exchanges are highest-risk — regulators can use that intel to pressure banks and payment processors to cut off those exchanges.

2. Close Regulatory Gaps for Mixers, Mining, and DeFi

Policymakers must bring currently unregulated crypto activities under the AML umbrella. This means clarifying that mixers/tumblers have AML obligations or can be sanctioned if they fail to register and conduct KYC. For cryptocurrency mining, require that mining operations implement sanctions screening for their payouts. DeFi exchanges and cross-chain bridges that facilitate anonymity should be incentivized or compelled to integrate compliance tools.

3. Strengthen Global Cooperation and Information Sharing

The transnational nature of these crimes means no country can tackle them alone. Enhance intelligence sharing between Western law enforcement and financial intelligence units (FIUs) regarding crypto addresses and typologies linked to state actors and crime networks. Expand joint investigations under bodies like the Egmont Group or bilateral MLATs to include crypto-specific leads. With Hong Kong and Singapore, emphasize the need to supervise OTC markets and exchanges tightly.

4. Increase Transparency in Corporate and Property Ownership

A foundational way to stymie crypto launderers is to remove the anonymity of shell companies and assets they ultimately seek. Countries should implement and enforce public beneficial ownership registries for companies and trusts, as well as real estate ownership transparency.59 The U.S. Corporate Transparency Act was designed to create such a database, but its domestic requirements were largely gutted in 2025 (see Jurisdictional Vulnerabilities above). The UK recently launched a register for overseas entities owning property.3352 Pushing jurisdictions like the BVI, Cayman Islands, and Dubai to either adopt transparency or face countermeasures will make it harder for launderers to park funds in opaque assets.

5. Leverage Advanced Analytics and AI

Governments should invest in next-generation blockchain analytics and AI pattern recognition to spot complex layering activity in real time. Machine learning could help identify previously unknown clusters of addresses that are likely controlled by the same entity (as was done with the FSB's 161-address cluster). By correlating blockchain data with other datasets (communication metadata, travel records, etc.), investigators can get leads on the human actors behind wallets. Real-time monitoring of known bad actor wallets can also give early warning of funds moving — allowing law enforcement to possibly seize assets when they hit an exchange.3637
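An added example (not from the original report or from any analytics vendor) of the address clustering and watchlist expansion this recommendation refers to. It uses the common-input-ownership heuristic, a standard rule-based technique, rather than the machine learning the paragraph mentions; the transaction format, the addresses and the simplified CoinJoin check are constructed assumptions.

```python
from collections import Counter


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:          # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Simplified check (an assumption of this sketch): several distinct
    input addresses plus a run of equal-valued outputs suggests a
    collaborative transaction whose inputs belong to different parties,
    so the common-input heuristic must not be applied to it."""
    if len(set(tx["inputs"])) < min_equal_outputs:
        return False
    values = Counter(value for _, value in tx["outputs"])
    return max(values.values(), default=0) >= min_equal_outputs


def cluster_addresses(txs, skip_coinjoin=True):
    """Merge addresses that co-sign inputs of the same transaction."""
    ds = DisjointSet()
    skipped = []
    for tx in txs:
        inputs = list(dict.fromkeys(tx["inputs"]))   # de-duplicate, keep order
        if not inputs:                               # coinbase (newly mined) tx
            continue
        if skip_coinjoin and looks_like_coinjoin(tx):
            skipped.append(tx["txid"])
            continue
        ds.find(inputs[0])
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    return ds, skipped


def expand_watchlist(txs, seeds, skip_coinjoin=True):
    """Grow a set of known addresses to every address in the same cluster."""
    ds, skipped = cluster_addresses(txs, skip_coinjoin)
    seed_roots = {ds.find(s) for s in seeds}
    members = {a for a in list(ds.parent) if ds.find(a) in seed_roots}
    return members, skipped


# Constructed sample transactions: inputs are addresses, outputs are
# (address, value in satoshis). None of these are real identifiers.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["addr_A1", "addr_A2"],
     "outputs": [("addr_X", 5000), ("addr_A3", 1200)]},
    {"txid": "tx2", "inputs": ["addr_A2", "addr_A4"],
     "outputs": [("addr_Y", 7000)]},
    {"txid": "tx3", "inputs": ["addr_B1"],
     "outputs": [("addr_Z", 100)]},
    {"txid": "tx4", "inputs": ["addr_A4", "addr_C1", "addr_D1"],
     "outputs": [("o1", 1000), ("o2", 1000), ("o3", 1000), ("addr_C2", 37)]},
    {"txid": "tx5", "inputs": [],
     "outputs": [("addr_M1", 625000000)]},
]

if __name__ == "__main__":
    members, skipped = expand_watchlist(SAMPLE_TXS, {"addr_A1"})
    print("watchlist:", sorted(members))
    print("skipped as probable CoinJoin:", skipped)
```

Without the CoinJoin filter, the single mixed transaction `tx4` would pull two unrelated parties into the cluster, which is how false attribution enters a watchlist.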

6. Enhance Sanctions Enforcement on Crypto Channels

U.S. sanctions authorities should work closely with major stablecoin issuers (Tether, Circle) to freeze addresses linked to sanctioned persons or entities whenever feasible. Formalizing that cooperation — possibly via regulation classifying stablecoin issuers as financial institutions under the BSA — would remove a major avenue for sanctioned funds. Additionally, monitor and sanction any crypto mining operations that provide revenue to sanctioned governments.

7. Build Cryptocurrency Capacity in Law Enforcement

Many countries still lack expertise in crypto investigations. It's crucial to train investigators, prosecutors, and regulators in blockchain analysis and the crypto underground's workings. The U.S. and EU could fund capacity-building programs — e.g., equip Eastern European countries on Russia's periphery with tools and training to track FSB/GRU crypto operations (as Poland has done domestically). Encourage fusion centers where cybercrime experts, financial analysts, and traditional agents sit together to tackle cases holistically.

8. Proactive Engagement with the Crypto Industry

Regulators and law enforcement should engage exchanges, blockchain startups, and even DeFi developers in dialogue about designing systems resistant to abuse. Promote blockchain analytics API integration into exchange platforms so even smaller exchanges can automatically screen wallets and transactions for risks. Encourage industry-led "bad actor" address consortiums, where exchanges share info on addresses linked to scams or sanctioned entities. The honest majority of the crypto industry has an incentive to distance itself from illicit finance to achieve mainstream legitimacy.

9. Target the Convergence Points

Because we are dealing with converged threats (state actors using criminal networks), strategies should also converge. For instance, when pursuing North Korean hack funds, simultaneously investigate the Chinese brokers and Russian touchpoints that intersect with those funds — build a complete network map. Use "whole-of-government" toolkits. In espionage cases, make crypto tracing an integral part of counterintelligence operations. By targeting the links between state and criminal financial systems, we can have outsized impact.

10. Public Awareness and International Norms

Finally, treat this as an international security threat that requires norm-building. Just as there are norms forming against state-sponsored cyberattacks on critical infrastructure, push for norms against harboring crypto-crime. G7 or G20 statements could explicitly call out countries that permit crypto money laundering for rogue states. Increase public transparency by governments naming and shaming facilitators. In essence, treat illicit crypto finance as a top-tier illicit finance issue, on par with terror financing and proliferation finance, in all international forums.56,60

Implementing these recommendations will not be easy — adversaries will adapt, and some industries will resist regulation. However, the cost of inaction is to allow a burgeoning shadow financial system to undermine sanctions, enrich criminals, and fund activities hostile to global security. By acting decisively and collaboratively, policymakers and law enforcement can make significant strides in containing the threat. The convergence of cryptocurrency, underground banking, and state-enabled crime is a complex challenge, but it is one that our investigative and analytic capabilities are increasingly equipped to meet.

Sources

  1. lawfaremedia.org — The World's Underground Bankers
  2. Business Insider — North Korean Hackers Launder Millions
  3. Reuters — Europe Espionage: Teen Spy
  4. Decrypt — Russia Paying Teenage and Untrained Spies Using Bitcoin
  5. DOJ — Founder of Cryptocurrency Payment Company Charged
  6. TRM Labs — From Moscow to Manhattan
  7. Business Insider — Crypto Money Laundering, Russian Bank Sanctions, Evita Pay
  8. Chainalysis — NCA Disrupts Multi-Billion-Dollar Russian Money Laundering Network
  9. Chainalysis — OFAC Russia Crypto Money Laundering Sanctions 2023
  10. Wikipedia — Dubai Uncovered
  11. OCCRP — Dubai Unlocked
  12. Sen. Warren — Risks of Crypto Mixers for Russian Oligarchs
  13. UK's NCA and US Treasury's OFAC Take Action Against Key Players in Russian Global Money Laundering Network — TRM Labs
  14. Operation Destabilise — Press Pack PDF
  15. Disabling the Enablers of Sanctions Circumvention — RUSI
  16. UAE's Crypto Landscape — Eliminating Financial Crime
  17. The enablers within: how UK professionals are helping Russian elites evade asset freezes
  18. Russia, Ukraine, and organized crime and illicit economies in 2024 — Brookings
  19. Crypto firm moved $4.2m of assets to digital wallet linked to alleged Russian arms dealer — ICIJ
  20. Treasury Targets Global Sanctions Evasion Network Supporting Russia's Military-Industrial Complex
  21. Treasury Designates Virtual Currency Money Launderer for Russian Sanctions Evasion
  22. Operation Destabilise — Wikipedia
  23. Garantex — Merkle Science
  24. Chainalysis — International Action Dismantles Notorious Russian Crypto Exchange Garantex
  25. Tornado Cash: Understanding the Sanctions and Their Implications — Caldwell Law
  26. A Legal Whirlwind Settles: Treasury Lifts Sanctions on Tornado Cash
  27. Operators of Cryptocurrency Mixers Charged with Money Laundering
  28. Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Crypto
  29. Dubai Unlocked — C4ADS
  30. How AML Rules Are Reshaping Dubai's Property Investment Landscape in 2025
  31. Anti-Money Laundering Body Pledges to Probe OCCRP Findings on UAE
  32. The End of Londongrad? Ownership transparency and Offshore
  33. Further changes to the Register of Overseas Entities coming into effect this summer — Herbert Smith Freehills
  34. Trust Issues: Tackling the final frontier in secret property ownership
  35. Uncovering hidden power in the UK's PSC Register — Tax Justice Network
  36. 2025 Crypto Crime Trends from Chainalysis
  37. The Chainalysis 2025 Crypto Crime Report
  38. US Sanctions Russian National for Helping Ransomware Groups Launder Money — SecurityWeek
  39. Economic Crime and Corporate Transparency Act: outline transition plan for Companies House — GOV.UK
  40. United Arab Emirates — A&O Shearman
  41. The Removal of the UAE from the FATF's grey list in February 2024 — CRI Group
  42. Anti-Money Laundering Laws and Regulations: The UAE's AML Transformation 2025 — ICLG.com
  43. Dubai regulator sets compliance deadline for updated crypto rules — Cointelegraph
  44. Dubai regulator clarifies real-world asset tokenization rules — Cointelegraph
  45. Cryptocurrency Regulations in the UAE [Crypto UAE 2025] — KYC Hub
  46. The C4ADS Dubai Property Database (2022)
  47. UAE's Most Vulnerable Sectors for Money Laundering in 2025 — AML Watcher
  48. Dubai real estate market shatters records — ZAWYA
  49. UAE Real Estate in 2025: AML Compliance and Investment Trends — Insights
  50. Dubai Real Estate Adopts Cryptocurrency in 2025 — Kanebridge News
  51. Dubai Real Estate embraces cryptocurrency in 2025: Risks & Rewards — ZAWYA
  52. How to protect your details on the UK's Register of Overseas Entities — Hawksford
  53. Overseas Territories: Tax Transparency — Hansard, UK Parliament
  54. Register of Overseas Entities (Protection and Trusts) — Hansard, UK Parliament
  55. UK Sanctions: A New Package, Guidance and Legal Clarifications — Skadden Arps
  56. Economic Crime Plan 2 (2023-2026) — GOV.UK
  57. Untitled — Centre for Geopolitics, University of Cambridge
  58. OFSI Annual Report shows UK Has Frozen £25bn in Russian Assets — AML Watcher
  59. The fight for beneficial ownership transparency isn't over — Tax Justice Network
  60. Economic Crime Strategy 2025 — final progress report, May 2025

CrimsonVector — Investigative research by Diego Parra into sanctions evasion, criminal infrastructure, and financial crime networks.