5 New Crypto Laundering Patterns to Watch Out for in 2025

Merkle Science
May 23, 2025

Laundering tactics in crypto are evolving fast—from meme coins used by Lazarus Group to hacks disguised as everyday trading. Sanctioned mixers like Tornado Cash are making a comeback, and even recovery efforts now face the challenge of user-driven bank runs. Meanwhile, new tech-driven responses, like Bybit’s blacklist API, hint at how the industry might fight back.

This article explores the emerging laundering patterns shaping crypto crime in 2025—and what exchanges, investigators, and regulators need to watch next.

Meme coins for laundering

The Lazarus Group has carried out so many cyberattacks that its laundering strategies have become disturbingly predictable, often involving DeFi protocols, coin mixers, and instant exchanges. However, after the $1.5 billion Bybit hack, the scale of the theft forced the North Korean state-sponsored hacking group to seek alternative methods to move funds.

One of the most novel techniques they employed involved the use of meme coins. Long associated with speculation and internet culture, meme coins have historically been used in crypto-related crimes in two main ways. One involves hijacking celebrity social media accounts to promote pump-and-dump schemes; the second involves promising the launch of a meme coin as a front for phishing campaigns and wallet drainers.

Recently, Lazarus introduced a third tactic: using meme coins for money laundering. Merkle Science’s investigation, which connected the Bybit breach to at least four other incidents—Poloniex, BingX, WazirX, and Phemex—found that the group created a meme coin using Solana’s pump.fun platform and laundered several million dollars through it.

The use of meme coins as a laundering conduit is particularly alarming because this segment of crypto remains largely unregulated and chaotic. Anyone can launch and trade meme coins with minimal oversight, creating an ideal environment for malicious actors to obfuscate illicit financial flows under the guise of market hype and volatility.

Smurfing as a ruse

Most people associate smurfing with efforts to evade financial compliance rules. For instance, the Travel Rule mandates the collection and transmission of information for transactions over $3,000 in the United States, and over $1,000 in jurisdictions that follow Financial Action Task Force (FATF) guidelines. To circumvent these thresholds, smurfing involves breaking up a larger transaction into smaller ones—such as two $1,500 transfers in the U.S.—so that originator and beneficiary information need not be disclosed.

However, smurfing is not limited to regulatory evasion; it can also be leveraged as part of a cyberattack. This tactic was employed in the January 2025 breach of NoOnes, a peer-to-peer crypto marketplace. Instead of draining the platform’s hot wallet in a single, conspicuous transaction, the attackers executed hundreds of withdrawals—each just under an artificial $7,000 threshold. This pattern mimicked typical trading behavior, which rarely includes large, singular transfers. As a result, the malicious activity blended in with legitimate transactions, delaying NoOnes’ detection and response to the breach.

This type of deception is likely to become more common, offering attackers more time to launder stolen funds. To counter such tactics, enterprises must move beyond manual monitoring and adopt blockchain analytics capable of detecting subtle behavioral anomalies—patterns that may appear legitimate to human analysts but raise red flags for intelligent systems.
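The withdrawal pattern described above can be caught by looking for amounts that pile up just under a single ceiling within a short time window, without knowing the ceiling in advance. The detector below is an added example, not code from Merkle Science or NoOnes; the event layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

def densest_band(amounts, band):
    """(count, ceiling) of the largest cluster within [ceiling*(1-band), ceiling]."""
    s = sorted(amounts)
    best = (0, 0)
    for top in s:
        n = bisect_right(s, top) - bisect_left(s, top * (1 - band))
        if n > best[0]:
            best = (n, top)
    return best

def first_structuring_alert(events, window=timedelta(hours=1), band=0.05,
                            min_count=25, min_share=0.6):
    """events: (timestamp, amount_usd) withdrawals from one hot wallet.
    Returns the first window in which most withdrawals sit just under a
    single ceiling, or None. The ceiling is inferred, not configured."""
    events = sorted(events)
    start = 0
    for end, (ts, _) in enumerate(events):
        while events[start][0] < ts - window:   # slide the window forward
            start += 1
        amounts = [a for _, a in events[start:end + 1]]
        count, ceiling = densest_band(amounts, band)
        if count >= min_count and count / len(amounts) >= min_share:
            return {"at": ts, "ceiling": ceiling, "count": count,
                    "share": round(count / len(amounts), 2)}
    return None

def constructed_sample():
    """Constructed data: ordinary activity, then a drain under a $7,000 cap."""
    t0 = datetime(2025, 1, 1, 0, 0)
    baseline = [(t0 + timedelta(minutes=6 * i), 50 + (i * 397) % 5000)
                for i in range(40)]
    drain = [(t0 + timedelta(hours=4, seconds=30 * i), 6900 + (i * 13) % 100)
             for i in range(60)]
    return baseline, drain

if __name__ == "__main__":
    baseline, drain = constructed_sample()
    print(first_structuring_alert(baseline))          # ordinary activity only
    print(first_structuring_alert(baseline + drain))  # activity plus the drain
```

Withdrawal amounts that are naturally quantized, such as popular round-number sizes, also cluster, so `band`, `min_count` and `min_share` need tuning against a platform's own baseline before alerts are trusted.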

Exchanges also have to deal with bank runs

Hacks in the crypto space have traditionally been a single-front battle: once an exchange or crypto business is breached, the focus turns to investigating the incident, recovering funds, and identifying the perpetrators. This alone is a technically complex and time-sensitive task. However, the nature of crypto incidents has evolved—businesses now face a two-front war.

In addition to managing the hack itself, exchanges must now deal with user panic and reputational fallout. Past breaches have created a lasting perception that users may lose access to their funds following an attack. In many cases, compromised exchanges lacked sufficient liquidity to honor user balances, further fueling this fear.

This reputational damage has spillover effects. For instance, when Phemex was hacked in January 2025, panic spread quickly. According to Phemex’s own data, trading volume on the BTC/USDT pair surged to 15,000 BTC per hour—a 300% increase—while ETH/USDT volume rose to 50,000, a 400% increase. These spikes likely reflect users scrambling to move assets away from the tokens or platforms perceived to be compromised. Despite initially pledging to keep withdrawals open, Phemex ultimately halted trading, compounding the erosion of user trust.

This pattern highlights a growing trend: users are increasingly proactive in protecting their assets during times of uncertainty. But such actions can amplify the crisis, turning a cyberattack into a liquidity crisis akin to a bank run—a rapid, large-scale withdrawal of funds that strains or even breaks the platform’s operational capacity.

Going forward, crypto businesses must develop more effective crisis communication strategies and user protection protocols. Simply assuring users that withdrawals won’t be paused—and then reversing that stance—only deepens mistrust. To survive future incidents, exchanges must build transparent, reliable systems for engaging users and maintaining stability under pressure.

Facilitate blacklisting through tech

Many organizations maintain blacklists to combat illicit activity and sanctions evasion—one of the most notable being the U.S. Office of Foreign Assets Control (OFAC). These mandates are relatively easy for crypto businesses to follow: they routinely monitor these official lists and update their internal blacklists to avoid transacting with sanctioned or prohibited wallet addresses.

However, things become more complicated when exchanges themselves are hacked. In such cases, the breached platforms often publish lists of suspicious wallet addresses, urging others in the ecosystem not to engage with them. Unlike OFAC lists, these disclosures are decentralized and inconsistent. Crypto businesses face real challenges in tracking every disclosure from hacked exchanges globally, and technical limitations may prevent easy integration of these ad hoc blacklists into their compliance systems.

Despite the chaos it caused, the Bybit hack may have introduced a valuable innovation in this space. Following its hack, the exchange released an API providing real-time access to the list of suspicious wallets tied to the breach. This made it significantly easier for other platforms to collaborate and take action quickly, and it contributed to the recovery of up to $42.89 million.

Bybit’s approach could set an important precedent. If more exchanges adopt standardized, programmatic ways to share threat intelligence—such as open APIs for wallet blacklists—it could dramatically improve the crypto industry's collective ability to respond to attacks. This would raise the bar for criminals attempting to launder stolen funds and add an important layer of defense to the ecosystem.
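The integration problem described in this section, as an added example that is not Bybit's API or any exchange's code: two incident disclosures in different, hypothetical layouts are merged into one screening list with provenance. The feed formats, source names and addresses are assumptions constructed for illustration.

```python
import json
import re

EVM_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr):
    """EVM addresses differ only by checksum casing, so compare them in lower
    case; other formats (e.g. base58) are case-sensitive and kept as-is."""
    addr = addr.strip()
    return addr.lower() if EVM_ADDRESS.fullmatch(addr) else addr

def parse_json_feed(text):
    """Hypothetical layout: {"addresses": [{"address": "...", ...}, ...]}"""
    return [row["address"] for row in json.loads(text)["addresses"]]

def parse_text_feed(text):
    """Hypothetical layout: one address per line, '#' starts a comment."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line for line in lines if line]

def merge_feeds(feeds):
    """feeds: {source_name: [address, ...]} -> {normalized_address: {sources}}"""
    merged = {}
    for source, addresses in feeds.items():
        for addr in addresses:
            merged.setdefault(normalize(addr), set()).add(source)
    return merged

def screen(destination, blacklist):
    """Sources that flagged this destination, sorted; an empty list means no hit."""
    return sorted(blacklist.get(normalize(destination), ()))

# Constructed sample disclosures; neither address is a real indicator.
EVM_MIXED = "0x" + "aB12" * 10
FEED_A = json.dumps({"addresses": [{"address": EVM_MIXED, "chain": "ETH"}]})
FEED_B = ("# exchange-b incident list (constructed)\n"
          + EVM_MIXED.lower() + "  # same wallet, different casing\n"
          + "ConstructedBase58Addr111\n")

BLACKLIST = merge_feeds({"exchange-a-api": parse_json_feed(FEED_A),
                         "exchange-b-post": parse_text_feed(FEED_B)})

if __name__ == "__main__":
    print(screen("0x" + "AB12" * 10, BLACKLIST))   # matched despite casing
```

A plain string comparison would treat the two casings of the same EVM wallet as different entries and miss the match, which is one of the ways ad hoc lists fail when pasted into a compliance system unnormalized.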

Resurgence of Tornado Cash 

Crypto mixers—most notably Tornado Cash—were driven underground after the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on the service on August 8, 2022, citing its role in laundering illicit funds.

However, in November 2024, an appellate court ruled that the Treasury had overstepped its authority in sanctioning Tornado Cash, effectively lifting the sanctions.

While mixers like Tornado Cash have long been a fixture in money laundering operations, the reversal could trigger a surge in usage—particularly among U.S. citizens, residents, and businesses that were previously barred from using it.

This development raises serious concerns. If authorities are unable to impose meaningful restrictions on open-source code, not only could existing mixers see renewed activity, but new tools designed to facilitate laundering may emerge with little fear of legal consequence. While the U.S. can still pursue charges against developers, the effectiveness of such enforcement remains uncertain. Tornado Cash developer Roman Storm, for example, is set to go to trial in July 2025, and although the appellate decision may work in his favor, the outcome remains unclear.

Conclusion 

As crypto laundering tactics evolve, exchanges and law enforcement need adaptable, forward-looking tools. Merkle Science delivers exactly that: Tracker for crypto crime investigations, Compass for compliance and suspicious transaction reporting, and Institute for training—all designed to keep pace with emerging threats. Together, they help stakeholders respond faster, stay compliant, and build long-term resilience in an increasingly complex crypto landscape.
