Merkle Meets London 2025: Crypto Crime Has Gone Fully Professional

Merkle Science
November 19, 2025

On October 10, 2025, Merkle Meets London brought together law enforcement, compliance leaders, regulators, exchanges, and blockchain builders for a full day of panels, case studies, and live demos. Across the sessions, one message came through clearly: crypto crime in 2025 is professional, scalable, and deeply integrated into global illicit finance.

The conversations did not stop at crime. Compliance and regulatory experts also examined what “good” looks like under MiCA and other frameworks, from the realities of the transitional regime to the operational gaps that emerge during authorization and the first lessons from stablecoin applications.

In this recap, we walk through the biggest themes from the day: how criminal organizations are evolving, how laundering patterns have shifted, how AI is reshaping scams, why preparedness now determines whether an exchange survives a major incident, and what compliance teams need to get right in the MiCA era.

Crypto Crime Has Gone Fully Professional

Speakers agreed that the days of “hobbyist hackers” are over. The most impactful threat actors now operate more like scaled companies than opportunistic individuals.

Panelists cited estimates shared during the event that North Korea-linked actors alone have already stolen more than $2.2 billion in crypto in 2025, supported by structured laundering pipelines and repeatable playbooks. For many criminal groups, exploits are no longer one-off windfalls; they are treated as recurring revenue streams.

At the same time, organized crime groups and transnational networks have moved beyond experimentation. Crypto is now embedded in how they take payments and extort victims, move money across borders at scale, and manage logistics and supply chains in illicit markets.

This shift matters because these organizations bring process discipline, staffing, and even “middle management” to criminal operations. They also bring something the average DeFi exploiter does not: the ability and willingness to use violence. The net result is a higher baseline threat level for exchanges, protocols, and infrastructure providers.

For Merkle Science clients, that means “crypto-native” crime cannot be viewed in isolation. It is increasingly just one layer in a broader organized crime business model.

Cross-Chain Laundering Is Now the Default Pattern

Several sessions focused on how laundering behavior has changed over the last few years. What used to be considered advanced is now standard practice.

In 2017, a single cross-chain hop might have looked sophisticated. In 2025, it is routine to see criminals route value through L1s, L2s, bridges, DEX aggregators, swapping protocols, mixers, staking platforms, yield products, custodial exchanges, and other off-ramps within a single laundering chain.

Speakers stressed that investigators can no longer rely on single-chain heuristics. The default behavior is multi-chain by design, with assets constantly moving to weaken attribution and exploit coverage gaps between tools or jurisdictions.

For Merkle Science, this reinforces why cross-chain analytics, rather than chain-by-chain views, have become essential. Investigators need to see the full path of funds as they hop across ecosystems, not just isolated segments.

From “Move Fast” to “Park-and-Earn”: New Laundering Playbooks

Investigators also described a clear evolution in how criminals treat stolen assets.

Historically, the dominant pattern was speed: move funds through mixers and obfuscation layers as quickly as possible, then cash out. Now, many sophisticated actors treat stolen assets as capital to be managed. Criminals park funds in staking protocols and yield-generating products, earn yield while they wait out periods of intense tracing pressure, and time exits to coincide with liquidity windows or market events that make movement less conspicuous.

This shift is partly a response to better on-chain surveillance. When investigators can move quickly, criminals respond by slowing down, spreading risk over time, and relying on protocol-level yield to grow their war chests while they wait.

For compliance teams and law enforcement, it means that “dormant” funds are not necessarily abandoned. They may be actively earning and strategically positioned for a later move.

Criminals Now Assume Freezes and Seizures - and Engineer Around Them

Another major takeaway was how normalized asset freezes and seizures have become in criminal planning.

According to investigators on stage, sophisticated actors now assume that a portion of stolen funds will be frozen or seized. In response, they immediately distribute proceeds across dozens of chains, services, and liquidity pools after an incident. Losing a fraction of the funds is acceptable if the majority survives enforcement action.

This “starburst” approach is a sign of maturity. It mirrors how traditional organized financial crime diversifies risk across multiple banks, jurisdictions, and intermediaries.

For investigators, the implication is clear. Speed still matters, but breadth matters just as much. Case teams need tooling that can quickly surface all the off-ramps and touchpoints linked to a hack or scam, across chains and entities, to maximize the portion of funds that can be recovered or frozen.

AI Is Enabling Hyper-Targeted, Protocol-Specific Scams

AI’s impact on crypto crime came up repeatedly, but not in the generic “AI makes scams more dangerous” sense.

Speakers emphasized a more specific and worrying trend: AI is making scams native to each ecosystem’s culture and user experience. Attackers can now generate phishing sites and fake governance proposals that mimic a specific protocol’s interface and language, clone UI elements and design patterns, and imitate notification styles that users have learned to trust. They can also tailor scams to the jargon and behavior patterns of niche communities on particular chains or within specific DeFi subsectors.

The result is a wave of impersonation attacks that feel credible even to seasoned users, not just newcomers. For security teams, this raises the bar for user education and brand protection, and increases the value of behavior-based monitoring that can detect anomalies even when the front-end looks legitimate.

Digital Assets Now Dominate Global Seizure Activity

One of the “bonus” insights from the day was how central digital assets have become to global seizure statistics.

Investigators and policy experts highlighted that, in many jurisdictions, crypto now accounts for the largest share of assets seized from criminals, surpassing cash, vehicles, and real estate. As a result, international standard-setters and regional bodies are putting growing pressure on governments to show they can not only regulate crypto, but also trace and freeze assets at scale, manage seized crypto responsibly, and convert or hold digital assets in ways that stand up to audit and public scrutiny.

This shift is also beginning to change the public narrative. Instead of “crypto is uncontrollable,” policymakers are increasingly asking whether effective crypto seizures could help address budget gaps or fund restitution. That question introduces its own legal and ethical challenges and adds another layer of scrutiny for the ecosystem.

For Merkle Science, this trend underscores why seizure-readiness is no longer just a law enforcement concern. It is becoming a key part of how exchanges, VASPs, and financial institutions are assessed by regulators and partners.

Crypto Regulation Is Setting New Non-Negotiables

The compliance panels in London focused on what all of this means for firms that want to operate under MiCA and adjacent frameworks without sleepwalking into new risks. Rather than treating MiCA as a simple box-ticking exercise, speakers framed it as a set of non-negotiable expectations for firms that want lasting access to the European market.

In a session on MiCA’s transitional regime, Racheal Muldoon, Partner at Charles Russell Speechlys, explained that the supposed “smooth path” into the new framework is, in practice, a patchwork. Member states have adopted transition periods that range from a few months to a year and a half. France has taken the full eighteen months, while countries such as the Netherlands and Poland opted for six-month windows that have already closed. On the ground, that means a firm may be operating lawfully in one jurisdiction while already out of scope in another. What looks like a grace period on paper can quickly become a source of legal and operational uncertainty.

She also warned about the risk of looking back at today’s activity through tomorrow’s lens. Functions such as custody, staking, and advisory services that feel comfortably “pre-MiCA” today may later be scrutinized by supervisors, especially in countries that choose to gold-plate MiCA with additional local requirements. That creates the possibility of retrospective enforcement and complicates rollout plans for firms that hoped to rely on a single European strategy. Her message to CASPs was direct: build market-specific authorization roadmaps, stay in active dialogue with national regulators, and treat cross-border compliance as a design problem rather than an afterthought.

Operational readiness was another recurring theme. Drawing on experience from Gemini, Azariah Nukajam noted that many VASPs are meeting a level of proportional oversight they have never faced before. MiCA is not only about writing policies; it is about evidencing how those policies work day to day. Supervisors will ask how client assets remain distinct, identifiable, and redeemable from firm assets in real operational conditions, and how the firm plans to demonstrate that separation in audits and inspections. Many teams only confront these questions for the first time during authorization, which is the worst possible moment to discover gaps in processes, staffing, or systems.

She also highlighted a common pitfall: the heavy reuse of pre-canned TradFi policies that do not fit crypto business models. Regulators recognise these immediately and will push firms to explain how they identified important functions, risks, and thresholds in a crypto-specific context. It is not enough to state what a limit or trigger is; supervisors want to understand how the firm arrived at that figure and why it is appropriate for its customers, products, and jurisdictions. When that reasoning is unclear, the entire control framework starts to look fragile.

In a panel on stablecoins, Laura Talvitie from PwC UK shared some of the early lessons from the first wave of MiCA applications. As with any license process, regulators begin with the fundamentals: the strength of the business case and the credibility of the product’s use-case. Stablecoins are no exception. A clear and defensible economic rationale remains the foundation of an application that can move forward.

From there, she noted that two factors are consistently decisive. The first is AML maturity. Supervisors expect issuers to arrive with monitoring, investigations, and escalation processes that are already functioning, not aspirational. The second is governance. Regulators and commercial partners are scrutinising senior management structures, decision-making processes, and internal controls. A stablecoin issuer that cannot demonstrate credible leadership and accountable governance will face immediate headwinds, regardless of how compelling the whitepaper looks.

Across these compliance discussions, a single pattern emerged. Firms that treat MiCA as a living operational framework rather than a checklist will be in a stronger position. Those that rely on the transitional regime, generic policies, or undeveloped AML and governance models will find that the real risk is not just regulatory friction, but the possibility of being shut out of key markets when expectations solidify.

Preparedness Now Decides Whether an Exchange Survives a Hack

Perhaps the most actionable takeaway for exchanges and crypto businesses was the discussion around incident response.

Speakers were blunt that the way an organization handles a hack is decided long before anything goes wrong.

Teams that fared best in real-world incidents shared several common traits. They maintain a precise, up-to-date map of all wallets, accounts, and on-chain touchpoints. They have crisis-contact networks in place that include law enforcement, analytics providers, infrastructure partners, and regulators. They rehearse their incident playbooks so that decision-makers know their roles and communication channels are clear. They also invest in multi-chain investigative tooling ahead of time instead of scrambling to onboard tools mid-crisis.

Those that lacked this preparation often lost control of the narrative and the investigation within hours of the breach. By the time they scrambled to assemble the right people and tools, most of the damage was already done.

A recurring message throughout Merkle Meets London was that resilience is now a competitive advantage. Preparedness does not just limit losses; it can be the difference between surviving a crisis with trust intact and never fully recovering.

Looking Ahead

Across every panel and fireside chat, Merkle Meets London reinforced a simple reality: crypto crime is not standing still, and neither are regulatory expectations.

Criminals are professionalising, multi-chain laundering is the default, AI-driven scams are becoming protocol-native, and digital asset seizures now sit at the centre of global enforcement strategy. At the same time, MiCA’s transitional regime is more complex than it appears, operational readiness is under a microscope, and early stablecoin applications are setting a high bar for AML and governance.

In that environment, proactive readiness across investigations, compliance, and incident response is no longer optional.

Merkle Science will continue working with law enforcement, regulators, and crypto businesses worldwide to help them see across chains, navigate regulatory complexity, respond faster to emerging threats, and turn that complexity into an investigative and compliance advantage.

If you would like to learn more about how Merkle Science supports cross-chain investigations, seizure-readiness, and compliance teams operating under MiCA and beyond, get in touch. To watch the panels and talks from Merkle Meets London 2025, visit our YouTube channel.