5 Key Threat Patterns Involving Stablecoins

Merkle Science
June 23, 2025

With the passage of the GENIUS Act in the U.S. in June 2025, stablecoin issuers and crypto-native enterprises now face heightened responsibilities to detect and prevent illicit finance. While stablecoins have long appeared in high-profile hacks, they are increasingly at the center of more diverse and less visible criminal activity.

From social engineering to sanctions evasion, stablecoins are increasingly being misused in ways that demand sharper vigilance and more sophisticated blockchain analytics. This article explores five key threat patterns involving stablecoins—ransomware, address poisoning, wrench attacks, flash loan exploits, and sanctions evasion—and explains how understanding these patterns can help compliance teams, regulators, and investigators strengthen their defenses against illicit finance.

1. Ransomware

While Bitcoin remains the currency of choice for most ransomware operators—accounting for over 98% of ransom payments due to its liquidity and familiarity—that dominance is gradually being challenged. A recent variant of NoCry ransomware has begun requesting payment in USDT-TRC20, a stablecoin issued by Tether on the TRON network, likely due to its speed and lower transaction costs.

The trend toward stablecoins was further evidenced in 2023, when a U.S.-led multinational operation disrupted the Qakbot botnet. As part of the takedown, the Justice Department seized illicit proceeds from an affiliate, including over 170 BTC and more than $4 million in USDT and USDC.

These developments suggest that stablecoins are becoming more viable not only as a primary ransom payment method for some actors, but also as a secondary layer in laundering operations—offering both value stability and efficient cross-chain movement.

2. Address Poisoning

A physical dollar can only be spent, in whole or in part, by whoever holds it. With stablecoins, malicious actors can exploit a feature of token smart contracts to perform a zero-value transfer: calling the token's transferFrom function with an amount of 0 moves no funds and requires no spending allowance, yet it still records a Transfer event showing 0 tokens leaving the victim's wallet for an address that closely resembles one the victim has used before.

This technique, known as address poisoning, tricks users into believing that the spoofed address is familiar. By polluting the victim’s transaction history with lookalike entries, attackers increase the chances that the victim will later copy and send funds to the wrong address. In one notable case, an individual mistakenly transferred $2.6 million in stablecoins to an attacker’s wallet because of this exact tactic. For blockchain investigators, it's a reminder that even zero-value interactions can be an early warning sign of larger thefts to come.

The incident highlights a specific risk in how stablecoins are used: their programmability, while enabling seamless digital payments, also creates openings for sophisticated social engineering attacks. Compared to Bitcoin, which has more rigid transaction structures, stablecoins, especially those on Ethereum or TRON, can be manipulated at the smart contract level in ways that are less obvious to everyday users. When that logic is deliberately exploited, it becomes a quiet but powerful instrument of fraud.
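The monitoring side of this pattern is straightforward to express in code. The following Python heuristic is an added example, not Merkle Science or Tracker code: it replays a wallet's token Transfer events in block order, flags zero-value transfers whose counterparty mimics an address the wallet has genuinely transacted with (same leading and trailing hex characters, as wallet UIs abbreviate them), and raises a high-severity alert if real value is later sent to one of those flagged lookalikes. It also covers the inbound direction (a zero-value transfer from a lookalike into the wallet), which goes slightly beyond the transferFrom case described above. All addresses and events are constructed for the example.

```python
"""Address-poisoning heuristic over token Transfer events.
Added example, not Merkle Science code; all addresses and events below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One ERC-20 / TRC-20 Transfer event as a log indexer would return it."""
    block: int
    token: str
    src: str    # 'from' topic of the event
    dst: str    # 'to' topic of the event
    value: int  # raw token units (USDT uses 6 decimals)


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two different addresses share the leading and trailing hex
    characters that wallet UIs usually show (e.g. 0x5a3b...2c3d)."""
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    return a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def find_poisoning(transfers, wallet: str):
    """Replay a wallet's transfer history in block order and raise alerts for:
    - a zero-value transfer whose counterparty mimics a real counterparty,
    - any other zero-value transfer touching the wallet (lower severity),
    - a real payment later sent to an address flagged as a lookalike."""
    wallet = wallet.lower()
    known = set()     # counterparties of transfers that actually moved value
    poisoned = set()  # lookalike addresses seen in zero-value transfers
    alerts = []
    for t in sorted(transfers, key=lambda x: x.block):
        src, dst = t.src.lower(), t.dst.lower()
        if wallet not in (src, dst):
            continue
        other = dst if src == wallet else src
        if t.value == 0:
            matches = [k for k in known if looks_alike(other, k)]
            kind = "zero_value_to_lookalike" if matches else "zero_value_transfer"
            if matches:
                poisoned.add(other)
            alerts.append({"block": t.block, "kind": kind, "address": other,
                           "resembles": matches[0] if matches else None, "value": 0})
            continue
        if src == wallet and dst in poisoned:
            alerts.append({"block": t.block, "kind": "value_sent_to_poisoned_address",
                           "address": dst, "resembles": None, "value": t.value})
        known.add(other)
    return alerts


# Constructed sample: a 40-hex-char address is prefix + 32 filler chars + suffix.
WALLET = "0x1234" + "c" * 32 + "abcd"     # the wallet being monitored
LEGIT = "0x5a3b" + "1" * 32 + "2c3d"      # a real counterparty
LOOKALIKE = "0x5a3b" + "e" * 32 + "2c3d"  # attacker address mimicking LEGIT
UNRELATED = "0x9f9f" + "7" * 32 + "0a0a"  # zero-value sender with no resemblance

SAMPLE_TRANSFERS = [
    Transfer(100, "USDT", WALLET, LEGIT, 1_000_000_000),    # wallet pays LEGIT 1,000 USDT
    Transfer(101, "USDT", WALLET, LOOKALIKE, 0),           # transferFrom(wallet, lookalike, 0)
    Transfer(102, "USDT", UNRELATED, WALLET, 0),           # inbound zero-value noise
    Transfer(103, "USDT", WALLET, LOOKALIKE, 500_000_000),  # wallet copies the wrong address
]

if __name__ == "__main__":
    for alert in find_poisoning(SAMPLE_TRANSFERS, WALLET):
        print(alert)
```

Run against the sample history, the block 101 event is flagged as a lookalike of the block 100 counterparty, block 102 is logged as plain zero-value noise, and the 500 USDT payment at block 103 triggers the high-severity alert. In production the prefix and suffix lengths should match what the wallet software actually displays, and the "known" set should be seeded from the full on-chain history rather than only the events in the scan window.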

3. IRL Wrench Attacks

Hacks on crypto exchanges are no longer confined to the digital realm—they’re spilling into the physical world, with high-profile investors, entrepreneurs, and whales becoming targets of violent crime. What’s notable in many of these wrench attacks isn’t just the demand for cryptocurrency, but the specific request for stablecoins. In a 2024 incident in Phuket, Thailand, 23-year-old Ukrainian national Viacheslav Leibov was ambushed in his hotel room, tied up with ropes and cable ties, and threatened with a hammer and a knife unless he transferred $500,000 in USDT to a specified wallet. He pleaded to reduce the amount and eventually sent $250,000 in USDT—not Bitcoin or Ethereum—to his attackers.

This detail matters. Stablecoins like USDT offer price certainty: attackers don’t have to worry about volatility eroding the value of what they steal. They’re also easier to liquidate through exchanges or OTC brokers, and transfers—especially over fast, low-fee networks like Tron—settle almost instantly. For criminals looking to minimize risk and move quickly, stablecoins represent a clean, efficient payout, even in the most brutal of circumstances.

4. Flash Loan Attacks

A flash loan lets a borrower take out a large amount of crypto with no collateral, provided the loan is repaid within the same transaction; if it is not, the entire transaction reverts. Flash loan attacks are harder to pull off with volatile assets like ETH or BTC, because price swings, slippage, or oracle defenses can easily break the economics of the attack.

Stablecoins, on the other hand, make flash loan attacks more precise and scalable. Their price stability ensures that calculations remain accurate across complex, multi-step transactions. That’s what made the April 2022 Beanstalk exploit so effective. Beanstalk's governance gave voting power based on deposited stablecoin LP tokens. The attacker flash-loaned about $1 billion in USDC, DAI, and USDT, used it to mint LP tokens, and gained instant majority control. In a single transaction, they proposed and executed a malicious governance proposal, draining $182 million.

Because stablecoins are liquid, predictable, and deeply integrated in DeFi, they’re ideal for flash loan attacks—especially when protocols fail to guard against temporary, borrowed voting power.
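The design flaw behind the Beanstalk case is that voting power was read from balances as they stood inside the same transaction. The toy governance model below is an added example, not Beanstalk's or any protocol's code, with constructed balances. It contrasts a vulnerable configuration (live balances, no delay) with the two controls commonly used against borrowed voting power: measuring power from a checkpoint taken before the proposal existed, and a timelock between proposal and execution, which no flash loan can span. The same-transaction sequence is written as a regression test a protocol team can run against its own governance design.

```python
"""Toy deposit-weighted governance contrasting live voting power (vulnerable to
same-transaction borrowed balances) with a prior-block snapshot plus a timelock.
Added example, not Beanstalk's or any protocol's code; balances are constructed."""


class Governance:
    """Minimal governance model: voting power equals tokens deposited, and a
    proposal passes when its votes exceed half of the supply it is measured against."""

    def __init__(self, prior_block_snapshot: bool, execution_delay: int):
        self.prior_block_snapshot = prior_block_snapshot  # read power from an old checkpoint?
        self.execution_delay = execution_delay            # blocks between proposal and execution
        self.block = 1
        self.balances = {}
        self.checkpoints = {0: {}}  # balances as they stood at the end of each block
        self.proposals = {}

    def next_block(self):
        self.checkpoints[self.block] = dict(self.balances)
        self.block += 1

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient deposit")
        self.balances[who] -= amount

    def _power(self, created_block):
        # Hardened: balances frozen before the proposal existed, so tokens
        # deposited in the proposing transaction carry no weight.
        if self.prior_block_snapshot:
            return self.checkpoints[created_block - 1]
        return self.balances  # vulnerable: live balances, flash-loaned or not

    def propose(self, pid):
        self.proposals[pid] = {"created": self.block, "votes": 0, "voters": set(), "executed": False}

    def vote(self, who, pid):
        p = self.proposals[pid]
        if who in p["voters"]:
            raise ValueError("already voted")
        p["voters"].add(who)
        p["votes"] += self._power(p["created"]).get(who, 0)

    def execute(self, pid):
        p = self.proposals[pid]
        if p["executed"] or self.block < p["created"] + self.execution_delay:
            return False  # still inside the timelock window (or already done)
        supply = sum(self._power(p["created"]).values())
        if supply == 0 or p["votes"] * 2 <= supply:
            return False  # no majority
        p["executed"] = True
        return True


def seed(gov):
    """Constructed honest depositors, checkpointed before anything else happens."""
    gov.deposit("alice", 100_000)
    gov.deposit("bob", 200_000)
    gov.next_block()


def same_transaction_takeover(gov, borrower, borrowed):
    """Everything a flash loan forces into one transaction: deposit the borrowed
    tokens, propose, vote, attempt execution, withdraw to repay. Returns whether
    the proposal executed; a sound governance design should make this False."""
    gov.deposit(borrower, borrowed)
    gov.propose("P1")
    gov.vote(borrower, "P1")
    executed = gov.execute("P1")
    gov.withdraw(borrower, borrowed)
    return executed


def vulnerable_design_executes():
    gov = Governance(prior_block_snapshot=False, execution_delay=0)
    seed(gov)
    return same_transaction_takeover(gov, "borrower", 1_000_000)


def hardened_design_executes():
    gov = Governance(prior_block_snapshot=True, execution_delay=1)
    seed(gov)
    return same_transaction_takeover(gov, "borrower", 1_000_000)


def hardened_design_still_passes_honest_vote():
    """Sanity check: the controls do not block a legitimate majority."""
    gov = Governance(prior_block_snapshot=True, execution_delay=1)
    seed(gov)
    gov.propose("P2")
    gov.vote("alice", "P2")
    gov.vote("bob", "P2")
    first_try = gov.execute("P2")  # blocked by the timelock
    gov.next_block()
    return (first_try, gov.execute("P2"))
```

With live balances and no delay, a borrowed deposit of 1,000,000 against 300,000 honest tokens passes and executes within the single transaction. With the prior-block checkpoint, the borrowed tokens have zero weight regardless of the delay, and the timelock additionally gives depositors a window to react to any proposal that does reach quorum. The honest vote still passes once the delay has elapsed.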

5. Sanctions Evasion

Sanctioned entities—such as those based in Iran, Russia, and North Korea—are frequently cut off from global financial infrastructure, including SWIFT and U.S. dollar-based clearing systems, often due to enforcement actions by agencies like the Office of Foreign Assets Control (OFAC). Stablecoins provide a way around these restrictions by operating on public blockchains outside of traditional financial rails. Tokens like USDT and USDC allow users to access dollar-equivalent value without touching the regulated banking system.

There is a growing track record—especially among Russian actors—of using stablecoins for sanctions evasion. One example is TGR Group, which was implicated in laundering funds for Russian elites as part of a broader crypto-based sanctions evasion network. The group made use of USD-backed stablecoins alongside other cryptocurrencies to obscure fund origins and facilitate cross-border transfers.

In another case prosecuted by the U.S. Department of Justice, Iurii Mashukov and his associate George Gugnin were accused of moving approximately $530 million through the U.S. financial system between June 2023 and January 2025. The majority of the funds flowed through Tether (USDT), illustrating how stablecoins have become core instruments for illicit financial activity at scale.

These cases illustrate why regulators are racing to catch up. The recent passage of the GENIUS Act in the United States marks a turning point: it classifies stablecoin issuers as regulated financial institutions and introduces stricter KYC, reporting, and freezing obligations across the ecosystem.

As enforcement frameworks become more aligned with the speed and programmability of digital assets, the use of stablecoins for sanctions evasion may become far more difficult—especially as blockchain analytics platforms and compliance partners extend their visibility across high-risk networks. Merkle Science’s investigative platform, Tracker, already supports Tron, giving investigators the tools to trace stablecoin flows in environments that have historically been exploited for cross-border obfuscation and sanctions evasion.

The Tools to Fight Stablecoin-Enabled Crime

As stablecoins become more deeply embedded in criminal typologies—from ransomware to real-world extortion—the regulatory burden is shifting sharply toward compliance, visibility, and rapid detection. The GENIUS Act sets a new standard, but legislation alone isn’t enough.

Enterprises need tools that can adapt to the unique risks posed by programmable, high-speed, fiat-pegged assets. With Tracker, investigators can follow stablecoin flows across high-risk chains like TRON. With Compass, compliance teams can proactively screen wallets and behaviors before damage is done. Reach out to Merkle Science for a free demo.