Crosschain swaps move $21B in illicit funds, up 200% in two years: Elliptic

At slightest $21.8 cardinal successful illicit oregon high-risk crypto has flowed done crosschain swaps, up from $7 cardinal successful 2023, according to estimates by UK-based blockchain analytics steadfast Elliptic. Elliptic attributes 12% of those movements to North Korea.

Crosschain swaps were erstwhile a niche enactment reserved for precocious traders and decentralized concern (DeFi) users, but they’ve evolved into a halfway constituent of wealth laundering. Illicit actors nary longer simply nonstop crypto done mixers oregon dump tokens connected a azygous decentralized speech (DEX). Nowadays, the funds determination astir aggregate blockchains to frustrate investigators and evade detection.

This swift 211% increase, from $7 cardinal to $21.8 billion, reflects the increasing usage of blockchain bridges, DEXs and coin swap services, arsenic good arsenic the expanding fig of blockchains.

“When you look back, let’s accidental a decennary ago, the superior cryptocurrencies and blockchains retired determination were Bitcoin and Ethereum and a fewer others,” Arda Akaturna, Elliptic’s APAC pb crypto menace researcher, told Cointelegraph.

“It’s an progressively multichain ecosystem... that conscionable widens the disposable assets and the disposable obfuscation channels unfastened to criminals.”

The emergence of caller blockchains and crosschain services is resulting successful much crypto laundering avenues. Source: Elliptic

Bridges are crosschain laundering highways

A azygous span transaction mightiness bespeak mean idiosyncratic behavior, but patterns of structured oregon multi-hop enactment are reddish flags for coordinated efforts to interruption the onchain trail, Elliptic said successful its 2025 crosschain transgression report published connected Wednesday.

Structured chain-hopping involves splitting funds and distributing them simultaneously crossed respective blockchains. Multi-hop chain-hopping is the enactment of moving assets from 1 concatenation to different repeatedly. Both techniques are inefficient by design, and travel with precocious fees successful bid to confuse investigators.

Edit the caption present oregon region the text

These methods are progressively communal successful high-stakes laundering operations. In 1 aboriginal 2025 case, hackers suspected to beryllium linked to North Korea stole $75 cardinal from an unnamed speech and bridged the funds successful series from Bitcoin to Ethereum, past to Arbitrum, Base and yet Tron — employing some structured and multi-hop tactics.

Related: From Sony to Bybit: How Lazarus Group became crypto’s supervillain

These patterns are nary longer constricted to authorities actors oregon large-scale thefts. In a abstracted lawsuit involving a $200,000 fraud successful the UK, the now-convicted culprit divided funds crossed 90 antithetic assets connected aggregate chains to money online gambling.

Akaturna explained:

“This isn’t conscionable high-level enactment reserved for large hackers. You’ve got smaller-scale criminals utilizing concatenation hopping to launder funds — radical backing gambling habits oregon petty frauds. That’s however mainstream this maneuver has become.”

Elliptic estimates that astir a 3rd of blockchain investigations present impact tracing flows crossed astatine slightest 3 antithetic networks.

Crosschain laundering starts successful DeFi

DEXs are often viewed arsenic transparent and traceable arsenic they run connected blockchains. However, they’re progressively being utilized arsenic introduction points successful the crypto laundering cycle, particularly erstwhile low-liquidity tokens are involved. 

DEXs are platforms wherever specified assets tin beryllium swapped for much wide accepted tokens similar USDt (USDT) oregon Ether (ETH) without relying connected centralized platforms that whitethorn enforce Know Your Customer (KYC) rules.

A lawsuit survey by Elliptic successful its 2025 crosschain transgression study analyzed the May 2025 exploit connected Cetus — a large liquidity supplier connected the Sui blockchain — that enabled attackers to drain implicit $200 cardinal successful tokens. The attacker initially utilized a DEX to swap USDT to USDC, which Elliptic suspects was perchance to instrumentality vantage of little bridging costs.

Related: Twice lucky? Cetus’ betterment program connected Sui mirrors a Solana blueprint

These stablecoins were past bridged to Ethereum, wherever a DEX aggregator was utilized again to person the USDC into ETH. Centralized stablecoins similar USDt and USDC person functions that let their issuers to frost funds. Ether, which is the autochthonal plus of the Ethereum blockchain, does not inherently person that functionality.

CETUS token hasn’t recovered from the hack successful May. Source: CoinGecko

Criminals besides exploit the unfastened plan of DEX aggregators and automated marketplace makers (AMMs) to way transactions successful ways that trim slippage and debar detection. For instance, laundering flows often walk done aggregate obscure trading pairs earlier settling successful a liquid token. In galore cases, these swaps are performed successful tiny batches oregon via astute contracts to debar triggering Anti-Money Laundering (AML) alarms.

Though DEXs are not inherently crosschain, the favoritism is becoming little wide successful newer services arsenic they besides connection autochthonal cross-asset swaps, Elliptic said.

Coin swap sites prima successful crosschain laundering

Coin swap services run much similar underground currency changers. They let users to anonymously speech assets crossed antithetic blockchains with minimal friction, nary registration, and often nary meaningful anti-money laundering (AML) checks. As a result, these services person go a go-to instrumentality for a wide scope of illicit actors, peculiarly those operating successful darknet markets, ransomware networks and online carding fraud.

These platforms are chiseled from bridges and DEXs successful that they relation arsenic centralized intermediaries but deliberately run successful opaque oregon permissive jurisdictions. Many advertise straight connected darknet forums and Telegram channels, often promising to judge “dirty BTC” oregon emphasizing their non-cooperation with instrumentality enforcement. 

Some adjacent connection services similar equipped currency pickups, wealth counting, oregon “treasure” currency drops, wherever carnal currency is buried successful pre-agreed locations successful speech for crypto.

Some swap services, similar eXch, person announced shutdowns pursuing accrued scrutiny. Source: eXch

Elliptic reported that astir 25% of illicit and high-risk flows done coin swap services are linked to online gambling, particularly platforms lacking mainstream licenses. Many of these sites, peculiarly those tied to Russian-speaking and Southeast Asian operators, are besides connected to scams specified arsenic pig butchering and narcotics trafficking, creating a closed loop of high-risk funds being recycled betwixt illicit gambling and laundering networks.

The cat-and-mouse tools chasing crosschain laundering

Chain-hopping, erstwhile a fringe tactic, is present routine. Laundering methods that erstwhile relied connected mixers oregon elemental swaps person evolved into analyzable sequences that span aggregate chains, tokens and platforms — often structured to discarded analysts’ clip oregon interruption automated tracing.

In the $75 cardinal lawsuit Elliptic linked to North Korea, funds moved done 5 blockchains successful accelerated succession. Similar patterns are showing up successful smaller frauds arsenic well, suggesting that complexity itself has go the strategy.

Tracing these movements inactive depends connected visibility — and a increasing acceptable of tools. Platforms similar Elliptic Investigator, Chainalysis Storyline and TRM Forensics are built to automate and visualize crosschain analysis, portion centralized stablecoin issuers reserve the quality to frost flagged assets. 

“It doesn’t substance if they’ve tried to bash it implicit 5 antithetic blockchains oregon conscionable erstwhile — we’re capable to travel those funds automatically done our probe tools. Something that’s truly manual and mightiness instrumentality respective hours, you tin present bash successful specified clicks and minutes due to the fact that it’s each automated,” said Akaturna.

It's an uneven match, but the infrastructure for warring crypto transgression is adapting, too.

Magazine: Inside a 30,000 telephone bot workplace stealing crypto airdrops from existent users