In October 2008, amidst the ruin of the Global Financial Crisis, someone using the name Satoshi Nakamoto published the Bitcoin Whitepaper, proposing a system for electronic transactions without the need for intermediaries such as banks. Since then, the crypto industry has faced headwinds to mainstream adoption. The immaturity of the technology itself, the libertarian ethos which surrounded it, regulatory scrutiny, large-scale hacks, difficulty of use, price volatility, and lack of familiarity created barriers and prevented many businesses from entering the industry. Meanwhile, distributed ledger networks such as Ethereum, capable of accommodating more complex activity, have developed into the building blocks of a new financial ecosystem, promising composable, customizable digital assets that incorporate real-world data in real time.
“What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.”
Regulators and the broader public remained skeptical, even as the technology advanced, due to a fixation on its use by criminals. But while the ability to control assets outside of the banking system provided criminals with useful money laundering and sanctions evasion tools, the transparency of public blockchains also allowed law enforcement greater visibility into their activities. In 2025, the US government took a new stance: to finally set clear rules and to promote the advancement of the digital asset industry.
As a result, the barriers to adoption of crypto technologies have diminished, and mainstream adoption is proceeding on two main fronts: stablecoins and the tokenization of a broad array of financial assets. Stablecoins are digital tokens representing a currency such as the US dollar or the Euro. Similarly, other assets—such as stocks, bonds, real estate deeds, carbon credits, digital art, or commodity futures contracts—can be represented in digital tokens through the incorporation of real-world data to give those assets new qualities.
Both developments are poised to remake our financial system dramatically. As they do so, financial institutions must adapt to the risk profile of digital assets, while crypto-native companies will increasingly be subject to the rules imposed on other market participants. The unique qualities of digital assets bring risks that financial institutions may not be prepared to handle, but they also present new opportunities for risk management that were not previously possible.
Regulatory Tailwinds
The Previous Regulatory Environment
The past four years have seen a whirlwind of lawsuits, scandals, and regulatory enforcement actions against companies in the crypto industry, as the US Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and other American regulators issued multi-billion-dollar penalties to many of the largest and most well-established crypto firms for insufficient anti-money-laundering controls, unlicensed money-transmitting activities, operating in the US without a license, violations of US sanctions, and misleading disclosures, in addition to more serious fraud and market manipulation penalties. Meanwhile, many crypto services were obliged to block users in the US, offering their products globally while specifically restricting US residents out of fear of legal action.
White House Executive Action
By way of contrast, on January 23, 2025, the White House issued an order on “Strengthening American Leadership in Digital Financial Technology,” setting the stage for a variety of new actions. It sought to further Americans’ use of digital assets, maintain the dominance of the US dollar, expand access to financial services, clarify rules and regulations, and preclude the possibility of government control over digital asset networks through so-called Central Bank Digital Currencies (CBDC). Underneath the news cycle, US regulators have followed this path consistently and aggressively.
The GENIUS Act and Stablecoin Regulation
The GENIUS Act, passed by Congress and signed into law in July 2025, confirmed this crypto-friendly approach. For the first time, it established definitions and rules for the issuance of “payment stablecoins” in the US, authorizing a formal registration process for stablecoin issuers, delineating the authority of federal and state regulators over them, and explicitly subjecting them to the Bank Secrecy Act, which governs anti-money-laundering and suspicious transaction reporting. As a result, the US financial system will be able to move more of its dollars on crypto architecture, and it will operate within clear boundaries.
Securities Tokenization Initiatives
Developments in the tokenization of securities have advanced with similar force. The SEC established a Crypto Task Force chaired by commissioner Hester Peirce, a longtime advocate of regulatory clarity for digital assets. Commenting on the promise of tokenization, commissioner Peirce said, “Removing securities from siloed databases and tokenizing them on open, composable crypto networks mobilizes them and makes them usable in new and enhanced ways” by providing “increased operational efficiency, transactional transparency, liquidity, and accessibility; faster settlement; and greater investor opportunity.” Signaling that the commission would show a more permissive attitude towards the crypto industry, Chairman Paul Atkins declared, “Despite what the SEC has said in the past, most crypto assets are not securities.” Similarly, the CFTC is launching pilot projects for securities tokenization in collaboration with the SEC’s “Project Crypto,” an initiative aiming “to modernize the securities rules and regulations to enable America’s financial markets to move on-chain.”
Old Risks and New Opportunities
Many of the risks that accompany engagement with digital assets are not new. Combatting money laundering and terrorist financing, preventing and mitigating cybersecurity threats, verifying customers’ source of funds, monitoring reputational risk, and preventing insider threats are not unique to the crypto industry or specific to digital assets, nor has the traditional financial system developed a way to fully counter these threats.
“The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades […] is made public, but without telling who the parties were.”
However, many of these risks are exacerbated by the unique characteristics of crypto networks. Just as the increase in internet usage over the past several decades has introduced cybersecurity risks into activities that were previously secure, the expansion of crypto infrastructure may introduce crypto-specific risks into unexpected places:
Cyberattacks: While cybersecurity breaches can wreak havoc in any industry, hackers who succeed in gaining access to a crypto wallet not only steal data but drain funds instantaneously, and the pseudonymous nature of wallets means that activity can be easily tracked but not easily attributed to real-world individuals.
In February 2025, hackers of the Lazarus Group, affiliated with North Korea, were able to extract USD 1.5 billion worth of digital currency from an Ethereum wallet of Dubai-based cryptocurrency exchange ByBit—the largest crypto hack in history as of the time of writing. In response, the exchange pledged to cover all customer assets and maintained solvency, and the FBI provided a list of Ethereum wallet addresses associated with the hack. By following the wallets used to carry out the theft, it is possible to better understand the group’s operations and avoid interactions with it in the future.
Insider Threats: Insider threats are a broader risk that is particularly salient in the crypto industry, where assets travel through blockchain and non-blockchain systems created—and in some cases, controlled—by a small number of people. Whereas many large and well-established exchanges, custodians, and asset managers have set up internal controls and compliance programs, and whereas some of the most well-known crypto assets, such as Bitcoin and Ethereum, cannot be controlled by any one person or company, other parts of the industry are more sensitive to the behavior of company founders and executives.
For example, the Luna blockchain was designed to support an algorithmic stablecoin known as Terra. At its peak, the Terra stablecoin supported USD 18 billion in funds. However, in May 2022, the stablecoin experienced total and catastrophic failure as an outflow of funds exposed its faulty design. The Luna blockchain, despite having reached a peak market capitalization of USD 40 billion the previous month, collapsed and ceased to operate for significant periods of time. The founder of the blockchain, Do Kwon, was arrested and eventually extradited to the US, where in August 2025, he pled guilty to two counts of fraud for misrepresenting the effectiveness of his crypto protocol and misrepresenting relationships between several entities which he controlled.
Although some may see the Terra-Luna collapse as a failure of regulation or simply as an episode of criminal activity, it reflects deeper pressures in fast-moving financial technology. Because crypto markets develop quickly, and because of the proliferation of new and innovative products, greater power accrues to founders in crypto than in many other industries, and new protocols can gain wide adoption before their reliability has been fully proven. While a new project may not have a track record, its creators may.
Money Laundering: A third category of risk is that crypto assets can be used to launder the proceeds of criminal activity, or that nefarious actors can hide their assets from creditors and law enforcement. While traditional financial transactions require the approval of multiple regulated institutions, digital assets can be moved from one wallet to the next without the permission or approval of any third party or any disclosure of the transacting party’s real-world identity.
Does this make crypto inherently risky? Despite these seemingly favorable characteristics of digital assets, criminals continue to use traditional financial institutions, cash, and other methods to launder illicit funds, in addition to digital assets, and digital assets account for a small fraction of global money laundering. Unlike traditional financial networks, into which only individual companies and regulatory agencies have visibility, commonly used blockchains are publicly transparent by nature and design, and stolen assets can be tracked through an arbitrary number of intermediaries. The use of digital assets presents both advantages and challenges for compliance due to the pseudonymous nature of ownership. Funds can be tracked and verified more easily and with greater certainty by third parties than in the traditional financial system. Precisely because of this transparency, even lawful and legitimate users are hesitant to publicly disclose their wallets, which will therefore typically appear as a meaningless string of several dozen alphanumeric characters.
“For greater privacy, it’s best to use bitcoin addresses only once.”
Because of these unique characteristics, criminals frequently change the methods they use to move illicit crypto assets. Digital asset analytics firm Chainalysis publishes regular crypto crime reports, and its most recent “2025 Crypto Crime Mid-year Update” shows the fast-evolving nature of crypto crime. For example, although mixing services such as Tornado Cash, which combine many users’ assets to obscure the flow of funds, feature prominently in public discourse due to their use by the Lazarus Group and others, a relatively small fraction of illicit digital asset flows are moved through these services. More commonly, crypto hackers prefer to transform their ill-gotten gains by exchanging them with other crypto tokens and moving them to other blockchains and services, while a growing share of stolen digital assets are not properly laundered at all, but simply rest in the hacker’s wallets. According to the Financial Action Task Force (FATF), illicit use of digital assets is now mostly conducted through stablecoins.
The Importance of Verification Diligence
One foundational element of compliance—ascertaining the identity of a customer and of all parties to a transaction—requires new forms of verification for the world of digital assets. It is not enough to know that someone owns Bitcoin or works for a crypto company. In every case, meaningful due diligence must start with collecting relevant wallet addresses. Gathering this information directly breaks through the barrier of pseudonymity and allows researchers to bring all the tools of digital asset analysis to bear. By examining the current holdings, historical activity, and counterparties of a given wallet, it is possible to form an understanding of its risk profile, verify the user’s claims about the source of funds, and identify high-risk activity. IntegrityRisk Cryptocurrency Diligence is where this new form of verification comes into play.
The next step is to integrate digital asset analysis with real-world information, such as news reports, regulatory licenses, or social media activity. It is tempting to think that, due to the abundance of public information in a computer-readable format, crypto compliance checks can be automated. In fact, many aspects of crypto compliance can and will be automated, allowing for faster risk analysis. However, key aspects of due diligence research defy easy automation, both in and outside of the digital asset space. The analytical depth provided by sophisticated crypto research tools provides a starting point for researchers, but evaluating the risk profile of a given crypto wallet often requires human input. Due to the unique nature of the crypto industry, many wallets are connected to bad actors through several intermediaries, providing a dizzying array of risk signals that may in reality reflect routine or risk-neutral behavior, while the risks from other information revealed in blockchain analysis may only become apparent in combination with real-world sources. Digital asset research, no matter how complex, is an increasingly necessary element in a holistic risk-based approach to compliance.
Even the most sophisticated, deep-reaching, and broad-based digital asset analysis cannot identify all crypto wallets with certainty; the pseudonymous nature of crypto wallets is a durable feature of public blockchains and one of their only reliable privacy protections, so it is not likely to disappear. Researchers must be careful not to spend scarce time and resources pursuing a set of wallets that appear risk-free when the true risk has been segregated and hidden away. After all, a “clean” wallet with a limited history can be created from thin air, and only a robust monitoring program will be able to identify whether the wallet has crossed critical risk boundaries. Restricting the scope of research too narrowly can be a gift to sophisticated bad actors.
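The point above about wallets linked to bad actors through several intermediaries can be made concrete with a small screening sketch. This is an added example, not part of the original article or any IntegrityRisk tooling; the wallet labels, amounts and function names are constructed placeholders. It shows why hop distance alone is a noisy signal and why it is usually read together with proportional exposure.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, amount). Labels are
# placeholders, not real addresses.
TRANSFERS = [
    ("flagged_A", "hop_1", 100.0),
    ("hop_1", "exchange_hot", 100.0),
    ("payroll", "exchange_hot", 9900.0),
    ("exchange_hot", "customer_X", 50.0),
    ("flagged_A", "customer_Y", 40.0),
    ("employer", "customer_Y", 10.0),
    ("faucet", "customer_Z", 5.0),
]
FLAGGED = {"flagged_A"}  # e.g. addresses taken from a published advisory


def build_inbound(transfers):
    """Index transfers by receiver so funds can be traced backwards."""
    inbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
    return inbound


def hops_to_flagged(wallet, inbound, flagged, max_hops=6):
    """Fewest backward hops from wallet to any flagged sender, else None."""
    frontier, seen = {wallet}, {wallet}
    for hops in range(max_hops + 1):
        if frontier & flagged:
            return hops
        frontier = {s for w in frontier for s, _ in inbound[w]} - seen
        seen |= frontier
    return None


def exposure(wallet, inbound, flagged, max_hops=6):
    """Share of inbound value attributable to flagged sources.

    Proportional attribution that ignores transfer timing; the hop limit
    also bounds recursion if the transfer graph contains cycles.
    """
    if wallet in flagged:
        return 1.0
    total = sum(amount for _, amount in inbound[wallet])
    if max_hops == 0 or total == 0:
        return 0.0
    tainted = sum(amount * exposure(sender, inbound, flagged, max_hops - 1)
                  for sender, amount in inbound[wallet])
    return tainted / total


def review(wallet, transfers=TRANSFERS, flagged=FLAGGED):
    """Return (hop distance, exposure share) for a wallet under review."""
    inbound = build_inbound(transfers)
    return (hops_to_flagged(wallet, inbound, flagged),
            exposure(wallet, inbound, flagged))


if __name__ == "__main__":
    for w in ("customer_X", "customer_Y", "customer_Z"):
        print(w, review(w))
```

Here `customer_X` sits three hops from a flagged wallet but only through a high-volume exchange wallet, while `customer_Z` shows no link at all simply because it has almost no history, which is the "clean" wallet case that calls for ongoing monitoring rather than a one-time check.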
Takeaways for Compliance
Globally, many jurisdictions have responded to the threat of illicit financial flows on crypto rails by requiring certain crypto firms to obtain a license or registration. However, while crypto protocols have developed and matured quickly, regulators in many jurisdictions have not clarified how digital asset firms should comply with existing financial regulations. For example, under the Travel Rule, financial institutions must collect and transmit certain information on transactions involving multiple financial institutions, but real-world identity information is excluded by default from most digital asset transactions.
Two changes are required for the integration of digital assets into the financial system:
- More providers of digital assets will be required to comply with anti-money-laundering, counter-terrorist financing (AML/CFT), and other requirements that are well-known to traditional financial institutions.
- Institutions will have to update their due diligence and compliance procedures to accommodate the unique characteristics of the digital asset industry.
Final Thoughts
It is vital to appreciate that crypto analytics and traditional research tools reinforce each other in important ways. Once a high-risk counterparty has been identified, it becomes paramount to understand the full scope of that counterparty’s risk profile beyond their crypto activity, and real-world sources help to illuminate the nature and extent of that risk. Conversely, searches of more traditional sources may uncover new avenues of inquiry for crypto research, for example by suggesting that a high-net-worth individual has made venture investments in digital assets or has been an advisor to a blockchain development firm.
Even though bad actors may conduct their illicit activity at arm’s length, a holistic risk-based approach, the 5 Step Cryptocurrency Diligence Process, can shine light on these connections.
Geoffrey Winkleman, Senior Analyst at IntegrityRisk, is also based in Washington, D.C. and specializes in German, Russian, and Korean-language research. He is a Returned Peace Corps Volunteer, having served in the Kyrgyz Republic, and recently earned a master’s degree from the Johns Hopkins University School of Advanced International Studies. Geoffrey’s interests range from Europe and Central Asia to the world of cryptocurrency, US foreign policy, and the challenges of international development.

