Anti-money-laundering enforcement has overtaken securities violations as the principal regulatory threat facing crypto firms, according to CertiK’s State of Digital Asset Regulations report. The U.S. Department of Justice and the Financial Crimes Enforcement Network together imposed more than $1 billion in AML-related fines during the first half of 2025. The development signals a sharp regulatory pivot away from the Securities and Exchange Commission-led enforcement cycle that once dominated crypto compliance discourse. CertiK notes that SEC crypto-specific penalties collapsed in value, falling from $4.9 billion in 2024 to about $142 million in 2025, a trend the firm attributes to shifts in policy priorities and jurisdictional focus.

According to CertiK’s findings, transaction-monitoring and licensing lapses are now generating penalties that rival or exceed many prior securities cases. High-profile settlements illustrate the trend: the Department of Justice’s February 2025 resolution with OKX amounted to $504 million, and KuCoin agreed to a $297 million settlement in January 2025 for operating as an unregistered money-transmitting business and violations of the Bank Secrecy Act.

Notable AML-related penalties in 2025. Source: CertiK

The surge in AML enforcement highlights regulators’ intensified emphasis on robust compliance controls and financial surveillance, with penalties increasingly stemming from operational shortcomings rather than disclosure failures. The report ties the shift to broader changes in U.S. policy and a re-evaluation of the SEC’s regulatory reach over digital assets.

Sanctions-related crypto transaction volume expanded more than fourfold year over year in 2025, driven principally by Russia-linked networks and state-aligned stablecoin infrastructure. This dynamic compelled regulators across major jurisdictions to prioritize cross-border financial crime compliance and transaction monitoring over token-classification debates.

Across regions, AML penalties followed a similar pattern. European authorities registered a near-quadrupling of fines, surging by about 767% over the period, while Asia-Pacific regulators increasingly relied on license revocations and business-improvement orders rather than monetary penalties. The global trend underscores a move toward a more stringent, process-oriented approach to crypto supervision that emphasizes ongoing compliance programs and operational resilience.

Key takeaways

AML enforcement has surpassed securities penalties in scale during the first half of 2025, reflecting a regulatory priority shift in crypto oversight.
In the United States, DOJ and FinCEN actions produced AML-related fines totaling over $1 billion in H1 2025, a milestone signaling intensified surveillance.
High-profile settlements—OKX for $504 million and KuCoin for $297 million—highlight the risk to exchanges and other crypto-asset businesses from licensing failures and BSA violations.
Global enforcement trends show rapid growth in sanctions-related activity, with Europe and Asia-Pacific pursuing more aggressive compliance actions, including licensing and exit/remediation orders.
Regulatory architecture is shifting toward mandatory security and operational audits and stronger prudential standards for custodians and exchanges, with consequential implications for capital, liquidity, and asset segregation.

Regulatory architecture in flux: from policy to practice

The enforcement pivot aligns with broader regulatory shifts documented in CertiK’s report. Stablecoins are moving beyond design debates toward concrete implementation across jurisdictions, with statutory and regulatory regimes maturing from concept to operation. Notable milestones include legislative and policy pathways from the GENIUS Act to the Markets in Crypto Assets (MiCA) framework, which collectively aim to establish binding rules for digital assets, stablecoins, and related infrastructure.

Prudential standards for market infrastructure—custodians and crypto exchanges—are tightening. Requirements now address capital adequacy, asset segregation, liquidity management, and recovery planning. In parallel, the Basel Committee’s cryptoasset prudential standards are slated for implementation beginning January 1, 2026, subject to local adoption. The framework creates a bifurcated treatment of cryptoassets: Group 2 assets (including Bitcoin and Ether) face near-100% capital charges, while Group 1 assets (such as tokenized traditional instruments and qualifying stablecoins) receive standard risk-weighting. This division risks a structural disconnect for large-scale institutional adoption, particularly in bank balance sheets where capital costs influence holding patterns.

CertiK noted that banks already under regulator supervision in jurisdictions like Singapore and the EU are encountering the practical effects of these evolving standards. The shift increases the cost of holding crypto assets on balance sheets and reinforces the importance of robust custody, risk-management, and reporting capabilities for institutional clients and banks alike.

According to Cointelegraph’s reporting on CertiK’s findings, the regulatory emphasis is broadening from asset classification to the reliability of operational controls and compliance programs. The move reflects a desire to close governance, risk, and control gaps that have historically enabled illicit activity and financial crime through crypto channels.

Smart contract audits and the evolving compliance baseline

Auditing and security standards are increasingly being folded into licensing and supervisory expectations across major markets. CertiK described a trajectory whereby rigorous security assessments are no longer voluntary best practices but are becoming de facto prerequisites for market access. Regulators’ push toward formal audits coincides with heightened concern about accountability in decentralized finance and governance models.

Regulatory attention to DeFi governance is rising in tandem with audit requirements. A European Central Bank working paper cited in CertiK’s analysis highlights that governance consolidation within major DeFi protocols complicates MiCA oversight, underscoring the need for clear accountability in a landscape where code and control may sit with disparate actors. CertiK’s review of the top 100 exploited protocols found that 80% had never undergone a formal security audit prior to a breach, and those unaudited protocols accounted for 89.2% of total value lost. Moreover, 2025 losses by value were dominated by infrastructure compromises, such as private-key theft and access-control failures, which accounted for 76% of total losses by value, signaling a shift from purely code-level exploits to broader operational risk.

The firm also observed that regulators often defer to supervised entities to identify and mitigate risks, with annual testing, resilience drills, and source-code reviews forming the cornerstone of a jurisdictional compliance program. While some regulators require annual audits or ongoing security testing, they typically avoid prescribing an overly prescriptive scope to preserve insurers’ and firms’ flexibility in implementing robust controls.

From a practical standpoint, these developments matter for institutions and compliance teams because they reshape onboarding and ongoing supervision considerations. Banks and fintechs seeking to operate or expand digital-asset activities must demonstrate robust KYC/AML programs, secure custody arrangements, and demonstrable risk governance that aligns with evolving prudential standards and cross-border supervision expectations. As CertiK’s spokesperson explained to Cointelegraph, regulators globally are signaling that governance, operational resilience, and security audits are integral to licensure and ongoing oversight.

Looking ahead, the convergence of AML enforcement with broader regulatory modernization suggests a tightening of the compliance perimeter for crypto firms. The emphasis on licensing-driven enforcement, cross-border cooperation, and capital-adequacy discipline for custodians and exchanges will shape the operating models of exchanges, banks exploring digital-asset services, and institutional traders alike. The push toward mandatory audits and stronger governance standards also raises questions about the competitive landscape: entities with advanced risk-management capabilities may gain preferential access to banking relationships and market corridors, while those with weaker controls could face accelerated remediation orders or exits from regulated markets.

For compliance teams, the takeaway is clear: the regulatory baseline is shifting from “best practice” to “binding requirement” for critical control functions. The 2025 enforcement environment demonstrates that penalties are increasingly tied to operational execution—how firms monitor transactions, verify counterparties, manage keys and access, and maintain auditable records—rather than merely to disclosure-related missteps.

Closing perspective: the regulatory trajectory indicates that crypto supervision will continue to converge with traditional financial crime controls. Institutions should monitor ongoing Basel developments, MiCA implementation, and cross-border enforcement dynamics, while preparing for tighter licensing regimes and mandatory security audits as the standard of fit for regulated digital-asset activities.