Anti-Money Laundering enforcement has overtaken securities violations as the leading regulatory threat facing crypto companies, according to CertiK, with the United States Department of Justice and Financial Crimes Enforcement Network imposing $900 million in AML-related fines during the first half of 2025.
The shift marks a sharp break from the US Securities and Exchange Commission-led enforcement cycle that defined earlier years of crypto regulation. SEC crypto-specific penalties collapsed 97% in penalty value year over year, dropping from $4.9 billion in 2024 to $142 million in 2025, according to a Tuesday report by blockchain security auditor CertiK.
Transaction monitoring and licensing failures are now drawing penalties that rival or exceed many earlier crypto securities cases. The DOJ’s February 2025 settlement with OKX reached $504 million, while KuCoin paid $297 million in January 2025, both for operating unlicensed money transmitting businesses and Bank Secrecy Act violations.
Notable AML-related penalties in 2025. Source: CertiK
The surge in AML enforcement highlights regulators’ growing focus on compliance controls and financial surveillance, with penalties increasingly targeting operational failures rather than disclosure-related violations. The shift reflects both a change in US administration policy and a broader reassessment of the SEC’s jurisdictional approach to digital assets, according to the report.
Related: AMLBot says social engineering drove 65% of crypto cases it probed in 2025
Sanctions-related crypto volume grew over 400% year-over-year in 2025, driven primarily by Russia-linked networks and state-aligned stablecoin infrastructure, forcing regulators across all major jurisdictions to prioritize transaction monitoring and cross-border financial crime compliance over token classification disputes.
European AML fines surged 767% over the same period, while Asia-Pacific regulators increasingly favor license revocations and business improvement orders over monetary penalties.
Broader regulatory trends
The enforcement pivot coincides with broader global regulatory trends documented in the report. Stablecoin regulations, for example, are moving from design to implementation across major jurisdictions, with binding frameworks now operational from the Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act to the Markets in Crypto Assets (MiCA) regime.
Prudential standards for custodians and exchanges are tightening, with requirements now covering capital adequacy, asset segregation, liquidity management and recovery planning.
The Basel Committee’s cryptoasset prudential standard, scheduled for implementation from Jan. 1, 2026, subject to local adoption, has also created what the report calls a “structural divide” for institutional adoption. Group 2 assets, including Bitcoin and Ether, face near-100% capital charges, making them economically difficult for banks to hold on the balance sheet, while Group 1 assets, such as tokenized traditional instruments and qualifying stablecoins, receive standard risk weighting.
Related: Pierre Rochard warns US regulators over Bitcoin gap in Basel rewrite
A CertiK research team spokesperson told Cointelegraph that banks managing digital assets under the oversight of regulators such as Singapore and the EU are already subject to this adjusted enforcement.
Smart contract audit mandates address exploit landscape
CertiK said smart contract security assessments are increasingly being folded into licensing and compliance expectations across major markets, with security audits moving from voluntary best practice to statutory or quasi-statutory requirement across major jurisdictions within two years.
Smart contract security regulator mandates. Source: CertiK
That push for mandatory audits comes as regulators grapple with identifying accountability in decentralized finance. A European Central Bank working paper published in March, for example, found that governance in major DeFi protocols remains highly concentrated, complicating efforts to determine who should fall under MiCA oversight.
CertiK’s analysis of the top 100 exploited protocols found that 80% had never undergone a formal security audit before a breach, and those unaudited protocols accounted for 89.2% of total value lost. At the same time, the report says infrastructure compromises such as private key theft and access control failures drove 76% of 2025 losses by value, as the threat landscape moved beyond code exploits.
The spokesperson said that current regulatory audit requirements are in line with Web2 frameworks and that authorities generally delegate identifying relevant threats to supervised entities. While regulators may require yearly testing or various operational resilience efforts, such as source code reviews, they seldom prescribe a specific scope to avoid restricting the reach of such evaluations, they said.
Magazine: Singapore isn’t a ‘crypto hub’ — it’s something better: StraitsX CEO
