Total ransomware payments fell in 2025, but the tactics around them got sharper. TRM Labs data shows a clean 25-point swing away from privacy mixers and into cross-chain bridges — a direct response to enforcement pressure.
Ransomware is, for the first time in four years, in a measurable retreat. According to TRM Labs' 2026 Crypto Crime Report, total on-chain ransomware payments in 2025 came in around $820 million — down 15% year-over-year, and the lowest total since 2021. But the celebration is muted. Underneath the topline, ransomware operators are running a more sophisticated, harder-to-interdict laundering operation than at any prior point in the category's history.
| Metric | Value |
|---|---|
| Total on-chain payments (2025) | ~$820M (down ~15% YoY) |
| Share laundered via bridges (Q4 2025) | 58% |
| Share via mixers (Q4 2025) | 33% |
| Biggest affiliate group shutdown | LockBit successor cluster (Q2 2025) |
| Organizations publicly declining to pay | Up 41% YoY |
| Mandatory disclosure jurisdictions | US (CIRCIA), EU (NIS2), Australia |
In Q1 2024, roughly 62% of ransomware payout laundering passed through mixers; bridges handled just 18%. By Q4 2025, those numbers had nearly inverted: bridges accounted for 58%, mixers 33%. The shift is causal, not coincidental. The U.S. Treasury's sanctioning of Tornado Cash in August 2022 and Sinbad.io in late 2023 materially raised the operational costs of mixer use. THORChain — a permissionless cross-chain swap protocol — has become a preferred replacement, with ransomware-attributable volumes rising 66% between 2023 and 2025.
The takedowns of LockBit and BlackCat affiliate infrastructure in 2024 fractured what had been the most productive ransomware-as-a-service operations. On the victim side, the share of incidents where organizations publicly declined to pay rose 41% year-over-year. Mandatory disclosure regimes — CIRCIA in the US, NIS2 in the EU — have also reduced the asymmetric information advantage that drove many organizations to pay quietly.
Bridge-based laundering is harder to interdict than mixer-based laundering: there is no single service operator to sanction, and THORChain's permissionless design means funds can be routed through liquidity pools without any intermediary holding them. U.S. Treasury officials have quietly floated the possibility of designating certain permissionless cross-chain protocols as primary money-laundering concerns under Section 311 of the USA PATRIOT Act — a move that would be legally available but precedent-setting.
The attacks described in this article exploit gaps that pre-signature transaction monitoring is built to close. Web3Firewall evaluates 100+ risk signals before a transaction reaches the blockchain — enforcing policy controls at the only moment intervention is actually possible.
Real crypto news, market data, and analysis — free to your inbox every weekday at 7am.
No spam. Unsubscribe anytime. Sent to admin@coinhubtoday.com
The definitive source for cryptocurrency news, market data, press releases, and product reviews — trusted by professionals worldwide.
CoinHub Today is an independent media organisation and does not provide investment, financial, or legal advice. All content is for educational purposes only. Cryptocurrency investments involve substantial risk. Past performance is not indicative of future results. Always consult a qualified financial adviser before investing.