AML Penalties Eclipse SEC Issues As High Crypto Risk: Report
Anti-money laundering (AML) enforcement has overtaken security breaches as the leading regulatory threat to crypto companies, with the US Department of Justice and the Financial Crimes Enforcement Network imposing $900 million in AML-related fines in the first half of 2025, according to CertiK.
The shift marks a significant break from the enforcement cycle led by the US Securities and Exchange Commission, which dictated crypto regulation in previous years. SEC crypto-specific fines fell 97% year-over-year, from $4.9 billion in 2024 to $25 million in 2025, according to a Tuesday report by blockchain security auditor CertiK.
Failures in transaction regulation and licensing are now drawing fines that rival or exceed many previous crypto security issues. The DOJ's February 2025 settlement with OKX reached $504 million, while KuCoin paid $297 million in January 2025.
Significant penalties associated with AML in 2025. Source: CertiK
The increase in AML enforcement highlights regulators' focus on compliance monitoring and financial monitoring. The shift reflects both a change in US administration policy and a reevaluation of the SEC's regulatory approach to digital assets, the report said.
Sanctions-related crypto volume has grown 400% year-on-year in 2025, driven primarily by Russia-linked networks and state-linked stablecoin infrastructure, forcing regulators in all major states to prioritize transaction controls and cross-border financial crimes over token allocation disputes.
European AML fines rose 767% over the same period, with Asia-Pacific regulators favoring license revocations and trade reform orders more than fines.
Broader regulatory trends
The enforcement pillar relates to broader global regulatory trends documented in the report. Stablecoin regulations, for example, are moving from design to implementation in major states, with binding frameworks now in place from the US GENIUS Act to the Markets in Crypto Assets (MiCA) regime.
Prudential standards for custodians and exchanges are tightening, with requirements now covering capital adequacy, asset segregation, liquidity management and recovery planning.
The Basel Committee's cryptoasset prudential standard, slated to go into effect on January 1, 2026, has created what the report calls a “structural divide” in local as well as institutional adoption. Group 2 assets, including Bitcoin and Ether, face capital charges of nearly 100%, making them economically difficult for banks to hold on their balance sheets, while Group 1 assets, such as tokenized traditional instruments and eligible stablecoins, receive standard risk weights.
A spokesperson for CertiK Research Group told Cointelegraph that banks that manage digital assets under the supervision of regulators such as those in Singapore and the European Union are subject to this streamlined enforcement.
Smart contract auditing dictates the landscape of address exploitation
CertiK said smart contract safety assessments are being integrated into licensing and compliance in large markets, with safety audits moving from a voluntary best practice to a legal or statutory requirement in major jurisdictions within two years.

Smart Contract Security Regulatory Duties. Source: CertiK
That push for mandatory audits comes as regulators struggle to identify accountability for decentralized finance. A European Central Bank working paper published in March found that governance in major DeFi protocols is too centralized, complicating efforts to decide whether it should fall under MiCA control.
CertiK's analysis of the top 100 exploited protocols found that 80% had never undergone a formal security audit prior to a breach, and those unaudited protocols accounted for 89.2% of the total value. At the same time, the report says infrastructure problems such as private key theft and access control failures will account for 76 percent of losses by 2025, with the threat landscape going beyond code exploitation.
The spokesperson said the current regulatory audit requirements are in line with the Web2 framework and authorities generally delegate to relevant regulatory bodies identifying relevant risks. While regulators may require annual testing, such as source code reviews, or various functional resiliency efforts, they rarely impose limits on access to reviews, he said.