US AML Fines Top $1B; OKX, KuCoin Lead Crypto Penalties

U.S. prosecutors and the Financial Crimes Enforcement Network collected more than $1 billion in anti-money-laundering fines in the first half of 2025. The total was driven by a $504 million settlement with OKX in February and a $297 million payment from KuCoin in January.

The enforcement total exceeded penalties imposed by the Securities and Exchange Commission on crypto-specific matters. SEC crypto penalties fell 97% year over year to $142 million in H1 2025, down from $4.9 billion in 2024, according to CertiK.

CertiK’s analysis finds regulators focused on failures in transaction monitoring, licensing and AML controls rather than disclosure or token-classification issues. The Department of Justice and FinCEN pursued large penalties under the Bank Secrecy Act and related rules for operating unlicensed money transmission businesses and for lapses in AML controls.

Sanctions-related crypto activity increased more than 400% year over year in 2025, driven largely by networks linked to Russia and by stablecoin systems aligned with state actors. Regulators stepped up transaction surveillance and cross-border financial crime controls in response.

European AML fines rose 767% over the same period. In the Asia-Pacific region, authorities relied more on license revocations and business improvement orders instead of only monetary penalties. Stablecoin frameworks moved into implementation, with binding rules active under the U.S. GENIUS Act and the EU’s Markets in Crypto-Assets regime.

Prudential standards for custodians and exchanges tightened to cover capital adequacy, segregation of client assets, liquidity management and recovery planning. The Basel Committee’s cryptoasset prudential standard, scheduled for Jan. 1, 2026 subject to local adoption, assigns near-100% capital charges to Group 2 assets including bitcoin and ether, while Group 1 assets such as tokenized traditional instruments and qualifying stablecoins receive standard risk weighting.

CertiK projects that smart contract security assessments will shift from voluntary practice to statutory or quasi-statutory requirements across major markets within about two years. Its review of the top 100 exploited protocols found 80% had not undergone a formal security audit before a breach; those unaudited projects accounted for 89.2% of value lost. Infrastructure compromises, including private key theft and access-control failures, accounted for 76% of value lost in 2025.

A CertiK spokesperson said, “Authorities may demand annual testing or operational resilience measures such as source-code reviews, but they rarely dictate a specific audit scope.” The firm added that current audit expectations resemble frameworks used in traditional finance and that supervised firms are expected to identify and manage relevant threats.

Firms that handle digital assets face increased pressure to strengthen transaction monitoring, licensing processes and custody safeguards to comply with evolving rules across multiple jurisdictions.