CertiK report: $900 million in AML fines; SEC crypto enforcement down 97% year over year

According to a report published on April 28 by blockchain security audit firm CertiK, anti-money laundering (AML) enforcement has replaced securities violations determinations and has become the top regulatory threat facing crypto companies. The report shows that the U.S. Department of Justice and the Financial Crimes Enforcement Network (FinCEN) issued $900 million in AML-related fines in the first half of 2025; in the same period, crypto-asset fines by the U.S. Securities and Exchange Commission (SEC) fell 97% year over year.

Key AML Enforcement Figures and Typical Cases

(Source: CertiK)

According to CertiK’s April 28 report, major AML-related enforcement cases in 2025 include:

OKX: In February 2025, it reached a settlement with the DOJ for $504 million, due to operating a money-transmitting business without a license and violating the Bank Secrecy Act

KuCoin: In January 2025, it paid $297 million, for the same reasons: operating a money-remitting business without a license and violating the Bank Secrecy Act

CertiK’s report states that in 2025, the volume of crypto transactions related to sanctions increased by more than 400% year over year, mainly driven by Russia-linked networks and national stablecoin infrastructure. In the same period, AML fines in Europe surged 767%; in the Asia-Pacific region, regulators have relied more on license revocations and business improvement orders rather than direct monetary penalties.

Global Regulatory Framework Shift: Stablecoins and Basel Standards

According to CertiK’s April 28 report, stablecoin regulation is moving from the design stage into implementation, and major jurisdictions have begun enforcing binding frameworks, including the U.S. “Guiding and Establishing the Stablecoin National Innovation Act (GENIUS Act)” and the EU’s “Markets in Crypto-Assets Regulation (MiCA).”

CertiK’s report explains that the Basel Committee’s prudential standards for crypto assets are planned to take effect on January 1, 2026: assets in Group 2 (including BTC and ETH) face capital occupancy requirements of nearly 100%; assets in Group 1 (including tokenized traditional instruments and eligible stablecoins) apply risk-weight standards. A spokesperson for CertiK’s research team, speaking in an interview with Cointelegraph, said that banks managing digital assets under the oversight of regulators in Singapore and the EU have applied the above adjusted enforcement requirements.

Requirements for Strengthening Smart Contract Security Audits

According to CertiK’s April 28 report, after analyzing the top 100 most heavily targeted protocols, it found that 80% of the protocols had never undergone formal security audits before being attacked, and unaudited protocols accounted for 89.2% of the total loss value. By loss type, events where infrastructure was breached—such as incidents involving private key theft and access control failures—accounted for 76% of losses in 2025 when calculated by value.

In comments to Cointelegraph, a spokesperson for CertiK’s research team said that security audits are shifting from voluntary best practices to statutory or quasi-statutory requirements in major jurisdictions, and are expected to be implemented within two years. When regulators require annual testing or source code reviews, they typically do not specify specific scope to avoid limiting the assessment coverage.

Frequently Asked Questions

Why has AML enforcement replaced the SEC to become the biggest regulatory risk for the crypto industry?

According to CertiK’s April 28 report, SEC fines targeting crypto assets fell 97% year over year in 2025 to $142 million. In the same period, DOJ and FinCEN’s AML fines totaled $900 million, accompanied by an over-400% year-over-year increase in crypto transaction volume related to sanctions, reflecting a shift in enforcement focus from disclosure violations to transaction monitoring and compliance controls.

What are the most significant AML enforcement cases in the crypto industry in 2025?

According to CertiK’s April 28 report, OKX reached a $504 million settlement with the DOJ in February 2025; KuCoin paid $297 million in January 2025; both involve unlicensed money transmission businesses and violations of the Bank Secrecy Act.

What are CertiK’s key findings regarding smart contract security audits?

According to CertiK’s April 28 report, among the top 100 protocols most heavily attacked, 80% had never undergone formal security audits before the attacks, and unaudited protocols accounted for 89.2% of the total loss value. In 2025, 76% of losses by value came from attacks on infrastructure such as private key theft and access control failures.