The Financial Action Task Force (FATF) has published a targeted report on stablecoins and unhosted wallets, warning that stablecoins have become the most popular virtual asset for illicit transactions.

The March 2026 report singles out peer-to-peer (P2P) transfers through unhosted wallets, conducted without any regulated intermediary, as a key vulnerability the global anti-money-laundering framework was never built to reach.

Jurisdictions across Asia and beyond, Hong Kong among them, have spent two years building licensing regimes for stablecoin issuers, betting regulation can make these instruments safe for mainstream payments. The FATF stablecoin report broadly supports that direction, while laying out how much criminal activity now moves through the parts of the ecosystem that licensing doesn’t touch.

A US$316 billion market that criminals have adopted too

The market has scaled quickly. The report counts 259 stablecoins in circulation as of June 2025, with market capitalisation reaching US$316 billion by October 2025, roughly 8% of the entire virtual asset market.

Daily trading volumes are larger still. At US$156 billion, stablecoin turnover runs at nearly three times Bitcoin’s US$55 billion, and stablecoins now represent 30% of all on-chain virtual asset transaction volume.

The market is also heavily concentrated. Fiat-backed stablecoins account for 95% of total capitalisation, and of those, 97% reference the US dollar.

Nine in 10 stablecoins are centrally governed. That matters, because centralised issuers hold technical powers, such as freezing and blacklisting, that sit at the heart of the FATF’s proposed mitigations.

The same qualities driving legitimate adoption, namely price stability, deep liquidity, fast cross-border settlement and independence from banking hours, are precisely what attract criminals.

Citing Chainalysis, the report notes that stablecoins accounted for 84% of the US$154 billion in illicit virtual asset transaction volume in 2025, displacing Bitcoin as the dominant asset for cybercrime-related on-chain transactions. Most of that illicit activity occurs in the secondary market, beyond the issuer’s direct customer relationships.

North Korea and Iran have operationalised stablecoins

State-linked actors feature prominently. North Korean groups such as Lazarus have long specialised in virtual asset theft, including a roughly US$1.46 billion heist in February 2025 that was laundered through mixers, cross-chain bridges and more than 125,000 Ethereum wallets. The typical endgame involves conversion into stablecoins, most often USDT on the Tron blockchain, before cashing out through over-the-counter (OTC) brokers or P2P platforms.

What has changed is the purpose. According to the Multilateral Sanctions Monitoring Team, the DPRK’s 221 General Bureau, the regime’s primary weapons-trading organisation, UN-designated under its former name KOMID, has since at least 2023 sought to use stablecoins to launder cybercrime proceeds and as a means of payment for goods prohibited under UN Security Council resolutions.

That includes military equipment and raw materials such as copper for munitions. Compared with moving cash across borders, USDT payments are faster, less logistically burdensome and lower in risk for the sanctioned party.

Iranian actors follow a similar playbook. Blockchain analytics firms assess that addresses associated with the Islamic Revolutionary Guard Corps received several billion dollars on-chain across 2024 and 2025, with virtual assets used to procure drone components and to transfer funds to sanctioned actors in the region, including the Houthis.

The report also flags an adaptive dynamic regulators should note: after USDT freezes hit IRGC-linked addresses in mid-2025, sanctioned Iranian entities may migrate towards stablecoins such as DAI that carry no freeze function at all.

Fraud proceeds, drug money and terrorist donations

Beyond state actors, fraud networks are running investment scams, romance scams and pig butchering operations that collect proceeds in stablecoins, and launder them through mixers, decentralised exchanges, coin-swap platforms and unlicensed OTC brokers.

One case study from India traces workers in Southeast Asian scam compounds paid through a regional payment service provider, with USDT deposits into Indian exchange accounts immediately liquidated into rupees. The investigation identified 241 user locations in and around scam compounds in Cambodia and led to enforcement action against the provider.

Drug-trafficking organisations use USDT on Tron and USDC on Ethereum to pay overseas suppliers of synthetic-drug precursors. They also use these rails to launder proceeds, exploiting money mules, gambling platforms and merchant refund loops where goods bought with stolen identities are returned for stablecoin refunds to third-party wallets.

The report says terrorist organisations, including ISIL and Al-Qaeda, solicit donations in stablecoins through encrypted platforms and social media, rotating wallet addresses to obscure recipients and splitting large sums into small transfers routed through multiple providers to stay under detection thresholds.

Where the vulnerabilities sit

The report maps weaknesses across the stablecoin lifecycle. At issuance, the borderless nature of the business incentivises issuers to headquarter in weakly regulated jurisdictions while operating globally. Emerging multi-issuance schemes, where entities in two jurisdictions jointly issue fungible tokens, further muddy compliance responsibility and complicate freezing and seizure.

In circulation, compliance quality varies wildly across intermediaries, and VASPs in jurisdictions that haven’t implemented FATF Recommendation 15 may run no controls at all. At redemption, holders need not use official channels: informal off-ramps through OTC brokers and unlicensed P2P platforms achieve the same outcome with none of the checks.

The deepest structural gap for stablecoin money laundering is P2P transfers through unhosted wallets, where users hold their own keys and no obliged entity ever touches the transaction. No customer due diligence applies, and no one is responsible for filing suspicious transaction reports.

Public blockchains keep transactions visible but pseudonymous, and criminals compound this by generating fresh addresses, layering transfers through wallets that sit many hops from any Travel Rule-covered wallet, and hopping across chains. Cross-chain interoperability, a selling point for legitimate remittances, fragments transaction trails and can even neutralise an issuer’s freeze powers where its stablecoin circulates on other blockchains in wrapped form.

The FATF concedes it still cannot reliably size the P2P market, and urges jurisdictions to keep monitoring whether stablecoins reach mass adoption for purchases that bypass regulated on- and off-ramps entirely.

How the FATF wants to close the gap

The report’s second half catalogues good practices, starting with clear AML obligations on issuers and intermediaries, and smart-contract controls such as allow-listing, deny-listing, freezing and burning. It also covers blockchain analytics deployed by both supervisors and firms, and multinational supervisory colleges for cross-border arrangements.

It recommends that jurisdictions consider requiring issuers to maintain the technical capability to freeze and burn tokens in the secondary market. Issuers are also encouraged to publish a law-enforcement contact monitored around the clock.