STRATEGY · Months to result

Whole-of-Government Crypto Crime Takedown Playbook

Dismantle transnational crypto crime networks when traditional arrest is impossible

Problem it solves

Traditional arrest-focused enforcement fails when crypto criminals operate from non-extradition jurisdictions, allowing networks to continue operating indefinitely.

Best for

Law enforcement agencies, national security teams, and policy makers building coordinated multi-agency responses to transnational organized crypto crime.

Not ideal for

Cases where suspects are in extraditable jurisdictions or where standard criminal prosecution and physical custody are readily viable.

Overview

Why this framework exists

The Whole-of-Government framework coordinates multiple agencies—DOJ, OFAC, FinCEN, and intelligence services—to dismantle crypto crime networks when direct arrest is impossible. Rather than waiting for extradition, the approach simultaneously indicts leadership to freeze their movement, sanctions the organization to cut financial access, dismantles money laundering infrastructure, and executes asset forfeiture. The core insight is that asset seizure deters financial criminals more effectively than the threat of imprisonment. Blockchain tracing enables law enforcement to follow stolen funds through cross-chain conversions, mixing services, and OTC handoffs, building evidence for each intervention layer. The Prince Group case—a $15 billion forfeiture, the largest in history—validated this playbook across every enforcement layer, from criminal prosecution to sanctions to regulatory action.

Core principles

6 total
  1. Asset seizure deters financial criminals more effectively than the threat of arrest
  2. Multi-agency coordination multiplies enforcement impact beyond what any single agency achieves alone
  3. The off-ramp is the chokepoint where crypto crime is most vulnerable to disruption
  4. Blockchain immutability transforms every on-chain transaction into traceable, admissible evidence
  5. Non-extraditable adversaries can be financially neutralized without physical custody
  6. Victim restitution must be designed into enforcement strategy from the start, not added afterward

Steps

8 steps
  1. Map the Criminal Network via Blockchain Tracing
    Deploy threat hunters and blockchain forensic tools to attribute illicit wallet addresses, trace transaction flows, and build a complete map of the network's financial infrastructure. Focus attribution on the laundering layer—bridges, mixers, and OTC handoffs—not just the initial theft event.
    Pro tip: Specialists who focus full-time on a single threat actor (e.g., North Korea, Iran) develop attribution depth that general analysts cannot match; build dedicated single-actor teams.
    Warning: Without solid on-chain attribution, downstream enforcement actions lose legal standing and practical effect.
  2. Build Intelligence on Leadership and Money Laundering Infrastructure
    Identify key figures, organizational hierarchy, government connections, and the facilitators enabling fund movement off-chain. Engage human intelligence sources—including insiders—where on-chain visibility ends.
    Pro tip: Insider access near the top of the organization can provide the decisive intelligence needed for asset seizure, as evidenced by the role of an insider referenced in the Prince Group forfeiture documents.
  3. Coordinate Multi-Agency Alignment on a Sequenced Action Plan
    Align DOJ (prosecution), OFAC (sanctions), FinCEN (regulatory), and intelligence agencies on a unified timeline. Determine the optimal sequence of enforcement moves to prevent network adaptation between actions.
    Pro tip: Sanctions applied before indictment can cause leadership to go further underground before sufficient evidence is secured for prosecution; sequence carefully.
    Warning: Siloed action by any single agency allows the network to adapt and reconstitute around the individual pressure point.
  4. Indict Key Leadership to Create Legal and Diplomatic Pressure
    File criminal indictments against network leaders to establish grounds for future extradition, limit their international travel, and signal to foreign governments that shielding these actors carries diplomatic cost.
    Pro tip: Even when extradition is unlikely, indictments constrain where leaders can operate globally and may motivate foreign governments to act independently on their own interests.
  5. Apply OFAC Sanctions to Freeze Organizational Assets
    Designate the organization and key figures under OFAC to freeze accessible assets and cut the network off from the global financial system. Coordinate with allied financial regulators and stablecoin issuers to extend the perimeter internationally.
    Pro tip: Coordinate directly with stablecoin issuers like Tether and Circle to freeze and reissue tokens held in sanctioned wallets, neutralizing stable-value holdings that bad actors prefer for liquidity.
  6. Dismantle Money Laundering Infrastructure via FinCEN
    Target primary facilitators—exchanges, OTC brokers, mixing services—through FinCEN regulatory action to destroy the off-ramp capability that converts illicit crypto into usable funds. The off-ramp is the chokepoint.
    Pro tip: Disrupting the off-ramp traps funds on-chain where they remain fully traceable; a strong perimeter at exit points is often more damaging to the network than any upstream enforcement action.
    Warning: Multiple facilitators often operate in parallel; neutralizing one without targeting others allows rapid network rerouting.
  7. Execute Asset Seizure and Forfeiture as the Primary Enforcement Outcome
    Prioritize taking the money over securing physical arrests. Use every available technical, intelligence, and legal tool—including exploiting access to private keys through insider intelligence or system vulnerabilities—to identify and forfeit criminal proceeds.
    Pro tip: Financial criminals are typically more deterred by asset loss than by jail time; shifting enforcement philosophy to money-first maximizes deterrence impact per dollar spent.
  8. Build a Structured Victim Restitution Fund from Seized Assets
    Allocate forfeited assets into a compensation fund—modeled on precedents like the US Vaccine Injury Compensation Fund—where individual victims file verified claims. Use blockchain tracing to link victim wallets to specific criminal compounds, enabling scalable verification.
    Pro tip: Blockchain tracing can associate specific victim addresses with specific criminal operations, enabling claim verification at a scale impossible in traditional financial fraud restitution.
    Warning: Slow restitution erodes public confidence in the enforcement system and leaves hundreds of thousands of victims without recourse despite successful seizure.

Examples

3 cases
Prince Group / Shenzi Pig Butchering Takedown

The Prince Group, operating out of Cambodia with ties to Chinese national security networks, ran massive scam compounds stealing billions from Americans through social engineering. DOJ indicted ringleader Shenzi, OFAC sanctioned Prince Group, and FinCEN dismantled Wei One—the primary laundering facilitator. The coordinated multi-agency action resulted in a $15 billion asset forfeiture. China subsequently apprehended Shenzi before he could be extradited, apparently to prevent the US from gaining access to evidence implicating Chinese state actors.

Outcome: $15 billion forfeited, the largest asset seizure in DOJ/FBI history. Full multi-agency playbook validated across criminal prosecution, sanctions, and regulatory enforcement layers.

Colonial Pipeline Ransomware Recovery

Following a ransomware attack that shut down critical US fuel infrastructure, attackers received a Bitcoin ransom payment. FBI and national security agencies used blockchain tracing combined with technical intelligence tools—likely gaining access to private keys—to trace and recover the majority of the ransom without securing physical custody of the attackers, who remained beyond US jurisdiction.

Outcome: Significant portion of ransom recovered without arrest, demonstrating that asset recovery is achievable through technical and intelligence means even when suspects are unreachable.

Bybit Hack Real-Time Laundering Attribution

After North Korea stole $1.5 billion in Ethereum from Bybit, blockchain forensic firms tracked conversion of nearly all stolen funds to Bitcoin via ThorChain within 72 hours—a recognized North Korea laundering signature. The rapid cross-chain conversion pattern was identified in real time, enabling law enforcement to begin building an off-ramp perimeter far faster than previous state-sponsored hacks had allowed.

Outcome: Real-time attribution confirmed rapid BTC conversion via cross-chain bridges as a key North Korea detection signal, accelerating law enforcement mobilization timelines.

Common mistakes

3 traps
Relying solely on arrests as the enforcement metric
When suspects operate in non-extradition countries, building cases around eventual arrest wastes resources and allows networks to operate for years or decades. Asset seizure should be the primary enforcement objective, with arrest treated as a secondary outcome when circumstances allow.
Siloing enforcement agencies from each other
Each agency acting independently allows criminal networks to detect pressure and adapt before the full enforcement package lands. Coordinated sequencing between DOJ, OFAC, and FinCEN is essential to prevent network reconstitution between individual enforcement actions.
Neglecting victim restitution planning until after seizure
Treating seized assets as government windfalls rather than victim compensation misses the restorative justice dimension and creates public skepticism about enforcement value. Restitution fund structure should be designed at case inception, not retrofitted after forfeiture proceedings close.

Origin story

How this framework came to be

Extracted from Bankless, featuring Ari Redbord, former DOJ prosecutor and Head of Global Policy at TRM Labs. Validated through the Prince Group/Shenzi case, in which coordinated DOJ, OFAC, and FinCEN action achieved the largest asset forfeiture in history at $15 billion, reflecting a documented shift in US law enforcement from arrest-first to asset-seizure-first strategy.

Source

Source · VIDEO
Why North Korea Is Winning Crypto Crime | Ari Redbord — Bankless
Bankless · 2026