Addressing the Narrative Around DeFi & Illicit Finance

On September 8, 2025, the House Financial Services Subcommittee (HFSC) on National Security, Illicit Finance, and International Financial Institutions held a hearing: Evaluating the Financial Crimes Enforcement Network (FinCEN). During the hearing, members discussed topics such as the effectiveness of reporting requirements, data sharing and retention, cybersecurity and identity fraud, and the proper regulatory approach to digital assets. While several members made statements about ensuring FinCEN took a pro-innovation approach, see the DEF Debrief covering the hearing here, others expressed reservations about crypto and decentralized finance (DeFi).

In his statement, Representative Sam Liccardo (D-CA) expressed concerns about the potential money laundering risks in DeFi protocols, specifically mentioning a statistic that, “as recently as January, [a study showed] 91% of fraud and theft occurring in the 1,100 cases was happening on DeFi protocols.” Rep. Liccardo was referring to a study entitled “Mapping the DeFi crime landscape: an evidence-based picture” by Catherine Carpentier-Desjardins, Masarah Paquet-Clouston, Stefan Kitzler, and Bernhard Haslhofer. The authors of this study “collected data on 1,141 crime events from 2017 to 2022. Of these, 1036 were related to DeFi (the main focus of this study) and 105 to centralized finance (CeFi).” We provide additional context for the cited statistic below.

The Data Collected 

From the outset, the goal of the study was to “provide a comprehensive assessment of profit-driven crimes targeting the DeFi sector,” meaning, the data was intentionally constructed to examine crimes occurring with some relationship to DeFi. Further, the authors confirmed that they “obtained the majority of [the dataset] from De.Fi REKT database,” which itself focuses on collecting DeFi scams, hacks, and exploits.

Notably, the study relied on “categorizations from crime aggregators and DeFiLlama” as of September 2023 and, on that basis, defined DeFi actors as “any individual, group, or organization supporting the operations of DeFi services, including blockchain, fungible token (FT), nonfungible token (NFT), exchange, lending, derivative, Dapp, yield, staking, bridge, and oracle services.” However, such a definition may be over-representative. For example, “individuals supporting the operation of” such categories is a broad, amorphous group of people. By collecting DeFi-focused data and adopting an expansive scope of DeFi, the study makes the statistics appear even worse and disproportionately high. 

Furthermore, the data was taken from years 2017 to 2022, but was only published earlier this year, allowing a distorted impression of “recent” DeFi activity when cited by its publication date and not its data source. 

While Rep. Liccardo did reference data tied to certain activity connected with DeFi, this study he cited overstates that connection rather than placing it in context with crimes in traditional finance or CeFi. It should not be misread as proof that DeFi poses disproportionately higher risks of fraud or theft. In fact, although the study focused only on DeFi-related crimes, it ultimately found that CeFi has suffered greater overall losses. Specifically, the report noted that the cryptoasset industry as a whole has seen at least $30B in losses—two-thirds from CeFi and only one-third from DeFi. 

Reality for DeFi

As several government reports—including those from the Biden Administration’s Treasury Department’s 2024 National Risk Assessments (published in February 2024) and the Illicit Finance Risk Assessment of Decentralized Finance (published in April 2023) recognized, “most money laundering, terrorist financing, and proliferation financing by volume and value of transactions occurs in fiat currency or otherwise outside the virtual asset ecosystem via more traditional methods.” This was reaffirmed in the President’s Working Group Report published in July 2025 under the Trump administration, which noted, “the prevalence of money laundering and terrorist financing via digital assets remains well below that of the same activities utilizing fiat currency, bank and traditional money services fund transfers, and other methods that do not involve digital assets.” In other words, while illicit activity does occur in the digital asset ecosystem, it represents only a small share of the financial crimes overall. The majority of such risks still remain in the traditional financial system.

Further, risks in digital assets—and the DeFi sector—are declining. This is confirmed by several industry reports, such as by Chainalysis, who concluded that crypto crime in 2024 accounted for just 0.14% of total on-chain transaction volume in its “2025 Crypto Crime Trends” report, and in the 2025 Crypto Crime Report published by TRM Labs, it noted that while crypto transaction volume grew 56% since 2023 to over USD 10.6 trillion in 2024, “illicit volume currently appears to have dropped to USD 45 billion, down 24% since 2023. This represents 0.4% of overall crypto volume—a decline from 0.9% in 2023, marking a 51% decrease year over year.” As effective tools for combating illicit finance in the DeFi sector continue to improve, the risks will continue to fall even further.

Even if we just compare DeFi and CeFi within the crypto sector, according to the latest report “Crypto Losses in Q1 2025” by Immunefi: “CeFi became the primary target of successful exploits, comprising 94% of cases, while DeFi accounts for 6% of total losses” and “DeFi losses are down 69% when compared to the previous period [at Q1 2024].” Specifically, in January 2025, “CeFi accounted for 93% of the total losses, while DeFi, which experienced 18 cases, accounted for the remaining 6.5% of the total volume of funds lost.”

In light of this, regulators should correctly recognize that most illicit finance risks remain in traditional finance and should not disproportionately focus on DeFi. While the industry is united in its desire to root out bad actors wherever they engage in criminal conduct, it is important that the United States adopt a proportionate, risk-based approach to DeFi technology that does not compromise innovation and send developers overseas. As highlighted in the study by Carpentier-Desjardins et al., “many attacks target legitimate DeFi actors who genuinely contribute to the ecosystem” and it is necessary to “[foster] collaboration between regulators and actors to establish clear guidelines for DeFi.” 

The following blog post was authored by Maeve Zou, a policy intern with the DeFi Education Fund.