
U.S. Sentences Samourai Wallet Founders for $237M Crypto Money Laundering Scheme

21 November 2025 at 02:57


The U.S. Justice Department has announced the sentencing of Samourai Wallet’s two co-founders for their role in knowingly transmitting more than $237 million in criminal proceeds through the cryptocurrency-mixing platform. Authorities say the platform’s design enabled users to mask the origin of funds tied to drug trafficking, darknet marketplaces, cyber intrusions, fraud schemes, sanctioned jurisdictions, murder-for-hire operations, and child exploitation sites. Nicolas Roos, Attorney for the United States acting under 28 U.S.C. § 515, said the outcomes “send a clear message that laundering known criminal proceeds—regardless of whether the funds are in fiat or cryptocurrency—will face serious consequences.”

Five- and Four-Year Prison Terms

U.S. District Judge Denise L. Cote sentenced CEO Keonne Rodriguez to five years in prison on August 6, 2025, and CTO William Lonergan Hill to four years on November 19, 2025. Both were convicted of participating in a conspiracy to operate an unlicensed money-transmitting business that knowingly processed criminal proceeds. In addition to prison time, each will serve three years of supervised release and pay a $250,000 fine. They have jointly forfeited more than $6.3 million, representing the fees Samourai earned through the illicit transactions.

How Samourai Wallet Enabled Large-Scale Laundering

According to court documents, Rodriguez and Hill began building Samourai Wallet in 2015 with features designed to hide transaction origins. Two core services—Whirlpool and Ricochet—played a central role:
  • Whirlpool mixed Bitcoin among batches of users, obscuring transaction histories and preventing investigators and exchanges from tracing the original source.
  • Ricochet added intentional “hops” between sending and receiving addresses, complicating blockchain analysis and further distancing funds from their origins.

Between Ricochet’s launch in 2017 and Whirlpool’s expansion in 2019, more than 80,000 Bitcoin—valued at over $2 billion at the time—moved through Samourai’s infrastructure. Prosecutors emphasized that the volume of transactions showed how deeply the platform was embedded in criminal financial flows.

Promotion to Criminal Users

Evidence presented in court showed that both co-founders actively encouraged use of Samourai Wallet on darknet forums, encrypted channels, and social media. Hill allegedly promoted Whirlpool on Dread, a marketplace forum, positioning it as a superior method to “clean dirty BTC.” Rodriguez, in a separate 2020 exchange, urged hackers involved in a major social media breach to route their stolen funds through Samourai. In private WhatsApp messages, Rodriguez reportedly described mixing as “money laundering for bitcoin.” Samourai’s own internal marketing material classified its target users as “Dark/Grey Market participants.”

Global Investigation and International Support

The investigation involved multiple international partners, including Europol, the Portuguese Judicial Police, and the Department of Justice’s Office of International Affairs. Hill was arrested in Portugal and extradited in July 2024. Rodriguez was taken into custody in the United States. The FBI, IRS-Criminal Investigation, and several European agencies contributed to evidence collection, digital forensics, and cross-border coordination.

Trump Pardons Changpeng Zhao, Founder of the Crypto Exchange Binance

Changpeng Zhao, the richest man in crypto, had admitted to money-laundering violations that allowed terrorists and other criminals to move money on Binance.


Changpeng Zhao, the co-founder and former chief executive of Binance at the Token 2049 event in Dubai in April.

U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams

29 May 2025 at 21:55


The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.

“Americans lose billions of dollars annually to these cyber scams, with revenues generated from these crimes rising to record levels in 2024,” reads a statement from the U.S. Department of the Treasury, which sanctioned Funnull and its 40-year-old Chinese administrator Liu Lizhi. “Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses.”

The Treasury Department said Funnull’s operations are linked to the majority of virtual currency investment scam websites reported to the FBI. The agency said Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses by Americans.

Pig butchering is a rampant form of fraud wherein people are lured by flirtatious strangers online into investing in fraudulent cryptocurrency trading platforms. Victims are coached to invest more and more money into what appears to be an extremely profitable trading platform, only to find their money is gone when they wish to cash out.

The scammers often insist that investors pay additional “taxes” on their crypto “earnings” before they can see their invested funds again (spoiler: they never do), and a shocking number of people have lost six figures or more through these pig butchering scams.

KrebsOnSecurity’s January story on Funnull was based on research from the security firm Silent Push, which discovered in October 2024 that a vast number of domains hosted via Funnull were promoting gambling sites that bore the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean state-sponsored hacking group Lazarus.

Silent Push found Funnull was a criminal content delivery network (CDN) that carried a great deal of traffic tied to scam websites, funneling the traffic through a dizzying chain of auto-generated domain names and U.S.-based cloud providers before redirecting to malicious or phishous websites. The FBI has released a technical writeup (PDF) of the infrastructure used to manage the malicious Funnull domains between October 2023 and April 2025.

A graphic from the FBI explaining how Funnull generated a slew of new domains on a regular basis and mapped them to Internet addresses on U.S. cloud providers.

Silent Push revisited Funnull’s infrastructure in January 2025 and found Funnull was still using many of the same Amazon and Microsoft cloud Internet addresses identified as malicious in its October report. Both Amazon and Microsoft pledged to rid their networks of Funnull’s presence following that story, but according to Silent Push’s Zach Edwards only one of those companies has followed through.

Edwards said Silent Push no longer sees Microsoft Internet addresses showing up in Funnull’s infrastructure, while Amazon continues to struggle with removing Funnull servers, including one that appears to have first materialized in 2023.

“Amazon is doing a terrible job — every day since they made those claims to you and us in our public blog they have had IPs still mapped to Funnull, including some that have stayed mapped for inexplicable periods of time,” Edwards said.

Amazon said its Amazon Web Services (AWS) hosting platform actively counters abuse attempts.

“We have stopped hundreds of attempts this year related to this group and we are looking into the information you shared earlier today,” reads a statement shared by Amazon. “If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety using the report abuse form here.”

U.S.-based cloud providers remain an attractive home base for cybercriminal organizations because many organizations will not be overly aggressive in blocking traffic from U.S.-based cloud networks, as doing so can result in blocking access to many legitimate web destinations that are also on that same shared network segment or host.

What’s more, funneling their bad traffic so that it appears to be coming out of U.S. cloud Internet providers allows cybercriminals to connect to websites from web addresses that are geographically close(r) to their targets and victims (to sidestep location-based security controls by your bank, for example).

Funnull is not the only cybercriminal infrastructure-as-a-service provider that was sanctioned this month: On May 20, 2025, the European Union imposed sanctions on Stark Industries Solutions, an ISP that materialized at the start of Russia’s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

In May 2024, KrebsOnSecurity published a deep dive on Stark Industries Solutions that found much of the malicious traffic traversing Stark’s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers. My reporting showed how deeply Stark had penetrated U.S. ISPs, and that its co-founder for many years sold “bulletproof” hosting services that told Russian cybercrime forum customers they would proudly ignore any abuse complaints or police inquiries.

The homepage of Stark Industries Solutions.

That story examined the history of Stark’s co-founders, Moldovan brothers Ivan and Yuri Neculiti, who each denied past involvement in cybercrime or any current involvement in assisting Russian disinformation efforts or cyberattacks. Nevertheless, the EU sanctioned both brothers as well.

The EU said Stark and the Neculiti brothers “enabled various Russian state-sponsored and state-affiliated actors to conduct destabilising activities including coordinated information manipulation and interference and cyber-attacks against the Union and third countries by providing services intended to hide these activities from European law enforcement and security agencies.”
