$15 Billion in Bitcoin Sanctioned: U.S. and U.K. Take Largest Action Ever Targeting Cybercriminal Networks in Southeast Asia

Oct 17, 2025

Background

On October 14, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Financial Crimes Enforcement Network (FinCEN), and the U.K. Foreign, Commonwealth & Development Office (FCDO) took the largest-ever joint sanctions action against cybercriminal networks operating in Southeast Asia. The operation sanctioned 146 individuals and entities linked to the Prince Group Transnational Criminal Organization (Prince Group TCO) and announced the seizure of 127,271 BTC — worth approximately $15 billion USD — associated with the group. At the same time, FinCEN designated Cambodia-based Huione Group as a primary money laundering concern, effectively cutting it off from the U.S. financial system.

Wire Fraud

According to the indictment unsealed by the U.S. District Court for the Eastern District of New York, the Prince Group, under the leadership of its founder and chairman Chen Zhi (also known as Vincent), has since 2015 developed into a vast network spanning over 30 countries and dozens of business entities.

On the surface, the Prince Group operates legitimate businesses in real estate, finance, and consumer services. In reality, its core profits derive from transnational telecom fraud and investment scams built on forced labor.

The group runs large-scale scam compounds in Cambodia and other countries, orchestrating fraudulent investment schemes — including “pig butchering” crypto scams — that have victimized people worldwide. The U.S. government estimates that in 2024 alone, American citizens lost at least $10 billion to scams originating from Southeast Asia.

These operations extend beyond online fraud: they are deeply intertwined with human trafficking, illegal detention, and forced labor, forming an industrialized underground economy that fuels and sustains cyber-enabled crime across the region.

Money Laundering Conspiracy

According to the indictment and FBI analysis, the Prince Group laundered vast proceeds derived from scams and illegal gambling by layering them through multiple channels, including cross-border cash conversions, shell companies, fake bank accounts, and the disguise of legitimate business operations, ultimately making the illicit funds appear as lawful income.

In the initial stage of fund conversion, the Prince Group used networks of so-called “laundering houses” or “water houses” — entities operating under the guise of “money service providers” — to receive assets from scam victims, typically in Bitcoin or stablecoins. These assets were then off-ramped into cash, which was subsequently used to purchase “clean” fiat currency and reinvested into new Bitcoin or other cryptocurrencies. For example, The Brooklyn Network, serving as the U.S.-based operational node of the Prince Group, lured victims during the scam process by having account managers present seemingly legitimate investment portfolios, encouraging victims to make continuous additional investments. In reality, these accounts were merely financial channels controlled by shell companies. The funds were subsequently funneled back to the Prince Group’s core accounts in the form of cash or cryptocurrency. Between approximately May 2021 and August 2022, The Brooklyn Network assisted the Prince Group in transferring and laundering over $18 million from more than 250 U.S. victims.

To further obscure the flow of funds, the Prince Group established numerous shell companies — such as FTI, Amber Hill, and LBG — and integrated illicit proceeds into its so-called “legitimate” business divisions. Although Cambodia officially banned online gambling in 2020, the Prince Group continued to operate across multiple countries. Internal accounting records even contained explicit notes such as: “Employee wages — Please use clean money to pay.” Another major funding source was cryptocurrency mining. Chen Zhi invested illicit profits into mining operations including Warp Data and Lubian Mining Farm. Investigations revealed that nearly 70% of the funds associated with Lubian’s mining wallets did not originate from newly mined Bitcoin, but were instead mixed with cryptocurrency from other undisclosed sources.

The Prince Group also employed a range of sophisticated on-chain money laundering techniques, notably the “spray-funnel” model, which involves repeatedly splitting large amounts of cryptocurrency into dozens of wallets and then merging them back together to disrupt blockchain tracing paths. By around 2020, Chen Zhi had accumulated approximately 127,271 Bitcoins in illicit wealth, which were distributed across 25 non-custodial wallets under his control.
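To show what the split-then-merge shape looks like to a monitoring rule, here is an added example (not code from the indictment, MistTrack, or SlowMist) that flags one spray-funnel round in an address-level transfer list. The address names, thresholds, and the simplification of Bitcoin's UTXO model to (sender, receiver, satoshis) tuples are all assumptions made for illustration.

```python
from collections import defaultdict

BTC = 100_000_000  # satoshis per bitcoin

def find_spray_funnels(transfers, min_width=3, min_recovered=0.9):
    """Find one split-then-merge round: source -> many hop wallets -> one sink.
    Returns (source, sink, hop_wallets, recovered_fraction) tuples."""
    out_edges = defaultdict(dict)  # src -> {dst: total satoshis sent}
    for src, dst, amount in transfers:
        out_edges[src][dst] = out_edges[src].get(dst, 0) + amount

    findings = []
    for source, sprayed in out_edges.items():
        if len(sprayed) < min_width:  # not a wide enough split
            continue
        by_sink = defaultdict(dict)  # sink -> {hop: satoshis forwarded}
        for hop in sprayed:
            for sink, amount in out_edges.get(hop, {}).items():
                by_sink[sink][hop] = amount
        for sink, hops in by_sink.items():
            if len(hops) < min_width:  # the hop wallets do not converge
                continue
            sent = sum(sprayed[h] for h in hops)
            # A hop cannot return more of the source's value than it was given.
            back = sum(min(amt, sprayed[h]) for h, amt in hops.items())
            if back / sent >= min_recovered:
                findings.append((source, sink, sorted(hops), back / sent))
    return findings

def _round(src, sink, width, amount, tag):
    """Constructed data: one spray/funnel round, each hop paying a small fee."""
    hops = [f"{tag}{i}" for i in range(width)]
    return ([(src, h, amount) for h in hops]
            + [(h, sink, amount - 10_000) for h in hops])

# Constructed sample: two chained rounds plus an ordinary payout fan-out.
SAMPLE = (
    _round("SRC", "MID", 5, 20 * BTC, "w")
    + _round("MID", "END", 4, 24 * BTC, "v")
    + [("EXCH", "u1", 1 * BTC), ("EXCH", "u2", 2 * BTC), ("EXCH", "u3", 3 * BTC),
       ("u1", "shopA", 1 * BTC), ("u2", "shopB", 2 * BTC)]
)

if __name__ == "__main__":
    for source, sink, hops, frac in find_spray_funnels(SAMPLE):
        print(f"{source} -> {len(hops)} wallets -> {sink} ({frac:.2%} recovered)")
```

The ordinary payout from `EXCH` fans out but never converges, so it is not flagged; chaining findings where one round's sink is the next round's source recovers the repeated pattern.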

In the indictment, the FBI divided these addresses into multiple clusters (Cluster Index 1–13). The addresses within each cluster exhibited highly consistent transaction patterns, showing clear characteristics of money laundering activities.

In this sanctions action, four Bitcoin addresses directly controlled by Chen Zhi were added to the OFAC sanctions list.

According to the on-chain anti-money laundering and tracing tool MistTrack, these four addresses have been active since March 2023, collectively receiving 15,961.15 BTC to date. Each of these addresses has transferred only 1 BTC to the next-layer addresses.

Also based in Cambodia, the Huione Group was identified in this action as a major money laundering organization. The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) finalized a rule under section 311 of the USA PATRIOT Act to sever the Huione Group from the U.S. financial system. Furthermore, the United Nations Office on Drugs and Crime (UNODC) stated in its May 2025 report that Huione Guarantee has become part of Southeast Asia’s “industrialized online fraud ecosystem,” with the platform having received over $24 billion in cryptocurrency. SlowMist’s previous analysis also showed that from January 1, 2024, to June 23, 2025, HuionePay handled more than 50 billion USDT in total deposits and withdrawals, indicating massive and continuous capital inflows and outflows over the past year and a half.

According to FinCEN, the Huione Group laundered at least $4 billion between August 2021 and January 2025, including:
- At least $37 million worth of virtual currency stemming from DPRK cyber heists;
- At least $36 million from virtual currency investment scams;
- And $300 million worth of virtual currency from other cyber scams.

Under FinCEN’s Section 311 Final Rule, all U.S.-regulated financial institutions are prohibited from opening or maintaining correspondent accounts for Huione Group, and are barred from processing any cross-border transactions on its behalf — effectively preventing the group from indirectly accessing the U.S. financial system.

Following the announcement of the sanctions, some exchanges such as OKX publicly stated that they would implement strict control measures against Huione.

(https://x.com/okxchinese/status/1978334319048327241)

Anti-Money Laundering Recommendations

In today’s regulatory landscape, on-chain money laundering, online fraud, and high-risk fund flows are no longer issues that concern only regulators or institutions — they are now directly affecting every participant in the crypto asset industry.

For practitioners, even unintentionally interacting with sanctioned addresses or funds linked to illicit activities can result in account freezes or asset seizures. Therefore, it is strongly recommended that before receiving or transferring digital assets, practitioners use blockchain tracing tools (such as MistTrack) to conduct real-time screening of counterpart addresses. This helps assess historical transaction behavior and potential risks, verify the legitimacy and clarity of fund sources, and avoid accepting assets from sanctioned wallets, known high-risk addresses, or suspicious transaction paths.

For enterprises, exchanges, service providers, and other project teams, KYC (Know Your Customer) and KYT (Know Your Transaction) are no longer optional. Engaging with high-risk entities may lead to secondary sanctions. Beyond verifying customer identities through KYC, organizations should implement on-chain transaction monitoring (KYT) to trace fund flows, identify potentially high-risk addresses, sanctioned entities, and suspicious transactions — ensuring that companies and exchanges are not inadvertently involved in illegal financial activities.
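The pre-transaction screening and KYT monitoring recommended above go beyond matching a counterparty against a list, because funds can arrive through next-layer addresses. The added example below (not MistTrack's API or SlowMist's code) walks inbound transfers backwards from a counterparty to find the shortest path from a sanctioned address; the addresses, the hop limit, and the block/review/allow policy are assumptions.

```python
from collections import deque


def sanctions_exposure(address, transfers, sanctioned, max_hops=3):
    """Shortest inbound path from a sanctioned address to `address`, else None."""
    if address in sanctioned:
        return [address]
    senders = {}  # dst -> set of addresses that paid it
    for src, dst, _amount in transfers:
        senders.setdefault(dst, set()).add(src)

    queue, seen = deque([[address]]), {address}
    while queue:
        path = queue.popleft()  # path[0] is the earliest sender found so far
        if len(path) - 1 >= max_hops:
            continue
        for src in sorted(senders.get(path[0], ())):
            if src in seen:
                continue
            if src in sanctioned:
                return [src] + path
            seen.add(src)
            queue.append([src] + path)
    return None


def screen(address, transfers, sanctioned, max_hops=3):
    """Map exposure to a decision: direct hit, indirect exposure, or none."""
    path = sanctions_exposure(address, transfers, sanctioned, max_hops)
    if path is None:
        return "allow", None
    return ("block" if len(path) == 1 else "review"), path


# Constructed sample data; every address below is a placeholder, not a real one.
SANCTIONED = {"SDN_PLACEHOLDER_1"}
TRANSFERS = [
    ("SDN_PLACEHOLDER_1", "layer1", 100_000_000),  # 1 BTC to a next-layer address
    ("layer1", "layer2", 99_990_000),
    ("layer2", "customer_a", 99_980_000),
    ("miner_pool", "customer_b", 50_000_000),
]

if __name__ == "__main__":
    for addr in ("SDN_PLACEHOLDER_1", "layer1", "customer_a", "customer_b"):
        print(addr, screen(addr, TRANSFERS, SANCTIONED))
```

With `max_hops=2` the same `customer_a` deposit passes as clean, which is why the tracing depth is a risk-policy decision rather than an implementation detail.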

Based on years of blockchain security research and risk control practice, SlowMist’s anti-money laundering tracing and analytics platform MistTrack has provided stable and reliable on-chain risk management support and robust AML compliance solutions for numerous exchanges and enterprises. It also offers individuals, corporate teams, and developers accurate data analysis, real-time risk monitoring, and comprehensive compliance support. MistTrack can analyze fund sources, detect whether assets originate from sanctioned wallets or high-risk addresses, and help users avoid receiving tainted funds. It also enables real-time risk control by pre-screening addresses before transactions, reducing the likelihood of account freezes due to interaction with sanctioned or suspicious funds.

To date, MistTrack has accumulated over 400 million Address Labels, 1,000+ Address Entities, 500,000+ Threat Intelligence Addresses, and 90 million+ Identified Risky Addresses, providing a strong foundation for digital asset security and global anti-money laundering efforts. For more information, please visit https://aml.slowmist.com.

Related Links:
https://home.treasury.gov/news/press-releases/sb0278
https://ofac.treasury.gov/recent-actions/20251014
https://www.justice.gov/usao-edny/media/1416266/dl

About SlowMist

SlowMist is a threat intelligence firm focused on blockchain security, established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
