
Crypto laundering pipelines after the 2025 mixer takedowns

By Ransomnews Research Team, May 2, 2026

The Tornado Cash sanctions, the Sinbad takedown, and the gradual deplatforming of Bitcoin mixers across 2023-2025 reshaped how criminal proceeds move on-chain. The pipeline didn’t disappear (money still has to be laundered), but the route looks meaningfully different in 2026 than it did three years ago. Here’s the current map.

Where the funds flow now

Three layers, increasingly used in combination:

  • DEX swaps: moving from BTC/ETH into something less surveilled (Monero, sometimes USDT on Tron) via a decentralised exchange that doesn’t require KYC.
  • Cross-chain bridges: fragmenting traceability by hopping between blockchains with different surveillance maturity.
  • Privacy coins: primarily Monero, occasionally Zcash shielded transactions, as the laundering layer of choice when the operator can convince counterparties to accept it.

The combined effect is that the easy “follow the money on a Chainalysis chart” investigations of 2020-2022 are harder in 2026. Not impossible (most operators slip up somewhere), but the analyst’s day is longer.

Mixers that survived the crackdown

A few mixers still operate. The successors and clones of the takedown victims (multiple Tornado Cash forks, Sinbad-style services on alternative branding) have learned to be smaller and quieter. Volume per mixer is down; the number of mixers is up. Operators rotate between them faster.

The risk to operators using these mixers has gone up: any mixer with meaningful volume attracts active monitoring by chain-analytics firms, and the OFAC framework now lists not just specific services but specific deposit addresses, which makes downstream off-ramps harder.

The DEX and cross-chain layer

This is the volume layer in 2026. THORChain, ChangeNOW (operating in jurisdictions where it remains legal), the various non-KYC swap services, and a long tail of cross-chain bridges all see meaningful illicit volume. Most are not malicious by design; they’re general-purpose trading infrastructure that handles both legal and illegal flow.

The cross-chain hop is the trick. BTC → Wrapped BTC on Ethereum → swap to Monero on a DEX → withdraw → swap back. Each step adds friction and breaks the simple trace; each step also costs fees. Operators absorb the cost as a tax on the bigger ransoms.

The off-ramp problem

The hard step is still cashing out. Centralised exchanges with proper KYC have gotten genuinely good at flagging wallets associated with ransomware activity, even after laundering. The off-ramps that operators use in 2026 are: small regional exchanges in less-regulated jurisdictions, peer-to-peer trades on platforms like LocalCoinSwap or LocalMonero, OTC desks that quietly accept the volume for a steep premium, and increasingly NFT and DeFi staking products as a holding pattern.

The premium operators pay for off-ramping in 2026 is significantly higher than in 2022. Estimates range from 10-30% of the laundered amount, eaten in fees and slippage. That cost shapes the rest of the economy.

What this means for tracking

Chain analysis is still effective at the BTC layer. The pivot point is when funds enter a DEX or bridge: the trace doesn’t end, but it gets noisier. The analytics firms have caught up at the DEX layer for the major ones; the long tail of smaller services is the gap.

For ransomware-tracker work, the practical update is that the wallet attribution is most defensible immediately after payment, before the funds move through laundering. Wallet-graph evidence at that early moment is high-confidence; the same evidence three hops later is much weaker. The window for clean attribution has gotten narrower.
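
An added illustration of the narrowing attribution window, not code from Ransomnews or any analytics vendor: it walks a constructed transfer graph outward from a payment address and discounts confidence at every hop, more steeply once funds pass through a labelled DEX or bridge. The addresses, service labels, decay factors and the 0.6 threshold are assumptions chosen for illustration, not measured values.

```python
from collections import deque

# Constructed sample transfers (src, dst); every address name is made up.
TRANSFERS = [
    ("pay_addr", "hop1"),
    ("hop1", "hop2"),
    ("hop1", "dex_router"),
    ("hop2", "bridge_in"),
    ("dex_router", "out_a"),
    ("bridge_in", "out_b"),
]
# Constructed labels for addresses known to belong to a service.
SERVICES = {"dex_router": "dex", "bridge_in": "bridge"}
# Assumed confidence multiplier applied when funds leave an address of each
# kind. Illustrative numbers only.
DECAY = {"wallet": 0.8, "dex": 0.3, "bridge": 0.4}


def trace(start, transfers=TRANSFERS, max_hops=4):
    """Return {address: (hops, confidence)} for funds leaving `start`."""
    out = {}
    for src, dst in transfers:
        out.setdefault(src, []).append(dst)
    best = {start: (0, 1.0)}  # the payment address itself is the anchor
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops, conf = best[addr]
        if hops == max_hops:
            continue
        # Outputs of a service are pooled with other users' funds, so the
        # link from input to output is weaker than a wallet-to-wallet hop.
        factor = DECAY[SERVICES.get(addr, "wallet")]
        for dst in out.get(addr, []):
            cand = (hops + 1, round(conf * factor, 4))
            # Keep the strongest path when an address is reachable twice.
            if dst not in best or cand[1] > best[dst][1]:
                best[dst] = cand
                queue.append(dst)
    return best


def defensible(result, threshold=0.6):
    """Addresses whose link to the payment still clears the threshold."""
    return sorted(a for a, (_, c) in result.items() if c >= threshold)


if __name__ == "__main__":
    for addr, (hops, conf) in trace("pay_addr").items():
        print(f"{addr:12} hops={hops} confidence={conf}")
```
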

Bottom line

Mixer takedowns worked: they raised the cost of laundering and forced operators into noisier patterns. Those patterns are visible. The investigators have to work harder, and they get fewer slam-dunk attributions, but the financial layer remains the most reliable place to ground operator-level attribution.
