Hong Kong Licensed Stablecoins, and the Criminal Money Using the Same Rails

One Settlement System, Two Very Different Users

A stablecoin is a digital token pegged to a real currency, usually the US dollar, that moves between wallets in minutes rather than days. The Hong Kong Monetary Authority, the city's central bank and financial regulator, spent late 2025 consulting on a licensing regime for the companies that issue these tokens. That regime came into operation through early 2026. For a compliance officer at a licensed issuer, the obligations are clear enough: hold real reserves against every token issued, let customers redeem on demand, screen customers under the Travel Rule, the international standard that requires identifying both sender and receiver above a certain threshold. These are rules built for a payment product used by ordinary people and businesses.

The complication is that the same settlement system, the same chains and the same wallets, is now also the preferred plumbing for a different economy. Organized criminal networks moved onto stablecoin rails over the past eighteen months, for the same reasons legitimate users did: it is fast, it is global, and it does not need a bank to clear. The licensing regime that began operation this quarter was designed for the first economy. It was not designed for the collision with the second.

The Vantage Exploit: Forty-Seven Million Dollars, Twenty-Two Minutes

On a Tuesday morning in March, a cross-chain bridge called Vantage was exploited. A cross-chain bridge is a piece of software that moves value between different blockchains, the way a currency exchange moves money between countries. Roughly forty-seven million dollars in mixed assets was drained through a vulnerability in that software. Within twenty-two minutes, the proceeds had been converted into USDT, the largest dollar-pegged stablecoin.

For the on-chain investigator tracing it, the laundering pattern was familiar. The stolen funds were broken across more than forty wallets in the first move. Over the next seventy-two hours they were reassembled across three different chains, then handed off through unlicensed peer-to-peer trading desks in jurisdictions that do not enforce the Travel Rule. By the time the funds left the blockchain into local currency, they had passed through stablecoin pools that no licensed Hong Kong issuer had any visibility into, because those pools sit outside the licensing perimeter entirely.

The VPN Takedown: Servers Seized, Payments Untouched

In April, a Europol-coordinated operation took down a criminal communications network called Nexus, used by ransomware affiliates across seventeen identified groups. Ransomware is the business of locking a victim's data and demanding payment to unlock it. The takedown was a real win on the communications side. It was also a lesson in what it did not touch.

The European investigator running the case found that Nexus operators had built their entire payment side on stablecoin transfers, settled through unlicensed exchanges in jurisdictions outside the operation's legal reach. The servers came down. The money kept moving. Ransomware payment flow had migrated to stablecoin rails eighteen months before anyone seized a Nexus machine, which is the part of the story most worth carrying forward.

What the License Catches, and What It Does Not

Under the HKMA regime, a licensed issuer in Hong Kong must do specific things and do them well. It must screen its own customers, identify counterparties above the Travel Rule threshold, and watch transactions for the patterns regulators have already named as suspicious. A compliance officer can build a program around that.

What the regime does not require, because the rules do not reach that far, is for the licensed issuer to catch freshly laundered money re-entering the system from an unlicensed pool offshore. It does not require the issuer to recognise the cross-chain consolidation patterns that come before re-entry. It does not require the issuer to flag wallets whose history was poisoned by an exploit that chain analytics firms have not yet catalogued. None of that is the issuer's job under the current text.

That is the regulator gap. The licensed front door is well-built. The traffic moving in through the back is the part nobody in the Hong Kong perimeter has been told to watch, and for now, nobody has.