Most ransomware payments still settle in Bitcoin due to liquidity and accessibility advantages.
TRM Labs reported that Monero’s on-chain activity stayed stable in 2024 and 2025, even after major exchanges removed support. Transaction levels remained above pre-2022 averages despite delistings from Binance and Coinbase. The data shows that Monero continues to record steady use during a period of tighter oversight across the crypto sector.
TRM Labs stated that “XMR activity on Monero remains above pre-2022 levels” despite enforcement pressure. Monthly volumes moved up and down, but overall usage held firm. Activity since 2020 shows a clear shift to a higher base level.
Several centralized exchanges have delisted Monero in recent years. Reports indicate that more than 70 platforms removed support in 2025 alone. Even with fewer trading venues, on-chain transfers did not record a lasting decline.
Binance and Coinbase cited compliance and monitoring concerns when they restricted Monero trading. Liquidity moved to smaller or offshore exchanges. As a result, trading conditions became tighter compared to Bitcoin and Ethereum.
Still, usage continued among those seeking privacy features. TRM Labs reported that 48% of new darknet markets launched in 2025 support only XMR. This share marks an increase from earlier years and reflects changing preferences in certain online markets.
The report said ransomware groups often request Monero and may offer discounts for XMR payments. However, most completed ransom payments still occur in Bitcoin.
TRM Labs wrote that “most ransomware payments still occur in BTC — liquidity matters.” Bitcoin remains easier to buy, transfer, and convert in large amounts. Broader exchange access continues to shape settlement choices.
TRM Labs also reviewed Monero’s peer-to-peer network structure. Researchers found that 14-15% of reachable peers showed non-standard behavior. These patterns involved relay timing, handshake activity, and network distribution.
The firm stated that “Monero’s cryptography remains strong.” It noted that network behavior can influence real-world privacy assumptions. The study described observable patterns and did not assign intent to specific actors.
