Crypto hackers are now moving stolen funds in as little as two seconds after an attack begins, with most assets being moved before victims even report the breach.
This is the clearest conclusion from Global Ledger's 2025 analysis of 255 crypto attacks worth $4.04 billion.
Blink and it's gone: Crypto laundering now starts before disclosure
The pace is striking. According to Global Ledger, funds were moved in 76% of attacks before disclosure, and this percentage rose to 84.6% in the second half of the year.
This means that attackers often act before exchanges, research firms, or the police have time to take action.
Speed, however, only tells part of the story.
While the first transfers now happen almost immediately, full laundering takes longer.
On average, hackers took about 10.6 days in the second half of 2025 to reach final deposit locations such as exchanges or mixers, up from around eight days earlier in the year.
In short: The sprint is faster, but the marathon is slower.
This change reflects improved post-disclosure monitoring. As incidents become known, exchanges and blockchain analytics firms flag addresses and increase monitoring.
As a result, attackers split the funds into smaller parts and send them through multiple layers before attempting to withdraw the money.
The speed of hacking has increased, but the pace of crypto money laundering has slowed. Source: Global Ledger
Bridges, mixers and the long road to outlets
Bridges have become the main artery in the process. Almost half of all stolen funds, approximately $2.01 billion, were moved through cross-chain bridges.
This is over three times more than the share sent via mixers or privacy protocols. In the Bybit case alone, 94.91% of the stolen funds went through bridges.
At the same time, Tornado Cash gained importance. The protocol was used in 41.57% of attacks in 2025. Its use increased sharply in the second half of the year, following the sanctions changes discussed in the report.
Meanwhile, direct withdrawals to centralized exchanges fell sharply in the second half of the year. DeFi platforms received an increasing share of stolen funds. Attackers appear to be avoiding obvious “off-ramps” until attention subsides.
Notably, almost half of all stolen funds remained unused at the time of analysis, meaning billions are still sitting in wallets, awaiting future laundering attempts.
The scale of the problem remains serious. Ethereum accounted for $2.44 billion in losses, or 60.64% of the total.
A total of $4.04 billion was stolen across 255 incidents.
Recovery is limited, however. Only around 9.52% of the funds were frozen, and 6.52% were returned.
In summary, the findings show a clear pattern. Attackers are now operating at machine speed in the first seconds after a break-in.
Defenders respond later, forcing criminals to adopt slower, incremental money laundering strategies. The race is not over. It has simply entered a new phase, measured in seconds at the start and in days at the end.

