Crypto hackers now move stolen funds in as little as two seconds after an attack has started. In most cases, they move assets before the victims even disclose the incident.
This is the clearest conclusion from the Global Ledger report 2025 on 255 cryptocurrency breaches worth $4.04 billion.
Blink and it's gone: Crypto laundering begins now before disclosure.
The speed stands out. According to Global Ledger, funds were moved in 76% of hacks before the disclosure. During the second half of the year, the figure rose to 84.6%.
This means that attackers often act before exchanges, analytics services, or the police can coordinate a response.
But the speed only describes part of the situation.
The first transfer now occurs almost instantly, but the entire laundering process takes longer.
On average, hackers needed about 10.6 days during the second half of 2025 to reach final deposit destinations such as exchanges or mixers, up from around eight days earlier in the year.
In summary, the start is faster, but the marathon is slower.
This change reflects better oversight after disclosure. When the incident becomes public, exchanges and blockchain analysts mark addresses and tighten controls.
Therefore, attackers divide the funds into smaller parts and send them through multiple layers before attempting to withdraw the money.
The speed of hacking increased, but the crypto laundering process became slower. Source: Global Ledger
Bridges, mixer services, and the long road to withdrawing money
Bridges have become the most important route for this process. Almost half of all stolen funds, around 2.01 billion USD, were moved via cross-chain bridges.
This is more than three times as much as through mixers or privacy protocols. In the Bybit case, 94.91% of the stolen funds went through bridges.
At the same time, Tornado Cash regained significant importance. The protocol was used in 41.57% of the hacks during 2025. Its share increased significantly in the second half after changes in sanctions, according to the report.
At the same time, direct withdrawals to centralized exchanges decreased significantly in the second half of the year. DeFi platforms received an increasingly larger share of stolen assets. Attackers seem to avoid clear withdrawal paths until attention has diminished.
Notably, nearly half of the stolen funds remained in wallets at the time of analysis. Therefore, billions remain, probably for future laundering attempts.
The extent of the problem is still serious. Ethereum accounted for 2.44 billion USD in losses, or 60.64% of the total.
A total of 4.04 billion USD was stolen in 255 incidents.
But recovery is limited. Only about 9.52% of the funds were frozen, and 6.52% were returned.
Together, the results show a clear pattern. Attackers now act machine-fast in the first seconds after a breach.
Defenders react later. This forces criminals into slower and incremental laundering strategies. The competition is not over. It has just entered a new phase—seconds in the start, and days at the end.
