Crypto-hackers now move stolen money sometimes within two seconds after an attack begins. In most cases, they move assets before victims disclose the breach.
That is the clearest result from the analysis by Global Ledger in 2025, in which 255 crypto-hacks with a total value of $4.04 billion were investigated.
Blink and it's gone: crypto-money laundering now starts before disclosure
The speed is remarkable. According to Global Ledger, in 76% of hacks, the money was moved before it became public. In the second half of the year, this even rose to 84.6%.
This means that attackers often strike before exchanges, analysis companies, or law enforcement can respond.
Yet, speed tells only part of the story.
Although the first transfers now occur almost instantly, complete money laundering usually takes longer.
On average, hackers needed about 10.6 days in the second half of 2025 to get the money to exchanges or mixers. Earlier in the year, it was about eight days.
In short: the sprint is faster, but the marathon proceeds more slowly.
This change shows that oversight improves after disclosure. Once an incident is known, exchanges and blockchain analysis companies label addresses and perform additional checks.
As a result, attackers split the money into smaller parts and send it through multiple layers before attempting to cash out.
Hacks are faster, but money laundering in crypto is slower. Source: Global Ledger
Bridges, mixers, and the long road to cash-out
Bridges have become the main route for these transactions. Nearly half of all stolen money, about $2.01 billion, was moved through cross-chain bridges.
That is more than three times what has gone through mixers or privacy protocols. In the Bybit incident, even 94.91% of the stolen money flowed through bridges.
At the same time, Tornado Cash came back into the spotlight. In 2025, the protocol was involved in 41.57% of the hacks. Usage surged in the second half of the year, partly due to adjusted sanctions.
Meanwhile, direct payouts to centralized exchanges decreased significantly in the second half of 2025. More and more stolen money went to DeFi platforms. Attackers seem to avoid clear cash-out opportunities as long as there is attention.
Notably, nearly half of the stolen money had not yet been spent at the time of analysis. This means that billions are still sitting in wallets, possibly awaiting future attempts at money laundering.
The problem remains significant. Ethereum accounted for $2.44 billion in losses, or 60.64% of the total.
In total, $4.04 billion was stolen in 255 incidents.
Recovery remains limited. Only 9.52% of the money was frozen, and 6.52% was returned.
All in all, the results show a clear pattern. Attackers now act at machine speed in the first seconds after a hack.
Defenders react later, causing criminals to spread their laundering practices over more steps and time. The fight has not stopped, but has now entered a new phase: seconds at the beginning and days at the end.
