Cryptocurrency hackers are now transferring stolen assets in as little as two seconds after the attack begins. Most often, they move assets before victims even reveal the data breach.
This is clearly evident from Global Ledger's 2025 analysis, which examined 255 cryptocurrency hacks with a total value of $4.04 billion.
Take a glance and it's gone: cryptocurrency laundering is now starting before the reveal
The speed is striking. According to Global Ledger, in 76% of attacks, assets were taken before they were publicly reported, and in the latter half of the year, the percentage rose to 84.6%.
This means that attackers often manage to act before exchanges, analytics companies, or authorities can coordinate countermeasures.
However, speed is only part of the overall picture.
Although the first transfers happen almost immediately, full money laundering takes more time.
On average, hackers needed about 10.6 days in the second half of 2025 to reach final deposit points, such as exchanges or mixers. In the early part of the year, the corresponding time was about eight days.
In other words, in the early stages, the actions are rapid, but money laundering progresses more slowly.
This change indicates that monitoring has improved after notifications. As cases become public, exchanges and blockchain analytics companies mark addresses and increase scrutiny.
As a result, attackers break the assets into smaller pieces and recycle them through many layers before converting to cash.
The speed of hacks increased, but cryptocurrency money laundering slowed down. Source: Global Ledger
Bridget, mixers, and a long road to cashing out
The importance of bridges has grown significantly in this process. Nearly half of all stolen assets, about $2.01 billion, were transferred through cross-chain bridges.
This is more than three times the amount that passed through mixers or privacy protocols. In the Bybit case alone, 94.91% of the stolen assets moved through bridges.
At the same time, Tornado Cash became significant again. The protocol appeared in 41.57% of the hacks in 2025. The usage share increased significantly in the latter half of the year, following the enforced changes mentioned in the report.
At the same time, direct transfers to centralized exchanges decreased significantly in the second half of the year. DeFi platforms received an increasing share of the stolen assets. Attackers seem to avoid obvious exits as long as monitoring is strict.
In particular, nearly half of the stolen assets were unused at the time of analysis. This means that billions are lying in wallets, possibly waiting for future money laundering attempts.
The scale of the problem remains serious. Ethereum accounted for $2.44 billion in losses, which was 60.64% of the total.
A total of $4.04 billion was stolen in 255 cases.
However, recoveries remain minimal. Only about 9.52% of the assets were frozen, and 6.52% were returned.
These observations show a clear pattern. Attackers now operate at machine speed in the first seconds after the data breach.
Defenders reacted more slowly, forcing criminals to use slower and more gradual money laundering strategies. The competition has not ended but has shifted to a new phase—at the beginning, it is about seconds, and at the end, it is about days.
