Cryptocurrency hackers now move stolen funds in just 2 seconds after an attack begins. In most cases, assets are transferred before victims even disclose the breach.
This is most clearly revealed in the 2025 analysis published by the Global Ledger. The analysis covers a total of 255 cryptocurrency hacks, with damages amounting to $4.04 billion.
In the blink of an eye, cryptocurrency laundering starts before it is publicly revealed.
The speed is very fast. According to Global Ledger, funds were moved before the public announcement in 76% of all hacking incidents, and by the end of the year, this rate increased to 84.6%.
As a result, attackers can act before exchanges, analytics firms, or law enforcement respond.
However, speed is not everything.
The first transfer occurs almost immediately, but the complete laundering process takes more time.
As of the second half of 2025, hackers took an average of 10.6 days to reach the final deposit point (such as exchanges or mixers), an increase from about 8 days in the first half.
That is, the initial movement has become faster, but the overall process has slowed down.
This change shows that surveillance is intensified after information disclosure. Once an incident is made public, exchanges and blockchain analysis firms designate addresses and strengthen monitoring.
Accordingly, attackers split funds into smaller amounts and transfer them across various layers before attempting final cash-out.
The speed of hacking has increased, but the speed of cryptocurrency laundering has slowed down. Source: Global Ledger
Bridge, mixer… a long way to cash-out
Bridges have become a major conduit in this process. About half of the total stolen funds, $2.01 billion, were moved through cross-chain bridges.
This is more than three times the amount moved through mixers or privacy protocols. Just looking at the Bybit incident, 94.91% of the stolen funds passed through bridges.
At the same time, Tornado Cash has begun to be used significantly again. This protocol was used in 41.57% of all hacks in 2025, and its usage increased significantly in the second half after the sanctions were changed.
Meanwhile, the direct cash-out rate to centralized exchanges sharply decreased in the second half. The proportion of stolen funds shifted to DeFi platforms, and attackers seem to avoid clear cash-out channels until visibility decreases.
Additionally, nearly half of the total stolen funds remained unspent by the time of analysis. This means that billions of dollars are held in wallets, waiting for future laundering attempts.
The scale of the problem remains serious. The damage caused by Ethereum has reached $2.44 billion, accounting for 60.64% of the total.
Overall, $4.04 billion was stolen in 255 incidents.
The amount recovered so far is limited. About 9.52% of the funds have been frozen, and only 6.52% have been returned.
In summary, a clear pattern emerges. Attackers move at machine-like speed within seconds of a breach.
Defenders then respond and push criminals into slower, step-by-step laundering strategies. This competition is not over; the beginning happens in seconds, and the conclusion enters a new phase over days.
