Cybercriminals accelerate laundering of cryptoassets

The speed with which criminals move funds after breaches has become the crypto industry’s chief headache, according to a new Global Ledger report shared with ForkLog.

Analysts say that in the first half of the year, hackers stole more than $3.01bn across 119 incidents—one and a half times the industry’s total losses for all of last year.

Hackers’ new weapon

In 84% of cases, security systems recorded incidents on the day they occurred, Global Ledger found. That proved insufficient: in 68.1% of attacks, stolen funds were moved before companies detected the breach.

In 10.1% of cases, funds were moved instantly; in 64.7%, within the first 24 hours.

Source: Global Ledger.

The record transfer speed was four seconds. On average, 15 hours elapsed between an attack and the first movement of funds. Public disclosure typically took 37 hours, leaving cybercriminals more than 20 hours to cover their tracks.

“Even where there are technical means to track and freeze digital assets, legal systems are failing to adapt to the speed of illicit operations,” said Recoveris CEO Marcin Zarakowski.

In 22.7% of cases (over $34m), laundering was completed before the incident was disclosed; in 31.1%, within 24 hours of the first movement. The fastest end-to-end laundering—from incident to final deposit—took two minutes 57 seconds, which outpaced the fastest response time (five minutes one second) by 70%.

Because of AML delays, the fastest hackers enjoy a 75-fold advantage. Source: Global Ledger.

Only 4.2% of stolen funds were recovered, despite the ability to track addresses, the researchers noted. They blamed sluggish legal mechanisms and shortcomings in international co-operation.

“While the fastest movements can be detected, the slowest laundering cases have yet to be identified—including those related to the Bybit incident, as the funds are still in motion,” the report said.

After major breaches, hackers move funds more slowly as they split transfers to mask flows, the experts said. Averages, therefore, “can create a false sense that compliance teams and investigators have more time than they actually do”.

Prime targets and attack methods

Centralised exchanges (CEXs) are the main targets. In the first half, they accounted for 54.26% of losses—$1.63bn.

Source: Global Ledger.

“CEX remain the primary channel for cashing out stolen funds. Credit where it is due: many platforms already block high-risk deposits that exceed internal risk thresholds, routing them to manual review. But this works only with constant monitoring. Even a brief delay—just a few minutes—gives attackers a critical edge,” the analysts said.

Exploiting smart-contract vulnerabilities was the most common attack type, at 69.75%. Yet it led to “relatively moderate” losses of $365.5m, or 12.15% of the total stolen.

Malicious transaction signatures were rarer—6.72%—but caused the biggest financial damage: $1.46bn (48.51%).

Compromised private keys ranked second by incident count, costing the industry $650.05m (21.61%). They were followed by rug pulls, which accounted for $514.07m (17.08%).

All figures, however, are skewed by the Bybit incident, which greatly increased the weight of the malicious-signatures category. Excluding that case:

“The data reveal a clear trend: attackers are shifting from exploiting technical bugs to systemic weaknesses in key management, the behaviour of transaction signers and user interfaces,” Global Ledger noted.

Bridges as a laundering tool

The researchers also found that cross-chain bridges are hackers’ primary laundering tool. Some $1.5bn (50.1% of stolen funds) flowed through them—4.4 times more than through mixers ($339m).

“Bridges are displacing mixers as the preferred tool for large-scale laundering—likely due to their speed, liquidity and lower regulatory attention,” the Global Ledger specialists concluded.

Around 15% ($453m) reached CEXs and 5.6% ($170m) went into DeFi. Meanwhile, 53.6% of stolen assets ($1.6bn) remain idle—perhaps waiting for the heat to die down before further laundering.

Some inter-chain bridges have begun fighting abuse, for instance by blocking suspect wallets. They face a dilemma, the report said: they wish to remain open and decentralised, yet must also accommodate regulatory demands.

In August, researchers discovered an undisclosed hack of the LuBian mining pool involving 127,426 BTC.
