The speed at which hackers launder stolen cryptocurrency doubled in the second half of 2025, according to a comprehensive report from Swiss blockchain analytics firm Global Ledger. The study, based on 255 reported incidents totaling $4.4 billion in losses, reveals a significant evolution in attacker tactics, with a pronounced shift away from centralized exchanges toward decentralized finance (DeFi) protocols and cross-chain bridges for laundering.
One of the most alarming findings is the immediate reaction speed of attackers. In some cases, the first movement of stolen funds occurred in as little as two seconds after an exploit. Overall, in 76% of cases, hackers successfully moved, split, or partially laundered funds before the attack was even detected and publicly reported. Despite this initial speed, the average time to complete the full laundering cycle increased slightly to 10.6 days in H2 2025, up from around eight days in the first half, as hackers employed more complex methods involving multiple intermediaries.
The report highlights a major shift in laundering infrastructure. While mixers like Tornado Cash were used in 42% of exploits, DeFi protocols saw explosive growth as a laundering route. More than $732 million was laundered through DeFi in H2 2025, a more than 4.3-fold increase from the $170 million in H1. This makes DeFi the second most-used laundering channel after mixers.
Cross-chain bridges played an even larger role, serving as a conduit for nearly half of all stolen funds. Approximately $2.01 billion was routed through bridges in 2025—more than triple the amount that passed through mixers. Bridges were primarily used for "chain-hopping" to obscure the origin of funds and to access the deep liquidity of the Ethereum network.
Ethereum remained the primary target for attackers, accounting for $2.44 billion in losses, or roughly 60% of the global total. Lex Fisun, CEO and co-founder of Global Ledger, attributed this not to specific technical flaws but to the chain's unmatched liquidity. "If you are building on Ethereum with high liquidity, you are the default target for hackers," Fisun stated.
In response, victims and exchanges have improved their reaction times, compressing them by more than half in H2 2025 through faster fund-freezing and cooperation. However, Fisun argues that manual tracking is no longer sufficient. The solution, he says, lies in real-time on-chain monitoring and automated transaction tracing to detect anomalies the moment they occur and close the gap between hack and response.
