Key Takeaways:
A new report by Global Ledger shows that $3 billion in crypto was stolen in H1 2025, with one in four hacks having funds fully laundered before any public statement was issued. The fastest fund movement following an attack occurred in just four seconds. One hack saw the entire laundering process, from the moment of hack to final deposit, completed in 2 minutes 57 seconds. The report reveals that only 4.2% of stolen funds were recovered.Hackers stole $3 billion worth of crypto in 119 separate incidents during the first half of 2025, one and a half times more than all of 2024, according to a new report by blockchain analytics firm Global Ledger.
However, it’s not just the scale of losses that’s worrying. It’s the speed with which attackers move and launder stolen funds, often before the breach is even detected or reported publicly, the report says.
Global Ledger claims that its report, titled ‘H1 2025 Crypto Hacks Report,’ is the first to analyze the exact timing of the movement of funds after an exploit, from the moment of breach to full laundering completion.
The fastest fund movement following an attack occurred in just four seconds, more than 75 times faster than the average exchange or DeFi alert response system.
“[That’s] about as fast as you blink,” the report said. “Speed has become the new dangerous weapon.”
Hackers Move Faster Than Exchanges Can Respond
Lex Fisun, CEO and co-founder of Global Ledger, noted that in over 68% of cases, hackers moved funds before the attack was publicly known.
Crucially, one in four hacks had funds fully laundered before any public statement or alert was issued. By the time an alert is issued, the chance of tracing the stolen assets has already closed.
“There are two critical sides to any crypto hack response,” Fisun told Cryptonews. “One is the hacked party: how fast they react, involve investigators, and notify the industry that these funds are tainted.”
“The other is the blockchain analytics tools they rely on and how fast these solutions can flag illicit funds,” he added.
On average, it takes 37 hours from the first fund movement for incidents to be detected and publicly reported. It’s a delay that could prove costly in an industry where the money disappears within minutes, Fisun says.
“Even the most extensive database becomes ineffective if the system can’t notify of a hack that happened 10 minutes ago. The faster both parties act, the higher the chances are of recovering the stolen assets.”
The laundering itself is just as swift. According to the report, one hack saw the entire laundering process, from the moment of hack to final deposit, completed in 2 minutes 57 seconds – faster than a typical laptop’s screen timeout.
With such a narrow response window, the report reveals that only 4.2%, or $126 million, of stolen funds were recovered during the first six months of 2025. Marcin Zarakowski, CEO of blockchain security firm Recoveris, is quoted in the report as saying:
“Even with existing technical capabilities to trace and freeze digital assets, legal frameworks haven’t evolved quickly enough to match the speed of illicit digital asset activities. Many public sector actors globally still struggle with how to properly classify and seize digital assets, making international cooperation slow and challenging.”
Tactical Exploits and Weak Spots
For its report, Global Ledger analyzed over 92,000 wallet addresses linked to various crypto entities, Fisun said. After collecting the data, it applied analytics, heuristics, and investigative logic to “turn it into actionable insights.”
The firm also used “the maximum number of sources to strengthen results,” he stated, including both on-chain data and off-chain sources, such as social media platforms and public reports.
Slava Demchuk, CEO of analytics firm AMLBot, said access-control flaws and smart contract vulnerabilities, especially in bridges, continue to be dominant attack methods.
Outdated permissions as well as phishing and malware attacks on individual wallets are also rampant, he noted.
Demchuk added that hackers are exploiting the interconnected and composable nature of decentralized finance (DeFi) protocols to amplify the impact, telling Cryptonews:
“It’s crucial to conduct proactive security audits, smart-contract real-time monitoring, and enhance internal policies for rapid incident handling.”
Cyber criminals are also getting smarter about when they strike. Global Ledger data shows that sophisticated actors, like North Korea’s Lazarus group, plan movements to coincide with normal transaction activity.
The Lazarus group is suspected of being involved in Bybit’s $1.5 billion hack and many others.
The attacks are “planned down to every single swap and transfer,” Fisun said, noting that the median time of the initial movement of funds was almost noon, at 11:51:32 AM.
“This aligns with periods of consistent system activity and may be used to mask their [hackers’] actions among legitimate transactions, sort of a blend with ‘normal’ traffic,” Fisun told Cryptonews, adding:
“It can also suggest timing when organizations are likely to experience staff shift changes (noontime), personnel have lunch breaks, and handovers, potentially resulting in lower vigilance or temporary monitoring gaps.”
The Crypto Laundering Highway
The report traced how hackers launder funds and found that online thieves use layered chains of swaps, DEXs, bridges, and high-liquidity tokens to quickly exit positions and disappear.
According to Fisun, native assets like Ether (ETH) are particularly vulnerable due to deep liquidity pools, allowing hackers to make instant swaps and “quickly cash out before anyone raises an alarm.”
In contrast, hackers often sit on low-volume tokens because there’s little demand or no pool to drain.
“In 31.1% of cases, hackers laundered the funds within 24 hours of the first move,” the report says, meaning that by the time an alert goes out, it may already be too late to recover the stolen money.
Meanwhile, centralized exchanges (CEXs) are the most attractive as high-value, single-point-of-failure targets for attackers, contributing to more than 54% of total losses during the first half of 2025.
Token contracts came in second, with $517.8 million, or 17.2%, of all losses, followed by personal wallets at 11.7%. Other losses are shared among DeFi platforms, DEXs, bridges, and gaming/metaverse.
What Can Be Done?
The researchers behind the report say exchanges and other virtual asset service providers need to move from a reactive to an anticipatory posture by automating or integrating active monitoring.
Virtual asset service providers typically have a 10-15 minute window to act once funds from a hacker-controlled address reach their platforms.
But without active monitoring, stolen funds will likely be moved again into a mixer, another exchange, or off-ramped entirely, at which point recovery becomes “nearly impossible,” the report says.
Demchuk, the AMLBot CEO, believes services must invest in real-time wallet risk scoring, dynamic blocklists, and cross-platform intelligence sharing to catch laundering attempts as early as possible.
If laundering starts four seconds after a breach, he says, defense must happen instantly. “Exchanges should also join cross-platform alert networks for rapid hack notifications,” Demchuk tells Cryptonews, adding:
“The community should build legal-ready escalation protocols to enable temporary holds without waiting for formal requests. Speed, automation, and intelligence-sharing are the only viable defense at this scale.”
Oleksandr Plakhotnyuk, a division chief in Ukraine Police’s cybersecurity department, agrees, noting that incident reporting times must collapse, and blockchain analytics tools must become faster and smarter.
“During critical incidents, most time is lost when verifying the request, confirming authority, and assessing if urgent action is needed,” said Plakhotnyu, as quoted in the Global Ledger report.
“To speed up information flow between law enforcement and affected platforms, we need to create fast-track channels for verified cases,” Plakhotnyu detailed.
He added that “[we need to] standardize request templates (e.g., case ID, wallet/TxID, AML flags), establish direct contact points within law enforcement, and pre-establish memoranda of cooperation defining emergency data exchange protocols.”
The post Crypto Hackers Are Laundering Stolen Funds in Under 3 Minutes appeared first on Cryptonews.
