Hackers turn to mixers and DeFi as speed of laundering stolen funds doubles

Hackers have modified their operations in 2025, laundering crypto much faster after an exploit. The recent Global Ledger report revealed the evolving techniques of hackers and the biggest threats in the crypto space. 

Hackers changed their targets and laundering techniques in 2025, as revealed by the latest Global Ledger report on exploits. The Global Ledger report is based on 255 reported incidents with a total of $4.4B in losses. 

The exact estimation of hacks is traced by different methods, as Cryptopolitan reported a lower total of $3.4B. However, a common picture has emerged, where hackers target Web3 features and discover ways to exploit the AI agent environment.

The Swiss blockchain analytics company Global Ledger examined the details of multiple hacks, discovering the speed of moving and disguising funds. 

Hackers moved funds immediately after the exploits

The fastest movement of funds took around two seconds, according to Global Ledger. Despite this, around 50% of the funds remain unspent after the hack or wait for months to be moved. 

In 42% of exploits, hackers resorted to Tornado Cash for laundering. Overall, hackers moved funds twice as fast in the second half of 2025. In 76% of cases, they succeeded in moving, splitting or partially laundering funds even before the exploit was intercepted and reported. 

The victims also began reacting faster, compressing their reaction time by more than half in H2. The new reactions on freezing funds where possible and cooperating with exchanges led to a slowdown of exploits in the second half of 2025. 

Despite the fast movement of funds, hackers still took 10.6 days on average to launder funds in H2, up from around eight days in the first half of the year. The bad actors fragmented their haul, taking it into smaller chunks through more intermediaries and over a slightly longer time span.

The laundering techniques were well-known, but hackers used them more intensively in 2025.

Which protocols were the most targeted by hackers?

The past year saw a shift from using centralized exchanges for laundering to tapping the DeFi ecosystem. Over $732M was laundered through DeFi in the second half of 2025, up from $170M in the first half of the year. The volumes rose more than 4.3 times, making DeFi the second most-used laundering route after mixers. 

This also meant DeFi protocols were under siege, as they directly connect to a powerful laundering infrastructure.

“Ethereum remains the top target for attackers, accounting for $2.44 billion in losses (~60% of the global total) in 2025. If you are building on Ethereum with high liquidity, you are the default target for hackers. The data shows that while other chains like Solana or Bitcoin are growing in incident counts, the massive financial damage is still concentrated where the most liquidity lives,” Lex Fisun, CEO and co-founder of Global Ledger, told Cryptopolitan.

To prevent some of the losses, Fisun believes manual tracking of funds is not efficient. The fix may lie in instant labeling of the source of funds and the automated tracing of transactions. 

“To close the gap between a hack and response, DeFi protocols need real-time action. Here, implementing real-time on-chain monitoring that detects anomalies the moment they happen. Without internal detection and alerting, no ecosystem response can be fast enough,” commented Fisun.

Bridges were also key infrastructure for hacks, which could be monitored.

In 2025, nearly half of stolen funds, or $2.01B was laundered or routed through bridges, over three times the amount that went through mixers.

One of the reasons was to move funds to the Ethereum L1 chain, which is more liquid and accessible. Bridges still attract hackers for their liquidity, as well as for chain-hopping and disguising origins, added Fisun.

If you're reading this, you’re already ahead. Stay there with our newsletter.