Approximately 46% of hacked funds are sitting idle on-chain, suggesting opportunities for recovery after an incident, according to an analyst at Global Ledger.
Hackers are quick, but the system that chases them is still catching up. A new report from blockchain intelligence firm Global Ledger, based on hundreds of on-chain incidents, finds that in many cases stolen funds land at laundering destinations before the hacks are made public.
On average, it takes 43.83 hours from the initial on-chain breach to the reporting of an incident by either the victim project or a third-party investigator, according to a report shared with Crypto.news. Meanwhile, hackers tend to move stolen funds to the first identified entities, such as exchanges, crypto mixers, and decentralized finance protocols, within 46.74 hours.
However, the longest delay is the window between public disclosure and the attacker's interaction with a laundering service, an average of 78.55 hours, suggesting that funds are often already moving before the hack becomes widely known.
“There’s no clear playbook here.”
In total, Global Ledger researchers measured four important timelines across hundreds of incidents: time from breach to fund movement, time from breach to report, time from breach to initial entity interaction, and time from public disclosure to laundering activity. Each lag tells its own story.

How fund movement speed varies by hacking target | Source: Global Ledger
For example, attacks targeting NFT projects show the slowest fund movement. On average, it takes 563.63 hours, or nearly 24 days, for funds from these exploits to move from the start to the last known entity in the laundering chain. This is more than twice the average lag seen in centralized exchange-related hacks, which clock in at about 425 hours.
Global Ledger co-founder and CEO Lex Fisun told Crypto.news in an exclusive commentary that the long delays in the case of NFTs are not just about low liquidity.
“There’s no clear playbook here. Laundering usually involves wash trading and social engineering. Remember the Idols exploit, which drained $340,000 in stETH but was left stuck with the related NFT.”
Lex Fisun
The report highlights how laundering paths differ depending on the type of project that was exploited. DeFi platforms and tokens typically see funds pass through laundering channels within 230 hours, while payment platforms average only 0.6 hours. Gaming and metaverse exploits are among the faster flows, with funds moving within 25 hours.

Distribution of stolen funds after crypto hacks | Source: Global Ledger
Despite the speed and fragmentation of fund flows, an astonishing amount of hacked assets remains untouched. The data suggests that almost 46% of stolen funds are still sitting idle, leaving important opportunities for continued tracing and potential recovery long after the incident occurred.
Cross-chain trace
While much of the funds sit idle, a growing share is slipping away through hard-to-trace cross-chain routes. The report shows that 42.23% of the stolen funds have moved across chains, bypassing chain-specific monitoring systems.
Fisun explained that cross-chain bridges have “already become one of the top money laundering tools.” And while repeated abuse can draw AML scrutiny, the Tornado Cash case proves one thing.

Laundering methods by frequency of use | Source: Global Ledger
Global Ledger data also shows that Tornado Cash, which is used in over 50% of the cases tracked by the company, remains the dominant laundering protocol. Despite rising pressure from the 2022 US financial sanctions and from regulatory authorities around the world, the service continues to play a central role in post-hack laundering.
Its use has surged once again after a US court ruling overturned the sanctions in 2024 on constitutional grounds.
Other privacy tools are gaining momentum too. For example, Railgun was used in 20% of cases, while Wasabi Wallet appeared in 10%. Chainflip, CoinJoin, and Cryptomixer were each involved in less than 7% of the laundering flows, the data shows.
Attackers become smarter
Fisun noted that the slow flows in centralized exchange hacks (currently averaging over 425 hours) do not necessarily reflect better compliance alone.
The CEO of Global Ledger says that slower timelines are “by design, not by glitch,” as attackers split assets, hop chains, and route stolen funds through privacy protocols to “try to slow down suspicious-looking flows.”
Only a small portion of the funds is frozen by enforcement or compliance teams. The report suggests that real-time responses remain rare despite advances in analytics and monitoring tools.
The numbers point to ongoing challenges, but also highlight where defenders can gain an advantage. The time gaps, though measured in hours, indicate that there is still room to act before the stolen funds disappear completely.