Hackers act fast, but so do the clues they leave behind.
A significant portion of stolen cryptocurrency—nearly 46%—remains untouched on the blockchain, offering a silver lining in the shadowy world of cybercrime. According to a new report by blockchain intelligence firm Global Ledger, the lag in laundering timelines and the visibility of on-chain movements may provide valuable windows for asset recovery even days after a breach occurs.
The study, which analyzed hundreds of on-chain hacks, outlines a nuanced timeline of how stolen funds are moved and laundered and how long victims and the broader crypto community take to detect and report such incidents. The findings underscore both the challenges and the evolving tactics in tracing digital theft.
A Race Against the Clock
Global Ledger’s analysis breaks down the lifecycle of a hack into four key stages: the time from the breach to fund movement, from breach to public disclosure, from breach to first interaction with a laundering entity, and from public disclosure to laundering activity. These timelines are crucial for understanding how quickly hackers act—and how long defenders have to respond.
On average, it takes 43.83 hours for a breach to be publicly reported. Yet hackers typically move funds to laundering destinations—such as exchanges, mixers, or DeFi platforms—within 46.74 hours. The longest gap identified is the average of 78.55 hours between public disclosure and the attacker’s interaction with laundering services, indicating that many illicit transfers are completed before the public even becomes aware.
NFT Attacks Drag Out the Laundering Timeline
Not all hacks follow the same pattern. The type of project targeted heavily influences how funds are laundered and how long that process takes. For instance, attacks on NFT platforms experience the slowest movement of stolen funds, averaging a staggering 563.63 hours—nearly 24 days—from the first to the last known laundering step.
Lex Fisun, co-founder and CEO of Global Ledger, explained why NFT-related thefts are harder to offload. “There’s no clear playbook here; laundering usually involves wash trading or social engineering. Remember The Idols exploit, where the attacker drained $340,000 in stETH but got stuck with the associated NFTs?” he told.
In contrast, centralized exchange-related hacks see laundering flows wrap up in about 425 hours, while DeFi and token-based exploits average 230 hours. The quickest laundering occurs in payment platforms, where stolen assets are typically moved within 0.6 hours. Gaming- and metaverse-related hacks also show fast flows, averaging under 25 hours.
Stolen But Not Gone
One of the most revealing insights in the report is the amount of stolen crypto that remains dormant. Nearly half of all hacked assets are still unspent on-chain, indicating they have yet to be laundered or cashed out. This presents a meaningful opportunity for investigators and security teams to intervene—often well after the incident itself.
Still, the growing use of cross-chain routes makes tracking more complex. According to the report, 42.23% of stolen funds were moved across blockchain networks, evading traditional, chain-specific monitoring tools.
“Cross-chain bridges have already become one of the top money laundering tools,” Fisun noted. “Sanctions shift tactics, not demand.”
Privacy Tools Still Dominate
Despite increased scrutiny from regulators, privacy tools remain at the heart of laundering operations. Tornado Cash, sanctioned by the U.S. Treasury in 2022, continues to be the dominant protocol, used in more than half the cases analyzed by Global Ledger. Its usage rose again after a U.S. court overturned the sanctions on constitutional grounds in 2024.
Other privacy solutions like Railgun and Wasabi Wallet are also gaining ground, appearing in 20% and 10% of laundering cases, respectively. Lesser-used tools include Chainflip, CoinJoin, and CryptoMixer, each accounting for under 7% of laundering activity.
Smarter Criminals, Slower Systems
According to Fisun, the longer timelines seen in centralized exchange-related laundering aren’t necessarily a sign of stronger compliance. “It’s both,” he said. “A slower timeline is not a glitch; it’s by design,” as attackers now split assets, hop chains, and use layered privacy strategies to bypass detection.
Only a small portion of stolen funds are successfully frozen, the report notes, as real-time enforcement remains rare. Still, the data offers a glimmer of hope: delayed fund movements and dormant assets show there is still time to act—if defenders know where to look.
