
The 2026 Crypto Laundering Roadmap: 5 Trends Redefining Global Financial Crime

Fundamental shifts in crypto laundering are redefining how risk needs to be managed in 2026 and beyond 
Anastasia Arashkevich


Crypto & Blockchain Expert

April 06, 2026

In 2024, hackers stole $1.94 billion across 265 crypto scams and hacks, according to Global Ledger research. In 2025, that number more than doubled: $4.04 billion across 255 incidents. Fewer attacks, greater damage, and laundering operations that get harder to trace.

The challenge for compliance teams is not just that controls lag behind the threat.

Hackers treat every new preventive measure as a signal — new blacklists, tighter monitoring, updated screening logic force them to reimagine how illicit funds move next. The tactics that defined previous years have already changed significantly.

By 2026, the laundering infrastructure looks structurally different. This article breaks down the five trends redefining that shift and what this means for your AML framework today.

Key Takeaways
  • Cross-chain bridges have replaced crypto mixers as the primary laundering tool.

  • Hackers no longer move stolen funds directly to exchanges. Multistage fragmentation is now the default across most common crypto scams and protocol-level hacks alike.

  • Blacklist-only compliance is no longer sufficient. Tornado Cash leads the chart in terms of popularity among crypto mixers, used in 41.57% of all hacks (115 of 255) in 2025.

  • The window between a hack and public disclosure is where the most critical movement happens. In the fastest recorded case in 2025, funds moved in just 2 seconds — before anyone knew a hack had occurred.

 

5 Trends Redefining Global Financial Crime in 2026 

| Trend | What Changed | Compliance Risk |
| --- | --- | --- |
| The Bridge Takeover | Cross-chain bridges have replaced mixers as the primary laundering tool for moving stolen funds. | Single-chain monitoring creates blind spots. |
| The Staging Evolution | Multi-stage laundering has become the default approach for hackers looking to remain undetected after a hack. | Individual deposits appear low-risk in isolation; attribution to a single incident requires cross-stage visibility. |
| DeFi Migration | DeFi protocols have become the second-largest laundering route, sometimes surpassing centralized exchanges. | Exposure surfaces later on CEXs without obvious red flags; deposits may carry significant upstream risk. |
| The Speed Gap | The first move after a hack is getting faster while subsequent steps are deliberately slowed down to avoid detection and plan the next move. | Faster public disclosure has improved incident detection, but it is still not enough for compliance teams to stay ahead of hackers. |
| Tornado's Return | Tornado Cash returned as the dominant crypto mixer after sanctions were lifted, with funds flowing directly into top-tier CEXs. | Static blacklists are insufficient; mixer exposure requires behavioral signal detection. |

1. The Bridge Takeover 

Cross-chain bridges have replaced mixers as the primary laundering tool, creating new “blind spots” in the risk detection process.

According to Global Ledger research, in 2025, bridges handled $2.01 billion — nearly 50% of all stolen funds and over 3x more than mixers and privacy protocols combined. The North Korea Bybit crypto hack alone contributed to the numbers: of the $1.38 billion stolen, 94.91% moved through bridges.

In 2024, the picture looked different. Mixers processed around 50% of stolen funds across the 25 largest hacks ($763.48 million). They offered lower visibility risk and remained the go-to tool before regulatory scrutiny caught up. 

Top destinations of stolen funds from the 25 largest hacks of 2024. Source: Global Ledger.

The shift from mixers to bridges happened for a structural reason. Bridges break the linear transaction trail in a way mixers simply cannot, enabling chain hopping across incompatible ledger architectures.

Most bridges operate as permissionless smart contracts that are not designed to detect or freeze illicit flows, allowing attackers to move massive volumes while evading KYC and sanctions screening. A single cross-chain bridge exploit — one of the most dangerous crypto scams targeting protocol infrastructure — can disperse funds across dozens of chains before any alert is triggered.

Bridges also serve as a gateway into DeFi, where laundering volume grew 4.3× in H2 2025. Once cross-chain, attackers swap assets, fragment funds into micro-transfers across multiple chains, and make investigations far more resource-intensive than tracing a traditional mixer.  

Compliance implication: Bridges are not inherently malicious. They work exactly as designed. However, that design creates a structural blind spot that sophisticated actors actively exploit. Without cross-chain accountability models, they remain attractive for high-volume laundering and expose well-intentioned protocols to serious regulatory and reputational risk. 

With the Global Ledger KYT solution, you can monitor suspicious transactions in real time, flag cross-chain flows as higher risk by default, and have updated risk models with bridge- and mixer-specific patterns before exposure reaches your platform.

2. The Staging Evolution

Simple, direct transfers of illicit funds to exchanges are a thing of the past. Hackers are increasingly using fragmented, multistage laundering to move stolen funds before using an exchange as one of their cash-out points.

The Global Ledger study shows that multistage laundering was used in 99% of hacks across 255 cases in 2025. In H1 2025, just 2.5% of cases moved funds straight to a VASP or mixer in the first move. In H2, that number dropped to zero. Hackers no longer rush illicit funds to regulated exchanges; instead, they choose more complex and cautious routes where they are more likely to go unnoticed.

With such a laundering approach, hackers break balances into smaller transfers distributed across multiple unhosted wallets, then route them through mixers, cross-chain bridges, DEXs, and instant swap services. This pattern is especially common following flash loan attacks and smart contract exploits — among the most common types of crypto scams targeting protocol infrastructure.

The $48 million BtcTurk hack is a clear example of this staged approach to moving illicit funds. Stolen funds moved through unhosted wallets, CoinJoin, Wasabi Wallet, THORChain, Chainflip, and the Lightning Network — layered, fragmented, and deliberately obscured before any cash-out attempt.

Review how funds moved in the BtcTurk hack case in our Visual Tracing Tool.

 

Compliance implication: Multistage routes weaken the direct link to the original exploit. Individual deposits may look low-risk in isolation. Without cross-stage visibility, attributing funds to a single incident becomes genuinely difficult. Attackers are not moving in a straight line to a cash-out point. They are constructing layered routing paths specifically designed to degrade analytical certainty. To operate in this environment, you need to detect patterns across deposits, timing, and behaviour, not just isolated events.  

In the Global Ledger visual tracing tool, clustering algorithms can surface hidden links between wallets by combining behavioural patterns, smart contract interactions, and fund origin analysis to associate activity with specific entities or events.  

3. DeFi Migration

Attackers are moving away from CEXs as exchange security improves, and more funds are being laundered through decentralized protocols.

The Global Ledger research team found that laundering volumes through decentralized protocols grew more than 4.3× between H1 and H2 2025 — from $170 million to $732 million — making DeFi the second most used laundering route by year-end.

DeFi platforms have become the second-largest inflow point for stolen funds, surpassing CEXs. Source: Global Ledger.

DeFi protocols operate without KYC or sanctions screening, execute transactions through permissionless smart contracts, and offer near-instant asset swaps across chains. There is no compliance layer to flag suspicious flows, no account to freeze, and no operator to serve a court order on. For attackers looking to obscure their trail and break the transaction path, that architecture is exactly what they need. DeFi has also become an environment where different types of crypto scams — from liquidity drain schemes to governance exploits — originate and escalate. 

Compliance implication: Funds can pass through multiple intermediaries, including DeFi platforms, before reaching a VASP. Deposits that look clean at arrival can carry significant upstream risk. That gap requires closer scrutiny of unclear or high-risk sources, even when individual transactions look low-risk in isolation. 
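The upstream-risk gap described here, and the cross-stage visibility called for under The Staging Evolution, can be shown with a small tracing sketch. This is an added example, not Global Ledger's tooling: the transfers, addresses and bridge pairing are constructed, and proportional ("haircut") taint is one simple model chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real addresses): (time, chain, sender, receiver, amount)
TRANSFERS = [
    (1, "eth", "exploit", "w1", 60.0),        # stage 1: split the stolen balance
    (1, "eth", "exploit", "w2", 40.0),
    (2, "eth", "w1", "bridge_in", 60.0),      # stage 2: lock on chain A ...
    (3, "bsc", "bridge_out", "w3", 60.0),     # ... release on chain B
    (4, "eth", "w2", "w4", 40.0),
    (4, "eth", "other_user", "w4", 40.0),     # unrelated funds mix into w4
    (6, "bsc", "w3", "vasp_dep_1", 60.0),     # stage 3: deposits at a VASP
    (7, "eth", "w4", "vasp_dep_2", 80.0),
]
SEEDS = {("eth", "exploit"): 100.0}           # flagged source and stolen amount
# Assumed known from decoded bridge events: lock address -> release address
BRIDGE_LINKS = {("eth", "bridge_in"): ("bsc", "bridge_out")}


def direct_hit(transfers, deposit, flagged):
    """List-style check: did a flagged address send to the deposit directly?"""
    return any((c, s) in flagged and (c, r) == deposit
               for _, c, s, r, _ in transfers)


def trace_exposure(transfers, seeds, bridge_links=None):
    """Proportional ("haircut") taint propagation in time order.

    Returns {(chain, address): tainted share of total inflow}. With
    bridge_links=None the trace is single-chain and stops at the lock address.
    """
    links = bridge_links or {}
    balance, taint = defaultdict(float), defaultdict(float)
    inflow, tainted_in = defaultdict(float), defaultdict(float)
    for node, amount in seeds.items():
        balance[node] = taint[node] = amount
    for _, chain, sender, receiver, amount in sorted(transfers, key=lambda t: t[0]):
        src = (chain, sender)
        dst = links.get((chain, receiver), (chain, receiver))
        if balance[src] < amount:             # funded outside our view: gap is clean
            balance[src] = amount
        moved = amount * taint[src] / balance[src] if balance[src] else 0.0
        balance[src] -= amount
        taint[src] -= moved
        balance[dst] += amount
        taint[dst] += moved
        inflow[dst] += amount
        tainted_in[dst] += moved
    return {n: tainted_in[n] / inflow[n] for n in inflow if inflow[n]}


if __name__ == "__main__":
    for label, links in (("single-chain", None), ("cross-chain", BRIDGE_LINKS)):
        shares = trace_exposure(TRANSFERS, SEEDS, links)
        print(label, {k: v for k, v in shares.items() if k[1].startswith("vasp")})
```

Neither deposit has a flagged direct counterparty, and the single-chain trace scores the bridged deposit as clean; only the cross-chain trace attributes it to the incident.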

With the Global Ledger KYT solution, you can generate DeFi exposure reports covering on-chain activity across a specified token set and time window, including smart contract data, transaction flows, sources or destinations of funds linked to the contract.

4. The Speed Gap

Laundering has become a game of extremes: while the total laundering "marathon" has slowed down to over 10 days, the absolute maximum speed for a first fund movement reached a record 2 seconds in H2 '25.

The average time from a crypto exchange hack to the first fund movement was around 17 hours in 2025 — well before public disclosure, which followed 2.1× later. In the fastest recorded case, funds moved in just 2 seconds — twice as fast as in H1 2025. That means by the time anyone knows a hack happened, the money is already gone.

However, after that first move, attackers deliberately slow down. Stolen funds typically reach the first mixer or VASP around 5.2 days after the incident. The logic is simple: quickly make the first move, then wait for monitoring intensity to decline before the next step.

Compliance implication: The window between a hack and public disclosure is where the most critical movement happens. By the time an incident is reported, funds have already been repositioned. Compliance teams that rely on “post-disclosure alerts” are working with a structural delay built into their response. Continuous monitoring, real-time alerts, and proactive incident response are the only ways to close that gap. 

With the Global Ledger KYT tool, you can monitor addresses of interest in real time using a system that performs 500,000 AML checks each day. Instant alerts notify you about deposits from known entities and suspicious fund movements, helping your team act early and demonstrate reasonable efforts to regulators and partners.

5. Tornado’s Return

The dramatic surge in Tornado Cash usage from 42.9% to 74.3% of cases by late 2025, following the lifting of sanctions, signals a failure of blacklist-only compliance.

Mixers and privacy protocols remain the step after bridges, used in 45.1% of all hacks in 2025.

Mixers remain the step after bridges — a pattern visible across known crypto scams and large-scale hacks alike — used in 45.1% of 255 cases in 2025. Tornado Cash leads among crypto mixers, used in 41.57% of all hacks (115 of 255) in 2025, according to the Global Ledger study. Its usage jumped sharply in H2 after sanctions were lifted in March 2025. The lifting of sanctions immediately removed the primary compliance hurdles that previously triggered automated alerts at centralized exchanges.

The use of mixers and privacy protocols by hackers in 2025. Source: Global Ledger.
Compliance implication: Funds previously associated with ransomware payments, darknet market activity, and bridge hacks are now flowing more openly through Tornado Cash. The mixer has effectively become a shortcut to highly liquid CEXs, simplifying both laundering and cash-out in one step. In this new reality, mixer exposure has to be identified through behavioral signals — transaction patterns, timing, and flow analysis — rather than static lists. 

With Global Ledger KYT, you can set alerts based on transaction behaviour — amounts, timing, and inflow-outflow patterns — to catch cryptocurrency mixer exposure early. For cases where direct attribution is not possible, probabilistic tracing helps surface likely links between deposits and withdrawals after the fact.

One More Upcoming Trend for 2026: Stricter Regulation Catches Up

By mid-2026, MiCA will reach full implementation in Europe and transitional arrangements for VASPs will expire across multiple jurisdictions.

Stricter Travel Rule enforcement is the most immediate pressure point. No-KYC and unregulated exchanges are becoming harder to operate as regulators close the gaps that previously allowed “lighter-touch” oversight.

Stricter oversight is not limited to VASPs. Investment scams, Ponzi schemes, and pump and dump schemes targeting retail users are also coming under closer scrutiny. More broadly, regulatory compliance in 2026 is evolving alongside new approaches to combating global financial crime both at the business and user level. Authorities are moving away from checking whether a VASP has an AML program toward asking whether that program is actually working.

Compliance implication: Having tools on paper is no longer sufficient. Compliance teams will need to show measurable outcomes: not just policies and procedures, but evidence that risk is being identified and addressed. 

With the Global Ledger KYB solution, you can perform enhanced due diligence on counterparties to check their risk exposure, as required under the Travel Rule and MiCA's VASP onboarding obligations. You’ll get full visibility into fund sources, destinations, and entity exposure data that helps your team build the documentation needed to support SAR filings when required.

Conclusion

Crypto laundering has become a structured, multi-layered process. Bridges replaced mixers. Staging replaced direct transfers. Speed and patience are now used together as a cautious yet consistently effective strategy.

The tools and frameworks built for previous years are not equipped for what is happening in 2026. To operate in this new environment, compliance teams need approaches that put them ahead in the laundering race — not reacting after the fact. Multi-chain monitoring, AI-powered alerts, time-based triggers, cluster analytics, and updated risk models with bridge- and mixer-specific patterns are the baseline your compliance framework needs in 2026.

Global Ledger provides tools for real-time monitoring, cross-chain visibility, and enhanced due diligence that cover the full picture behind transactions and entities. Quiet risk is harder to spot. Preparation helps — and you don’t have to do it alone. Schedule a demo to see how we can help support your compliance workflows.

 

FAQ 

How do people get hacked on crypto?

Crypto hacks typically begin with phishing, smart contract exploits, or account takeovers. Common entry points include seed phrase phishing, wallet phishing, cross-chain bridge exploits, flash loan attacks, and reentrancy attacks — as well as impersonation scams targeting users directly. Once access is gained, hackers move illicit funds within seconds, often before the victim notices anything is wrong. 

What are crypto scams?

Crypto scams are fraudulent schemes designed to steal digital assets or funds by exploiting user trust, technical vulnerabilities, or lack of knowledge. They range from fake investment platforms and phishing attacks to protocol-level exploits and market manipulation. What makes online crypto scams particularly damaging is the irreversible nature of blockchain transactions: once funds are moved, recovery is rarely possible.

What are the most common types of crypto scams and hacks?

The most common types of crypto scams fall into two categories. Protocol-level attacks include smart contract exploits, flash loan attacks, bridge hacks, and reentrancy attacks. User-facing fraud includes investment scams, Ponzi schemes, pump and dump schemes, rug pulls, fake exchanges, phishing, and impersonation scams. What connects all common crypto scams is what happens after: stolen funds are moved through crypto mixers, chain hopping, and fragmented transfers to make tracing and crypto asset recovery increasingly difficult.

What are some examples of crypto scams and hacks?

Well-known examples of crypto scams include the $48 million BtcTurk hack (where funds were layered through CoinJoin, THORChain, and the Lightning Network) and the North Korea Bybit crypto hack, where $1.38 billion was stolen and 94.91% moved through cross-chain bridges. At the retail level, common examples include fake exchange platforms, seed phrase phishing campaigns, and pump and dump schemes promoted through anonymous social channels.

What are the most dangerous crypto scams to watch out for?

The most dangerous crypto scams are those that combine technical sophistication with large-scale laundering infrastructure. Cross-chain bridge exploits, flash loan attacks, and multistage fragmentation schemes are among the hardest to detect and trace. For retail users, the most dangerous crypto scams are typically seed phrase phishing, fake exchanges, and investment scams that mimic legitimate platforms — all designed to move illicit funds before the victim realizes anything is wrong. 

How is stolen crypto laundered?

After a crypto hack, stolen funds rarely move directly to a cash-out point. Attackers typically start with chain hopping, moving illicit funds across multiple blockchains through cross-chain bridges and DEXs to break the transaction trail. From there, funds are fragmented into micro-transfers across unhosted wallets, routed through crypto mixers or Ethereum mixers like Tornado Cash, and layered through DeFi protocols before eventually reaching an exchange. The entire process is designed to degrade analytical certainty and delay detection.