On May 7, TrustedVolumes — a liquidity provider connected to the 1inch DEX aggregator — was exploited for approximately $5.87 million (though losses were reported as higher).
Another DeFi hack, another set of stolen funds. But the way this attack was built, and where the money is sitting right now, tells a bigger story about how DeFi exploits create compliance exposure for VASPs.
In this article, we break down what happened, why DeFi is becoming an increasingly easy target for hackers, and what it means for compliance teams.
Key takeaways
- TrustedVolumes lost $5.87 million on May 7 through an exploit of the RFQ execution layer — the same mechanism used in the March 2025 1inch Fusion V1 attack, suggesting a linked operator.
- Nearly $5.86 million remains unspent in identified wallets.
- April 2026 set a 2026 record in crypto hacks — $641.67 million stolen, DeFi at the center of it.
TrustedVolumes Hack: What Happened
On May 7, TrustedVolumes was drained of $5.87 million (although the reported loss was higher — $6.7 million).
The attack was fast. According to our data, the first transaction went through just 13 minutes and 4 seconds after the exploit started, with the first swap following about 10 minutes later.
A small part of the funds moved toward mixers and privacy protocols almost immediately: 10.2 ETH ($23,735) went to Tornado Cash, and 0.45 ETH ($1,053) was sent to RailGun. But most of the money — ~$5.86 million — has not moved since, spread across four known wallets:
- 0xc3…9100 — 1,169.9611 ETH (~$2.74M)
- 0x61…2d1c — 1,222.1188 ETH (~$2.86M)
- 0x0c…7836 — 0.44201061 ETH (~$1.03K)
- bc1q…x0yt — 3.15394517 BTC (~$257.6K)
TrustedVolumes worked as a resolver inside 1inch's RFQ system — essentially a market maker that held real assets and executed swaps on demand. The attacker found a flaw in how the smart contract validated incoming requests and used it to drain the funds as if they were a legitimate trade. 1inch itself was not directly impacted.
What makes this incident stand out is the connection to history: the TrustedVolumes exploit and the March 2025 1inch Fusion V1 attack were both executed through the same RFQ mechanism and resolver layer. The same infrastructure, exploited twice. This does not appear to be coincidental and may indicate the same operator, or at least the same tactics being used.
DeFi Hack Losses Reach Record Highs
TrustedVolumes is part of a much larger wave. April 2026 set a 2026 record: $641.67 million stolen across the month. DeFi drove the majority of losses, with two incidents — the KelpDAO hack ($293 million) and Drift Protocol ($285 million) — making up ~88% of the total.
According to the Global Ledger Laundering Race report, DeFi became the second most used laundering route: H2 volumes hit ~$732M, up 4.3× from H1 (bridges rank first).
The pattern is clear. Hackers are not moving less money — they are moving it differently. As compliance controls at centralized exchanges tightened, attackers shifted to DeFi, bridges, and privacy tools as intermediate layers.
Why DeFi Keeps Getting Hit
DeFi is not a soft target by accident. Several structural features make it attractive to attackers:
- Permissionless architecture. Most DeFi protocols are open smart contracts. There is no KYC and no ability to reverse transactions once confirmed.
- Speed and liquidity. Large amounts can be moved and swapped across protocols in minutes, often before any monitoring system has processed the first alert.
- Composability creates an attack surface. DeFi protocols plug into each other — a resolver connects to an aggregator, which connects to liquidity pools across multiple chains. Each integration is a potential point of failure, and a vulnerability in one layer can cascade into another.
- Low cost of obfuscation. Once funds are in DeFi, they can be routed through bridges, swapped across chains, split across dozens of wallets, and mixed — all within minutes, in a single coordinated sequence.
The TrustedVolumes case illustrates this well: the attacker moved from exploit to bridge (Tornado Cash, RailGun) within minutes. The bulk of the funds are now sitting quietly, and licensed exchanges may well be the next stop for cash-out.
What This Means for Compliance Teams
DeFi exploits do not stay in DeFi.
The bridges, DEX swaps, mixer deposits, and RFQ resolver hacks are not isolated incidents — they are steps in a larger, deliberate laundering strategy. Hackers have become more cautious: they move quickly in the first minutes, then slow down and wait. The goal is to let the noise settle, fragment the trail, and eventually route funds toward regulated institutions for cash-out — but only once the obvious connections are hard to trace.
For compliance teams, this creates three specific risks worth naming:
- CEXs are usually the cash-out point.
  Attackers avoid centralized exchanges in the early stages — public disclosure is getting faster, and direct routes to CEXs are more likely to be blocked. Instead, they shift to fragmented, multi-hop laundering through DeFi. That is exactly why the cash-out attempt often comes later, when the link to the original exploit is no longer obvious.
- Unspent funds are not resolved risk.
  The $5.86 million sitting in TrustedVolumes-linked wallets will move at some point. So will the $1.97 billion in unspent 2025 hack proceeds documented in the Global Ledger report. Early reporting reduces immediate exposure, but the real risk is downstream — and it requires continuous monitoring, not a one-time incident response.
- Transactions may look “clean” by arrival.
  A deposit that has passed through three bridges, two DEXs, and a mixer may carry no obvious flag when it reaches your platform. Without visibility into the full path, standard screening can miss it.
To Conclude
As attack activity becomes more fragmented — with funds increasingly passing through bridges, mixers, and services with limited or no KYC controls — deposits arriving from unclear or high-risk sources require closer scrutiny.
Screening the known TrustedVolumes-linked addresses is the immediate step, but the broader posture matters more.
Enhanced due diligence (EDD) is the practical tool here. With the right AML platform on board, your compliance team can:
- Apply stricter rules for deposits originating from instant swap or non-KYC sources.
- Trigger EDD reviews for flows linked to mixers, bridges, or sanctioned wallets.
- Use hold-and-review policies to freeze funds while the investigation is still open.
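The difference between direct-counterparty screening and full-path visibility (the "clean by arrival" risk above), combined with the three controls in this list, can be shown with a short tracing sketch. This is an added example, not Global Ledger's code or methodology; the transfers, entity names, category labels, and the mapping from category to action are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: placeholder names, not real addresses or entities.
# Each pair is (sender, receiver) for one on-chain transfer.
TRANSFERS = [
    ("exploit_wallet", "mixer_A"), ("mixer_A", "hop_1"),
    ("hop_1", "bridge_X"), ("bridge_X", "hop_2"),
    ("hop_2", "instant_swap_S"), ("instant_swap_S", "depositor_1"),
    ("mixer_A", "kyc_exchange_K"), ("kyc_exchange_K", "depositor_2"),
]
LABELS = {"exploit_wallet": "stolen_funds", "mixer_A": "mixer",
          "bridge_X": "bridge", "instant_swap_S": "non_kyc_swap",
          "kyc_exchange_K": "kyc_exchange"}
# Assumption: pooled custodial wallets end a trace; their customers are not tainted.
STOP_AT = {"kyc_exchange"}
# Assumed policy order, strictest first, mirroring the three controls in the list.
POLICY = [
    ("hold_and_review", {"stolen_funds"}),
    ("edd_review", {"mixer", "bridge", "sanctioned"}),
    ("stricter_rules", {"non_kyc_swap"}),
]

def trace_exposure(address, max_hops=8):
    """Walk inbound transfers backwards; return {category: nearest hop distance}."""
    inbound = {}
    for sender, receiver in TRANSFERS:
        inbound.setdefault(receiver, []).append(sender)
    exposure, seen, queue = {}, {address}, deque([(address, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue  # depth limit reached: do not look further upstream
        for sender in inbound.get(node, []):
            if sender in seen:
                continue
            seen.add(sender)
            category = LABELS.get(sender)
            if category:
                exposure.setdefault(category, hops + 1)
            if category not in STOP_AT:
                queue.append((sender, hops + 1))
    return exposure

def decide(exposure):
    """Return the strictest action whose categories appear in the exposure."""
    for action, categories in POLICY:
        if categories & set(exposure):
            return action
    return "allow"
```

With `max_hops=1` the deposit to `depositor_1` only shows a non-KYC swap service; the bridge, mixer, and exploit wallet appear only when the trace goes deeper.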
Global Ledger's KYB solution helps compliance teams generate comprehensive entity exposure reports for custom time periods — all transactions, counterparties, and high-risk entities in one place. It also supports dedicated DeFi reports on contract addresses, covering lending, staking, and other on-chain activity by requested period.
This way, your team always knows what it's dealing with before making the next compliance decision.
FAQ
What does it mean to bridge Arbitrum funds after a freeze?
After the Arbitrum Kelp exploit freeze, stolen ETH moved into a governance-controlled wallet. To bridge Arbitrum funds out, a formal governance vote must complete first — making the freeze a coordinated enforcement structure, not just a technical block.
What is the A7A5 stablecoin and why does it matter for compliance?
The A7A5 stablecoin is a ruble-pegged token used as a core instrument in stablecoin sanctions evasion schemes — replacing frozen USDT after the Garantex takedown and routing illicit Russia-linked A7A5 flows through licensed exchanges.
What does the Grinex hack mean for sanctions compliance?
Designation doesn't stop flows. Grinex processed $9.25B after OFAC sanctions, routing funds through licensed platforms. Under strict liability, exchanges that “touched” Grinex-linked flows, even unknowingly, may carry exposure.
What are the key Russian crypto exchange compliance risks?
The main risk is hidden exposure to sanctioned liquidity moving through layered infrastructure. The A7A5 token is a clear case of stablecoin sanctions evasion: a ruble-pegged asset used to route funds through licensed platforms under the cover of normal trading. These flows often look routine, but any link to sanctioned entities still creates compliance risk — regardless of intent.