
Top 5 Ways Crypto Hacks Happen & What Comes Next in 2026

This article breaks down the top 5 ways crypto hacks happen and what they signal for 2026.

Key Highlights:

  • Crypto hacks are shifting from code exploits to systemic and behavioural weaknesses.

  • Post-hack risk now matters more than the initial breach.

  • Laundering is becoming slower but more fragmented.

  • 10–15 minutes — the real response window after funds hit an exchange.

  • Nearly 50% of stolen funds remain unspent, signalling delayed laundering strategies.

The conversation around a crypto hack usually stops at the exploit. Headlines focus on the biggest crypto hack, a new crypto exchange hack, or the latest wave of crypto phishing and broader cybercrime activity. However, for compliance teams, the real risk begins after the breach — when stolen funds start moving.

In 2025 alone, $4.04 billion was stolen across 255 incidents. In the fastest case, funds moved in just 2 seconds. In ~76% of cases, funds moved before public disclosure. That changes how compliance must think about exposure.

Below are the top crypto scam and hack patterns used last year and what they signal for 2026. 

Top 5 ways crypto hacks happen

1. Smart contract exploits — most frequent entry point

According to the Global Ledger research, contract exploits accounted for almost 64% of all crypto hacks last year, making them the most common attack vector behind the biggest crypto hacks of the year. Although their share declined from about 70% in H1 to about 58% in H2, total damage increased by almost 36% in H2, bringing annual losses to $861.54 million in 2025.

Smart contract exploits happen when attackers find a flaw in a protocol’s code and use it to withdraw funds. Common patterns include:

  • logic errors in DeFi contracts
  • manipulation of price feeds
  • repeated calls that drain liquidity
  • weak or misconfigured access controls.

These are the types of incidents that often appear in crypto hack news as a major DeFi breach or crypto exchange hack such as the Bybit exploit, which included smart contract manipulation, among other factors. Because they originate from a specific vulnerable contract, they usually leave a visible on-chain trail.

However, while smart contract exploits are the most frequent attack type, they are no longer the most financially damaging category. The bigger structural risk in 2026 increasingly lies beyond code vulnerabilities. 

2. Malicious approvals — fewer incidents, larger financial damage

Malicious approvals represented only 11.76% of incidents but accounted for $1.51 billion in losses in 2025. Contract exploits dominated by count, yet malicious approvals drove 1.76× more losses, illustrating a disconnect between attack frequency and financial impact. However, the total is skewed by the Bybit exploit (nearly $1.46 billion), which significantly inflated the impact of the malicious approval category.

Many of these attacks are linked to crypto phishing scams and broader investment scams that target wallet users rather than protocol vulnerabilities.

Unlike contract exploits, malicious approvals:

  • target user signing authority directly
  • enable immediate access to large balances
  • often rely on Web2 infrastructure that disappears quickly.

This is why recovery is harder. Evidence may vanish within days, making forensic preservation critical for any potential recovery of stolen crypto assets.

3. Private key compromises — direct wallet control

Private key compromises accounted for 13.33% of incidents and caused $959.68 million in losses in 2025.

This attack vector does not target the blockchain itself. Instead, attackers gain control over the credentials that protect a wallet or exchange account. This typically includes:

  • stolen login credentials
  • leaked API keys
  • exposed seed phrases
  • failures in access control or internal security

In other words, the protocol is not hacked — the keys are. Once attackers obtain private key access, they can move funds immediately. This results in what is effectively a direct crypto wallet hack, highlighting the weaknesses in crypto wallet security practices.

Private key compromises remained the leading attack vector used by DPRK-linked actors. Moreover, centralised exchanges — as high-liquidity targets — became their primary focus. The share of DPRK-linked incidents targeting CEXs increased from approximately 40% in H1 to over 83% in H2. In total, North Korea crypto hacks accounted for around $1.89 billion, representing approximately 46.8% of total losses in 2025.

Because these movements are authorised by valid credentials, they may initially appear legitimate, increasing the importance of behavioural monitoring rather than relying solely on exploit detection. 

4. Rug pulls and Ponzi schemes — lower share, persistent risk

Rug pulls accounted for 4.71% of incidents, totalling $524.10 million in losses. However, losses fell by more than 5× in H2 compared to H1, despite the same number of incidents.

A rug pull occurs when developers create a project, attract investors, and then suddenly disappear with the funds. Ponzi schemes, by contrast, rely on funds from new investors to pay returns to earlier participants, creating the illusion of profitability.

The largest rug pulls and Ponzi schemes — including Bitcoin Ponzi schemes — continue to appear in lists of the biggest crypto scams in history, including the OneCoin (ONE) case, the Thodex Exchange (THODEX) collapse, the BitConnect (BCC) scheme, and more.

5. Address poisoning — emerging behavioural exploit 

Last year, five address poisoning incidents (1.96% of the total) led to $52.41 million in losses. Although smaller in financial scale, address poisoning became the fourth-largest attack type by stolen volume last year.

Source: Global Ledger research. Contract exploits

Technically, address poisoning involves:

  • sending small transactions from addresses visually similar to legitimate ones
  • exploiting wallet history copying behaviour
  • tricking users into sending funds to attacker-controlled addresses.

This vector exploits human behaviour rather than code, meaning that behavioural weaknesses are increasingly rivaling technical vulnerabilities.
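A wallet or platform can screen for the pattern described above before a user copies an address from history. The following is an added example, not code from Global Ledger or the report; the `Transfer` record, the 4-character comparison width, the dust limit and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value: float  # token units

def lookalike(candidate: str, known: str, edge: int = 4) -> bool:
    """True when candidate is a different address that copies the first and
    last `edge` hex characters of known (the part a truncated display shows)."""
    c = candidate.lower().removeprefix("0x")
    k = known.lower().removeprefix("0x")
    return c != k and c[:edge] == k[:edge] and c[-edge:] == k[-edge:]

def check_destination(dest, counterparties, edge=4):
    """Pre-send guard: return the known address that dest imitates, else None."""
    return next((k for k in sorted(counterparties) if lookalike(dest, k, edge)), None)

def find_poisoning(wallet, history, incoming, dust_limit=0.01, edge=4):
    """Return (transfer, imitated_address) for each incoming dust transfer whose
    sender imitates an address this wallet has previously paid."""
    counterparties = {t.recipient for t in history if t.sender == wallet}
    hits = []
    for t in incoming:
        if t.recipient != wallet or t.value > dust_limit:
            continue  # not ours, or too large to be a history-seeding transfer
        imitated = check_destination(t.sender, counterparties, edge)
        if imitated is not None:
            hits.append((t, imitated))
    return hits

# Constructed sample addresses (not real accounts).
WALLET = "0x" + "a1" * 20
LEGIT = "0x7a3f" + "c0de" * 8 + "9b21"
FAKE = "0x7a3f" + "dead" * 8 + "9b21"    # same first and last 4 characters as LEGIT
OTHER = "0x" + "5e" * 20
HISTORY = [Transfer(WALLET, LEGIT, 1500.0)]
INCOMING = [
    Transfer(FAKE, WALLET, 0.0),      # zero-value transfer from a look-alike
    Transfer(OTHER, WALLET, 0.001),   # ordinary dust, no resemblance
    Transfer(LEGIT, WALLET, 0.005),   # the genuine counterparty
]

if __name__ == "__main__":
    for transfer, imitated in find_poisoning(WALLET, HISTORY, INCOMING):
        print(f"suspected poisoning: {transfer.sender} imitates {imitated}")
```

The same `check_destination` call can run at send time, so that a pasted address resembling a known counterparty is held for confirmation instead of being signed.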

What it means for compliance teams 

The data reveals a trend: attackers are shifting from technical bugs to systemic weaknesses in key management, signer behaviour, and user interfaces. 

Contract exploits are frequent but often capped by protocol-level limits or rapid mitigation. In contrast, malicious approvals and private key compromises directly target user wallets and signing authority, allowing attackers to access large balances in a single step. Address poisoning similarly exploits user behaviour rather than technical vulnerabilities.

Focusing only on common threats (e.g., smart contract bugs) can be misleading. Many of the biggest crypto scams and crypto platform scams stem from weaknesses in user behaviour rather than code. Therefore, low-frequency but high-impact attacks — like malicious approvals or private key leaks — represent systemic vulnerabilities, especially in CEX environments.

What happens after a hack: key signals for 2026

1. Faster public disclosure

If we compare the beginning and the end of last year, public incident reporting became noticeably faster. According to the same report, in H1, attackers were on average 23 hours ahead of public disclosure. By H2, this gap had narrowed to 11 hours — a ~2.1× reduction.

Such a shift provides compliance teams with a stronger position heading into 2026. However, in ~76% of incidents, stolen funds moved before any public disclosure. This underscores the need for continuous monitoring with AI-powered real-time alerts, time-based triggers and cluster analytics, rather than relying solely on disclosure-driven reactions. This is particularly critical in the context of cross-chain hacks, where funds can move rapidly across bridges before “traditional” controls detect exposure.

2. Laundering is slower but more fragmented

While the first movement is rapid, post-incident laundering takes more time. In H2 2025, the average laundering speed declined by ~25%.

However, laundering became increasingly multi-stage. In ~99% of cases, attackers moved funds through multiple hops rather than a single transfer, making risk detection more complex.

For 2026, this signals a shift from speed alone to structural complexity.

3. Attackers are more patient — exposure is delayed

Data from the report shows that attackers are becoming more cautious, often waiting out initial scrutiny before proceeding further. Approximately 50% of stolen funds (over $1.97 billion) remain unspent (at the time of the research), suggesting a deliberate strategy: delay exposure, wait for attention to fade, then act. 

Why this matters

The difference between a Ponzi scheme, a rug pull, and a wallet exploit matters less than:

  • How fast funds move

  • Whether you detect multi-stage behaviour

  • How quickly alerts are triggered

  • How fast you can react to freeze illicit funds once they reach an exchange.

Ultimately, how to protect your crypto, how to secure your crypto wallet, and how not to be hacked are no longer just user concerns — they are platform- and compliance-level priorities. This is no longer a narrow technical issue, but a systemic risk management challenge.

The real question for 2026 is: “How quickly can we detect and respond when it happens?” When funds from a hacker-controlled address reach your platform, the response window is extremely narrow — typically 10–15 minutes to act. Transactions that exceed internal risk thresholds may be routed for manual review and temporarily withheld, but this only works if continuous monitoring is already in place. If no action is taken within this window, assets are likely to move again — into a mixer, another exchange, or off-ramped entirely — where tracing and crypto recovery become significantly more complex.
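To make the multi-hop and response-window points concrete, here is an added example (not Global Ledger's methodology) that follows funds from a flagged address across several hops and raises a hold alert with a deadline when a tainted deposit reaches the platform. The proportional "haircut" taint model, the 10-minute deadline taken from the lower bound above, the threshold and the ledger entries are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RESPONSE_WINDOW = timedelta(minutes=10)  # lower bound of the article's 10-15 minute window

def trace_exposure(transfers, flagged, platform, threshold):
    """Propagate taint from flagged addresses through time-ordered transfers.

    Haircut model (an assumption of this example): each outgoing transfer
    carries taint in proportion to the sender's tainted share of its balance.
    Returns one alert per platform deposit whose tainted amount exceeds threshold.
    """
    balance = defaultdict(float)     # address -> funds observed
    tainted = defaultdict(float)     # address -> part traced to a flagged source
    hops = {a: 0 for a in flagged}   # address -> fewest hops from a flagged source
    alerts = []
    for ts, src, dst, amount in sorted(transfers):
        if src in flagged:
            moved = amount
        else:
            share = tainted[src] / balance[src] if balance[src] > 0 else 0.0
            moved = min(amount * share, tainted[src])
            balance[src] = max(balance[src] - amount, 0.0)
            tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
        if moved > 0:
            hops[dst] = min(hops.get(dst, hops[src] + 1), hops[src] + 1)
        if dst in platform and moved > threshold:
            alerts.append({"deposit": dst, "tainted": round(moved, 2),
                           "hops": hops[dst], "act_by": ts + RESPONSE_WINDOW})
    return alerts

# Constructed sample ledger: (timestamp, sender, recipient, amount).
T0 = datetime(2025, 1, 1, 12, 0)
SAMPLE = [
    (T0, "hacker", "hop1", 100.0),
    (T0 + timedelta(minutes=1), "clean", "hop2", 100.0),   # unrelated funds mix in
    (T0 + timedelta(minutes=2), "hop1", "hop2", 100.0),
    (T0 + timedelta(minutes=5), "hop2", "deposit_A", 80.0),
    (T0 + timedelta(minutes=6), "clean", "deposit_A", 5.0),
]

if __name__ == "__main__":
    for alert in trace_exposure(SAMPLE, {"hacker"}, {"deposit_A"}, threshold=25.0):
        print(alert)
```

In the sample, the 80-unit deposit arrives three hops from the flagged address and carries 40 units of taint after mixing with unrelated funds, so a rule that only checks the direct sender would miss it.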

For compliance teams, this means having continuous monitoring, cross-chain visibility and clear response timelines in place.