May 18, 2026 | Research

What Blockchain Intelligence Firms Actually Do During a Major Exploit


When a major DeFi exploit happens -- a nine-figure theft measured in minutes -- the public sees the aftermath: the protocol team's disclosure, the Twitter/X threads, the falling TVL charts. What the public rarely sees is the operational response that begins within minutes on the other side of the screen, inside blockchain intelligence firms. The work these firms do in the first hours after an exploit often determines whether tens or hundreds of millions of dollars are recovered or lost permanently.

The process is more structured, more technical, and more time-pressured than most people in the crypto space appreciate. It involves real-time on-chain analysis, rapid coordination with dozens of exchanges simultaneously, law enforcement liaison across multiple jurisdictions, and forensic work that continues for months after the initial incident.

This is how it works.

Phase 1: Detection

The detection phase is the starting gun. How a blockchain intelligence firm learns about an exploit determines how quickly the response begins, and speed is the single most important variable in fund recovery.

There are three primary detection channels.

On-chain monitoring alerts. The major chain analytics firms -- Chainalysis, Elliptic, TRM Labs, and others -- operate real-time transaction monitoring systems that flag anomalous activity. These systems watch for patterns including unusual large transfers from known protocol contracts, rapid draining of liquidity pools, and transactions involving addresses that match known attacker patterns. When a monitoring alert fires, an analyst is notified and begins initial triage.

The sensitivity tuning of these systems is a constant balancing act. Too sensitive, and the team is buried in false positives. Too permissive, and genuine attacks are detected late. Major firms report processing thousands of alerts per day across all monitored chains, with dedicated triage teams responsible for separating genuine incidents from normal high-volume activity.
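The three alert signals above and the tuning trade-off can be shown in a small rule evaluator. This is an added illustration, not code from any analytics firm: the contract TVL figures, the tagged attacker address and the outflow events are all constructed, and the thresholds are assumed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample outflow events: (timestamp_s, from_addr, to_addr, amount_usd).
# Every address here is a made-up placeholder, not a real on-chain identifier.
PROTOCOL_TVL_USD = {"0xPOOL_A": 5_000_000.0, "0xPOOL_B": 2_000_000.0}  # monitored contracts
KNOWN_ATTACKER_ADDRS = {"0xBAD_1"}                                        # tagged from a prior case
SAMPLE_EVENTS = [
    (1000, "0xPOOL_A", "0xUSER_1", 20_000.0),     # normal withdrawal
    (1005, "0xPOOL_A", "0xUSER_2", 15_000.0),     # normal withdrawal
    (1100, "0xPOOL_A", "0xNEW_7", 1_200_000.0),   # start of a drain to a fresh address
    (1103, "0xPOOL_A", "0xNEW_7", 1_400_000.0),
    (1106, "0xPOOL_A", "0xNEW_7", 1_100_000.0),
    (1200, "0xPOOL_B", "0xBAD_1", 50_000.0),      # small, but sent to a tagged address
]

@dataclass
class Thresholds:
    large_transfer_usd: float = 500_000.0  # any single outflow at or above this fires
    drain_window_s: int = 60               # sliding window for the rapid-drain signal
    drain_fraction: float = 0.5            # share of TVL leaving inside the window

def evaluate(events, th=None, tvl=PROTOCOL_TVL_USD, attackers=KNOWN_ATTACKER_ADDRS):
    """Return (timestamp, signal, detail) alerts in event order."""
    th = th or Thresholds()
    alerts = []
    window = defaultdict(deque)   # contract -> (ts, amount) pairs inside the window
    drained = defaultdict(float)  # contract -> USD currently inside the window
    for ts, src, dst, amt in sorted(events):
        if src in attackers or dst in attackers:
            alerts.append((ts, "known_attacker_address", dst if dst in attackers else src))
        if src not in tvl:
            continue  # only outflows from monitored protocol contracts matter here
        if amt >= th.large_transfer_usd:
            alerts.append((ts, "large_transfer", f"{src}->{dst} {amt:.0f} USD"))
        q = window[src]
        q.append((ts, amt))
        drained[src] += amt
        while q and ts - q[0][0] > th.drain_window_s:
            drained[src] -= q.popleft()[1]   # expire events that left the window
        if drained[src] >= th.drain_fraction * tvl[src]:
            alerts.append((ts, "rapid_drain", f"{src} {drained[src]:.0f} USD in {th.drain_window_s}s"))
            q.clear()
            drained[src] = 0.0               # one drain episode produces one alert
    return alerts
```

Lowering large_transfer_usd to 10,000 on the same events turns the two ordinary withdrawals into alerts as well, which is the false-positive side of the tuning trade-off.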

Protocol team notification. In many cases, the protocol team detects the attack first -- through their own monitoring, through user reports, or through direct observation of anomalous contract behaviour. The team then contacts their chain analytics provider directly, often through pre-established emergency communication channels. Protocols that have incident response retainers with chain analytics firms get priority routing.

Social media and community signals. Twitter/X, Discord, and Telegram often surface exploit information before formal detection systems trigger. Independent security researchers, MEV bot operators watching mempool activity, and community members monitoring protocol dashboards sometimes identify attacks in real time. Chain analytics firms monitor these channels as supplementary intelligence sources.

The practical implication is that detection latency varies significantly. A protocol with a pre-established relationship with a chain analytics firm and proper monitoring infrastructure might have a response under way within 5-10 minutes of the first malicious transaction. A protocol without these relationships might not get a professional response for hours.

Phase 2: Triage

Once an exploit is detected and confirmed, the triage phase begins. The objective is to establish the basic facts as rapidly as possible: what happened, how much was taken, and where the funds are now.

Identifying the attacker wallets is the first step. Analysts trace the flow of funds from the exploited protocol contracts to the initial receiving addresses. These addresses are flagged and tagged in the firm's proprietary database, creating the seed from which all subsequent tracing expands.

Mapping initial fund flows involves following the attacker's first moves. In most cases, the attacker begins moving stolen funds within minutes -- swapping tokens, bridging to other chains, splitting across multiple wallets. The triage team's goal is to map this initial dispersion quickly enough to inform the notification phase.

Estimating the total loss requires understanding what was taken and its current market value. This is straightforward for stablecoin drains but more complex for exploits involving volatile tokens, LP positions, or synthetic assets that may have moved in value during the attack.

Classifying the attack type helps predict the attacker's likely next moves. An exploit by a sophisticated state-sponsored group (such as the Lazarus Group) will follow different post-exploit patterns than a flash loan governance attack by an opportunistic operator. The classification informs the tracing strategy.

During triage, the chain analytics firm is typically in direct communication with the protocol team, sharing findings in real time. The protocol team provides context that helps analysts understand the attack mechanism -- which contract functions were exploited, what permissions were compromised, and what the expected fund flow should have looked like.

The triage phase for a major exploit typically lasts 30 minutes to two hours, depending on the complexity of the attack and the number of chains involved. For the Drift exploit we recently analysed, the multi-chain fund dispersion began almost immediately, compressing the triage timeline.

Phase 3: Tracing

The tracing phase is the core analytical work, and it continues for days, weeks, or months after the initial incident. The objective is to follow every unit of stolen value from the exploited protocol to its final destination -- whether that is an exchange deposit address, a mixer, a cold storage wallet, or a cross-chain bridge.

Following Cross-Chain Bridges

Cross-chain bridges are the primary challenge in modern exploit tracing. When an attacker bridges funds from Solana to Ethereum, there is no direct on-chain link between the source transaction on Solana and the destination transaction on Ethereum. The chain analytics firm must maintain cross-chain mapping databases that correlate bridge deposits with bridge withdrawals based on timing, amounts, and bridge-specific metadata.

The major firms invest heavily in this capability. Chainalysis and Elliptic both maintain proprietary bridge-mapping systems that cover the major bridges (Wormhole, LayerZero, Stargate, and others). Coverage is not universal, however, and newer or less-used bridges may have limited mapping, creating gaps that sophisticated attackers can exploit.

When an attacker uses multiple sequential bridges -- Solana to Ethereum to Arbitrum to Avalanche, for example -- each hop introduces analytical overhead and potential mapping gaps. The tracing team must reconstruct the complete path, which often requires manual analysis when automated mapping fails.
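The timing-and-amount correlation that bridge mapping relies on, as an added example that is not part of the original article or any firm's tooling. The bridge name, transaction ids, addresses, fee and tolerance are all constructed assumptions; when several withdrawals fit one deposit, the code assigns them first-in-first-out and marks the match ambiguous, which is exactly the case that falls to manual analysis.

```python
# Constructed bridge events; every txid, address and amount is made up for the example.
SOURCE_DEPOSITS = [  # (txid, timestamp_s, depositor, amount, bridge)
    ("sol_tx_1", 1000, "AttackerSolWallet", 250_000.0, "BridgeX"),
    ("sol_tx_2", 1010, "SomeUnrelatedUser", 5_000.0, "BridgeX"),
    ("sol_tx_3", 1020, "AttackerSolWallet", 250_000.0, "BridgeX"),
]
DEST_WITHDRAWALS = [  # (txid, timestamp_s, recipient, amount, bridge)
    ("eth_tx_a", 1240, "0xRecvA", 249_750.0, "BridgeX"),
    ("eth_tx_b", 1250, "0xRecvB", 4_995.0, "BridgeX"),
    ("eth_tx_c", 1260, "0xRecvC", 249_750.0, "BridgeX"),
    ("eth_tx_d", 5000, "0xRecvD", 249_750.0, "BridgeX"),  # outside the delay window
]

def correlate(deposits, withdrawals, max_delay_s=900, fee_bps=10, tolerance_bps=5):
    """Pair each source-chain deposit with a destination-chain withdrawal on the same
    bridge using timing and amount. fee_bps is the assumed bridge fee, tolerance_bps the
    allowed amount mismatch. Returns {deposit_txid: (withdrawal_txid, recipient, confidence)}
    or None when nothing fits. confidence is 'high' for a unique candidate and 'ambiguous'
    when several fit; ambiguous ones are assigned first-in-first-out, an assumption an
    analyst has to verify against bridge-specific metadata."""
    result, used = {}, set()
    for dtx, dts, _, damt, bridge in sorted(deposits, key=lambda d: d[1]):
        expected = damt * (1 - fee_bps / 10_000)
        tol = expected * tolerance_bps / 10_000
        cands = sorted(
            (wts, wtx, who) for wtx, wts, who, wamt, wbridge in withdrawals
            if wbridge == bridge and 0 < wts - dts <= max_delay_s
            and abs(wamt - expected) <= tol
        )
        free = [c for c in cands if c[1] not in used]   # not already claimed by an earlier deposit
        if not free:
            result[dtx] = None
            continue
        _, wtx, who = free[0]
        used.add(wtx)
        result[dtx] = (wtx, who, "high" if len(cands) == 1 else "ambiguous")
    return result
```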

Mixer Interactions

When stolen funds pass through a mixing service, the tracing challenge increases significantly. The purpose of a mixer is to break the deterministic link between input and output addresses. Chain analytics firms use statistical and heuristic techniques to probabilistically link mixer inputs and outputs -- timing correlations, amount analysis, and behavioural patterns of known addresses -- but these techniques are probabilistic rather than deterministic.

The practical impact is that mixer usage introduces uncertainty into the trace. A firm might assess with high confidence that funds exiting a mixer are associated with the exploit, but the confidence level is not 100 percent. This matters for legal proceedings, where the standard of evidence is higher than for exchange freeze requests.

Exchange Deposit Identification

The ultimate tracing goal is identifying when stolen funds arrive at an exchange. Exchange deposits are the primary offramp for stolen crypto -- the point at which digital assets are converted to fiat or stablecoins that can be withdrawn to traditional banking. Chain analytics firms maintain databases of known exchange deposit addresses, which allow them to flag when traced funds arrive at an exchange.

The coverage of these databases is extensive for major exchanges but less complete for smaller or newer platforms. Attackers know this and sometimes target exchanges with weaker compliance infrastructure and less comprehensive chain analytics coverage.
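Expanding the trace forward from the seed addresses identified in triage until it hits a known exchange deposit address (or a mixer, where the deterministic trail ends), as an added example rather than code from the article or any firm. The ledger, the exchange-deposit and mixer lookups, and the exploit transaction id are constructed; the evidence list returned for each deposit is the kind of transaction chain a freeze request is built on.

```python
from collections import deque

# Constructed transfer ledger: (txid, from_addr, to_addr, amount). Every id and
# address is a placeholder invented for this example.
SAMPLE_TRANSFERS = [
    ("tx01", "0xPROTOCOL", "0xATTACKER_SEED", 1000.0),   # the exploit transaction
    ("tx02", "0xATTACKER_SEED", "0xHOP_1", 600.0),
    ("tx03", "0xATTACKER_SEED", "0xHOP_2", 400.0),
    ("tx04", "0xHOP_1", "0xEXCH_DEPOSIT_9", 599.0),
    ("tx05", "0xHOP_2", "0xHOP_3", 399.0),
    ("tx06", "0xHOP_3", "0xMIXER_IN", 398.0),
    ("tx07", "0xUNRELATED", "0xHOP_1", 5.0),             # inbound dust; must not taint 0xUNRELATED
]
KNOWN_EXCHANGE_DEPOSITS = {"0xEXCH_DEPOSIT_9": "ExampleExchange"}  # stand-in for a firm's database
KNOWN_MIXERS = {"0xMIXER_IN"}

def trace(seed, exploit_txid, transfers, max_hops=6):
    """Breadth-first forward expansion from the seed address. Expansion stops at known
    exchange deposit addresses (freeze targets) and at mixers. This is address-level
    taint: an address is tainted once it receives from a tainted one, regardless of amount."""
    by_sender = {}
    for tx in transfers:
        by_sender.setdefault(tx[1], []).append(tx)
    evidence = {seed: [exploit_txid]}      # address -> txids that carried funds to it
    frontier = deque([(seed, 0)])
    deposits, mixer_entries = [], []
    while frontier:
        addr, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for txid, _, dst, amt in by_sender.get(addr, []):
            if dst in evidence:
                continue                   # already reached by a shorter path
            evidence[dst] = evidence[addr] + [txid]
            if dst in KNOWN_EXCHANGE_DEPOSITS:
                deposits.append({"exchange": KNOWN_EXCHANGE_DEPOSITS[dst], "address": dst,
                                 "amount": amt, "evidence": evidence[dst]})
            elif dst in KNOWN_MIXERS:
                mixer_entries.append({"address": dst, "amount": amt, "evidence": evidence[dst]})
            else:
                frontier.append((dst, hops + 1))
    return {"deposits": deposits, "mixer_entries": mixer_entries, "tainted": set(evidence)}
```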

Counter-Forensic Techniques

Sophisticated attackers use counter-forensic techniques: address poisoning (sending small amounts to many addresses to create false trails), decoy transactions mimicking exchange deposit patterns, and dust attacks against the protocol's own addresses. Experienced analysts recognise these techniques, but they still consume time -- which is the attacker's objective.

Phase 4: Notification

Notification runs in parallel with tracing, beginning as soon as exchange deposits are identified.

Exchange contact networks. Major chain analytics firms maintain direct relationships with compliance teams at hundreds of exchanges globally, established through commercial contracts and industry working groups.

Freeze requests include the on-chain evidence: the exploit transaction, traced fund flow, exchange deposit transactions, and associated wallet addresses. The speed of processing varies enormously -- from minutes at exchanges with mature compliance operations to days at those with limited staff.

Law enforcement coordination happens in parallel. Agencies like the FBI's virtual asset unit and Europol's cybercrime centre can issue formal freeze orders carrying legal weight.

As tracked in our Exchange Watch coverage, the quality of exchange compliance response to freeze requests is one of the factors we consider in exchange risk assessment.

Phase 5: Recovery

Fund recovery is the most uncertain phase and can take months or years.

Negotiation is common. On-chain messaging to attacker wallets typically opens with a "white hat" bounty offer of 10-15 percent for return of the remainder. The Euler Finance recovery in 2023 (substantially all of USD 197 million returned) is the benchmark success case.

Legal action follows when negotiation fails -- court orders directing exchanges to surrender frozen funds, civil litigation, and asset recovery proceedings. The legal infrastructure for crypto recovery has improved significantly since 2022 but remains slow.

Insurance claims through providers like Nexus Mutual or InsurAce add another recovery dimension for covered protocols.

The First 24 Hours: Why They Matter

The data from major DeFi exploits consistently shows that the first 24 hours are disproportionately important for fund recovery. Exchange processing delays (24-72 hours for new accounts) create a window where funds can be frozen before withdrawal. Even sophisticated attackers face operational constraints in dispersing hundreds of millions quickly. And not all exchange compliance teams operate 24/7, so the timing of freeze requests matters.

Across major DeFi exploits from 2022 to early 2026, approximately 70 percent of all frozen funds were frozen within the first 48 hours. After that window, the marginal recovery rate drops sharply.

The Key Firms

Several firms dominate the space. Chainalysis is the largest by revenue, with its Reactor investigation tool as the industry standard for fund tracing and the most extensive exchange relationship network. Elliptic has invested heavily in cross-chain analytics and bridge-tracing capabilities. TRM Labs focuses on compliance-oriented analytics with strong mid-tier exchange relationships. ZachXBT operates as an independent on-chain investigator funded by community donations, often identifying exploits and tracing funds faster than the commercial firms.

These firms often work in parallel during major incidents, and their findings are sometimes complementary.

Success Rates and Limitations

Across the 20 largest DeFi exploits by dollar value from 2022 through Q1 2026, the median recovery rate is approximately 22 percent of stolen funds. The range is wide -- from 0 percent to over 90 percent. The factors that most strongly predict recovery are speed of detection, attacker sophistication, exchange cooperation, and paradoxically the amount stolen (larger thefts are sometimes easier to partially recover because the attacker cannot move the full amount quickly enough).

The limitations are real. Chain analytics cannot trace funds through every possible channel. Some exchanges do not cooperate with freeze requests. And the legal infrastructure for cross-border crypto asset recovery, while improving, remains fragmented.

What Protocols Should Do Before an Exploit

Preparation determines outcomes. Protocols that recover more funds have pre-established chain analytics retainers with emergency contact procedures, pre-drafted exchange freeze request templates, relationships with law enforcement agencies that have crypto-competent investigators, documented incident response playbooks, and exploit insurance where economically viable.

The Research section of our coverage includes ongoing analysis of how protocol security practices affect exploit outcomes.

Frequently Asked Questions

How quickly do blockchain intelligence firms respond to a major exploit?

For protocols with pre-established retainer relationships, the initial response typically begins within 5-15 minutes of notification. The triage phase -- identifying attacker wallets, estimating losses, and mapping initial fund flows -- usually takes 30 minutes to two hours. Exchange notifications can begin as soon as the first exchange deposits are identified, which may be within an hour of the exploit for attackers who move funds quickly. Without a pre-established relationship, response times can be significantly longer.

What percentage of stolen DeFi funds are typically recovered?

The median recovery rate across major DeFi exploits from 2022 to Q1 2026 is approximately 22 percent. However, this varies enormously by case -- from 0 percent to over 90 percent. The most important factors are the speed of response, the attacker's sophistication, and the cooperation of exchanges where stolen funds are deposited. Negotiated returns (where the attacker accepts a bounty in exchange for returning most of the funds) account for the majority of high-recovery cases.

Can blockchain intelligence firms trace funds through mixers?

Partially. Chain analytics firms use statistical and heuristic techniques -- timing correlations, amount matching, and behavioural analysis -- to probabilistically link mixer inputs and outputs. These techniques can identify likely links with varying degrees of confidence, but they are not deterministic. A skilled attacker who uses mixers with proper technique (randomised timing, varied amounts, multiple mixing rounds) can significantly reduce the confidence of tracing analysis.

What role does law enforcement play in exploit response?

Law enforcement provides legal authority that chain analytics firms and protocol teams lack. This includes the ability to issue formal freeze orders to exchanges, subpoena exchange records to identify account holders, coordinate international enforcement through MLAT (Mutual Legal Assistance Treaty) requests, and pursue criminal prosecution that can lead to fund seizure and return. The effectiveness varies significantly by jurisdiction -- some agencies have dedicated crypto investigation units with strong capabilities, while others lack the technical expertise to handle crypto cases.

Why do some protocols offer bounties to attackers?

The pragmatic calculation is that a 10-15 percent bounty payment that results in the return of 85-90 percent of stolen funds is a better outcome than a lengthy, uncertain legal process that may recover nothing. The bounty approach works when the attacker is motivated by financial gain rather than ideology, when the attacker is uncertain about their anonymity, and when the protocol can credibly communicate that identification efforts are underway. Not all attackers accept bounties, and some exploits are conducted by state-sponsored groups that have no interest in negotiation.
