A hacker who stole $27.3 million from a compromised multisignature wallet has now laundered nearly $19.4 million worth of Ether through Tornado Cash, while still controlling an open leveraged position on Aave.
Key Takeaways
- The attacker stole $27.3 million in crypto by gaining access to a Gnosis Safe multisignature wallet in December.
- Over 6,300 ETH has been laundered through Tornado Cash, with the latest 1,000 ETH withdrawn from a leveraged position on Aave.
- PeckShield linked the exploit to a broader scam campaign, including “pig-butchering” tactics and other exploits active across Ethereum and TRON.
- The hacker’s position on Aave remains open, holding $20.5 million in ETH against $10.7 million in DAI, creating a volatile exposure.
What Happened?
Blockchain security firm PeckShield reported that a hacker used stolen keys to access a multisignature wallet and steal over $27 million. Since the December breach, the attacker has laundered a growing portion of those funds using Tornado Cash. The latest withdrawal of 1,000 ETH brings the total to over 6,300 ETH laundered.
The wallet, which is not linked to Aave itself but appears to belong to a private whale, is still active and holds a leveraged long position that increases risk if crypto markets shift sharply.
#PeckShieldAlert The multisig drainer who stole $27.3M from a compromised wallet has withdrawn 1K $ETH ($3.24M) from #Aave and laundered it via #TornadoCash.
They have deposited a total of 6,300 $ETH ($19.4M) to #TornadoCash so far
The drainer, who controls the compromised…
— PeckShieldAlert (@PeckShieldAlert) January 6, 2026
Hacker Uses Tornado Cash for Gradual Laundering
The hacker’s methodical approach is turning heads in the crypto security space. Instead of closing the leveraged position on Aave all at once, they are slowly unwinding it.
- The initial theft occurred in December 2025 after the wallet’s private keys were compromised.
- The hacker maintains a long position on Aave, with $20.5 million in ETH collateral and $10.7 million in borrowed DAI.
- By withdrawing portions of collateral and routing them through Tornado Cash, the attacker avoids triggering liquidation events.
PeckShield first flagged the exploit publicly on December 18, noting that 4,100 ETH had already been laundered by that point. Now, with 6,300 ETH processed, the attacker shows no signs of stopping.
More Exploits Tied to the Same Period
This incident occurred amid a broader wave of crypto security breaches, including several within 24 hours of the multisig hack. PeckShield and CertiK identified other wallets involved in laundering stolen assets:
- Wallet 0xB8b4…3714 was caught laundering 2,479.1 ETH (about $7.9 million) via Tornado Cash, with funds initially bridged from TRON.
- The funds appear linked to a “pig-butchering” scam, a social engineering attack that lures victims through fake relationships before stealing crypto assets.
- Another hack targeting TMXTribe drained $1.4 million via a looping smart contract exploit involving USDT, USDG, WETH, and wrapped SOL.
- A separate UXLink exploit also saw 248 wrapped Bitcoin swapped for 23 million DAI, continuing the trend of high-value DeFi vulnerabilities.
Risks Continue for Victims and Crypto Users
So far, no recovery effort has been made public, and the identity of the compromised wallet’s owner remains unknown. Onchain data continues to show the attacker interacting with Aave and Tornado Cash contracts.
This latest exploit joins a long list of high-value hacks that plagued 2025. According to Chainalysis, the 10 biggest hacks last year totaled $2.2 billion in losses, with this multisig breach falling just below the largest incidents, such as those involving Bybit and GMX.
A January 5 disclosure from Ledger, in which customer data was exposed through a breach at a third-party payment processor, added to the broader threat environment. Although no crypto assets were lost in that incident, the risk of phishing and scams increased significantly.
CoinLaw’s Takeaway
In my experience, this kind of slow-drain strategy is a red flag that the hacker knows exactly how DeFi systems work. They are not just hitting and running. Instead, they are playing a calculated game, unwinding positions and hiding traces with precision. This incident should be a wake-up call to anyone using multisig wallets or complex DeFi structures. If a private whale can lose millions this easily, it’s a reminder that personal key security is still the weakest link in the crypto chain.