CoinLaw

Bringing Crypto & Finance Closer to You

Subscribe To Our Newsletter

Hacker Launders $19M in ETH After $27M Multisig Wallet Heist

Updated on: January 6, 2026
As Featured In
FortuneYahoo! FinanceCoinDeskSeeking AlphaCoin Market Cap

A hacker who stole $27.3 million from a compromised multisignature wallet has now laundered nearly $19.4 million worth of Ether through Tornado Cash, while still controlling an open leveraged position on Aave.

Key Takeaways

  • The attacker stole $27.3 million in crypto by gaining access to a Gnosis Safe multisignature wallet in December.
  • Over 6,300 ETH has been laundered through Tornado Cash, with the latest 1,000 ETH withdrawn from a leveraged position on Aave.
  • PeckShield linked the exploit to a broader scam campaign, including “pig-butchering” tactics and other exploits active across Ethereum and TRON.
  • The hacker’s position on Aave remains open, holding $20.5 million in ETH against $10.7 million in DAI, creating a volatile exposure.

What Happened?

security firm PeckShield reported that a hacker used stolen keys to access a multisignature wallet and steal over $27 million. Since the December breach, the attacker has laundered a growing portion of those funds using Tornado Cash. The latest withdrawal of 1,000 ETH brings the total to over 6,300 ETH laundered.

The wallet, which is not linked to Aave itself but appears to belong to a private whale, is still active and holds a leveraged long position that increases risk if crypto markets shift sharply.

Hacker Uses Tornado Cash for Gradual Laundering

The hacker’s methodical approach is turning heads in the crypto security space. Instead of closing the leveraged position on Aave all at once, they are slowly unwinding it.

  • Initial theft occurred in December 2025 after the wallet’s private keys were compromised.
  • The hacker maintains a long position on Aave, with $20.5 million in ETH collateral and $10.7 million in borrowed DAI.
  • By withdrawing portions of collateral and routing them through Tornado Cash, the attacker avoids triggering liquidation events.

PeckShield first flagged the exploit publicly on December 18, noting that 4,100 ETH had already been laundered by that point. Now, with 6,300 ETH processed, the attacker shows no signs of stopping.

More Exploits Tied to the Same Period

This incident occurred amid a broader wave of crypto security breaches, including several within 24 hours of the multisig hack. PeckShield and CertiK identified other wallets involved in laundering stolen assets:

  • Wallet 0xB8b4…3714 was caught laundering 2,479.1 ETH (about $7.9 million) via Tornado Cash, with funds initially bridged from TRON.
  • The funds appear linked to a pig-butchering” scam, a social engineering attack that lures victims through fake relationships before stealing crypto assets.
  • Another hack targeting TMXTribe drained $1.4 million via a looping smart contract exploit involving USDT, USDG, WETH, and wrapped SOL.
  • A separate UXLink exploit also saw 248 wrapped Bitcoin swapped for 23 million DAI, continuing the trend of high-value DeFi vulnerabilities.
Newsletter Img
Don't chase the news. Let us curate it.

You get one weekly briefing with only the stories that matter. If the market is quiet, we skip it.

Risks Continue for Victims and Crypto Users

So far, no recovery effort has been made public, and the identity of the compromised wallet’s owner remains unknown. Onchain data continues to show the attacker interacting with Aave and Tornado Cash contracts.

This latest exploit joins a long list of high-value hacks that plagued 2025. According to Chainalysis, the 10 biggest hacks last year totaled $2.2 billion in losses, with this multisig breach falling just below the largest incidents, such as those involving Bybit and GMX.

The broader threat environment was also amplified by a January 5 disclosure from Ledger, where customer data was exposed via a third-party payment processor breach. Although no crypto assets were lost in that incident, the risk of phishing and scams increased significantly.

CoinLaw’s Takeaway

In my experience, this kind of slow-drain strategy is a red flag that the hacker knows exactly how DeFi systems work. They are not just hitting and running. Instead, they are playing a calculated game, unwinding positions and hiding traces with precision. This incident should be a wake-up call to anyone using multisig wallets or complex DeFi structures. If a private whale can lose millions this easily, it’s a reminder that personal key security is still the weakest link in the crypto chain.

Add CoinLaw as a Preferred Source on Google for instant updates! Follow on Google News
Kathleen Kinder

Kathleen Kinder

Senior Editor

Kathleen Kinder brings over 11 years of experience in the research industry, with deep expertise in finance, cryptocurrency, and insurance. At CoinLaw, she writes timely, reader-focused news articles and also serves as a senior editorial reviewer. Drawing on her background in B2B research, consumer insights, and executive interviews, she ensures every piece delivers clarity, accuracy, and real-world relevance.

Disclaimer: The content published on CoinLaw is intended solely for informational and educational purposes. It does not constitute financial, legal, or investment advice, nor does it reflect the views or recommendations of CoinLaw regarding the buying, selling, or holding of any assets. All investments carry risk, and you should conduct your own research or consult with a qualified advisor before making any financial decisions. You use the information on this website entirely at your own risk.

Related Posts

Reader Interactions

Leave a Comment

Company
Discover
Categories
Cryptocurrency
Payments
Finance
Banking
Insurance
Categories
Cryptocurrency
Investments
Compliance
Fintech
Finance