A hacker has stolen about $27.3 million in digital assets by exploiting a multi-signature wallet setup intended to add extra protection for large on-chain holdings.
According to PeckShieldAlert, on-chain data shows the attacker first unwound a leveraged position on Aave, releasing 1,000 ether that had been posted as collateral. The withdrawal signaled a shift from using decentralized finance infrastructure as a parking space to aggressively cycling funds into harder-to-trace channels.
Soon after the withdrawal, the hacker started splitting the 1,000 ether into smaller transactions sent to Tornado Cash. The platform pools deposits before transferring them to different addresses. The pattern resembles strategies used in earlier attacks, where mixers play a crucial role in separating stolen funds from their original source.
How Mixers Like Tornado Cash Obscure Fund Flows
Attackers commonly deposit stolen funds on Aave to generate income or manage exposure while investigations are ongoing.
Aave lets users borrow and lend cryptocurrency assets against collateral. By closing the position, the hacker signaled a switch from passive holding to active laundering.
Tornado Cash has long been a preferred obfuscation tool because it breaks the direct transaction link between sender and recipient, even though every transaction remains publicly visible on Ethereum.
Authorities in several jurisdictions have sanctioned the protocol’s use in certain contexts, citing its role in laundering proceeds from major hacks.
Obstacles Facing Investigators and Compliance Teams
The hacker’s shift to Tornado Cash complicates recovery efforts, since individual withdrawals are sent to new addresses that lack an obvious connection to the compromised wallet. Investigators must now rely more heavily on pattern analysis, timing correlations, and potential slip-ups when the attacker interacts with centralized venues.
Exchanges and compliance teams are likely stepping up monitoring of deposits that mimic the volume and timing of Tornado Cash withdrawals associated with the 1,000 ether batch. Any attempt by the hacker to use regulated platforms to convert significant amounts into fiat or stablecoins may still result in freezes or referrals to criminal authorities.
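The volume-and-timing monitoring described above can be expressed as a simple triage rule. The following Python is an added example, not code from PeckShield or any exchange. All addresses, timestamps and amounts are constructed, and the 24-hour window and 2% fee tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime
    address: str       # recipient of a mixer withdrawal, or sender of an exchange deposit
    amount_eth: float

def near(amount, target, tolerance):
    """True if amount equals target less at most `tolerance` (a fraction) for fees and gas."""
    return target * (1 - tolerance) <= amount <= target

def flag_deposits(withdrawals, deposits, window=timedelta(hours=24), tolerance=0.02):
    """Return (deposit, reason) pairs for deposits that correlate with mixer withdrawals."""
    alerts = []
    for dep in deposits:
        # Only withdrawals that completed within `window` before the deposit count.
        recent = [w for w in withdrawals if timedelta(0) <= dep.ts - w.ts <= window]
        if not recent:
            continue
        if any(w.address == dep.address for w in recent):
            alerts.append((dep, "address received mixer withdrawal"))
        elif any(near(dep.amount_eth, w.amount_eth, tolerance) for w in recent):
            alerts.append((dep, "amount and timing match one withdrawal"))
        elif near(dep.amount_eth, sum(w.amount_eth for w in recent), tolerance):
            alerts.append((dep, "amount and timing match combined withdrawals"))
    return alerts

# Constructed sample data (hypothetical addresses and values).
T0 = datetime(2024, 1, 1, 12, 0)
WITHDRAWALS = [
    Transfer(T0, "0xA1", 100.0),
    Transfer(T0 + timedelta(hours=1), "0xA2", 100.0),
    Transfer(T0 + timedelta(hours=2), "0xA3", 100.0),
]
DEPOSITS = [
    Transfer(T0 + timedelta(hours=3), "0xA2", 40.0),    # sender is a withdrawal recipient
    Transfer(T0 + timedelta(hours=4), "0xD4", 12.5),    # unrelated amount
    Transfer(T0 + timedelta(hours=5), "0xB7", 99.6),    # one withdrawal minus fees
    Transfer(T0 + timedelta(hours=6), "0xC9", 298.9),   # all three withdrawals combined
    Transfer(T0 + timedelta(days=3), "0xE5", 100.0),    # right amount, outside the window
]
```

Amount-only matches are weak signals and will catch unrelated deposits, so they serve as leads for analyst review, while the address match is the strongest of the three.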