Crypto theft returns with real-world tactics to target known wallet holder

In this post:

  • Crypto theft after a physical attack led to the loss of $24M for user Sillytuna.
  • The funds are stored at known addresses and have not yet been sent for mixing.
  • The Wagyu bridge did not freeze funds; it only blacklisted the originating wallets.

Crypto holder Sillytuna reported a large-scale theft of crypto from his personal wallets following a physical attack. The incident did not rely on the usual exploits, but revealed the growing danger for known crypto owners.

Crypto holder Sillytuna lost over $24M in stablecoins following a physical attack and threats. The funds were diverted from personal wallets and may be laundered soon. The attack is part of an earlier trend where crypto holders are directly targeted, either for their public KOL identities or through other means of gathering information.

Crypto holder and trader Sillytuna has been involved in DeFi and has mainly lost AUSD on Aave. Other researchers and trackers were alerted, in addition to law enforcement. 

The crypto community and investigators are still making calls to freeze funds where possible, even if they are redirected through decentralized protocols. 

The theft came just as crypto exploits fell to a one-year low in February, taking away just $37.7M for the entire month. At this point, personal wallet thefts may be more efficient than attacking niche smart contracts.

On-chain researchers seek to intercept theft

Hours after the theft, around $20M in DAI was stored in two Ethereum addresses. DAI is widely used as a token that can be easily mixed through Tornado Cash. Soon after the exploit, the destination wallets started moving funds, splitting the available BTC across multiple addresses. While protocols can blacklist some wallets, some DeFi app teams do not respond to such calls, leaving exploiters to launder funds.

Another $1.1M in BTC is sitting in a single address. The exploiter also used the Wagyu bridge to move funds to Arbitrum. Calls have been made to Hyperliquid to freeze funds from blacklisted addresses, so far with an unknown outcome. 

So far, only the creator of the Wagyu bridge has responded, stating the bridge will never freeze funds, but can blacklist addresses similar to Railgun. 

This time, the exploiters have not followed the usual script of quickly swapping or moving funds. Only a limited amount of funds went through Wagyu before the transactions stopped. 

Most of the stolen DAI still sits in the initial known addresses. Unlike DPRK exploits, the funds may be laundered more slowly over time. In general, DAI has never been frozen or censored, although it’s not accepted by centralized exchanges. Once again, DeFi and on-chain swaps may be a way to launder and partially disguise the funds.

Sillytuna offers 10% bounty to return funds

Sillytuna has offered a 10% reward for any returned funds, even from the exploiters themselves. Researchers are also trying to distribute the addresses to multiple protocols in a bid to intercept funds. 

For now, Sillytuna has not spoken of the identities of the thieves, mostly focusing on blockchain data to track the funds. Other investigators noted that the destination addresses were linked to a known scammer wallet. The original wallet, with its special address starting with 0xbeef, has been known in previous exploits, rug pulls, and malicious contract deployments. 

The individual case showed that the crypto community had significant skill in tracking funds on an ad hoc basis, but could become overwhelmed in intercepting all transactions. There were also no clear rules on blacklisting and freezing funds, as all protocols operated on different rules.
