$27.3M multisig crypto wallet hacker begins liquidating funds via Tornado Cash

The perpetrator behind the December 18 $27.3 million cryptocurrency theft has withdrawn 1,000 ETH worth $3.24 million from the DeFi platform Aave and laundered it through Tornado Cash.

According to PeckShield, the attacker has now funneled up to 6,300 ETH, valued at $19.4 million, through Tornado Cash since the initial breach.

PeckShield wrote on X, “The drainer, who controls the compromised multisig, holds a $9.75M leveraged long position ($20.5M in ETH against $10.7M in DAI).”

Pig-butchering scam emerges in money trail

Another incident involving laundering and the use of Tornado Cash has caught the eye of on-chain monitors.

On-chain analyst Specter notified the public on X, stating, “A wallet bridged $7M to Ethereum from multiple wallets on the TRON blockchain. Tracing the funds suggests they originate from a crypto investment pig-butchering scam.”

PeckShield also corroborated the story with on-chain data, uncovering a laundering operation that is related to pig butchering.

PeckShield analysis indicated that one address alone had processed 2,479.1 ETH worth $7.9 million through Tornado Cash, with funds traced back to multiple Tron wallets before being bridged to Ethereum.

The attacker’s methodical approach involves depositing funds in 100 ETH batches into Tornado Cash, which severs the blockchain links between deposits and withdrawals, making recovery efforts more difficult.

Another incident highlighted by PeckShield the same day was the one where a “UXLink exploiter labeled address has swapped 248 $WBTC for 23M $DAI within the last hour.”

The on-chain security firm added that “This follows the Sept. 22 hack, where the attacker minted billions of unauthorized tokens and drained tens of millions in crypto assets.”

Crypto industry grapples with losses

The December theft forms part of an increasing pattern of crypto breaches that saw over $117.8 million lost to exploits, according to industry data. In November 2025, around $127 million was lost, with about $45 million frozen or recovered from that loot, according to data from cybersecurity firm Certik.

December saw several significant incidents, including a $50 million address poisoning attack and the exploit of Trust Wallet’s browser extension that saw losses run up to over $8.5 million.

A recent Chainalysis report pointed out that the top ten cryptocurrency hacks of 2025 resulted in a combined loss that exceeded $2.2 billion of the $3.4 billion that was stolen in the crypto industry. The report came out before the Trust Wallet exploit later in December.

The December breach ranks among the year’s most significant private key compromises, a category of attack that security experts consider devastating due to the complete control it grants perpetrators.

Phishing and wallet compromises ranked first and second by category in terms of the amount lost to breaches in December. Despite ongoing monitoring by blockchain security firms, no recovery efforts have been announced.

The attacker’s leveraged position on Aave presents more challenges to an already complicated issue, as liquidation of the collateral could trigger market movements. However, it will also provide opportunities for tracking if the perpetrator attempts to extract value.