Best crypto insights delivered straight to your inbox.
- A dormant hacker linked to the 2022 Voltage Finance exploit has moved $182K in ETH through Tornado Cash after 166 days of inactivity.
- Voltage Finance suffered a second exploit in March 2025, with over $320K drained from its staking pools via a compromised proxy contract.
- Crypto-related hacks in 2025 have already hit $1.74B, surpassing last year’s record, with major incidents involving UPCX, KiloEx, and others.
A hacker tied to the 2022 exploit of Voltage Finance, a decentralized lending protocol built on the Fuse network, has moved a significant portion of the stolen funds after months of inactivity. Blockchain security firm CertiK revealed on May 6 that the hacker transferred 100 Ether, valued at approximately $182,783, through crypto mixing service Tornado Cash.
According to CertiK’s investigation, the wallet address used in the transaction was inactive for 166 days, with no movement since November. The address is linked to the original exploit and can be traced to earlier activity involving the hacker.
Our alerting system has detected @TornadoCash
deposits of 100 ETH from 0xCF4823dA7271fdedBe103500d8E197Bdca224B6d.The fund traces to ~$4M Voltage Finance
exploit on Fuse back in March 2022.Stay Vigilant! pic.twitter.com/eyqH1HbN3F
— CertiK Alert (@CertiKAlert) May 6, 2025
The blockchain security firm also explained that the hacker used Tornado Cash, which was sanctioned by the US Treasury in 2022 for facilitating money laundering, to obscure blockchain transactions and prevent investigators from tracing the fund movements.
Voltage Finance original 2022 exploit
Voltage was hacked on March 31, 2022, and the hacker made away with an estimated $4.67 million in digital tokens. They reportedly took advantage of a vulnerability in a token standard, ERC677, through a built-in callback function. The function allowed them to execute a reentrancy attack to successfully drain funds from the platform’s lending pool.
In the initial phase of the attack, the culprit used a flash loan of 515 Wrapped Ether (WETH) from the WETH-WBTC pair on Voltage Finance to initiate the exploit.
Voltage Finance operates as a decentralized protocol enabling automated token trading on the Fuse network. The attacker exploited this infrastructure by manipulating the platform’s smart contracts using wrapped tokens and flash loans.
Ola Finance, the multi-protocol network that supports Voltage, issued a post-mortem two days after the incident that showed the exploit was specific to its Fuse deployment. The developers stated that similar attacks would not affect other lending networks under Ola’s ecosystem.
In total, the attacker siphoned off 216,964.18 USDC, 507,216.68 BUSD, 200,000 fUSD, 550.45 Wrapped Ether (wETH), 26.25 Wrapped Bitcoin (wBTC), and 1,240,000 FUSE tokens.
“In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen,” Ola stated in its report.
Another exploit hits in March 2025
Voltage Finance was hit again in a separate exploit on March 18 this year, involving its Simple Staking pools. This time, the unauthorized withdrawal led to the theft of $171,027.20 in USDCE and $151,085.87 in wETH. The platform paused activities on the pool to stop the fund drainage, and said it was “working urgently to identify the hacker.”
According to a March 20 Medium report from Voltage Finance, the attack began when a second unknown party, referred to as Attacker 2, withdrew ETH from crypto exchange HTX. Attacker 2 transferred the stolen assets to Attacker 1, who used the money to purchase FUSE tokens via ChangeNow, bridged to the network through LayerZero.
From there, the stolen assets were bridged back to Ethereum and moved through several wallets and transactions.The funds were then passed from Attacker 1 to Attacker 3, who received additional funds via SimpleSwap.
Attacker 3 deposited some of the tokens into the KuCoin exchange, but swapped and withdrew others back to the first hacker to complete the laundering loop.
“Since your transactions passed through KuCoin, we have initiated cooperation to identify you. We prefer resolving this situation peacefully. We’re offering a bounty of $50K upon the return of all funds,” Voltage Finance said to the hacker in its X post.
According to a recent report by blockchain security firm Immunefi, losses from crypto-related hacks and exploits have reached $1.74 billion so far this year, already surpassing the $1.49 billion total recorded in all of 2024. The 2025 year-to-date total is a nearly fourfold increase from the $420 million reported during the same period in 2024.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Florence Muchai
Florence has been covering for the past 6 years crypto, gaming, tech, and AI news. Her Computer Studies at Meru University of Science and Technology and Disaster Management and International Diplomacy at MMUST amply equip her with language, observation and technical skills. Florence has worked at VAP Group and as an editor for several crypto media houses.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)