CertiK has flagged fresh on-chain movement linked to the $282 million compromise that occurred on January 10, with a portion of the stolen funds now actively flowing through Tornado Cash.
According to CertiK’s tracking, approximately $63 million has already been set in motion as the attackers begin laundering operations.
How the Funds Are Moving
On-chain data shows the process unfolding in clear stages:
- •The attacker first consolidated large balances in Bitcoin and Litecoin wallets, including more than 1,100 BTC and 2.05 million LTC.
- •Roughly 686 BTC was then bridged to Ethereum via ThorSwap, converting into 19,632 ETH.
- •From there, the ETH was distributed across multiple Ethereum wallets, with repeated 400 ETH transfers, a pattern commonly associated with obfuscation.
- •The flow ultimately leads into Tornado Cash, signaling the start of active fund anonymization.
Why This Matters
The use of Tornado Cash strongly suggests an attempt to break transaction traceability, reducing the likelihood of recovery. The decision to bridge assets cross-chain before mixing further complicates forensic efforts, as it fragments liquidity and introduces multiple protocol layers.
While only $63 million has moved so far, the broader $282 million pool remains at risk of entering similar laundering paths if not intercepted.
For now, CertiK continues to monitor the wallets involved, as any acceleration in mixer deposits could indicate the attackers are preparing to fully exit the remaining funds.