Approximately $63 million in Tornado Cash deposits has been linked to the $282 million cryptocurrency wallet compromise that occurred on January 10. Blockchain security firm CertiK stated in a Monday X post that its monitoring systems identified Tornado Cash interactions tied to the exploit. This update expands on the post-theft money laundering mechanics of the January 10 incident, which is being tracked by multiple crypto investigators due to the significant amount lost and the speed at which funds were moved.

CertiK Diagram Maps the Laundering Path
According to CertiK's analysis, a portion of the stolen Bitcoin (BTC) was bridged to Ethereum, converted into Ether, and then split across several addresses. CertiK's findings indicate that at least 686 BTC was bridged to Ethereum using a cross-chain swap, resulting in 19,600 ETH being received by a single Ethereum address. The funds were then split across multiple wallets, with several hundred ETH sent onward from each address before entering Tornado Cash, a privacy-focused mixing protocol. The $63 million figure represents only a portion of the total amount lost. However, the fund movement demonstrates how the attacker is working to obscure the trail after the initial cross-chain transfers during the exploit.

Recovery Chances Drop to "Near Zero" After Entering Mixers
The fund movements observed in the January 10 compromise reflect an established laundering playbook, according to Marwan Hachem, CEO of blockchain security firm FearsOff. "This flow follows the classic large-scale laundering playbook pretty closely, especially for cross-chain thefts involving BTC and LTC," Hachem told Cointelegraph. He explained that the use of THORswap for Bitcoin-to-Ether conversions and the subsequent breakdown of funds into roughly 400 ETH chunks before entering the mixer were "textbook," as these actions help reduce attention and make post-mixing recovery significantly harder. "Tornado Cash is a major kill switch for traceability," he stated, adding that recovery chances "drop to near zero" in most cases after funds enter a mixer. According to Hachem, mitigation options after mixer deposits are limited and increasingly unreliable.

Social Engineering Attack Leads to Seed Phrase Compromise
As previously reported, the January 10 theft was traced to a social engineering attack that tricked the victim into revealing a seed phrase. Blockchain investigator ZachXBT stated that the attacker impersonated wallet support staff, thereby gaining full control over the victim's holdings. The compromised wallet held approximately 1,459 BTC and over 2 million Litecoin (LTC). Portions of the stolen assets were also swapped into privacy-focused digital assets. Security firm ZeroShadow previously reported that about $700,000 of the stolen funds were flagged and frozen early in the laundering process, although the vast majority of the assets moved out of reach.

