Tornado Cash flows tied to major wallet compromise, CertiK update says

Deposits into Tornado Cash appear linked to a major wallet drain, with some stolen bitcoin moved via bridges to Ethereum and fragmented into smaller transfers before mixing.

CertiK said blockchain monitoring tied the mixer activity to post-theft movements from the incident, which investigators have tracked because of the size of the loss and the speed of transfers across networks. The firm’s diagram shows at least 686 BTC bridged to Ethereum, resulting in 19,600 ETH at one address that then split funds across multiple wallets prior to Tornado Cash deposits.

According to the report, flows followed a familiar playbook for cross-chain laundering. The conversion path included BTC-to-ETH swaps and subsequent breakdowns into several hundred-ETH tranches, a pattern intended to lower on-chain visibility before mixing. CertiK’s figures indicate that the $63 million routed into Tornado Cash accounts for only a portion of the funds lost, but illustrates the obfuscation steps the attacker took after initial transfers.

Marwan Hachem, CEO of security firm FearsOff, described the path as “textbook” for large-scale thefts, noting the use of THORswap for conversions and the practice of distributing roughly 400-ETH chunks ahead of deposits. He added that once assets enter a mixer like Tornado Cash, recovery odds “drop to near zero,” leaving few reliable mitigation options.

The Jan. 10, 2026 breach began with social engineering: the victim disclosed a seed phrase to someone posing as wallet support, giving the thief full control of holdings that included about 1,459 BTC and more than 2 million LTC. Investigators said portions of the haul were also swapped into privacy-focused coins, while security firm ZeroShadow flagged and helped freeze about $700,000 early in the flow.

The fresh mapping shows that the attacker shifted value across chains before mixing, complicating attribution and asset recovery as the case enters a phase where, experts say, the trace often goes cold.
