
Crypto Whale Suffers $38 Million Loss in Multisig Breach
A significant loss for a prominent crypto investor due to key compromise leading to wallet manipulation.
A prominent crypto investor has recently lost approximately $38 million after an unauthorized party exploited a multisig wallet and drained its contents earlier today.
The incident has drawn significant attention because the attacker not only used Tornado Cash to move the stolen assets but also retained control of a leveraged DeFi position linked to the compromised wallet.
Wallet Compromised After Key Exposure
Blockchain security firm PeckShield reported on X (formerly Twitter) that the wallet of a whale was emptied following the exposure of a private key, initially causing losses amounting to around $27.3 million. However, subsequent on-chain investigations revealed that the total losses neared $38 million when considering related wallets and asset positions.
As per the report from PeckShield, the hacker managed to transfer 4,100 ETH, equating to about $12.6 million, via Tornado Cash in what appears to be an attempt to cover their tracks. Approximately $2 million in liquid assets remains accessible, but more troubling is the fact that the attacker still controls the victim’s address, which has a leveraged long position on Aave, showing around $25 million in supplied ETH collateral against over $12 million in borrowed DAI.
On-chain analyst Specter shared a comprehensive timeline on X, indicating that the victim had established a 1-of-1 multisig wallet, which required only one signature from a single signer to authorize transactions. This arrangement defeats the central purpose of a multisig setup, which is to demand multiple independent approvals.
Roughly 40 minutes after the funds were transferred into the wallet, a large outflow drained all of its tokens, and at the same time the signer was changed to an attacker-controlled address.
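The two warning signs in that timeline, a signing policy with no independent approval and a drain plus signer change shortly after funding, can be checked mechanically. The following is an added example, not code from the article, PeckShield or Specter; the event format, finding names, addresses and 60-minute window are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    minute: int   # minutes since wallet creation (constructed timeline)
    kind: str     # "setup" | "deposit" | "transfer_out" | "owner_changed"
    detail: dict = field(default_factory=dict)

def audit_multisig(events, min_threshold=2, window_min=60):
    """Return finding codes for one wallet's event timeline."""
    findings, owners, last_deposit = [], set(), None
    for ev in sorted(events, key=lambda e: e.minute):
        recent = last_deposit is not None and ev.minute - last_deposit <= window_min
        if ev.kind == "setup":
            owners = set(ev.detail["owners"])
            # A threshold of 1 (or a single owner) means one leaked key is enough.
            if ev.detail["threshold"] < min_threshold or len(owners) < min_threshold:
                findings.append("weak-policy")
        elif ev.kind == "deposit":
            last_deposit = ev.minute
        elif ev.kind == "transfer_out":
            if recent and ev.detail.get("drains_balance"):
                findings.append("drain-after-funding")
        elif ev.kind == "owner_changed":
            new_owners = set(ev.detail["owners"])
            if owners and not (owners & new_owners):
                findings.append("owner-takeover")  # no original signer left
            if recent:
                findings.append("owner-change-after-funding")
            owners = new_owners
    return findings

# Constructed timeline shaped like the incident: 1-of-1 wallet, drained and
# re-keyed about 40 minutes after funding. Addresses are placeholders.
INCIDENT = [
    Event(0, "setup", {"owners": ["0xOWNER_A"], "threshold": 1}),
    Event(5, "deposit"),
    Event(45, "transfer_out", {"drains_balance": True}),
    Event(45, "owner_changed", {"owners": ["0xUNKNOWN_B"]}),
]
# Constructed baseline: 2-of-3 wallet rotating one signer a day after funding.
BASELINE = [
    Event(0, "setup", {"owners": ["0xA", "0xB", "0xC"], "threshold": 2}),
    Event(5, "deposit"),
    Event(1500, "owner_changed", {"owners": ["0xA", "0xB", "0xD"]}),
]

if __name__ == "__main__":
    print(audit_multisig(INCIDENT))
    print(audit_multisig(BASELINE))
```

The weak-policy finding is the only one available before funds arrive, which makes it the check to run before a wallet is funded.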
Pattern of Crypto Security Breaches
Specter suggested that the most plausible reason for this breach is that the private key was leaked during the wallet’s creation or that the victim had depended on a malicious third party for assistance in setting it up. A follow-up post referenced the insights of researcher tanuki42, proposing that the attacker might have orchestrated the multisig creation themselves, leaving the victim exposed both during and after the setup.
This incident illustrates a troubling trend in the crypto space regarding private key theft and social engineering tactics, as highlighted by the Security Alliance. On December 15, the group revealed that North Korean-affiliated hackers are running fake Zoom and Teams meetings daily to implant malware and obtain private keys, with hundreds of millions of dollars lost as a result.
Binance’s founder, Changpeng Zhao, echoed similar concerns in September, advising that attackers are increasingly exploiting human trust rather than flaws in smart contracts, often masquerading as aids, job seekers, or meeting hosts.
The whale’s on-chain history indicates that they had been active for several months prior to the breach, including withdrawing over 2,500 ETH from OKX and staking with Kiln Finance, thereby augmenting a sizable ETH position.
Currently, the attacker’s continued control of the Aave position adds further risk. In the event of a sudden market shift, forced liquidations could exacerbate losses, transforming an already expensive error into an even harsher lesson regarding multisig security and private key stewardship.
