PeckShield Alerts on $27.3M Multi-Sig Wallet Exploit Tied to Tornado Cash

PeckShield, a blockchain security firm, has identified a $27.3 million exploit involving a compromised multi-signature wallet. The attacker gained full control of the wallet and drained the assets, marking one of the largest single incidents in December 2025. The breach was uncovered due to unusual on-chain fund movements, with the hacker using the wallet in multiple steps, indicating prolonged access. This event highlights growing concerns around multi-sig wallet security, especially when private keys or signing systems are compromised.

The attacker moved part of the stolen assets into the DeFi ecosystem, withdrawing 1,000 ETH ($3.24 million) from Aave before sending the funds to Tornado CashTORN--. Tornado Cash, a privacy tool that obscures transaction trails, has become a common destination for stolen funds after hacks. Additionally, the hacker deposited 6,300 ETH into Tornado Cash, representing nearly $19.4 million at current prices, making it a major laundering effort.

Beyond moving funds, the attacker is also engaging in leveraged trading. PeckShield reported that the hacker holds long positions valued at $9.75 million, which include $20.5 million in ETH against $10.7 million in borrowed DAI. This behavior shows the attacker is actively managing the stolen assets rather than simply hiding them.

Why Did This Happen?

Multi-signature wallets are designed to enhance security by requiring multiple approvals for transactions. However, compromised key holders or weak signing systems can undermine this protection. PeckShield did not disclose the exact method of the breach but noted that private key leaks, social engineering, or compromised signing services are common in past cases.

The use of Tornado Cash also raises legal and compliance concerns. Many jurisdictions monitor or restrict interactions with mixing services due to their role in laundering illicit funds. Once funds enter these protocols, recovery becomes more difficult, complicating efforts to trace or reclaim stolen assets.

How Did Markets React?

Crypto exploit losses fell sharply in December 2025, with a total of $76 million stolen across 26 incidents. This marked a 60% drop from November's $194.2 million in losses, according to PeckShield. The largest single incident in December was a $50 million address poisoning scam, while the $27.3 million multi-sig breach was another notable case.

Despite the overall decline, 2025 remained a challenging year for the digital asset sector, with over $2.2 billion lost in top hacks. The Bybit breach in February, which resulted in a $1.4 billion loss, remains the year's most significant incident.

What Are Analysts Watching Next?

PeckShield urged users and protocols to stay alert and review their wallet security setups after the incident. The firm emphasized that even advanced wallet designs require strong operational security to prevent breaches. Additionally, PeckShield recommended that users avoid relying on saved transaction data and double-check each character of an address before transfers.

Security firms also highlighted the risks associated with browser wallets, which remain connected to the internet and are vulnerable to phishing and social engineering attacks. PeckShield recommended using hardware wallets for long-term private key storage and keeping keys offline.

The recent incident underscores the need for stronger key management practices and continuous monitoring of wallet activity. As the crypto sector evolves, security threats persist, requiring constant vigilance and adaptation from both individuals and institutions.

Investors and market participants are watching for further developments in the case, particularly the outcome of any recovery efforts and the response from regulatory authorities. The use of Tornado Cash and other privacy tools complicates enforcement actions, raising broader questions about the balance between privacy and accountability in the digital asset space.