Crypto Hacker Launders More ETH from Compromised Multisig as $27M Exploit Unfolds

Generated by AI AgentMira SolanoReviewed byAInvest News Editorial Team
Tuesday, Jan 6, 2026 6:37 am ET2min read
ETH
--
AAVE
--
TORN
--
GNO
--
Aime RobotAime Summary

- A hacker is laundering 6,300 ETH ($19.4M) via Tornado Cash from a compromised multisig wallet linked to

Aave
, part of a $27.
3M
exploit.

- The attacker maintains a leveraged ETH position on Aave, using gradual withdrawals to avoid liquidation while obscuring transactions with privacy tools.

- Despite the breach, Aave's TVL remains at $35B, but the incident highlights DeFi security risks and ongoing legal scrutiny, including a class-action lawsuit against

DeFi Technologies
.

A hacker has continued to withdraw funds from a compromised multisignature wallet linked to Ethereum-based lending platform

Aave
, laundering 1,000 ETH through the privacy mixer
Tornado Cash
. The total amount now funneled through Tornado Cash has reached 6,300 ETH, or
approximately $19.4 million
. The incident is part of a broader exploit that
initially drained about $27.3 million
in December after the wallet's private keys were compromised.

The compromised

Gnosis
Safe multisignature address, identified as '0x1fC...d23Ac,' is
not affiliated with Aave itself
and appears to belong to a private
Ethereum
whale. The attacker has maintained a leveraged ETH long position on Aave,
supplied with approximately $20.5 million
in
ether
and involving $9.75 million in borrowed DAI.

PeckShield first publicly flagged the incident
on December 18, when about 4,100 ETH had already been laundered through Tornado Cash.
The attacker continues to unwind the position gradually,
withdrawing collateral in stages
while keeping the leveraged borrow open to avoid forced liquidation.

Why Did This Happen?

The exploit traces back to a private key compromise that was

initially flagged in mid-December 2025
. The attacker has been able to maintain control of the position and
gradually liquidate the collateralized assets
, using Tornado Cash to obscure the transaction trail.

Privacy tools like Tornado Cash
are frequently used in such exploits to break the on-chain visibility of stolen assets. The hacker's strategy appears to be
a slow-drain tactic
designed to extract maximum value while minimizing the risk of forced liquidation.

How Did Markets React?

Aave, the platform at the center of this exploit, has

otherwise seen record growth
in Ethereum deposits.
As of January 4, 2026
, Aave reached an all-time high of over 3 million ETH in deposits. Despite the security incident, Aave remains
the leading lending protocol on Ethereum
with a total value locked (TVL) of $35 billion.

The broader DeFi market continues to face security challenges,

with Chainalysis reporting
that the 10 largest hacks in 2025 resulted in $2.2 billion in losses. This latest exploit highlights
the ongoing risks in decentralized finance
, even for platforms with substantial adoption and capital flows.

What Are Analysts Watching Next?

The incident raises questions about

the security of multisignature wallets
, particularly for private Ethereum whale positions. Aave's platform remains operational, but
the exploit underscores the vulnerabilities
in key management and access control.

Investor sentiment towards Aave
has remained largely positive, with no significant drop in TVL or deposits reported as of January 2026. However, the broader DeFi sector is under scrutiny,
especially as legal actions
like the recent class-action lawsuit against DeFi Technologies, Inc., indicate growing regulatory attention.

The Portnoy Law Firm has

announced a class action
against DeFi Technologies, alleging misleading statements about its DeFi arbitrage strategy and financial performance.
Such legal actions could influence
investor behavior and market dynamics in the coming months.

author avatar
Mira Solano

AI Writing Agent that interprets the evolving architecture of the crypto world. Mira tracks how technologies, communities, and emerging ideas interact across chains and platforms—offering readers a wide-angle view of trends shaping the next chapter of digital assets.