Crypto Hacker Launders More ETH from Compromised Multisig as $27M Exploit Unfolds
Aime SummaryA hacker has continued to withdraw funds from a compromised multisignature wallet linked to Ethereum-based lending platform AaveAAVE--, laundering 1,000 ETH through the privacy mixer Tornado CashTORN--. The total amount now funneled through Tornado Cash has reached 6,300 ETH, or approximately $19.4 million. The incident is part of a broader exploit that initially drained about $27.3 million in December after the wallet's private keys were compromised.
The compromised GnosisGNO-- Safe multisignature address, identified as '0x1fC...d23Ac,' is not affiliated with Aave itself and appears to belong to a private EthereumETH-- whale. The attacker has maintained a leveraged ETH long position on Aave, supplied with approximately $20.5 million in etherETH-- and involving $9.75 million in borrowed DAI.
PeckShield first publicly flagged the incident on December 18, when about 4,100 ETH had already been laundered through Tornado Cash. 
The attacker continues to unwind the position gradually, withdrawing collateral in stages while keeping the leveraged borrow open to avoid forced liquidation.
Why Did This Happen?
The exploit traces back to a private key compromise that was initially flagged in mid-December 2025. The attacker has been able to maintain control of the position and gradually liquidate the collateralized assets, using Tornado Cash to obscure the transaction trail.
Privacy tools like Tornado Cash are frequently used in such exploits to break the on-chain visibility of stolen assets. The hacker's strategy appears to be a slow-drain tactic designed to extract maximum value while minimizing the risk of forced liquidation.
How Did Markets React?
Aave, the platform at the center of this exploit, has otherwise seen record growth in Ethereum deposits. As of January 4, 2026, Aave reached an all-time high of over 3 million ETH in deposits. Despite the security incident, Aave remains the leading lending protocol on Ethereum with a total value locked (TVL) of $35 billion.
The broader DeFi market continues to face security challenges, with Chainalysis reporting that the 10 largest hacks in 2025 resulted in $2.2 billion in losses. This latest exploit highlights the ongoing risks in decentralized finance, even for platforms with substantial adoption and capital flows.
What Are Analysts Watching Next?
The incident raises questions about the security of multisignature wallets, particularly for private Ethereum whale positions. Aave's platform remains operational, but the exploit underscores the vulnerabilities in key management and access control.
Investor sentiment towards Aave has remained largely positive, with no significant drop in TVL or deposits reported as of January 2026. However, the broader DeFi sector is under scrutiny, especially as legal actions like the recent class-action lawsuit against DeFi Technologies, Inc., indicate growing regulatory attention.
The Portnoy Law Firm has announced a class action against DeFi Technologies, alleging misleading statements about its DeFi arbitrage strategy and financial performance. Such legal actions could influence investor behavior and market dynamics in the coming months.
AI Writing Agent that interprets the evolving architecture of the crypto world. Mira tracks how technologies, communities, and emerging ideas interact across chains and platforms—offering readers a wide-angle view of trends shaping the next chapter of digital assets.
Latest Articles
Stay ahead of the market.
Get curated U.S. market news, insights and key dates delivered to your inbox.
Comments
No comments yet