The post CertiK links $63M flows from hack appeared on BitcoinEthereumNews.com.

CertiK links $63M flows from hack

Fresh forensic work on the $282 million wallet hack has uncovered extensive Tornado Cash laundering activity that continued well after the initial theft.

Blockchain security firm CertiK has traced $63 million in Tornado Cash flows to the January 10 crypto wallet breach that drained $282 million. The team identified new laundering activity and confirmed recent movements of funds tied to the original compromise. The new link significantly extends the known timeline of activity following the theft.

According to CertiK, the attacker routed stolen assets across multiple blockchains before sending them through the privacy protocol. The firm detected structured transfers that pushed Ether (ETH) through a sequence of addresses ahead of deposits into Tornado Cash. The pattern closely mirrored laundering methods seen in earlier large-scale crypto thefts.

Cross-chain movements and structured batch transfers

The investigation found that a substantial portion of the stolen Bitcoin (BTC) was first bridged to Ethereum and then converted into ETH. CertiK highlighted one receiving address that accumulated 19,600 ETH following this cross-chain bridge operation. These holdings were then quickly fragmented into smaller tranches and moved again before being dispatched to Tornado Cash.

The $63 million figure reflects only part of the overall stolen value but illustrates the methodical design of the operation. Analysts observed repeated batch transfers, deliberately staged to lower on-chain scrutiny and lengthen the laundering chain. The steady, phased use of Tornado Cash emphasized the attacker's sustained intent to complicate any tracing of the wallet breach.

Specialists noted that these batch-transfer laundering patterns are increasingly common in sophisticated thefts. The attacker repeatedly shifted funds through new addresses and across chains, using time gaps and varied amounts to avoid obvious clustering. Consequently, each additional hop before the mixer further weakened direct attribution to the original hacked wallet.

Tracing limitations once funds hit Tornado Cash

Crypto security teams stressed that Tornado Cash deposits sharply reduce the chances of recovering funds once mixing cycles are completed. Mixers break the visible links between sending and receiving addresses, undermining conventional on-chain analytics. Tracing the full set of exits becomes far harder after funds leave the pool.

The January 10 incident followed the same pattern, with additional wallet hops executed shortly before every mixer deposit. Investigators confirmed that these last-minute jumps created extra distance from the source wallet. Furthermore, the moment funds crossed into Tornado Cash marked a decisive barrier for most follow-up tracking efforts.

Security firms also reported very limited mitigation options once the Tornado Cash laundering steps had begun. Some centralized platforms managed to flag and freeze small fragments that touched their services. However, those freezes covered only a minor fraction of the overall volume, and the majority of assets moved beyond reach during the early mixer stages.
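The forward tracing described above (a receiving address fragmented into tranches, extra hops, then mixer deposits) can be sketched as follows. This is an added example, not CertiK's method or tooling: the address labels, transfer list and "taint-first" accounting rule are constructed assumptions, and only the 19,600 ETH starting figure comes from the article.

```python
from collections import defaultdict

# Constructed sample data: labels stand in for addresses, amounts are in ETH.
MIXERS = {"mixer_pool"}
TRANSFERS = [  # (time, sender, receiver, amount)
    (1, "bridge_recv", "hop_a", 10000.0),
    (2, "bridge_recv", "hop_b", 9600.0),
    (3, "hop_a", "hop_a1", 5000.0),
    (4, "hop_a", "hop_a2", 5000.0),
    (5, "unrelated", "hop_b", 400.0),      # clean funds, never tainted
    (6, "hop_b", "hop_b1", 10000.0),       # only 9600 of this is tainted
    (7, "hop_a1", "mixer_pool", 100.0),
    (8, "hop_a1", "mixer_pool", 100.0),
    (9, "hop_b1", "mixer_pool", 100.0),
    (10, "hop_a2", "exchange_x", 50.0),    # touches a service that could freeze it
]

def trace_to_mixer(transfers, source, source_amount, mixers):
    """Follow funds forward from `source` in time order.

    Assumption (taint-first): an address spends its tainted balance before
    any clean balance. Returns (mixer deposits, tainted balances still visible).
    """
    tainted = defaultdict(float)
    tainted[source] = source_amount
    hops = {source: 0}                     # shortest hop distance from source
    deposits = []
    for time, sender, receiver, amount in sorted(transfers):
        moved = min(amount, tainted[sender])
        if moved <= 0:
            continue                       # sender holds no tainted funds
        tainted[sender] -= moved
        if receiver in mixers:
            # The visible trail ends here: record who deposited, and how far
            # that depositor sits from the original receiving address.
            deposits.append({"time": time, "depositor": sender,
                             "amount": moved, "hops": hops[sender]})
        else:
            tainted[receiver] += moved
            depth = hops[sender] + 1
            hops[receiver] = min(hops.get(receiver, depth), depth)
    residual = {addr: bal for addr, bal in tainted.items() if bal > 0}
    return deposits, residual

if __name__ == "__main__":
    deposits, residual = trace_to_mixer(TRANSFERS, "bridge_recv", 19600.0, MIXERS)
    print("into mixer:", sum(d["amount"] for d in deposits), "ETH")
    print("still traceable:", residual)
```

The residual balances are what remains attributable on-chain; anything recorded as a mixer deposit is where conventional tracing stops.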

Social engineering attack triggered full wallet compromise

Background checks into the breach revealed that the operation began with a targeted social engineering attack. The attacker posed as legitimate support staff and convinced the victim to reveal a critical seed phrase securing access to the wallet. As a result, the intruder obtained direct control over significant Bitcoin and Litecoin (LTC) reserves held in the compromised account.

The wallet contained more than 1,459 BTC and over 2 million LTC prior to the theft, according to CertiK's reconstruction. Parts of these holdings were converted into other digital assets during the early phases of the laundering process. Portions of the funds were also shifted across various networks, using cross-chain laundering tactics, before the final transfers into the Tornado Cash mixer.

Security analysts continue to monitor fresh movements from any addresses linked to the hack, though they now anticipate only incremental progress. The repeated use of the Tornado Cash protocol underscores a deliberate plan to erase transaction traces and exploit mixer design. Overall, the case illustrates how coordinated social engineering, cross-chain transfers, and mixer deposits can severely limit recovery prospects in major crypto thefts.

Source: https://en.cryptonomist.ch/2026/01/19/tornado-cash-laundering-hack-tracing/
