  • 🧩💸 Hacker Moves $19M via Tornado Cash After a $27M Multi-Sig Drain — and Keeps a $10M ETH Bet Open 🔥

    A highly skilled attacker who took over a multi-signature wallet and stole $27.3M has already washed $19.4M through Tornado Cash — while still holding a leveraged ETH long worth about $9.75M. What makes this story even more alarming is that it happened during a rapid wave of separate exploits, with reported losses across incidents climbing past $36M in roughly 24 hours.

    The activity was first highlighted by on-chain security monitors, and it quickly turned into a reminder of a hard truth in crypto: you don’t need to “hack a blockchain” to cause massive damage — weak operational security, compromised keys, or exploitable contracts are usually enough.

     



    What the attacker did (in plain English)

    Here’s the sequence that stood out:

    • Pulled 1,000 ETH (~$3.24M) from Aave, then sent it into Tornado Cash

    • Combined it with an already-tracked 6,300 ETH previously routed through the mixer

    • At the same time, maintained a leveraged long position:

      • ~$20.5M in ETH exposure

      • against ~$10.7M in DAI

      • net position reported around $9.75M

    In other words: while laundering, the attacker also stayed active in markets — a classic move when someone’s confident they can keep operating without being stopped.



    A broader wave of exploits in the same 24h window

    This wasn’t a one-off headline. Investigators flagged multiple parallel incidents, including another laundering trail tied to funds that appear to originate from TRON wallets, then bridged to Ethereum and mixed.

     

    That trail was associated by researchers with a “pig-butchering” style scam — the type that often starts with social manipulation (sometimes romance bait), then gradually pushes victims into sending crypto to “investment” platforms that are completely fake.



    Another exploit: TMXTribe on Arbitrum (looping drain)

    At the same time, another alert circulated about a ~$1.4M exploit involving an unverified contract linked to TMXTribe on Arbitrum.

    Attackers reportedly repeated a loop like this:

    • mint & stake TMX LP using USDT

    • swap into USDG

    • unstake and sell more USDG

    • repeat the cycle to siphon USDT, plus assets like wrapped SOL and WETH

     



    Quick reference: the key on-chain points

    To keep the details readable, here are the main figures in one place:


    • Multi-sig wallet drained: ~$27.3M

    • Laundered via Tornado Cash: ~$19.4M

    • Aave withdrawal mentioned: 1,000 ETH (~$3.24M)

    • Total mixed (tracked): ~6,300 ETH

    • Open leveraged ETH position: ~$9.75M (ETH vs DAI)

    If you’re tracking the separate Tornado Cash laundering case mentioned in the “wave” section, the address was referenced as:


    0xB8b4...3714


    Why this matters (beyond the headline)


    Multi-sig is not “set-and-forget”

    Multi-signature wallets are meant to reduce risk, but they’re only as strong as:

    • who controls the signer keys,

    • how those keys are stored (hot vs hardware),

    • and whether signers can be socially engineered or compromised.

    If a multi-sig gets drained, it’s often not because the math failed — it’s because key security or internal processes did.


    Tornado Cash = faster obfuscation

    Mixers don’t make stolen funds “clean,” but they can make tracing slower and messier — especially when combined with:

    • cross-chain bridges,

    • rapid splitting into smaller transactions,

    • and centralized exchanges.



    Ledger/Global-e leak: digital risk turning physical


    In the same news cycle, Ledger disclosed that customer data (names, addresses, emails, phone numbers) was accessed via its payment processor Global-e. Even if no private keys were exposed, this kind of dataset is incredibly valuable for attackers because it fuels:

    • phishing

    • social engineering

    • fake “replacement device” scams

    • and, in extreme cases, real-world targeting

    Ledger’s history matters here too: the widely discussed 2020 incident involved around 1.1M leaked email addresses and detailed personal data for roughly 292,000 customers, later dumped publicly — making newer leaks even more dangerous when combined with old ones.



    My practical take: how to protect yourself (and your team)

    For multi-sig / treasuries

    • Keep signers on hardware devices (not browser extensions)

    • Separate duties: proposal ≠ approval ≠ execution

    • Add timelocks on large transfers (gives time to react)

    • Use allowlists for withdrawals where possible

    • Monitor treasury wallets with real-time alerts (Telegram/Discord bots, on-chain monitors)
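
The treasury controls listed above (allowlist, timelock on large transfers, separated proposal/approval/execution, alerting) can be enforced as an off-chain gate that runs before a multi-sig transaction is executed. This is an added example, not code from the article; the addresses, signer names, thresholds and the `check_proposal` / `format_alert` helpers are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values and addresses (assumptions, not from the article).
ALLOWLIST = {"0xCOLD_VAULT", "0xPAYROLL"}   # approved withdrawal destinations
LARGE_TRANSFER_ETH = 100.0                   # timelock applies at or above this size
TIMELOCK_SECONDS = 48 * 3600                 # delay that gives the team time to react
REQUIRED_APPROVALS = 2


@dataclass(frozen=True)
class Proposal:
    to: str
    amount_eth: float
    proposer: str
    approvers: frozenset
    executor: str
    proposed_at: int  # unix seconds


def check_proposal(p: Proposal, now: int) -> list:
    """Return policy violations; an empty list means execution may proceed."""
    violations = []
    if p.to not in ALLOWLIST:
        violations.append("destination_not_allowlisted")
    # Separation of duties: proposal != approval != execution.
    if p.proposer in p.approvers:
        violations.append("proposer_also_approved")
    if p.executor == p.proposer or p.executor in p.approvers:
        violations.append("executor_not_independent")
    # Only approvals from signers other than the proposer count.
    if len(p.approvers - {p.proposer}) < REQUIRED_APPROVALS:
        violations.append("insufficient_independent_approvals")
    if p.amount_eth >= LARGE_TRANSFER_ETH and now - p.proposed_at < TIMELOCK_SECONDS:
        violations.append("timelock_not_elapsed")
    return violations


def format_alert(p: Proposal, violations: list) -> str:
    """Render the one-line message a Telegram/Discord webhook would carry."""
    return f"BLOCKED {p.amount_eth} ETH -> {p.to}: {', '.join(violations)}"


# Constructed sample: 1,000 ETH to an unknown address, one signer in every role.
T0 = 1_700_000_000
DRAIN = Proposal("0xUNKNOWN", 1000.0, "alice", frozenset({"alice", "bob"}), "alice", T0)
# Constructed sample: routine payroll handled by distinct people.
PAYROLL = Proposal("0xPAYROLL", 12.5, "alice", frozenset({"bob", "carol"}), "dave", T0)

if __name__ == "__main__":
    for prop in (DRAIN, PAYROLL):
        v = check_proposal(prop, now=T0 + 3600)
        print(format_alert(prop, v) if v else f"OK {prop.amount_eth} ETH -> {prop.to}")
```

A gate like this only helps if it runs somewhere the signers' own machines cannot bypass, for example in the co-signing service or the transaction relayer.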

    For everyday users

    • Never share seed phrases (no matter how “official” the message looks)

    • Use hardware wallet storage for serious holdings

    • Treat “support” DMs and urgent emails as hostile by default

    • If personal data leaked: tighten delivery habits + verify every domain carefully
