CertiK links $63M in Tornado Cash deposits to $282M wallet compromise

Roughly $63 million in Tornado Cash deposits has been linked to the $282 million cryptocurrency wallet compromise of Jan. 10.

Blockchain security firm CertiK said in a Monday X post that its monitoring systems identified Tornado Cash interactions tied to the exploit. 

The update expands on the post-theft money laundering mechanics of the Jan. 10 incident, which is being tracked by multiple crypto investigators due to the amount lost and the speed at which funds were moved.

CertiK diagram maps the laundering path

According to CertiK's analysis, a portion of the stolen Bitcoin was bridged to Ethereum, converted into Ether and then split across several addresses. 

CertiK’s found that at least 686 BTC was bridged to Ethereum using a cross-chain swap, resulting in 19,600 ETH received by a single Ethereum address. 

The funds were then split across multiple wallets, with several hundred ETH sent onward from each address before entering Tornado Cash, a privacy-focused mixing protocol.

The $63 million figure represents only a portion of the total amount lost. However, the fund movement shows how the attacker is working to obscure the trail after the initial cross-chain transfers during the exploit.  

Recovery chances drop to “near zero” after entering mixers

The fund movements observed in the Jan. 10 compromise reflects an established laundering playbook, according to Marwan Hachem, CEO of blockchain security firm FearsOff. 

“This flow follows the classic large-scale laundering playbook pretty closely, especially for cross-chain thefts involving BTC and LTC,” Hachem told Cointelegraph.

He said that the use of THORswap for Bitcoin-to-Ether conversions and the subsequent breakdown of funds into roughly 400 ETH chunks before entering the mixer were “textbook,” as they help reduce attention and make post-mixing recovery significantly harder.

“Tornado Cash is a major kill switch for traceability,” he said, adding that recovery chances “drop to near zero” in most cases after funds enter a mixer.

According to Hachem, mitigation options after mixer deposits are limited and increasingly unreliable.

Social engineering attack turns into seed phrase compromise

As previously reported by Cointelegraph, the Jan. 10 theft was traced to a social engineering attack that tricked the victim into revealing a seed phrase. 

Blockchain investigator ZachXBT said that the attacker impersonated wallet support staff, gaining full control over the victim's holdings. The compromised wallet held about 1,459 BTC and over 2 million Litecoin.

Portions of the stolen assets were also swapped into privacy-focused digital assets. 

Security firm ZeroShadow previously said that about $700,000 of the stolen funds were flagged and frozen early in the laundering process, though the vast majority of the assets moved out of reach.