The incident traces back to a private key compromise first flagged publicly in mid-December, and the attacker still controls a leveraged ETH long position on Aave tied to the hacked multisig.
A hacker who seized control of a compromised multisignature wallet has withdrawn an additional 1,000 ETH from decentralized lending protocol Aave and laundered the funds via Tornado Cash, bringing the total amount funneled through the privacy mixer to 6,300 ETH, according to blockchain security firm PeckShield.
The latest withdrawal came from an open position on Aave, where the hacker continues to control a leveraged ETH long.
On Tuesday, PeckShield said on X that the attacker has now laundered roughly $19.4 million worth of ether from the wallet, part of a broader exploit that drained approximately $27.3 million in assets in December after the multisig’s private keys were compromised.
The compromised wallet, a Gnosis Safe multisignature address identified as “0x1fC…d23Ac”, is not affiliated with Aave itself and appears to belong to a private whale. Blockchain data cited by PeckShield shows the attacker still maintains a $9.75 million leveraged long position involving roughly $20.5 million in ether supplied against about $10.7 million in borrowed DAI, leaving the position solvent but increasingly exposed if market conditions shift.
PeckShield first publicly flagged the incident on Dec. 18. At the time, about 4,100 ETH had already been routed through Tornado Cash, with the attacker retaining control of the wallet and its open Aave position.
Privacy tools like Tornado Cash are commonly used in crypto exploits to break onchain transaction trails and complicate recovery efforts.
Rather than closing the position outright, the hacker has since been unwinding it gradually, withdrawing collateral in stages and laundering the proceeds while keeping the borrow open to avoid triggering liquidation.
The approach appears to be a slow-drain tactic used to maximize extraction while minimizing the risk of forced liquidation in DeFi protocols.
The identity of the victim has not been disclosed, and no protocol treasuries have been linked to the wallet. Activity associated with the address can be tracked publicly on Etherscan, which shows ongoing interactions with Aave contracts and Tornado Cash deposits.
Also, no recovery effort has been widely announced, and the long-term outcome of the leveraged position remains uncertain.
The ongoing laundering extends the fallout from a year marked by major crypto security breaches.
In 2025, the 10 largest hacks resulted in an estimated $2.2 billion in losses across centralized exchanges, DeFi protocols, and infrastructure providers, according to Chainalysis, with this multisig incident falling below the year’s biggest cases, including Bybit and GMX.
