On-chain analysts detailed the timeline, asset movements, and broader risks tied to misconfigured multisig wallets and phishing attacks.
A cryptocurrency whale has seen his funds wiped through an exploit on their 1-1 multisignature wallet, which siphoned over $25 million in digital assets.
Blockchain security firm PeckShield issued an alert on X on Thursday, reporting that the whale had been hacked for roughly $27.3 million. The stolen funds are being funneled through on-chain privacy tool Tornado Cash in batches of 100 ETH, according to data from Etherscan.
PeckShield said the attacker took control of the private key and made themselves the sole signatory of the multisig wallet. Once access was obtained, the drainer began systematically extracting assets and laundering them on-chain.
Multisig wallet hacker still holds $2 million of the stolen funds
According to PeckShield, the attacker, who is using the address 0x1fCf…367d23Ac, has already laundered about $12.6 million, equivalent to 4,100 Ether, through Tornado Cash. The security firm added that the drainer still holds around $2 million in liquid assets, based on wallet balances observed at the time of reporting.
Several security analysts believe the attacker is in control of the victim’s multisig wallet, which is actively holding a large leveraged position on Aave. The wallet reportedly has about $25 million worth of Ether supplied as collateral against roughly $12.3 million borrowed in DAI.
The attacker’s address, which PeckShield shared publicly, holds Ether, Wrapped Ether, OKB, Trust Wallet Token, Bitfinex LEO, Fetch, and Nexo. They have so far made deposits of stolen Ether into Tornado Cash in equal-sized batches totaling 4,100 Ether, split into 41 transactions of 100 Ether each.
Late Wednesday, on-chain investigator Specter issued more details on the breach by publishing a breakdown of the attack sequence. The blockchain analyst mentioned that a victim’s private key compromise had pushed the total losses from the incident closer to $38 million.
According to Specter, the victim created a multisignature wallet configured as a 1-of-1 system on April 11, 2025, at 07:48:11. Shortly after moving funds into the wallet, the main wallet, designated as the signer, experienced a massive outflow at 08:23:23.
While the precise cause of the breach remains unclear, Specter suggested that the private key may have been leaked during the multisignature setup process. Another possibility raised was that the victim relied on a malicious actor for assistance while creating the multisig wallet.
Whale 0xde5f44…b051e965 had suffered notable losses in May, per the tracking of analytics platform Onchainlens, which found that the investor withdrew 2,520.5 Ether, valued at about $4.52 million at the time, from OKX and staked it with Kiln Finance.
Over the course of the year, the whale reportedly staked a total of 9,918 Ether, worth $22.58 million at around July. Despite earning 105.5 Ether in staking rewards, the investor still faced a net loss of around $4.26 million before the latest exploit occurred.
Multisig wallets can be hacked without the necessary signatory threshold
Most members of the crypto community believe in multisig wallets security because they require approvals from two or more entities before executing a transaction. Some configurations in these types of wallets include systems like 2-of-3 or 3-of-5, where the first number in the system represents the keyholder threshold that must approve a swap or trade.
However, configurations such as 1-of-1, where only one signer is required, undermine the primary benefit of multisignature protection. In such cases, the compromise of a single key can lead to total loss, as appears to have happened in whale 0xde5f44…b051e965’s case.
In a separate case seen in September this year, an unidentified crypto investor lost over $3 million after unknowingly authorizing a malicious contract. Blockchain investigator ZachXBT flagged that incident on his Telegram channel, revealing that the victim’s wallet was drained of $3.047 million in USDC and swapped for Ether to be routed through Tornado Cash.
SlowMist founder Yu Xian later explained that the compromised address in that case was a 2-of-4 Safe multisig wallet. He continued to say the fraudulent contract mimicked the first and last characters of the real address, making the deception difficult to detect.
The attacker also exploited the Safe Multi Send mechanism, hiding the malicious approval inside a routine authorization. “This abnormal authorization was hard to detect because it wasn’t a standard approval,” Xian wrote on X.
Sign up to Bybit and start trading with $30,050 in welcome gifts
