A crypto whale has lost roughly $38 million after an attacker took control of a multisig wallet and quietly drained its funds earlier today.
The case is drawing close attention because the attacker not only moved assets through Tornado Cash but also retained control of a leveraged DeFi position tied to the compromised wallet.
Blockchain security firm PeckShield reported on X on December 18 that a whale’s wallet was emptied after a private key was exposed, leading to losses of about $27.3 million at first glance. Follow-up on-chain tracking showed the total damage climbed closer to $38 million once related wallets and positions were included.
According to PeckShield, the attacker has already sent 4,100 ETH worth about $12.6 million, through Tornado Cash in an apparent effort to obscure the trail. Around $2 million remains in liquid assets. More concerning, the attacker still controls the victim’s address, which holds a leveraged long position on Aave, with on-chain data showing around $25 million worth of ETH supplied as collateral against more than $12 million in DAI borrowed.
On-chain analyst Specter shared a detailed timeline on X, noting that the victim created a 1-of-1 multisig wallet, meaning it only required one signature from a single signer to authorize transactions. However, this setup defeated the primary purpose of a multisig, which is to require multiple independent approvals.
Less than 40 minutes after transferring funds into it, the wallet saw a massive outflow that drained all tokens. Around the same time, the signer was switched to an attacker-controlled address.
Specter said the most likely explanation is that the private key was leaked during the setup or that the victim relied on a malicious third party for help creating the wallet. A later post, citing researcher tanuki42, suggested the attacker may have created the multisig themselves, leaving the victim exposed both during and after setup.
The incident fits into a wider pattern of private key theft and social engineering that continues to plague the crypto sector. In a December 15 report, cybersecurity group Security Alliance warned that North Korea-linked hackers are running daily fake Zoom and Teams calls to plant malware and steal private keys, a method tied to hundreds of millions of dollars in losses.
Binance founder Changpeng Zhao issued a similar warning in September, saying attackers are increasingly targeting human trust rather than smart contract flaws, often posing as helpers, job candidates, or meeting hosts.
On-chain history shows the whale had been active for months before the hack. On May 7, Onchain Lens reported that the same address had withdrawn over 2,500 ETH from OKX and staked funds via Kiln Finance, steadily building a large ETH position.
For now, the attacker’s continued control of the Aave position adds another layer of risk. If markets move sharply, forced liquidations could deepen losses, turning an already costly breach into an even harsher lesson on multisig security and private key handling.
