Blockchain security firm CertiK has detected a $63 million rapid-fire deposit into crypto mixer Tornado Cash, confirming the on-chain laundering of assets stolen in the massive January 10 wallet compromise. The movement marks the latest phase in liquidating what is now confirmed as the largest individual theft of 2026, totaling over $282 million.
The Laundering Circuit
According to CertiK Alert, the funds originated from a wallet address (0xF73a...cc21) directly tied to the Jan. 10 breach. While the initial theft involved Bitcoin and Litecoin, the attacker has employed a complex cross-chain obfuscation strategy.
On-chain data indicates the stolen BTC and LTC were initially swapped for Monero (XMR), causing a liquidity crunch that forced XMR to a temporary all-time high of nearly $800 earlier this week. The funds currently entering Tornado Cash, likely converted to ETH or stablecoins to access the Ethereum-based mixer, suggest the attacker is diversifying liquidation channels as Monero liquidity dries up.
"The wallet address linked to the Jan 10th theft… has shown unusual fund movements. Approximately $63 million… has been deposited into Tornado Cash." (CertiK Alert)
The ‘Social Engineering’ Vector
The scale of the breach ($282M) initially triggered rumors of an exchange hack, but investigations by ZachXBT revealed a more alarming reality: a single whale was compromised via a sophisticated social engineering attack targeting hardware wallet credentials. The victim surrendered access to approximately 2,059 LTC and 1,459 BTC.
This incident highlights a critical failure point in self-custody: while hardware wallets remain secure against remote execution, they cannot patch human error. The attacker’s ability to bypass cold storage protocols through psychological manipulation has rattled the OTC desks, with Bitcoin holding steady at $90,297 despite the selling pressure.
Institutional Context
The brazen use of Tornado Cash follows the U.S. Treasury’s unexpected decision to lift sanctions on the protocol in March 2025. While the mixer is no longer on the OFAC SDN list, its usage for laundering stolen proceeds remains a felony. However, the regulatory reversal has seemingly emboldened bad actors to return to the high-liquidity privacy pools of Ethereum rather than relying solely on fragmented privacy chains.