Attacker Seizes Whale Multisig Minutes After Creation, ~$40M Loss

A crypto attacker allegedly seized control of a large holder’s multisig wallet minutes after it was created on Nov. 4 and has since been withdrawing and laundering funds in phases, according to blockchain security firm PeckShield and analysis by Hacken Extractor.

In an update posted Thursday on X, PeckShield said the wallet was drained of roughly $27.3 million following a private key compromise. The firm reported that the attacker has routed about $12.6 million, or 4,100 Ether (ETH), through Tornado Cash, retains approximately $2 million in liquid assets, and also holds a leveraged long position on Aave (AAVE).

Separately, Yehor Rudytsia, head of forensics at Hacken Extractor, said total losses may exceed $40 million and that on-chain indicators suggest the incident started earlier than initially believed, with activity traceable to Nov. 4.

Rudytsia said the wallet labeled as “compromised” may not have been under the victim’s meaningful control at any point. On-chain data shows the multisig was created by the victim’s account on Nov. 4 at 7:46 am UTC, with ownership transferred to the attacker six minutes later.

According to Rudytsia, it is likely the perpetrator set up the multisig, moved funds into it, and then quickly reassigned ownership to themselves.

Attacker’s extended cash-out approach

Once in control, the attacker appeared to proceed gradually, making staggered deposits to Tornado Cash over several weeks. Transfers began with 1,000 ETH on Nov. 4 and continued into mid-December in smaller batches. Rudytsia added that about $25 million in assets still sits in the attacker-controlled multisig.

Rudytsia also flagged the wallet’s configuration. The multisig was set as “1-of-1,” requiring only a single signature for approvals, which he noted does not align with the conceptual purpose of a multisig.

Abdelfattah Ibrahim, a decentralized application (DApp) auditor at Hacken, said several vectors could explain the compromise, including malware or infostealers on the signer’s device, phishing that leads users to authorize malicious transactions, or weak operational security such as storing keys in plaintext or using the same machine for multiple signers.

Ibrahim said mitigation should include isolating signing devices as cold devices and validating transactions beyond the user interface.
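
A defensive check for the two conditions Rudytsia describes above, an ownership change minutes after creation and a 1-of-1 threshold, written as an added example that is not from the article or the firms quoted. The event schema, owner labels, timestamps and the 24-hour review window are constructed assumptions, not real chain data.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical schema (not real chain data).
# The six-minute gap mirrors the timeline reported in the article.
SAMPLE_EVENTS = [
    {"time": "2030-01-01T07:46:00", "type": "created",
     "owners": ["0xOWNER_A"], "threshold": 1},
    {"time": "2030-01-01T07:52:00", "type": "owner_removed", "owner": "0xOWNER_A"},
    {"time": "2030-01-01T07:52:00", "type": "owner_added", "owner": "0xOWNER_B"},
]

def audit_multisig(events, approved_owners, window=timedelta(hours=24)):
    """Replay owner events and return a list of (code, detail) findings."""
    findings, owners, threshold, created = [], set(), 0, None
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        kind = ev["type"]
        if kind == "created":
            created, owners, threshold = when, set(ev["owners"]), ev["threshold"]
            continue
        if created is None:
            raise ValueError("owner event seen before wallet creation")
        if kind == "owner_added":
            owners.add(ev["owner"])
        elif kind == "owner_removed":
            owners.discard(ev["owner"])
        elif kind == "threshold_changed":
            threshold = ev["threshold"]
        else:
            continue  # ignore event types this check does not model
        # Any signer or threshold change soon after creation deserves review.
        if when - created <= window:
            minutes = int((when - created).total_seconds() // 60)
            findings.append(("EARLY_OWNER_CHANGE", f"{kind} {minutes} min after creation"))
    # A wallet that one key can move is a multisig in name only.
    if threshold < 2 or len(owners) < 2:
        findings.append(("SINGLE_SIGNER", f"{threshold}-of-{len(owners)}"))
    # Final owners must all be on the allowlist the asset holder maintains.
    for owner in sorted(owners - set(approved_owners)):
        findings.append(("UNAPPROVED_OWNER", owner))
    return findings

if __name__ == "__main__":
    for code, detail in audit_multisig(SAMPLE_EVENTS, approved_owners={"0xOWNER_A"}):
        print(code, detail)
```

Running the check before funding a newly created wallet, rather than after, is what gives it value in a scenario like the one reported here.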

AI models demonstrate ability to craft smart contract exploits

Research by Anthropic and the Machine Learning Alignment & Theory Scholars (MATS) group found that current AI models can construct real, profitable smart contract exploits. In controlled experiments, Anthropic’s Claude Opus 4.5, Claude Sonnet 4.5, and OpenAI’s GPT-5 collectively generated exploits valued at $4.6 million, indicating that autonomous exploitation is technically possible with commercially available systems.

In additional testing, Sonnet 4.5 and GPT-5 were run against nearly 2,850 newly deployed smart contracts with no known vulnerabilities. The models identified two previously unknown zero-day issues and produced exploits worth $3,694, slightly exceeding the $3,476 API cost required to generate them.
