Blockchain security firm PeckShield has reported a major cryptocurrency theft involving a compromised multi-signature wallet, resulting in losses of approximately $27.3 million. In the attack, which came to light in December, a hacker gained full control of a Gnosis Safe multi-signature address identified as "0x1fC...d23Ac". PeckShield first publicly flagged the incident on December 18.
The attacker has been actively laundering the stolen assets through the privacy protocol Tornado Cash. According to PeckShield's on-chain observations, the hacker has deposited a total of 6,300 ETH (worth roughly $19.4 million at current prices) into the mixer. The laundering process has been gradual, with the latest movement involving the withdrawal of an additional 1,000 ETH (approximately $3.24 million) from the decentralized lending protocol Aave before sending it to Tornado Cash.
In a notable twist, the hacker is not merely hiding the funds but is also engaging in active market speculation. The attacker maintains a leveraged long position worth about $9.75 million on Aave, consisting of roughly $20.5 million in supplied ETH against approximately $10.7 million in borrowed DAI. This strategy carries significant liquidation risk if market prices move sharply, potentially causing the hacker to lose part of the stolen assets to margin calls.
The exploit highlights growing security concerns around multi-signature wallets, which are designed to require multiple approvals to reduce risk but remain vulnerable if private keys are compromised, signing systems are breached, or signers fall victim to social engineering. PeckShield has not disclosed the exact method of the breach. The identity of the victim has not been revealed, and the wallet does not appear to be affiliated with Aave itself or any protocol treasury, suggesting it belonged to a private entity or "whale."
The use of Tornado Cash complicates recovery efforts, as the privacy tool breaks the on-chain link between deposits and withdrawals. Several jurisdictions restrict or monitor interactions with such mixing services. As of now, no public recovery effort has been announced, and PeckShield continues to track the attacker's addresses, urging users and protocols to review their wallet security setups.