A hacker returned after two years of inactivity and deposited $5.4M in stolen funds into Tornado Cash after swapping DAI for ETH.
An attacker linked to a previous theft has resumed onchain activity after nearly two years of dormancy.
Blockchain data shows stolen funds are now being deposited into Tornado Cash, with movements accelerating over recent days.
Dormant Theft Address Becomes Active Again
The theft address, identified as 0xFe7e039cC5034436C534d5E21A8619A574e206F8, showed no notable activity for almost two years.
This period of inactivity ended when funds began moving again onchain.
Blockchain records indicate the address transferred assets without warning. Observers noted the timing suggested a planned return rather than random movement.
The renewed activity drew attention due to the size of the funds involved. The address had previously been linked to stolen assets.
Funds Shifted From DAI to ETH
According to Specter, before interacting with Tornado Cash, the theft address moved about $5.8 million in DAI.
The transfer went to a newly created wallet. The fresh wallet then swapped the DAI for ETH, changing the asset type before further movement.
The attacker has resumed activity after nearly two years of dormancy and is now depositing stolen funds into Tornado Cash.
A total of $5.4M has been deposited so far.
Prior to this, the theft address transferred $5.8M DAI to a fresh wallet, which was subsequently swapped for… https://t.co/6hZWByeuRQ pic.twitter.com/67vx2CLk6U
— Specter (@SpecterAnalyst) January 26, 2026
Such swaps are often used to prepare funds for privacy tools. ETH is commonly used for Tornado Cash deposits.
After the swap, the ETH balance was broken into smaller portions. These portions were then sent to Tornado Cash contracts.
$5.4M Deposited Into Tornado Cash
Blockchain data shows that about $5.4 million has been deposited into Tornado Cash so far. The deposits followed a clear and repeated pattern.
The attacker sent 100 ETH in twenty separate transactions. Additional deposits included three transfers of 10 ETH.
Smaller deposits were also made. These included eight transfers of 1 ETH and nine transfers of 0.1 ETH.
This pattern is consistent with prior Tornado Cash usage. Such behavior is often meant to blend deposits with others.
The deposits occurred over multiple transactions instead of one large transfer. This approach can complicate transaction analysis.
Related Reading: Hacker Who Stole $282 million Last Week, Launders $63M Via Tornado Cash: CertiK
Onchain Tracking and Current Status
Despite the use of Tornado Cash, parts of the transaction trail remain visible. Analysts can still track deposits and timing patterns.
No withdrawal transactions linked to the attacker have been confirmed yet. The funds remain inside Tornado Cash pools.
The activity suggests a careful and delayed strategy. The long dormancy may have been intended to reduce attention.
Security observers continue to monitor related addresses. Any future withdrawals could reveal additional links.
The case adds to recent examples of delayed fund movements. It shows how stolen assets can resurface years later.
As of now, $5.4 million has been deposited. Further movements may follow if the attacker continues the activity.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Articoli correlati
AI16Z, ELIZAOS Creators Sued Over $2.6B Fraud Allegations; Token Crashes 99.9% From Peak
Federal class action accuses AI16Z/ELIZAOS of a $2.6B crypto fraud via fake AI claims and deceptive marketing, alleging insider favoritism and a staged autonomous system; seeks damages under consumer protection laws.
Abstract: This report covers a SDNY federal class-action filed April 21 accusing AI16Z and its rebrand ELIZAOS of a $2.6 billion crypto fraud involving fake AI claims and deceptive marketing. The suit alleges a manufactured link with Andreessen Horowitz and a non-autonomous system. It details a peak valuation in early 2025, a 99.9% crash, and about 4,000 losing wallets, with insiders receiving ~40% of new tokens. Plaintiffs seek damages and equitable relief under New York and California consumer-protection laws. Regulators in Korea and major exchanges have warned or suspended related trading.
GateNews1h fa
SlowMist Alerts: Active MacSync Stealer macOS Malware Targeting Crypto Users
SlowMist warns of MacSync Stealer (v1.1.2) for macOS that steals wallets, credentials, keychains, and infra keys, using spoofed AppleScript prompts and fake 'unsupported' errors; urges caution and awareness of IOCs.
Abstract: This report summarizes SlowMist's alert about MacSync Stealer (v1.1.2), a macOS information stealer targeting cryptocurrency wallets, browser credentials, system keychains, and infrastructure keys (SSH, AWS, Kubernetes). It deceives users with spoofed AppleScript dialogs prompting for passwords and visible fake 'unsupported' messages. SlowMist provides IOCs to customers and advises avoiding unverified macOS scripts and remaining vigilant for unusual password prompts.
GateNews2h fa
North Korean Lazarus Group Deploys Mach-O Man Malware to Steal Crypto Wallet Credentials from macOS Users
Lazarus releases Mach-O Man for macOS to steal keychain data and wallet credentials, targeting crypto executives via ClickFix pop-ups and compromised Telegram meetings.
Abstract: The article reports that the Lazarus-linked Mach-O Man malware targets macOS to exfiltrate keychain data, browser credentials, and login sessions to access cryptocurrency wallets and exchange accounts. Distribution relies on ClickFix social engineering and compromised Telegram accounts directing victims to fake meeting links. The piece ties the operation to the April 20 Kelp DAO hack and identifies TraderTraitor as Lazarus-affiliated, noting rsETH movement across blockchains via LayerZero’s OFT standard.
GateNews2h fa
ZachXBT Warns Against Bitcoin Depot ATM Over 44% Bitcoin Markup
ZachXBT warns Bitcoin Depot ATMs impose steep premiums—$25k fiat at $108k/BTC vs ~$75k market (about 44%), leading to ~ $7.5k loss on 0.232 BTC; also notes a $3.26M security breach.
This article summarizes ZachXBT's warnings about Bitcoin Depot's pricing practices and a recent security breach, highlighting risks from inflated rates and security lapses for users.
GateNews4h fa
Privacy Protocol Umbra Shuts Down Frontend to Block Attackers from Laundering Stolen Kelp Funds
Gate News message, April 22 — Privacy protocol Umbra has shut down its frontend website to prevent attackers from using the protocol to transfer stolen funds following recent attacks, including the Kelp protocol breach that resulted in losses exceeding $280 million. Approximately $800,000 in stolen
GateNews6h fa
慢霧 23pds 警示:Lazarus Group 發布針對加密貨幣的新型 macOS 工具包
慢霧首席資訊安全長 23pds 於 4 月 22 日發布警示,稱北韓駭客組織 Lazarus Group 已發布全新原生 macOS 惡意軟體工具包「Mach-O Man」,專門針對加密貨幣行業及高價值企業高管。
MarketWhisper7h fa
