Key Insights:
- CertiK linked about $63M in Tornado Cash deposits to the $282M wallet compromise on Jan. 10.
- At least 686 BTC was bridged to Ethereum and converted into about 19,600 ETH, then split across wallets.
- The hack was tied to a seed phrase theft, with the wallet holding about 1,459 BTC and over 2M Litecoin.
Blockchain security firm CertiK has linked roughly $63 million in crypto deposits routed through Tornado Cash to a major $282 million wallet compromise that occurred on Jan. 10. The firm said its monitoring systems detected interactions with the privacy mixer that matched the post-theft movement of funds.
The incident has drawn close attention due to the scale of the loss and the speed at which assets were moved.
CertiK Tracks Cross-Chain Swaps From Bitcoin to Ether
CertiK reported that a portion of the stolen Bitcoin was bridged to Ethereum before being converted into Ether. The firm said at least 686 BTC was moved through cross-chain swaps, resulting in about 19,600 ETH arriving in a single Ethereum address. From there, the Ether was divided across multiple wallets in smaller batches.
The split pattern involved sending several hundred ETH onward from each address before the funds entered Tornado Cash. CertiK described the Tornado Cash deposits as directly tied to the exploit, with the $63 million figure representing only part of the total stolen value.
Even so, the traced flow provides a clear view of how the attacker handled the funds after the initial compromise.

By moving from Bitcoin to Ether and then fragmenting the holdings across multiple addresses, the attacker created additional steps between the theft and the final mixer deposits. Each step added more transactions for investigators to track, while the mixer transfer reduced the ability to follow the funds using standard blockchain tracing tools.
Tornado Cash Deposits Reduced Traceability
CertiK’s findings align with laundering methods often seen after large crypto thefts that begin on one chain and move to another. Marwan Hachem, CEO of blockchain security firm FearsOff, said the flow resembles established tactics used in cross-chain thefts involving Bitcoin and Litecoin. He noted that the attacker used THORswap for Bitcoin-to-Ether conversions and then broke the assets into chunks of around 400 ETH.
After the funds reached Tornado Cash, tracing became far more difficult. Mixers are designed to blend deposits from many sources, making it harder to map an outgoing transaction to an incoming one.
In cases where large amounts are split into many smaller transactions before entering a mixer, investigators must review a wider set of addresses and transfers before the trail becomes unclear.
CertiK’s tracking suggests the Tornado Cash deposits were not random movements but part of a deliberate process meant to disrupt the transaction history. However, $63 million is only a fraction of the reported $282 million compromise.
Seed Phrase Theft Enabled Full Wallet Control
Investigators have linked the Jan. 10 incident to a social engineering attack rather than a smart contract flaw or protocol exploit. Blockchain investigator ZachXBT previously reported that the attacker impersonated wallet support staff and tricked the victim into revealing a seed phrase. With the seed phrase, the attacker gained full access and took control of the wallet’s holdings.
Reports tied to the case said the compromised address held about 1,459 BTC and more than 2 million Litecoin at the time of the attack. After gaining control, the attacker moved the assets through swaps and transfers across chains, converting Bitcoin to Ether before dispersing it into Tornado Cash.
A separate security firm, ZeroShadow, previously stated that about $700,000 of the stolen funds was flagged and frozen early in the laundering process. However, most of the funds were moved quickly across wallets and platforms before compliance actions could limit further transfers.
The wallet compromise has remained under scrutiny from multiple security teams due to its scale and the clear use of structured laundering steps. CertiK’s update expands the public picture of how the funds were handled after the theft, including the bridge-to-Ethereum conversion and the staged transfers into Tornado Cash.

Moses K is a crypto journalist covering markets, regulation, and blockchain trends. He has written for The Coin Republic, Coinchapter, Cryptopolitan, Cryptotale, Coinspeaker, and MPost. Known for his concise, data-driven reporting, Moses focuses on price analysis, on-chain metrics, and policy developments shaping the global digital asset landscape.

