PeckShield Flags $27.3M Multi-Sig Wallet Exploit Linked to Tornado Cash

PeckShield, a blockchain security firm, has reported a major crypto theft. It involves a compromised multi-signature wallet. According to its on-chain observation, a hacker gained control of the wallet and drained assets worth about $27.3 million.

#PeckShieldAlert The multisig drainer who stole $27.3M from a compromised wallet has withdrawn 1K $ETH ($3.24M) from #Aave and laundered it via #TornadoCash.

They have deposited a total of 6,300 $ETH ($19.4M) to #TornadoCash so far

The drainer, who controls the compromised… pic.twitter.com/zYjuY9jGw7

— PeckShieldAlert (@PeckShieldAlert) January 6, 2026

The attack came to light after unusual fund movements appeared on-chain. PeckShield said the attacker did not simply move the funds once. Instead, the wallet was used in multiple steps. Which suggests the hacker had full control rather than brief access.

Funds Moved Through Aave and Tornado Cash

After taking control of the wallet. The attacker moved part of the stolen assets into the DeFi ecosystem. PeckShield reported that the hacker withdrew 1,000 ETH. It is worth roughly $3.24 million from Aave. Soon after, those funds were sent to Tornado Cash. 

Tornado Cash is a privacy tool that breaks the on-chain link between deposits and withdrawals. Because of this, it is often used to hide the origin of funds after hacks. According to PeckShield, the attacker has already deposited 6,300 ETH into Tornado Cash. That is almost $19.4 million at current pricing. This means the majority of the stolen cash is already being laundered.

Leveraged Positions Add More Risk

In addition to moving funds, the hacker is also taking market risk. PeckShield said the attacker currently holds leveraged long positions worth about $9.75 million. These positions include around $20.5 million in ETH against roughly $10.7 million in borrowed DAI.

This behavior shows that the attacker is actively trading, not just hiding funds. However, leveraged positions carry liquidation risk. If prices move sharply, the hacker could lose part of the stolen assets to margin calls. Still, this does not reduce the damage already done to the wallet’s original owners.

What the Incident Highlights

The exploit adds to growing concerns around multi-signature wallet security. Developers design these wallets to reduce risk by requiring multiple approvals. However, compromised key holders or signing systems can undermine this protection. PeckShield did not disclose how the attacker breached the wallet. In many past cases, similar attacks involved leaked private keys, social engineering or compromised signing services. Investigations often take time. Especially when funds pass through privacy tools.

The use of Tornado Cash also raises legal and compliance issues. Several jurisdictions already restrict or monitor interactions with mixing services. Once funds enter these protocols, recovery becomes far more difficult. Currently, PeckShield continues to track the attacker’s addresses. The firm urged users and protocols to stay alert and review wallet security setups. The incident serves as another reminder that even advanced wallet designs require strong operational security.