A major Ethereum whale has suffered a catastrophic loss after a private key compromise rendered a multisignature wallet effectively useless, allowing an attacker to drain roughly $27.3 million in crypto assets and begin laundering the proceeds through Tornado Cash.
The incident, first flagged by blockchain security firm PeckShield, has sent fresh shockwaves through the DeFi community and renewed concerns around wallet setup practices, key management, and the hidden risks tied to active on-chain positions.
“A whale’s Multisig was drained of ~$27.3M due to a private key compromise,” PeckShield wrote in an alert on X.
“The drainer has laundered $12.6M (4,100 ETH) via Tornado Cash and retains ~$2M in liquid assets.”
Key Takeaways
- A misconfigured 1-of-1 multisig turned a security tool into a single point of failure once the private key was compromised.
- Control of a wallet tied to live DeFi positions can magnify losses far beyond the initial fund drain.
- The structured use of Tornado Cash shows that many high-value crypto thefts are planned operations, not impulsive attacks.
- Most major losses in crypto stem from key management and approval errors rather than flaws in blockchain protocols.
How a Multisig Became a Single Point of Failure
Multisignature wallets are widely viewed as a safer alternative to single-key wallets, especially for large holders. They are designed to require multiple approvals before funds can be moved. In this case, however, that protection failed entirely.
On-chain investigators later revealed that the wallet was configured as a 1-of-1 multisig. That setup meant only one signature was required to authorize transactions, eliminating the redundancy that gives multisigs their security edge. Once the private key was compromised, the attacker gained full control.
According to on-chain investigator Specter, the multisig wallet was created on April 11, 2025, at 07:48:11 UTC. Just 35 minutes later, at 08:23:23, a massive outflow occurred from the main signing address.
The speed of the drain suggests the key may have been exposed during wallet setup, possibly through an insecure tool, a poisoned download, or third-party assistance that turned out to be malicious.
Systematic Draining and On-Chain Laundering

Blockchain data shows that the attacker did not rush to exit in a single transaction. Instead, the funds were moved in a structured pattern that points to deliberate laundering rather than panic selling.
Roughly 4,100 ETH, valued at about $12.6 million at the time, was sent through Tornado Cash in batches of 100 ETH. In total, the attacker executed 41 separate transfers, a method commonly used to reduce traceability and avoid drawing immediate attention from automated monitoring systems.
Etherscan-linked traces show the address, partially identified as 0x1fCf…367d23Ac, repeatedly interacting with Tornado Cash while retaining control of additional assets.
Beyond ETH, the wallet still holds tokens including Wrapped Ether, OKB, Trust Wallet Token, Bitfinex LEO, Fetch, and Nexo. PeckShield estimates that around $2 million in liquid assets remain under the attacker’s control.
The Aave Position That Raised the Stakes
What makes this breach more dangerous than a standard wallet drain is what the attacker gained access to after the initial theft. PeckShield confirmed that the compromised multisig still controls a large live position on Aave.
“The drainer also controls the victim’s multisig, which maintains a leveraged long,” PeckShield noted.
The wallet reportedly holds about $25 million worth of ETH supplied as collateral, against approximately $12.3 million in DAI borrowed. Control over this position turns the incident from a simple theft into an ongoing risk event.
With signing authority over the multisig, the attacker can withdraw collateral, adjust borrow parameters, or intentionally push the position toward liquidation. Any sudden move could have ripple effects, not just for the victim, but also for the DeFi protocols involved if liquidations occur under stressed market conditions.
This highlights a key issue for advanced DeFi users: wallets are no longer just storage tools. They are control centers for complex financial positions. When access is lost, the damage can extend well beyond the assets already stolen.
Signs of a Broader Compromise
On-chain analysts also observed the attacker interacting with contracts related to ownership and control, suggesting the breach went deeper than a single unauthorized transfer. This reinforces concerns that the private key was fully exposed rather than temporarily misused.
Security firms point out that even when users distribute signing keys across devices or locations, they remain vulnerable to phishing attacks, malware, SIM swaps, compromised backups, and malicious transaction approvals. In multisig environments, a single weak link can undermine the entire setup.
A Whale Already Under Pressure
Additional context from Onchainlens shows that the whale had already been struggling before the attack. In May, the same wallet reportedly suffered losses after withdrawing more than 2,500 ETH from OKX and transferring the funds to Kiln Finance.
By July, the whale had staked a total of 9,918 ETH, valued at roughly $22.5 million at the time, earning only 105.5 ETH in staking rewards. Even before the hack, the address was estimated to be down about $4.26 million overall.
The breach effectively wiped out any chance of recovery, turning an already difficult position into one of the largest individual losses of the year.
Not an Isolated Case
This incident fits a broader pattern of high-value crypto thefts that rely less on protocol bugs and more on user-side failures. In a separate case earlier this year, an unknown investor lost more than $3 million after unknowingly approving a malicious contract. Those funds were also converted to ETH and routed through Tornado Cash.
These attacks underline a hard truth in crypto security: most losses do not come from broken blockchains, but from compromised keys, poor wallet configurations, and deceptive approvals.
Lessons From a $27 Million Mistake
The takeaway from this breach is not that multisig wallets are unsafe, but that they are only as strong as their configuration and key hygiene. A 2-of-3 or 3-of-5 multisig dramatically reduces the risk of total loss from a single compromised key. A 1-of-1 multisig does not.
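The threshold arithmetic behind this point, as an added example that is not part of the original article: it decodes ABI-encoded owner and threshold values and reports how many keys an attacker needs and how many the owner can afford to lose. It assumes a Safe-style contract exposing getOwners() and getThreshold() (the article does not name the wallet implementation), and all addresses and thresholds are constructed sample values.

```python
# Added example (not from the article). Assumption: a Safe-style multisig whose
# getOwners() and getThreshold() results were fetched via eth_call as ABI hex.

def _words(hexdata: str) -> list[bytes]:
    raw = bytes.fromhex(hexdata.removeprefix("0x"))
    if not raw or len(raw) % 32:
        raise ValueError("ABI data must be a non-empty multiple of 32 bytes")
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]

def decode_owners(hexdata: str) -> list[str]:
    """Decode an ABI-encoded address[] return value."""
    words = _words(hexdata)
    offset = int.from_bytes(words[0], "big")
    if offset % 32 or offset // 32 >= len(words):
        raise ValueError("bad array offset")
    head = offset // 32
    count = int.from_bytes(words[head], "big")
    body = words[head + 1:head + 1 + count]
    if len(body) != count or any(any(w[:12]) for w in body):
        raise ValueError("truncated array or non-zero address padding")
    return ["0x" + w[12:].hex() for w in body]

def audit_multisig(owners_hex: str, threshold_hex: str) -> dict:
    """Report the m-of-n scheme and what it means for key compromise and loss."""
    owners = set(decode_owners(owners_hex))  # duplicates add no redundancy
    (word,) = _words(threshold_hex)          # exactly one uint256 expected
    m, n = int.from_bytes(word, "big"), len(owners)
    if not 1 <= m <= n:
        raise ValueError(f"invalid threshold {m} for {n} owners")
    findings = []
    if m == 1:
        findings.append("one compromised key is enough to move all funds")
    if m == n:
        findings.append("losing any one key locks the funds")
    return {"scheme": f"{m}-of-{n}", "keys_to_compromise": m,
            "keys_can_be_lost": n - m, "findings": findings}

def encode_owners(addrs: list[str]) -> str:
    """Build constructed sample input: ABI encoding of address[]."""
    parts = [(32).to_bytes(32, "big"), len(addrs).to_bytes(32, "big")]
    parts += [bytes(12) + bytes.fromhex(a[2:]) for a in addrs]
    return "0x" + b"".join(parts).hex()

# Constructed owner addresses and thresholds, not taken from the incident.
KEYS = ["0x" + f"{i:02x}" * 20 for i in (0x11, 0x22, 0x33)]
ONE_OF_ONE = audit_multisig(encode_owners(KEYS[:1]), "0x" + "00" * 31 + "01")
TWO_OF_THREE = audit_multisig(encode_owners(KEYS), "0x" + "00" * 31 + "02")

if __name__ == "__main__":
    print(ONE_OF_ONE)
    print(TWO_OF_THREE)
```

A 1-of-1 wallet trips both findings at once: a single stolen key drains it and a single lost key locks it, while the 2-of-3 sample reports no findings.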
For large holders and DeFi power users, the incident is a reminder to treat wallet setup with the same care as institutional custody. That includes using trusted tools, verifying software sources, isolating signing devices, and understanding exactly what each approval allows.
As PeckShield’s findings make clear, once an attacker can sign transactions, speed becomes the enemy of recovery. And when that access includes live DeFi positions, the fallout can escalate far beyond the initial theft.
The $27.3 million loss is now effectively locked behind Tornado Cash, with little chance of recovery. What remains is a costly case study in how a single compromised key can undo even the appearance of strong security.

