Whale Wallet Drainer Launders $19.4M Through Tornado Cash
Forensic analysis reveals wallet ownership transferred six minutes after creation as attacker continues laundering stolen ETH
By Amoo Jubril
January 6, 2026 at 9:41 PM
Last updated: January 6, 2026 at 9:41 PM

KEY FACTS
- Attacker launders $19.4M through Tornado Cash from $27.3M whale wallet drain while maintaining $9.75M leveraged position on Aave
- Forensic investigation reveals wallet ownership was transferred to attacker just six minutes after creation on November 4, 2025
- Ledger customers face separate data breach through payment processor Global-e, exposing names and contact details
A cybercriminal who drained $27.3 million from a compromised multisig wallet has now laundered $19.4 million through Tornado Cash. Blockchain security firm PeckShield reported the latest movements today.
The attacker withdrew an additional 1,000 ETH worth $3.24 million from Aave before routing it through the crypto mixer. Total deposits to Tornado Cash have reached 6,300 ETH across multiple transactions since the initial theft.
The drainer continues to control the victim’s compromised multisig wallet. This wallet holds a $9.75 million leveraged long position with $20.5 million in ETH collateral against $10.7 million in DAI debt.
Only approximately $2 million in liquid assets remains unlaundered. The attacker has moved swiftly to obscure the stolen funds’ trail since the December 18, 2025, incident first came to light.
Six-Minute Wallet Ownership Transfer Raises Red Flags
Forensic investigators have uncovered troubling details about the wallet’s origins. Yehor Rudytsia, Head of Forensic at Hacken Extractor, conducted an independent investigation into the incident.
His findings suggest total losses may exceed $40 million. Rudytsia identified the first signs of theft dating back to November 4, 2025, weeks before public disclosure.
Screenshots reveal that ownership was transferred to the attacker just six minutes after the multisig’s creation. The victim’s account created the wallet on November 4 at 7:46 am UTC.
The ownership change occurred at 7:52 am UTC. This rapid transfer raises questions about whether the victim ever truly controlled the wallet.
“Very likely the theft actor created this multisig and transferred funds there, then promptly swapped the owner to be himself,” Rudytsia stated.
The compromised wallet had been funded only 44 days before PeckShield’s initial report.
The private key compromise allowed the attacker to seize complete control of the multisig. The drainer has maintained this control while actively managing the leveraged position on Aave.
Ledger Breach Compounds Crypto Security Concerns
Meanwhile, a separate security incident has affected Ledger hardware wallet customers. The company disclosed a data breach through its third-party payment processor Global-e on January 5, 2026.
Blockchain investigator ZachXBT first reported the breach on X. Affected customers received direct email notifications from Global-e regarding unauthorized access.
The breach exposed customer names and contact details. Global-e confirmed the incident affected users who made purchases on Ledger.com through its payment services.
Payment information and cryptocurrency assets were not compromised. Global-e stated it acted quickly to notify affected customers after confirming the unauthorized access.
This marks another security incident for the hardware wallet manufacturer. Ledger previously suffered a major data breach in 2020 that exposed extensive customer information.
That earlier incident led to widespread phishing campaigns targeting hardware wallet users. Criminals used the leaked data to craft convincing scam messages.
The combination of the whale wallet drain and Ledger breach highlights ongoing security challenges in the cryptocurrency ecosystem. Users face threats from both direct wallet compromises and third-party data exposures.
PeckShield continues to monitor the whale wallet drainer’s movements. The attacker’s leveraged position on Aave remains active as investigators track remaining unlaundered funds.
Law enforcement agencies have not publicly commented on either investigation. The use of Tornado Cash significantly complicates efforts to trace and recover the stolen cryptocurrency.
Cryptocurrency security experts recommend users regularly verify wallet ownership settings. They also advise implementing additional security measures beyond standard multisig configurations.
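An added example, not from the original article or from any firm it cites, of the ownership check recommended above: it replays a multisig's owner-change events, flags changes made shortly after creation, and reports owners outside an expected set. The event format, event type names and addresses are assumptions constructed for illustration; only the two timestamps come from the article.

```python
from datetime import datetime, timedelta

# Constructed event log for a hypothetical multisig. The two timestamps mirror
# the article (created 07:46 UTC, owner changed 07:52 UTC on November 4, 2025).
# Addresses and event type names are placeholders, not real on-chain values.
EVENTS = [
    {"ts": "2025-11-04T07:46:00+00:00", "type": "created", "owners": ["0xOWNER_A"]},
    {"ts": "2025-11-04T07:52:00+00:00", "type": "owner_swapped",
     "old": "0xOWNER_A", "new": "0xOWNER_B"},
]

def audit_owners(events, expected_owners, early_window=timedelta(hours=1)):
    """Replay owner events; report early changes and drift from expected owners."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    created_at, owners, early = None, set(), []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "created":
            created_at, owners = ts, set(ev["owners"])
            continue
        if created_at is None:
            raise ValueError("owner change seen before creation event")
        if ev["type"] == "owner_added":
            owners.add(ev["new"])
        elif ev["type"] == "owner_removed":
            owners.discard(ev["old"])
        elif ev["type"] == "owner_swapped":
            owners.discard(ev["old"])
            owners.add(ev["new"])
        else:
            continue  # ignore event types unrelated to ownership
        age = ts - created_at
        if age <= early_window:
            # Record the change type and whole minutes elapsed since creation.
            early.append((ev["type"], int(age.total_seconds() // 60)))
    expected = set(expected_owners)
    return {
        "current_owners": sorted(owners),
        "unexpected_owners": sorted(owners - expected),
        "missing_owners": sorted(expected - owners),
        "early_changes": early,
    }

if __name__ == "__main__":
    print(audit_owners(EVENTS, expected_owners=["0xOWNER_A"]))
```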
