Attacker Seizes Whale’s Multisig in Minutes, Starts Draining $40M in Stages
A crypto attacker gained control of a whale’s multisig wallet minutes after its creation, stealing an estimated $27.3–$40 million due to a private key compromise. The attacker laundered at least $12.6 million through Tornado Cash, retains about $2 million in liquid assets, and holds a leveraged long position on Aave. Evidence suggests the attacker may have created the multisig wallet and transferred ownership to themselves almost immediately, rather than compromising an existing wallet. The theft started as early as November 4 and has involved a patient series of fund movements and laundering. Around $25 million remains in assets still controlled by the attacker. The wallet, configured as “1-of-1,” lacked real multisig security. Attack vectors could include malware, phishing, or poor key management. Experts recommend isolating signing devices and verifying transactions carefully. Separately, recent research shows leading AI models can autonomously generate profitable smart contract exploits, successfully uncovering unknown vulnerabilities and producing exploits exceeding the costs of their creation.
