TL;DR
- Investigators say a whale lost about $27.3M after a 1-of-1 multisig key was compromised and funds were drained.
- PeckShield traced 41 deposits of 100 ETH each, totaling ~4,100 ETH or $12.6M, through Tornado Cash; about $2M remained liquid.
- Analysts warn the attacker also controls an Aave position with ~$25M in ETH collateral against ~$12.3M in borrowed DAI, and that misconfigurations plus deceptive approvals amplify risk. Specter said total losses could reach $38M.
A cryptocurrency whale has suffered a major wipeout after attackers exploited a misconfigured 1-of-1 multisignature wallet, with investigators putting losses at roughly $27.3 million. A flawed multisig setup became a single point of failure, allowing the drainer to seize control of the signing key, extract assets, and route proceeds through Tornado Cash in 100 ETH batches. Security observers tie the breach to a private key compromise, and the scale of the loss is forcing a sharper conversation about wallet configuration, operational controls, and the real cost of irreversibility on-chain. Analysts say the drain was rapid.
#PeckShieldAlert A whale's Multisig was drained of ~$27.3M due to a private key compromise.
The drainer has laundered $12.6M (4,100 $ETH) via #TornadoCash and retains ~$2M in liquid assets.
The drainer also controls the victim's multisig, which maintains a leveraged long… pic.twitter.com/1Ulk4X7bkl
— PeckShieldAlert (@PeckShieldAlert) December 18, 2025
Investigators map the drain, laundering flow, and control gaps
PeckShield flagged the incident on X, citing on-chain data that shows the stolen funds being funneled through Tornado Cash in standardized chunks. The laundering pattern was systematic and repeatable, with about $12.6 million, or roughly 4,100 ETH, already mixed via 41 deposits of 100 ETH each. PeckShield said the attacker made themselves the sole signatory after taking over the private key, then drained assets and still held around $2 million in liquid balances at the time of reporting, based on observed wallet holdings. The address held ETH, WETH, OKB, TWT, LEO, Fetch and Nexo tokens.

Analysts also highlighted that the attacker appears to control a wallet still holding a large leveraged position on Aave. The compromise is not just theft; it is a live balance-sheet risk, with about $25 million of ETH supplied as collateral against roughly $12.3 million borrowed in DAI. On-chain investigator Specter published a sequence breakdown and said total losses could be closer to $38 million. Specter noted the 1-of-1 multisig was created on April 11, 2025 at 07:48:11, followed by a major outflow at 08:23:23, raising questions about exposure during setup. The exact entry vector remains unclear.
The case is being used to stress-test assumptions about multisig safety. Threshold design and approval hygiene drive real security outcomes, and 1-of-1 configurations remove the core benefit of multi-party authorization. Investigators cited a September incident where an investor lost $3.047 million in USDC after unknowingly approving a malicious contract; the funds were later swapped to ETH and routed through Tornado Cash. SlowMist founder Yu Xian said that case involved a 2-of-4 Safe multisig, with a deceptive contract and a hidden approval inside a routine authorization flow. Yu said the fake contract closely mimicked the address's first and last characters.
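
The two controls named above, threshold design and approval hygiene, can be checked mechanically before funds are deposited or an approval is signed. The sketch below is an added example, not code from the article or from any project it mentions: the function names are hypothetical, every address is a constructed placeholder, and the 4-character head/tail comparison window is an assumption.

```python
# Added example. Addresses are constructed placeholders, not from the incident.
HEX = set("0123456789abcdef")

def norm(addr):
    """Lower-case a 20-byte hex address; reject anything malformed."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def threshold_findings(owners, threshold):
    """Report multisig setups where one key (or none) can move funds."""
    n = len({norm(o) for o in owners})
    if not 1 <= threshold <= n:
        return [f"invalid threshold {threshold} for {n} distinct owner(s)"]
    if n == 1:
        return ["1-of-1: a single key controls the wallet"]
    if threshold == 1:
        return [f"1-of-{n}: any single compromised key can sign alone"]
    return []

def lookalike_of(candidate, trusted, head=4, tail=4):
    """Return the trusted address that `candidate` imitates, else None.
    Imitation = same first/last hex characters, different full address."""
    c = norm(candidate)[2:]
    for t in trusted:
        h = norm(t)[2:]
        if c != h and c[:head] == h[:head] and c[-tail:] == h[-tail:]:
            return t
    return None

def review_approval(spender, trusted):
    """Compare the full spender address before anyone signs an approval."""
    if norm(spender) in {norm(t) for t in trusted}:
        return "allow"
    if lookalike_of(spender, trusted) is not None:
        return "block-lookalike"
    return "manual-review"

TRUSTED = "0xa1b2" + "0" * 32 + "c3d4"   # constructed: known-good spender
FAKE = "0xa1b2" + "f" * 32 + "c3d4"      # constructed: same ends, different middle
OTHER = "0x" + "9" * 40                  # constructed: unrelated address

if __name__ == "__main__":
    print(threshold_findings([TRUSTED], 1))
    print(threshold_findings([TRUSTED, FAKE, OTHER], 2))
    for spender in (TRUSTED, FAKE, OTHER):
        print(spender, review_approval(spender, [TRUSTED]))
```

A sound threshold does not cover the second case: a 2-of-4 wallet passes `threshold_findings` yet can still sign an approval to a look-alike spender, which is why the two checks are separate.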