A hacker returned after two years of inactivity and deposited $5.4M in stolen funds into Tornado Cash after swapping DAI for ETH.
An attacker linked to a previous theft has resumed onchain activity after nearly two years of dormancy.
Blockchain data shows stolen funds are now being deposited into Tornado Cash, with movements accelerating over recent days.
Dormant Theft Address Becomes Active Again
The theft address, identified as 0xFe7e039cC5034436C534d5E21A8619A574e206F8, showed no notable activity for almost two years.
This period of inactivity ended when funds began moving again onchain.
Blockchain records indicate the address transferred assets without warning. Observers noted the timing suggested a planned return rather than random movement.
The renewed activity drew attention due to the size of the funds involved. The address had previously been linked to stolen assets.
Funds Shifted From DAI to ETH
According to Specter, before interacting with Tornado Cash, the theft address moved about $5.8 million in DAI.
The transfer went to a newly created wallet. The fresh wallet then swapped the DAI for ETH, changing the asset type before further movement.
The attacker has resumed activity after nearly two years of dormancy and is now depositing stolen funds into Tornado Cash.
A total of $5.4M has been deposited so far.
Prior to this, the theft address transferred $5.8M DAI to a fresh wallet, which was subsequently swapped for… https://t.co/6hZWByeuRQ pic.twitter.com/67vx2CLk6U
— Specter (@SpecterAnalyst) January 26, 2026
Such swaps are often used to prepare funds for privacy tools. ETH is commonly used for Tornado Cash deposits.
After the swap, the ETH balance was broken into smaller portions. These portions were then sent to Tornado Cash contracts.
$5.4M Deposited Into Tornado Cash
Blockchain data shows that about $5.4 million has been deposited into Tornado Cash so far. The deposits followed a clear and repeated pattern.
The attacker sent 100 ETH in twenty separate transactions. Additional deposits included three transfers of 10 ETH.
Smaller deposits were also made. These included eight transfers of 1 ETH and nine transfers of 0.1 ETH.
This pattern is consistent with prior Tornado Cash usage. Such behavior is often meant to blend deposits with others.
The deposits occurred over multiple transactions instead of one large transfer. This approach can complicate transaction analysis.
Related Reading: Hacker Who Stole $282 million Last Week, Launders $63M Via Tornado Cash: CertiK
Onchain Tracking and Current Status
Despite the use of Tornado Cash, parts of the transaction trail remain visible. Analysts can still track deposits and timing patterns.
No withdrawal transactions linked to the attacker have been confirmed yet. The funds remain inside Tornado Cash pools.
The activity suggests a careful and delayed strategy. The long dormancy may have been intended to reduce attention.
Security observers continue to monitor related addresses. Any future withdrawals could reveal additional links.
The case adds to recent examples of delayed fund movements. It shows how stolen assets can resurface years later.
As of now, $5.4 million has been deposited. Further movements may follow if the attacker continues the activity.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
When even I cannot prove that I'm not an AI, forensic experts recommend: set up a secret code with family and friends.
BBC reporter Thomas Germain's experiment shows that AI deepfake technology is now difficult to distinguish, with digital forensics expert Hany Farid claiming it's "finished." Even when experts verify a video's authenticity, people may still doubt it. As AI fraud cases surge, especially in crypto markets, the cost of verifying authenticity is high, while creating doubt has become low-cost. Ultimately, the recommendation is to return to old methods: using cryptographic signatures to enhance trust.
動區BlockTempo37m ago
Distributed Shenbo: Set Bounty to Recover Approximately $42 Million Stolen Three Years Ago
Shen Bo, founder of Distributed Capital, had his personal wallet compromised in November 2022, resulting in losses of approximately $42 million. After three years of tracking, the team has obtained key leads and is publicly soliciting information from those who can provide clues, offering rewards of 10%-20% based on contributions. Approximately $1.2 million in assets has been frozen so far, and the team has expressed gratitude to individuals and teams who have continuously provided assistance.
BlockBeatNews2h ago
Distributed Capital Founder Bo Shen: Lost $42 Million from Personal Wallet Theft in 2022, Now Offering 10%-20% Bounty for Information
Distributed Capital founder Bo Shen recently publicly solicited leads regarding the theft of his personal wallet and established a bounty mechanism. His wallet was compromised in November 2022, resulting in losses of approximately $42 million. The bounty program is open to all individuals and institutions, with reward ratios of 10%-20% of recovered funds.
GateNews2h ago
Google Sets 2029 Target for Post-Quantum Cryptography Migration, Six Years Ahead of Government Goal, Crypto Industry Must Keep Pace
Google announced 2029 as the deadline for completing post-quantum cryptography migration across all products, six years ahead of the U.S. government's 2035 target. Quantum computing poses a threat to current cryptographic methods, with major blockchains adopting different response strategies. The Bitcoin community holds divided views on the risks, while Ethereum plans to provide corresponding protections by 2029. Time is tight, and industry action needs to accelerate.
動區BlockTempo2h ago
Polymarket Suspected Insider Trading: 6 "Mystery Wallets" Bet on US-Iran Ceasefire
Recently, six wallets on Polymarket precisely built positions before the U.S. attack on Iran and profited $1.2 million, then continued betting on Iranian nuclear facilities, and later coordinated a $100,000 bet predicting a U.S.-Iran ceasefire. This series of transactions has raised market concerns about information advantages and highlighted a trust crisis in prediction markets. Changes in market participant behavior reflect worries about insider trading, and the conflict between transparency and anonymity makes it difficult to trace responsibility.
MarketWhisper3h ago
Resolv Foundation suspends Season 4 airdrop claims and RESOLV token staking functions
Gate News: On March 25, Resolv Foundation announced that due to recent security incidents involving Resolv Labs' stablecoin USR, both the protocol and applications have been suspended. Season 4 airdrop claiming functionality is temporarily unavailable, and staking and unstaking functions for RESOLV tokens are also temporarily unavailable. Once the protocol recovery plan is finalized and the application can be safely used again, the relevant functions will be restored.
GateNews14h ago
