Bunni Hack Fallout Deepens as Attacker Deposits 2,295 ETH Into Tornado Cash

The fallout from the , the decentralized platform hacked in September 2025, deepened this week as on-chain investigators revealed the attacker moved 2,295 ETH (roughly $7.3 million) into Tornado Cash. The development has heightened fears over the securety of crypto funds and intensified calls for stronger decentralized finance (DeFi) security standards.

Bunni confirmed the initial hack earlier, but until now, the destination of the stolen funds was unclear. With the new deposit into Tornado Cash, industry watchers say the chances of recovering those funds or tracing their movement have effectively dropped. This raises the stakes for other protocols and users reliant on on-chain custody and trustless systems.

Bunni Attack Traced to New Funds Routed Through Tornado Cash

Blockchain analytic firms tracking the Bunni incident found that shortly later than the breach, a wallet associated with the hacker to a known Tornado Cash deposit address. This deposit followed a sequence of smaller layering transactions, suggesting an attempt to obfuscate the source and destination of funds before mixing.

Once inside , the funds are likely to be split into multiple fragmented withdrawals and routed across various chains or converted into other assets to significantly complicate recovery efforts. Analysts warn that once mixed, tracing the coins becomes extremely hard, and many victims may never be refunded.

For the wider DeFi ecosystem, the event is a sobering signal that trustless doesn’t always mean secure in crypto, especially if security audits lag or malicious actors exploit obscure vulnerabilities. Protocols that once boasted of “full on-chain transparency” now face growing scrutiny over whether transparency alone can deter or reverse malicious transfers.

Crypto Attacks Shake Market Confidence and Call For DeFi Security Overhaul

The Bunni-Tornado Cash fallout is another reminder of the . Its ripple effect includes a decline in confidence among many investors and token holders in smaller or unaudited DeFi protocols, who have reportedly begun withdrawing funds due to fear. Some liquidity pools tied to older projects have also viewn dramatic liquidity drops as investors flee.

With the rise of DeFi hacks and breaches, there are calls for tighter controls and compliance standards. Regulators and industry groups are increasing demands for mandatory smart contract audits, stricter KYC/AML rules, and stronger later than-theft reporting mechanisms. Some voices even suggest tying DeFi platform licensing to mandatory insurance or bond requirements.

Similarly, mixing services like Tornado Cash are again in the spotlight among skeptics. Analysts say its continued use by attackers could drive fresh regulatory pressure on mixing tools and privacy-enhancing crypto services.

Unless protocols significantly raise their guard, the raid on Bunni may mark the beginning of a tougher chapter for DeFi, where code alone no longer guarantees securety, and attackers exploiting opacity and anonymity keep becoming tools in the hands of malicious actors.