Whale Loses $40M After Attacker Hijacks Multisig Wallet Within Minutes


What Happened to the Whale’s Wallet?
A multisig wallet belonging to a crypto whale has been drained over the past six weeks after an attacker seized control minutes after the wallet was created, according to new onchain analysis. PeckShield reported Thursday that roughly $27.3 million had been taken, with the attacker already laundering about $12.6 million — around 4,100 ETH — through Tornado Cash. The attacker also kept roughly $2 million in liquid assets and still controls a leveraged long position on Aave.
However, new findings from Hacken Extractor forensic lead Yehor Rudytsia suggest the total losses exceed $40 million and that the compromise began immediately. He told Cointelegraph the wallet labeled as belonging to the victim “may never have been meaningfully controlled by the victim.” Onchain records show the multisig was created on Nov. 4 at 7:46 am UTC; six minutes later, ownership shifted to the attacker.
“Very likely the theft actor created this multisig and transferred funds there, then promptly swapped the owner to be himself,” Rudytsia said.
How Did the Attacker Move Funds Without Detection?
After taking control, the attacker moved slowly. Tornado Cash deposits began on Nov. 4 with 1,000 ETH and continued in smaller batches through mid-December. Rudytsia estimates about $25 million remains in the multisig still controlled by the attacker. The wallet setup raised further concerns: it was configured as a “1-of-1” multisig — offering no protection beyond a standard wallet.
“That is not a multisig conceptually,” Rudytsia said, noting the configuration undermined any assumption of additional security.
Hacken DApp auditor Abdelfattah Ibrahim said several attack routes remain plausible. Malware or infostealers could have captured keys; phishing flows may have tricked the user into approving transfers; or the operator may have used insecure practices such as storing keys in plaintext or signing from a compromised device.
“Preventing this would involve isolating signing devices as cold devices and verifying transactions beyond the UI,” Ibrahim said.
Why Is This Attack Different From Usual Multisig Compromises?
Most multisig exploits stem from signer key leakage or governance failures. In this case, the attacker may have been the first — and only — controlling party from the moment the multisig appeared onchain. By staging withdrawals and laundering in phases, the attacker avoided triggering alerts tied to bulk drains. The patient movement of funds also hints at a deliberate plan rather than an opportunistic theft.
PeckShield’s public reports show a clear laundering pattern: deposits into Tornado Cash spread across days, with sizes decreasing over time. The multi-week horizon helped the attacker hide movement inside regular mixer flows.
If Rudytsia’s assessment is correct, the whale unknowingly sent funds into a wallet already controlled by the attacker. That would place the theft closer to a social engineering or pre-staged infrastructure attack than a breach of an established multisig.
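The three warning signs described above (an owner swap minutes after creation, a 1-of-1 configuration, and mixer deposits staged over weeks) can be checked mechanically from a wallet's event history. The following monitor is an added illustration, not code from PeckShield, Hacken or the article; the event model, labels and timeline are constructed and simplified, and the dates assume 2025 for the Nov. 4 creation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, simplified event model for one wallet (not real chain data).
@dataclass
class Event:
    ts: datetime
    kind: str              # "created", "owner_swap", "transfer"
    data: dict = field(default_factory=dict)

def audit_multisig(events, swap_window=timedelta(minutes=10), mixer_days=3):
    """Return a list of risk findings for one wallet's event history."""
    events = sorted(events, key=lambda e: e.ts)
    findings, created_at, owners, threshold = [], None, set(), None
    for e in events:
        if e.kind == "created":
            created_at, owners, threshold = e.ts, set(e.data["owners"]), e.data["threshold"]
        elif e.kind == "owner_swap":
            owners.discard(e.data["old"])
            owners.add(e.data["new"])
            # An owner change right after deployment suggests the deployer was never the real owner.
            if created_at is not None and e.ts - created_at <= swap_window:
                mins = int((e.ts - created_at).total_seconds() // 60)
                findings.append(f"owner swapped {mins} min after creation")
    # A 1-of-1 setup is a single key behind a proxy contract, not a real multisig.
    if threshold == 1 or len(owners) == 1:
        findings.append(f"{threshold}-of-{len(owners)} setup gives no multisig protection")
    # Mixer deposits staged across many days look like deliberate laundering rather than a bulk drain.
    mixer = [e for e in events if e.kind == "transfer" and e.data.get("to_label") == "mixer"]
    days = {e.ts.date() for e in mixer}
    if len(days) >= mixer_days:
        findings.append(f"{len(mixer)} mixer deposits spread over {len(days)} days")
    return findings

def sample_events():
    """Constructed timeline modelled on the article: created, owner swapped six minutes later, drained in batches."""
    t0 = datetime(2025, 11, 4, 7, 46)  # assumed year; article gives only Nov. 4, 7:46 am UTC
    return [
        Event(t0, "created", {"owners": ["0xVICTIM"], "threshold": 1}),
        Event(t0 + timedelta(minutes=6), "owner_swap", {"old": "0xVICTIM", "new": "0xATTACKER"}),
        Event(t0 + timedelta(hours=5), "transfer", {"to_label": "mixer", "eth": 1000}),
        Event(t0 + timedelta(days=16), "transfer", {"to_label": "mixer", "eth": 500}),
        Event(t0 + timedelta(days=36), "transfer", {"to_label": "mixer", "eth": 200}),
    ]

if __name__ == "__main__":
    for finding in audit_multisig(sample_events()):
        print("ALERT:", finding)
```

A real deployment would feed the same logic from decoded owner-management and transfer events of the wallet contract and from an address-labelling source for mixers.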
AI Models Now Showing Exploit-Capable Behavior
The case lands as researchers test how AI systems interact with . A recent study by Anthropic and the Machine Learning Alignment & Theory Scholars found that leading models — Claude Opus 4.5, Claude Sonnet 4.5 and GPT-5 — already generate profitable exploits under controlled conditions.
In one test, the models produced a set of exploits worth $4.6 million. In another, Sonnet 4.5 and GPT-5 scanned nearly 2,850 recently launched smart contracts with no known flaws. The models uncovered two zero-day vulnerabilities and generated exploits worth $3,694 — slightly above the $3,476 API cost used to run them.
The findings suggest autonomous exploitation is technically possible using publicly available AI systems, a shift that will likely raise pressure on to automated reconnaissance and exploit-generation tools.
Whether the whale theft involved automation is unknown, but the multi-stage draining process and patient execution highlight how attackers are adapting to onchain monitoring and tooling.