Blockchain security firm CertiK said it had traced roughly $63M in deposits to Tornado Cash that were tied to a $282M wallet compromise on Jan. 10. The firm published its findings on Jan. 19, 2026 after on-chain monitoring revealed a multi-step laundering chain.
Investigators attributed the initial loss to a targeted social-engineering scheme. Blockchain researcher ZachXBT reported that the attacker impersonated wallet support and persuaded the victim to reveal the seed phrase, which provided full access to the account that held the large BTC and LTC balances.
Once access was obtained, the attacker moved funds quickly across chains and services to reduce traceability. CertiK’s timeline showed immediate conversion and cross-chain activity aimed at dispersing the proceeds into multiple on-chain addresses.
Laundering chain, mitigation and expert view
CertiK’s forensic mapping identified several distinct steps: at least 686 BTC was bridged to Ethereum and converted into roughly 19,600 ETH that landed in a single Ethereum address, then fragmented across many intermediaries. From those addresses, several hundred ETH at a time were forwarded in hops and a tranche valued at about $63M was deposited into Tornado Cash, the report said.
Security analysts described the pattern as an established laundering playbook. Marwan Hachem, CEO of security firm FearsOff, called the use of cross-chain swaps, THORswap-like bridges and the subsequent breakdown into ~400 ETH chunks “textbook” and warned that Tornado Cash functioned as “a major kill switch for traceability,” noting recovery chances fall sharply after mixer deposits.
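The pattern the report describes (a single hub address fanning a bridged balance out into near-uniform chunks, then forwarding those chunks over several hops until some reach a mixer) is the kind of structure an on-chain monitoring rule can flag before the mixer deposit lands. The following is an added illustration, not CertiK's or FearsOff's code: it runs two heuristics over a constructed transfer ledger, first finding senders whose outgoing transfers cluster around one chunk size, then breadth-first tracing forward from each such hub to see whether a labelled address on a watchlist is reachable within a few hops. All addresses (0xHUB, 0xMIXER and the rest), the amounts and the tolerance values are made up for the example; a real deployment would read transfers from a node or indexer and use a curated watchlist.

```python
from collections import defaultdict, deque
from statistics import median

# Hypothetical watchlist of mixer deposit addresses (constructed label, not a real contract).
MIXER_ADDRESSES = {"0xMIXER"}

# Constructed sample ledger, not real chain data: (tx_index, sender, receiver, amount_eth).
# 0xHUB receives one large bridged-in balance, peels it into ~400 ETH chunks to
# intermediaries, which forward onward; one branch reaches the watchlisted address.
SAMPLE_TRANSFERS = [
    (1, "0xBRIDGE", "0xHUB", 19600.0),
    (2, "0xHUB", "0xI1", 400.0),
    (3, "0xHUB", "0xI2", 398.5),
    (4, "0xHUB", "0xI3", 401.2),
    (5, "0xHUB", "0xI4", 400.0),
    (6, "0xHUB", "0xI5", 399.0),
    (7, "0xI1", "0xJ1", 400.0),
    (8, "0xJ1", "0xMIXER", 100.0),
    (9, "0xJ1", "0xMIXER", 100.0),
    (10, "0xI2", "0xJ2", 398.5),
    (11, "0xSHOP", "0xCUST", 0.5),  # ordinary unrelated payment, must not alert
]


def find_fan_out_hubs(transfers, min_outputs=4, tolerance=0.05):
    """Return {sender: (n_uniform_outputs, median_chunk)} for senders with at least
    `min_outputs` outgoing transfers sized within `tolerance` of their median."""
    outgoing = defaultdict(list)
    for _, src, _, amt in transfers:
        outgoing[src].append(amt)
    hubs = {}
    for src, amounts in outgoing.items():
        if len(amounts) < min_outputs:
            continue
        med = median(amounts)
        uniform = [a for a in amounts if abs(a - med) <= tolerance * med]
        if len(uniform) >= min_outputs:
            hubs[src] = (len(uniform), med)
    return hubs


def hops_to_flagged(transfers, start, flagged, max_hops=5):
    """Breadth-first walk forward along transfers from `start`.
    Returns {flagged_addr: (hop_count, path)} for watchlisted addresses reachable
    within `max_hops`; the path is the first (shortest) route found."""
    graph = defaultdict(set)
    for _, src, dst, _ in transfers:
        graph[src].add(dst)
    seen = {start}
    queue = deque([(start, 0, [start])])
    hits = {}
    while queue:
        node, depth, path = queue.popleft()
        if node in flagged:
            hits[node] = (depth, path)
            continue  # no need to walk past a watchlisted address
        if depth == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1, path + [nxt]))
    return hits


def alerts(transfers, flagged=MIXER_ADDRESSES):
    """Combine both heuristics: a fan-out hub whose chunks reach a watchlisted
    address within a few hops is the peel-and-mix shape worth escalating."""
    out = []
    for hub, (n, size) in find_fan_out_hubs(transfers).items():
        for addr, (hops, path) in hops_to_flagged(transfers, hub, flagged).items():
            out.append({"hub": hub, "chunks": n, "chunk_size": size,
                        "flagged": addr, "hops": hops, "path": path})
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_TRANSFERS):
        print(alert)
```

On the constructed ledger the hub heuristic reports 0xHUB with five chunks around 400 ETH, and the forward trace reaches the watchlisted address in three hops via 0xI1 and 0xJ1; the unrelated 0.5 ETH payment never appears. The tolerance is deliberately loose because the report's chunks were "~400 ETH", not identical, and in practice the alert is only as good as the watchlist and the completeness of the transfer feed behind it.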
Some recovery work did succeed: security firm ZeroShadow reported that about $700,000 of the stolen funds were identified and frozen early in the sequence, but the bulk of assets were routed beyond practical reach once fragmentation and privacy tools were in play. CertiK also noted swaps into other privacy-focused assets coincided with market moves such as a Monero price surge on Jan. 14.
The episode underlines how human-targeted breaches combine with automated on-chain obfuscation to frustrate recovery. Market participants and compliance teams will watch how further tracing, freezes and any legal actions proceed, because additional recoveries or law-enforcement disruptions could change the calculus for how quickly mixed funds become irrecoverable.
