CertiK links $63M Tornado Cash flows to $282M Crypto theft

New Laundering Activity Identified

Blockchain investigators have identified new laundering activity connected to the $282 million cryptocurrency wallet compromise that occurred on January 10. A significant portion of the stolen funds has now been traced to Tornado Cash, according to blockchain security firm CertiK.

In a post shared on X on Monday, CertiK stated that its on-chain monitoring systems detected Tornado Cash deposits totaling roughly $63 million that can be traced back to wallets linked to the January 10 exploit.

#CertiKInsight 🚨

We have detected Tornado Cash deposits that trace to the alleged wallet compromise on Jan 10th that cost over $282M.

Part of the fund (~$63M) was bridged to 0xF73a4EbC3d0984F166AC215471Cc895cB4F5cc21 before further laundering.

Stay Vigilant! pic.twitter.com/byzRmjoeZR
— CertiK Alert (@CertiKAlert) January 19, 2026

This finding adds another layer to the complex laundering trail surrounding one of the largest crypto thefts recorded this year.

Tracing the Funds

CertiK noted that part of the stolen funds, estimated at around $63 million, was first bridged to the Ethereum address 0xF73a4EbC3d0984F166AC215471Cc895cB4F5cc21. From there, the funds were routed through Tornado Cash.

Privacy mixers like Tornado Cash are frequently used by attackers to obscure transaction histories. This practice makes it significantly more difficult for investigators and law enforcement agencies to track and recover stolen assets.

Post-Theft Activity and Investigation

The latest update expands on earlier findings related to the post-theft movement of funds. Shortly after the January 10 compromise, attackers rapidly shifted assets across multiple chains and platforms. This activity triggered heightened scrutiny from on-chain analysts due to both the scale of the loss and the speed of execution.

Investigators have previously reported conversions into privacy-focused assets and cross-chain transfers as part of an aggressive laundering strategy.

The January 10 incident remains under close observation by several blockchain intelligence firms and independent crypto investigators. The theft has drawn particular attention because it appears to involve a wallet compromise rather than a protocol-level exploit. This underscores ongoing risks related to key management and social engineering attacks.

CertiK stated that it continues to monitor wallet activity associated with the exploit and is sharing its findings with the broader security community.

As funds move through mixers and cross-chain bridges, analysts warn that recovery becomes increasingly challenging. This highlights the importance of real-time monitoring and coordinated response efforts.

The case adds to renewed regulatory and industry debate around privacy tools such as Tornado Cash, which remain controversial due to their repeated use in high-profile laundering cases linked to major crypto thefts.