How this millionaire crypto hacker continues to freely cash out a year later
Think of it as the slow, polite bank robbery: not a dramatic vault smash but a series of perfectly timed, boring-looking moves that add up to a multi-million-dollar vanishing act. One year after a high‑stakes exploit drained tens of millions from cross‑chain lending pools, the person behind it keeps shrinking the loot into manageable, hard-to-trace pieces and nudging them through privacy tools — patiently, politely, and annoyingly effectively.
What actually happened (in plain English)
Mid‑October of the breach year, a set of lending pools on two different networks were emptied of roughly $50–$58 million. The technical root wasn’t a sexy code bug; it was operational: someone got the right approvals at the right time. A multi‑signature setup that required a subset of signers to agree ended up being a large attack surface — more signers meant more chances for a bad actor to trick or compromise one of them.
After the initial hit, the attacker didn’t sprint for the exits. Funds hopped between chains into the place where liquidity is deepest, converted into the most portable token, then flowed into a mixer in carefully sized chunks. Over many months we saw repeated waves — small deposits that match mixer norms, bridge hops from layer‑2 networks, swaps to consolidate balances, then timed mixer entries. The on‑chain moves look like someone minimizing noise and maximizing optionality: slow, steady, and annoyingly methodical.
How the teardown playbook works — and why it still works
The playbook is basically: concentrate value into the busiest chain, convert to the token easiest to move, break it into standard sizes, and let time and obscurity do the rest. Standard denomination batching is clever: it makes each piece look ordinary and raises the computational cost for anyone trying to stitch all the fragments back together.
Investigators and compliance teams aren’t helpless. They cluster addresses by unusual gas use, shared timing, and withdrawal patterns. They watch for peel chains (small withdrawals that fan out, then reconverge). But legal and technical realities create gaps — courts have sent mixed signals about liability and how far enforcement can reach into privacy tools, so exchanges focus more on behavior than blanket bans. That leaves a gray zone where patient actors can still move value with some confidence.
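The gas-and-timing clustering described above can be sketched in a few lines. This is an added example, not code from the article or from any investigator's tooling; the denominations, the one-hour window, the gas-share threshold, the field names and the sample deposits are all constructed assumptions.

```python
from collections import defaultdict

# Assumed values: the article names no mixer, pool sizes or thresholds.
STANDARD_DENOMS = {0.1, 1.0, 10.0, 100.0}  # hypothetical mixer pool sizes
WINDOW_SECS = 3600       # deposits within an hour count as "shared timing"
COMMON_GAS_SHARE = 0.25  # a gas price on >25% of deposits is no fingerprint

# Constructed sample: 16 unrelated deposits at a common gas price, plus a
# handful that share an unusual one.
DEPOSITS = [{"addr": f"0xB{i}", "ts": 1000 + 60 * i, "gas_gwei": 30.0,
             "amount": 1.0} for i in range(16)] + [
    {"addr": "0xA1", "ts": 1000, "gas_gwei": 23.417, "amount": 100.0},
    {"addr": "0xA2", "ts": 1900, "gas_gwei": 23.417, "amount": 100.0},
    {"addr": "0xA3", "ts": 4000, "gas_gwei": 23.417, "amount": 10.0},
    {"addr": "0xC1", "ts": 1500, "gas_gwei": 23.417, "amount": 7.3},     # odd size
    {"addr": "0xD1", "ts": 90000, "gas_gwei": 23.417, "amount": 100.0},  # a day later
]

def cluster_depositors(deposits):
    """Return sets of 2+ addresses linked by an unusual shared gas price and
    standard-denomination deposits made within WINDOW_SECS of each other."""
    std = [d for d in deposits if d["amount"] in STANDARD_DENOMS]
    by_gas = defaultdict(list)
    for d in std:
        by_gas[d["gas_gwei"]].append(d)

    parent = {}  # union-find over addresses
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for group in by_gas.values():
        if len(group) / len(std) > COMMON_GAS_SHARE:
            continue  # too common to distinguish one operator from the crowd
        group.sort(key=lambda d: d["ts"])
        for prev, cur in zip(group, group[1:]):
            if cur["ts"] - prev["ts"] <= WINDOW_SECS:
                parent[find(prev["addr"])] = find(cur["addr"])

    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return sorted((c for c in clusters.values() if len(c) > 1), key=sorted)

if __name__ == "__main__":
    print(cluster_depositors(DEPOSITS))
```

A cluster produced this way is a lead for an analyst to review, not attribution: the link rests on a gas setting and a time window, both of which unrelated users can share by coincidence.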
So until the rails change — meaning bridges get stricter, mixers become unusable for laundering at scale, or legal pressure tightens — the same playbook remains effective. The defensive checklist is obvious: fewer signers with better device hygiene, stricter approval rules, real‑time bridge monitoring, quick liquidity snapshots after suspicious events, and treating signer devices like the crown jewels they are.
Every time a slow, careful exit like this succeeds, it chips away at trust in cross‑chain conveniences. Teams will have to audit not just smart contracts but the people and processes around them. For users chasing yield across networks, the seamless UX hides where the failure modes live — and the smartest thieves know exactly where to tug.
In short: not a Hollywood heist, but a long con — and it keeps working until we make the plumbing harder to abuse.
