Whale Multisig Breached After Private Key Compromise Drains $27M

A crypto whale has watched a supposedly hardened multisig wallet turn into a single point of failure, after a private key compromise let an attacker siphon about $27.3M and start washing funds on-chain.

PeckShield flagged the incident in an X alert, observing on Thursday that “a whale’s Multisig was drained of ~$27.3M due to a private key compromise.”

On-chain traces shared by the security firm show the drainer routing a large chunk of the haul through Tornado Cash, a privacy mixer often used to break transaction links.

PeckShield said the attacker had already laundered about $12.6M, roughly 4,100 ETH, and still held around $2M in liquid assets.

#PeckShieldAlert A whale's Multisig was drained of ~$27.3M due to a private key compromise.

The drainer has laundered $12.6M (4,100 $ETH) via #TornadoCash and retains ~$2M in liquid assets.

The drainer also controls the victim's multisig, which maintains a leveraged long… pic.twitter.com/1Ulk4X7bkl

— PeckShieldAlert (@PeckShieldAlert) December 18, 2025

Multisig Control Turns Active Aave Position Into Live Risk

The breach also came with a live tail risk. PeckShield said the attacker now controls the victim’s multisig, which still holds a leveraged long on Aave, with about $25M in ETH supplied against roughly $12.3M in DAI borrowed.

That detail matters because multisig setups do not automatically protect funds if an attacker can meet the signing threshold, or if the wallet’s governance is effectively captured through compromised keys and approvals.

Once the attacker can sign, they can move fast, pull liquidity, and make recovery attempts far harder.

Live Positions Turn Key Theft Into Cascading Risk

Data shows repeated outflows to Tornado Cash in round lots, the sort of pattern traders associate with systematic laundering rather than a one-off panic exit.

They also point to the attacker interacting with contracts tied to ownership and control, suggesting the compromise extended beyond a single transfer.

Teams can distribute signing keys and still lose them to phishing, malware, SIM swaps, unsafe backups, or rushed approvals on malicious transaction prompts.

It also points to a second-order risk specific to DeFi power users. The wallet is not just a vault but a control plane for live positions. Once an attacker gains access to collateral, borrow lines or health factors, the damage can cascade well beyond the initial drain.