Tornado Cash DAO Attacker Moves Stolen Ethereum: Tracking the Exploiter's Transactions

The attacker who exploited mixing service Tornado Cash's DAO has conducted a series of transactions, the first since the governance takeover last weekend. Concerns are mounting as the exploiter appears to be actively laundering the stolen Ethereum (ETH) and TORN tokens.

Addresses tied to the attacker moved 100 ether (ETH) and 38,000 torn (TORN) tokens in two transactions using the Tornado Cash protocol on Wednesday night, further obscuring the origin of the funds. This activity reignites fears about the potential impact on the DeFi ecosystem and the integrity of governance within DAOs.

Adding fuel to the fire, an account linked to a phishing attack in September 2025 has moved $10 million in Ether (ETH) to the crypto-mixing protocol Tornado Cash. This unrelated, but similar, incident highlights the continued use of Tornado Cash for illicit activities, even amidst regulatory scrutiny.

The hacker transferring funds raises questions about the destinations of these funds. Major crypto exchange Binance has reopened TORN deposits, days after an attack occurred on the privacy-focused crypto mixer Tornado Cash DAO. This development is being closely monitored, with many wondering if the stolen funds will find their way onto the exchange.

Interestingly, after more than five months of inactivity, the hacker behind the 2025 Voltage Finance exploit has resurfaced—this time, moving a portion of the stolen Ether through Tornado Cash. This suggests a potentially wider network of individuals utilizing the mixer for illicit purposes.

We are closely tracking the Tornado Cash DAO attacker's movements and will provide updates as the situation unfolds. The implications of these transactions could be significant for the future of DeFi security and regulatory frameworks.