Attacker Takes over Multisig Minutes After Creation, Drains up to $40M Slowly

The recent compromise of a high‑value whale multisig wallet underscores a fundamental flaw in how many crypto custodians configure their signing structures. Although labeled a multisig, the wallet operated as a 1‑of‑1 device, allowing a single private key to authorize all movements. By hijacking the signer’s credentials within minutes of the wallet’s creation, the attacker gained unrestricted access and began a methodical exfiltration that now appears to total more than $40 million. This incident highlights that the mere presence of a multisig contract does not guarantee security; proper threshold settings and rigorous key‑management practices are essential.

Beyond the immediate loss, the laundering pattern reveals a sophisticated approach to obscuring provenance. The thief used Tornado Cash to deposit and withdraw ETH in staggered batches, spreading activity over weeks to evade detection. Simultaneously, the compromised address maintained a leveraged position on Aave, suggesting the attacker was also exploiting DeFi protocols for additional profit. Such layered tactics demonstrate how a single breach can cascade across multiple layers of the ecosystem, amplifying risk for both individual holders and institutional participants.

Compounding the operational‑security concerns, recent research shows that advanced AI models can autonomously discover and exploit smart‑contract vulnerabilities. Tests with Claude Opus, Claude Sonnet, and GPT‑5 generated exploits worth millions, proving that automated, cost‑effective attack vectors are no longer theoretical. This convergence of human error and machine‑driven exploitation forces the industry to rethink threat models, prioritize cold‑device isolation, multi‑factor verification, and continuous code‑audit automation. Organizations that adopt zero‑trust signing architectures and monitor AI‑generated code will be better positioned to defend against the next generation of blockchain attacks.