Tuesday, December 23

Blockchain security firm CertiK has flagged a suspicious on-chain incident involving the loss of nearly $2.3 million in digital assets, after detecting unusual wallet activity through its monitoring systems.

The case was identified using CertiK’s Skylens platform, which tracks abnormal fund movements and behavioural patterns across public blockchains.

The incident highlights how wallet-level breaches continue to pose a major risk in the crypto ecosystem.

Unlike smart contract exploits, these attacks often rely on compromised access, making them harder to detect until funds have already been moved.

In this case, blockchain data shows a coordinated sequence of transfers followed by rapid laundering, a pattern commonly associated with deliberate theft.

Wallet activity triggers alert

CertiK’s investigation found that two separate wallets were involved in the incident. One wallet transferred roughly $1.8 million, while a second wallet sent about $506,000.

Both transactions were directed to the same previously unidentified address, which was later flagged as malicious based on its activity and behaviour.

The transfers occurred within a short window, raising immediate concerns. Analysis of the transaction flow suggested that the movements were not part of routine trading or asset management.

Instead, the pattern pointed to a loss of wallet control, consistent with scenarios where private keys or signing permissions have been compromised.

Funds moved into Tornado Cash

Shortly after receiving the funds, the malicious address began routing the assets through Tornado Cash, a privacy protocol designed to obscure transaction histories.

Blockchain records show multiple Ethereum transfers passing through the mixer, including both smaller and larger denominations such as 10 ETH and 100 ETH.

The speed and structure of these transfers stood out. Funds were broken into different amounts and moved within minutes, reducing traceability and limiting the possibility of recovery.

Such rapid laundering is often associated with pre-planned attacks, where the objective is to remove funds from public visibility as quickly as possible.
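The two-stage pattern described above (several wallets sending large sums to a previously unseen address within minutes, then that address hopping funds into a mixer) can be screened for with a simple heuristic over transfer records. This is an added illustration, not CertiK's Skylens logic; every address, timestamp and amount below is a constructed placeholder.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (placeholders, not real on-chain data). Amounts are
# USD-equivalent; the two mixer hops stand in for the 100 ETH / 10 ETH style hops.
MIXER = "0xMIXER_PLACEHOLDER"
TRANSFERS = [
    {"ts": "2025-12-23T10:00:00", "from": "0xWALLET_A", "to": "0xNEW_ADDR", "usd": 1_800_000},
    {"ts": "2025-12-23T10:04:00", "from": "0xWALLET_B", "to": "0xNEW_ADDR", "usd": 506_000},
    {"ts": "2025-12-23T10:09:00", "from": "0xNEW_ADDR", "to": MIXER, "usd": 300_000},
    {"ts": "2025-12-23T10:11:00", "from": "0xNEW_ADDR", "to": MIXER, "usd": 30_000},
    {"ts": "2025-12-23T09:00:00", "from": "0xTRADER", "to": "0xDEX", "usd": 50_000},
    {"ts": "2025-12-23T09:30:00", "from": "0xTRADER_2", "to": "0xDEX", "usd": 120_000},
]
# Addresses already seen in prior activity; a recipient outside this set is "previously unseen".
KNOWN = {"0xWALLET_A", "0xWALLET_B", "0xTRADER", "0xTRADER_2", "0xDEX", MIXER}


def _ts(t):
    return datetime.fromisoformat(t["ts"])


def flag_fan_in_then_mixer(transfers, known, mixers, window=timedelta(minutes=15),
                           min_usd=100_000, min_senders=2):
    """Return {recipient: summary} for previously unseen recipients that received
    large transfers from >= min_senders distinct wallets inside `window`, with a
    count of how much of it was then forwarded to a known mixer."""
    inbound = defaultdict(list)
    for t in transfers:
        if t["usd"] >= min_usd and t["to"] not in known:
            inbound[t["to"]].append(t)
    alerts = {}
    for addr, txs in inbound.items():
        txs.sort(key=_ts)
        senders = {t["from"] for t in txs}
        if len(senders) < min_senders or _ts(txs[-1]) - _ts(txs[0]) > window:
            continue
        # Stage 2: outbound hops from the flagged address into a mixer after the fan-in began.
        hops = [t for t in transfers
                if t["from"] == addr and t["to"] in mixers and _ts(t) >= _ts(txs[0])]
        alerts[addr] = {
            "senders": len(senders),
            "inbound_usd": sum(t["usd"] for t in txs),
            "mixer_hops": len(hops),
            "mixer_usd": sum(t["usd"] for t in hops),
        }
    return alerts


if __name__ == "__main__":
    for addr, info in flag_fan_in_then_mixer(TRANSFERS, KNOWN, {MIXER}).items():
        print(addr, info)
```

The known exchange-like address receiving two deposits is deliberately not flagged, since the "previously unseen recipient" condition is what separates the breach pattern from ordinary fan-in to a venue.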

On-chain messages suggest breach

An unusual detail emerged after the laundering activity. Data reviewed by CertiK indicates that both affected wallets sent on-chain messages to the receiving address, asking whether negotiation was possible.

These messages appeared after the funds had already been moved into Tornado Cash.

On-chain communication of this nature is rarely seen in legitimate transactions. Its presence suggests that the wallet owners were reacting after discovering the loss, rather than participating knowingly in the transfers.

This further supports the conclusion that the wallets were compromised rather than voluntarily used to send funds.

Wallet security under pressure

The incident underscores the growing threat posed by wallet-level attacks in the crypto market.

Even without exploiting smart contracts, attackers can drain assets using phishing attempts, malicious approvals, or leaked private keys.

Once funds are moved through privacy tools, tracing them becomes significantly more difficult.

While some blockchain analysts are now monitoring and flagging the malicious address involved, the prospects of recovering the stolen assets remain uncertain.

The case adds to broader concerns around user security, reinforcing the need for stronger wallet protections and continuous on-chain monitoring as attack methods become more sophisticated.

https://invezz.com/news/2025/12/23/certik-flags-suspicious-wallet-breach-after-funds-routed-through-tornado-cash/