The perpetrator behind the Gravity Bridge security breach has resumed the movement of illicit funds, transferring a significant portion of stolen assets to a privacy protocol. According to on-chain monitoring data provided by CertiK Alert on June 5, 2026, the attacker deposited 1,180 ETH, valued at approximately $4.06 million, into the decentralized mixer Tornado Cash. This move represents the latest attempt by the malicious actor to obscure the transaction trail of the original 2,600 ETH haul.
Tracking the Flow of Stolen Ethereum
The initial exploit resulted in the theft of 2,600 ETH, which was valued at roughly $8.4 million at the time of the incident. Investigative data reveals a systematic approach to laundering these funds. To date, the attacker has utilized two primary external accounts (EOAs) to facilitate the transfers.
- The most recent transaction involved 1,180 ETH sent directly to Tornado Cash.
- A cumulative total of 2,020 ETH has now been processed through the mixer.
- The remaining balance of the stolen assets has reportedly been routed toward centralized exchanges (CEXs).
Tornado Cash is a non-custodial private transaction protocol built on the Ethereum blockchain that uses zero-knowledge proofs to break the on-chain link between source and destination addresses.
Security Monitoring and Forensic Analysis
The activity was flagged as part of ongoing surveillance of the addresses associated with the Gravity Bridge exploit. Security analysts note that the use of mixers is a standard procedure for hackers seeking to bypass Anti-Money Laundering (AML) filters employed by trading platforms. By breaking the deterministic link on the Ethereum blockchain, the attacker aims to make the "clean" funds harder to blacklist.
Of the stolen 2,600 ETH, 2,020 ETH have already been deposited into Tornado Cash through two external accounts, with the remaining portion being transferred to centralized exchanges.
The distribution of the remaining 580 ETH into centralized platforms suggests that the attacker may be attempting to liquidate portions of the assets into fiat or other digital currencies, despite the high risk of account freezes by exchange compliance teams.
The persistence of fund movements from the Gravity Bridge exploit underscores the ongoing challenges within the DeFi ecosystem regarding asset recovery post-exploit. As of today, the majority of the illicitly obtained funds have successfully entered privacy protocols, complicating recovery efforts for the affected bridge protocol. Security firms continue to monitor the associated wallets for any further interactions with known exchange hot wallets or liquidity pools.
Frequently Asked Questions
Quick answers to the most common questions about this topic.
For educational purposes only. Nothing here constitutes financial or investment advice. Crypto markets are highly volatile — always DYOR before making any decisions.
Fact-checked per our editorial policy. We maintain strict independence from advertisers. Spot an error? Let us know.