The attacker responsible for the multi-million dollar exploit of the TrustedVolumes protocol has begun moving and laundering the stolen assets. According to monitoring data from the blockchain security firm PeckShield, the malicious actor recently processed approximately $300,000 through various privacy-enhancing protocols and cross-chain bridges. This activity follows the major security breach on May 7, 2026, which resulted in a total loss of roughly $6.7 million for the Ethereum-based liquidity provider.
Sophisticated Laundering Tactics Identified
On-chain analysts have tracked several specific transactions used by the exploiter to obfuscate the origin of the funds. The laundering process involved a combination of decentralized mixers and cross-chain swaps to break the audit trail.
- The attacker deposited 10.2 ETH (approximately $23,600) into the Tornado Cash mixing protocol.
- A significant portion of the funds, totaling 110 ETH (valued at $250,000), was moved across chains to Bitcoin (BTC) using the THORChain protocol.
- A minor attempt was made to interact with the privacy protocol Railgun by depositing 0.5 ETH, though the attacker ultimately retracted the funds back to their original wallet.
Background of the TrustedVolumes Security Breach
The exploit on May 7 targeted a vulnerability in the protocol's custom Request-for-Quote (RFQ) swap proxy. Security researchers from Blockaid and PeckShield noted that the flaw allowed the attacker to register as an authorized order signer, subsequently draining assets including WETH, WBTC, and USDT.
"The attacker appears to be the same entity behind the March 2025 1inch Fusion V1 exploit, which previously cost TrustedVolumes approximately $5 million", noted security analysts following the incident.
Despite the significant loss, the protocol team has previously expressed a willingness to negotiate a bug bounty in exchange for the return of the remaining stolen capital. However, the current laundering activity suggests the attacker may be opting to retain and clean the illicit proceeds rather than pursuing a white-hat resolution.
The incident underscores the persistent risks associated with smart contract authorization and the increasing use of cross-chain bridges for illicit fund movements. While 1inch has confirmed its core infrastructure remains unaffected, the event has highlighted vulnerabilities in third-party market-making tools within the DeFi ecosystem.
Frequently Asked Questions
Quick answers to the most common questions about this topic.
For educational purposes only. Nothing here constitutes financial or investment advice. Crypto markets are highly volatile — always DYOR before making any decisions.
Fact-checked per our editorial policy. We maintain strict independence from advertisers. Spot an error? Let us know.