According to recent on-chain data from the monitoring platform Specter, two significant actors involved in major decentralized finance (DeFi) and exchange security breaches have intensified their money laundering activities. Over the past 48 hours, the individuals responsible for the Upbit exchange hack and the SwapNet protocol exploit have collectively funneled more than 5,333 ETH into the mixing service Tornado Cash to obscure the origin of the stolen assets.
Large-Scale Fund Movements Identified
The monitoring reports indicate that the attacker behind the Upbit breach has deposited 700 ETH, valued at approximately US$1.53 million, into the Ethereum-based privacy protocol. This process was executed across seven separate transactions. To further complicate the audit trail, the hacker utilized the Arbitrum Layer-2 network to route assets before bridging them back to the Ethereum mainnet for final mixing.
Simultaneously, the entity associated with the SwapNet exploit moved a significantly larger sum of 4,633 ETH, which is estimated to be worth US$11.8 million. These movements come after a period of relative dormancy for the associated wallet addresses, signaling a coordinated effort to liquidate or hide the proceeds of the previous exploits.
Technical Background of the Exploits
The assets being moved are linked to two distinct security incidents:
- The Upbit hack, which initially involved the unauthorized withdrawal of approximately 342,000 ETH from the exchange's hot wallets, remains one of the most prominent cases of centralized exchange breaches.
- The SwapNet attacker exploited arbitrary call vulnerabilities in the protocol's smart contracts on January 25, 2026, resulting in an estimated loss of US$13.4 million.
Both actors have utilized Tornado Cash due to its non-custodial nature and ability to break the on-chain link between the source and destination addresses.
Tornado Cash remains under heavy scrutiny by global regulators, but its decentralized architecture continues to facilitate anonymization for various blockchain participants.
Routing funds through a Layer-2 network such as Arbitrum and bridging them back to the Ethereum mainnet highlights the evolving sophistication of digital asset laundering, as attackers seek to bypass automated tracking systems that primarily monitor single-network movements. Security analysts suggest that a sudden surge in mixing activity often precedes attempts to move funds to OTC (over-the-counter) desks or non-compliant exchanges for fiat conversion. Despite the transparency of the blockchain, the integration of Layer-2 solutions and privacy mixers continues to pose a significant challenge for forensic investigators and law enforcement agencies.