A $200M Ghost Wallet Stirs Back to Life
A wallet address tied to the September 2023 Mixin Network exploit, one of the largest DeFi hacks in history, has broken more than two years of complete silence. Onchain data shows that 59,854 ETH, valued at approximately $117 million, has been put back into circulation after lying dormant since the original breach drained Mixin users of $200 million in combined assets.
The initial movement saw 2,005 ETH sent directly to Tornado Cash, the Ethereum-based mixing protocol. Shortly after, three freshly created wallets received 2,087 ETH (roughly $4.03 million) from Tornado Cash on the other side. Those funds were promptly sold at approximately $1,933 per ETH, marking the first confirmed liquidation from this address since the original exploit.
The hacker's remaining stash is still substantial: 57,849 ETH (roughly $113.4 million) and 891 BTC (roughly $59.7 million), bringing the total unrealized holdings to approximately $173 million at current prices.
Why Two Years of Silence, and Why Now
The two-year dormancy period is unusual but not unprecedented in major crypto hacks. Hackers often wait for multiple reasons: letting investigative heat cool down, waiting for favorable market conditions, or monitoring whether blockchain analytics firms have flagged their addresses at centralized exchanges.
Several factors may explain the timing. ETH has stabilized well above its post-exploit lows from late 2023, making this a more favorable exit window. More significantly, the legal landscape around Tornado Cash itself has shifted dramatically. In March 2025, the U.S. Treasury's Office of Foreign Assets Control (OFAC) officially lifted its sanctions on Tornado Cash after an appellate court ruled in November 2024 that OFAC had overstepped its authority. The court found that immutable smart contracts could not be classified as "property" under the International Emergency Economic Powers Act.
That delisting removed a significant deterrent. While Tornado Cash was sanctioned, using it carried direct legal exposure for any wallet interacting with the protocol. With sanctions lifted, the mixer is technically legal to use again for U.S. persons, though criminal charges against Tornado Cash co-founders Roman Storm and Roman Semenov remain pending.
The Original Mixin Breach: A Cloud Database Failure
The Mixin Network hack occurred on September 23, 2023, when attackers compromised the database of Mixin's cloud service provider. The breach gave unauthorized access to the network's hot wallets, and attackers drained approximately $200 million in combined assets: $95.3 million in ETH, $23.7 million in BTC, and $23.6 million in USDT, with additional smaller token losses.
The attack exposed a critical architectural flaw. Mixin branded itself as a decentralized network, but its reliance on a centralized cloud database for key management created a single point of failure. Users and security researchers quickly pointed out the contradiction: a "decentralized" network whose entire asset base could be drained through one database compromise.
Mixin's founder Feng Xiaodong announced a compensation plan that would initially refund 50% of users' assets, with the remainder distributed as tokenized liability claims that Mixin pledged to repurchase "with future profits." As of the last public disclosure, 16,143 individuals had registered their debt claims, with 90% completing the process. The full recovery, however, remains contingent on either the hacker returning funds or Mixin generating enough revenue to buy back the claims, neither of which has materialized at meaningful scale.
A Phased Liquidation, Not a Panic Dump
The onchain pattern suggests the hacker is executing a careful, phased liquidation strategy rather than attempting to dump everything at once. Moving $4 million through Tornado Cash as a first batch is a test run: small enough to avoid crashing markets or triggering emergency responses, but large enough to confirm the laundering pipeline works.
If the hacker continues at this pace, liquidating roughly $4 million per cycle, the full ETH position of 57,849 tokens would take dozens of cycles to clear. Each cycle introduces risk: blockchain analytics firms like Elliptic and Chainalysis have already flagged the original exploit addresses, and even post-Tornado Cash outputs can sometimes be traced through timing analysis, amount correlation, and gas payment patterns.
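To make the tracing heuristics named above concrete, here is an added example (not code from the article or from any analytics firm) that ranks withdrawal recipients against a watched depositor using timing, amount, and gas-funding correlation. All addresses and events are constructed, the `gas_funder` field is a hypothetical label for whoever first funded a recipient's gas, and the amounts assume the mixer's fixed-denomination pools.

```python
from collections import Counter, defaultdict

# Constructed sample events, not real chain data.
# Deposit: (unix_time, sender, pool_denomination_eth)
DEPOSITS = [
    (1000, "0xWATCHED", 100), (1060, "0xWATCHED", 100),
    (1120, "0xWATCHED", 10), (1500, "0xUNRELATED", 100),
]
# Withdrawal: (unix_time, recipient, pool_denomination_eth, gas_funder)
WITHDRAWALS = [
    (4000, "0xFRESH_A", 100, "0xFUNDER_1"),
    (4100, "0xFRESH_A", 100, "0xFUNDER_1"),
    (4200, "0xFRESH_B", 10, "0xFUNDER_1"),
    (5000, "0xPARTIAL", 10, "0xFUNDER_5"),   # explains only a small share
    (900, "0xEARLY", 100, "0xFUNDER_2"),     # precedes the watched deposits
    (90000, "0xLATE", 100, "0xFUNDER_3"),    # outside the time window
    (4300, "0xNOISE", 1, "0xFUNDER_4"),      # denomination never deposited
]

def candidate_clusters(deposits, withdrawals, watched, window_s=24 * 3600):
    """Rank gas-funder clusters of recipients against the watched deposits."""
    mine = [(t, d) for t, sender, d in deposits if sender == watched]
    if not mine:
        return []
    first, last = min(t for t, _ in mine), max(t for t, _ in mine)
    budget = Counter(d for _, d in mine)      # notes deposited per denomination
    total = sum(d for _, d in mine)

    notes = defaultdict(Counter)              # funder -> notes withdrawn per denomination
    members = defaultdict(set)                # funder -> recipient addresses
    for t, recipient, denom, funder in withdrawals:
        # Timing: keep withdrawals after the first deposit and inside the window.
        if first < t <= last + window_s:
            notes[funder][denom] += 1
            members[funder].add(recipient)

    ranked = []
    for funder, counts in notes.items():
        # Amount: value the watched deposits can explain, capped per denomination.
        matched = sum(min(n, budget[d]) * d for d, n in counts.items())
        if matched:
            ranked.append((round(matched / total, 3), funder, sorted(members[funder])))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for row in candidate_clusters(DEPOSITS, WITHDRAWALS, "0xWATCHED"):
        print(row)
```

A high score is a lead for further investigation, not proof of common ownership; unrelated users withdrawing the same denominations in the same window produce false positives.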
The 891 BTC sitting alongside the ETH adds another dimension. Bitcoin's UTXO model makes mixing more complex than Ethereum's account-based system, and the hacker has not yet moved any of the Bitcoin holdings. Whether those funds eventually route through a Bitcoin mixer like Wasabi or Whirlpool, or sit indefinitely, could signal how sophisticated this particular attacker's operational security truly is.
What This Means for Hack Victims and the Broader Ecosystem
For Mixin's 16,000+ registered creditors, this movement is a bitter development. Every ETH the hacker successfully liquidates is one less ETH that could theoretically be recovered and returned. The phased selling also creates a slow-bleed pressure on whatever hope remained for a white-hat return of funds.
The broader lesson for crypto users extends beyond Mixin. Cloud-based key management, even when wrapped in decentralized branding, remains one of the highest-risk architectural choices in the industry. Users holding assets on any platform should understand where their private keys actually live. If the answer is "on the platform's cloud server," the counterparty risk is real and has been demonstrated repeatedly across FTX, Mixin, and other custodial failures.
For holders considering how to manage their own assets, self-custody crypto cards offer a middle ground: the ability to spend directly from wallets you control, without exposing your full balance to a centralized custodian. Products from Gnosis Pay, MetaMask, and Ready let users maintain key ownership while still accessing Visa or Mastercard payment rails.
The Tornado Cash angle also raises fresh questions about the post-sanctions landscape. Now that the mixer is legally accessible again, expect more dormant hack wallets to begin moving. The legal barrier that kept many stolen funds frozen in place for 18 months has been removed, and the Mixin hacker may be the first of several to take advantage.
FAQ
How much did the Mixin Network hacker steal? The original September 2023 exploit drained approximately $200 million from Mixin Network, including $95.3 million in ETH, $23.7 million in BTC, and $23.6 million in USDT.
How much has the hacker moved so far? The hacker sent 2,005 ETH to Tornado Cash and received 2,087 ETH (approximately $4.03 million) back through three new wallets, which were promptly sold at around $1,933 per ETH. The remaining holdings total roughly $173 million (57,849 ETH plus 891 BTC).
Is Tornado Cash still sanctioned? No. OFAC lifted its sanctions on Tornado Cash in March 2025 after an appellate court ruled the Treasury had overstepped its legal authority. However, criminal charges against the protocol's co-founders remain pending.
Will Mixin users get their money back? Mixin pledged to refund 50% of lost assets and issue tokenized debt claims for the remainder. Over 16,000 users registered claims, but full recovery depends on either the hacker returning funds voluntarily or Mixin generating sufficient revenue, neither of which has happened at scale.
Overview
The wallet behind the $200 million Mixin Network hack has broken two years of dormancy, moving 59,854 ETH ($117 million) back into active circulation. The first $4 million batch was routed through Tornado Cash, now legal after OFAC lifted sanctions in March 2025, and sold across three fresh wallets at $1,933 per ETH. The hacker still holds 57,849 ETH and 891 BTC, totaling roughly $173 million. For Mixin's 16,000+ creditors awaiting compensation, every successful liquidation shrinks the already slim chance of recovery. The episode underscores why custodial platforms relying on centralized cloud databases remain high-risk, and why self-custody solutions continue gaining traction among security-conscious crypto users.