Attacker grabs whale's multisig in minutes, starts draining $40M in stages


A crypto attacker appears to have taken over a whale's multisig wallet minutes after its creation 44 days ago, and has been siphoning funds ever since.

Blockchain security firm PeckShield reported in a post on Thursday that a whale's multisig wallet has lost $27.3 million due to a private key compromise. PeckShield noted that the attacker has moved about $12.6 million, or 4,100 Ether (ETH), into Tornado Cash, holds about $2 million in liquid assets, and controls a long position in Aave (AAVE).

But new findings from Yehor Rudytsia, head of forensics at Hacken Extractor, suggest that the total loss may exceed $40 million and that the incident may have started earlier, with the first signs of the theft dating as far back as November 4.

Rudytsia told Cointelegraph that the multisig wallet labeled as “stacked” was never meaningfully controlled by the victim. Onchain data shows that the multisig was created by the victim's account at 7:46 am UTC on November 4, but ownership was transferred to the attacker six minutes later. “The hacker created this multisig and transferred money to it,” Rudytsia said.

Attacker pretends to collect funds in groups. Source: PeckShield

The attacker plays the long game

Once in control, the attacker seemed to work patiently. They made deposits to Tornado Cash in batches over the course of several weeks, starting with 1,000 ETH on November 4 and continuing through mid-December in small, chaotic transactions. About $25 million in assets also remains in the multisig under the attacker's control, Rudytsia said.

He also raised concerns about the wallet structure. The multisig is configured as “1-of-1,” meaning only one signature is needed to approve transactions, “which is conceptually not multisig,” Rudytsia added.
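A monitoring check for the two signals described above (ownership leaving the creator minutes after creation, and a 1-of-1 threshold), as an added example that is not from the article or from Hacken. The event format, field names, addresses and the year in the timestamps are hypothetical, and the timeline is constructed to mirror the times given in the article.

```python
from datetime import datetime, timedelta

# Constructed timeline, not real on-chain data. Event names, addresses and
# the year are placeholders; the times mirror the article (07:46 UTC, +6 min).
EVENTS = [
    {"ts": "2025-11-04T07:46:00", "type": "created",
     "owners": ["0xVICTIM"], "threshold": 1},
    {"ts": "2025-11-04T07:52:00", "type": "owner_added", "owner": "0xATTACKER"},
    {"ts": "2025-11-04T07:52:00", "type": "owner_removed", "owner": "0xVICTIM"},
]


def audit_multisig(events, creator, window=timedelta(minutes=30)):
    """Replay owner/threshold events in time order and return findings."""
    owners, threshold, created_at, findings = set(), 0, None, []
    # sorted() is stable, so same-timestamp events keep their listed order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "created":
            owners, threshold, created_at = set(ev["owners"]), ev["threshold"], ts
            continue
        if created_at is None:
            raise ValueError("owner/threshold event seen before creation")
        if ev["type"] == "owner_added":
            owners.add(ev["owner"])
        elif ev["type"] == "owner_removed":
            owners.discard(ev["owner"])
            # Signal 1: the creator loses ownership soon after deployment.
            if ev["owner"] == creator and ts - created_at <= window:
                mins = int((ts - created_at).total_seconds() // 60)
                findings.append(f"creator removed {mins} min after creation")
        elif ev["type"] == "threshold_changed":
            threshold = ev["threshold"]
    # Signal 2: a threshold of 1 means one key alone approves transactions.
    if threshold <= 1:
        findings.append(f"{threshold}-of-{len(owners)}: a single key approves transactions")
    # Signal 3: final state check, independent of how quickly it happened.
    if creator not in owners:
        findings.append("creator is no longer an owner")
    return findings


if __name__ == "__main__":
    for finding in audit_multisig(EVENTS, "0xVICTIM"):
        print("ALERT:", finding)
```

Run against a wallet's real owner and threshold history, the same replay would be checked before funding the wallet rather than after.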

Abdelfattah Ibrahim, a decentralized application (DApp) auditor at Hacken, said there are several possible attack vectors. These include malware or infostealers on the signer's device, phishing attacks that trick users into approving malicious transactions, or poor operational security practices such as storing keys in plaintext or using the same machine for multiple signers.

“Preventing this includes identifying devices as cold devices and verifying transactions over UIA,” Ibrahim said.

AI models capable of smart contract exploitation

As Cointelegraph reports, a recent study by Anthropic and the Machine Learning Alignment and Theory Scholars (MATS) team found that today's leading AI models can develop real, profitable smart contract exploits.

In controlled experiments, Anthropic's Claude Opus 4.5 and Claude Sonnet 4.5 and OpenAI's GPT-5 collectively generated exploits worth $4.6 million, demonstrating that autonomous exploitation is technically feasible using commercially available models.

For further testing, Sonnet 4.5 and GPT-5 were recently deployed on approximately 2,850 smart contracts with no known vulnerabilities. The models uncovered two previously unknown zero-day flaws and created exploits worth $3,694, slightly more than the $3,476 API cost required to develop them.
