
Voltage Finance Hacker Moves 100 Ethereum to Tornado Cash Mixer

Activation of Funds Stolen in 2022 May Signal New Wave of Cryptocurrency Laundering

A hacker who breached the Voltage Finance decentralized finance protocol in 2022, stealing crypto assets worth $4.67 million, has resumed activity and transferred part of the stolen funds to the transaction anonymization service Tornado Cash. Blockchain security firm CertiK detected the movement of 100 Ethereum (ETH) worth approximately $182,783 from the perpetrator’s address, which had remained inactive since November last year. The last movement of funds before this was observed 166 days ago. The activation of stolen assets comes against the backdrop of a recent breach of the same platform in March 2025, raising questions about the security of DeFi protocols and the effectiveness of measures to combat cryptocurrency crimes.

Attack Details and Activation of Stolen Funds

In March 2022, Voltage Finance suffered an attack in which the perpetrator exploited a vulnerability in the callback function built into the ERC-677 token standard. Using a reentrancy attack, the hacker emptied the platform’s credit pool. According to Voltage Finance, the breach resulted in the theft of USDC and Binance USD (BUSD) stablecoins, as well as ETH and wBTC tokens, totaling $4.67 million.
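The class of bug described above can be reproduced in a small offline model. The Python below is an added example, not Voltage Finance's code or part of the original article: `CallbackToken`, `Pool`, `ReenteringReceiver` and `run` are hypothetical names, and the balances are constructed. It contrasts a payout that calls the token before updating its books with one that updates first and rejects nested calls.

```python
# Simplified model, constructed for illustration; not Voltage Finance's code.
class CallbackToken:
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender.name, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender.name] -= amount
        self.balances[receiver.name] = self.balances.get(receiver.name, 0) + amount
        hook = getattr(receiver, "on_token_transfer", None)
        if hook:  # ERC-677-style notification: control passes to the receiver
            hook(sender, amount)

class Pool:
    def __init__(self, token, hardened):
        self.name, self.token, self.hardened = "pool", token, hardened
        self.deposits, self.locked = {}, False
    def withdraw_all(self, account):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        amount = self.deposits.get(account.name, 0)
        if amount == 0:
            raise ValueError("nothing to withdraw")
        self.locked = True
        try:
            if self.hardened:  # effects first, then the external interaction
                self.deposits[account.name] = 0
                self.token.transfer(self, account, amount)
            else:  # interaction first: the deposit is still on the books
                self.token.transfer(self, account, amount)
                self.deposits[account.name] = 0
        finally:
            self.locked = False

class ReenteringReceiver:  # test fixture whose callback calls the pool again
    def __init__(self, pool):
        self.name, self.pool = "receiver", pool
    def on_token_transfer(self, sender, amount):
        try:
            self.pool.withdraw_all(self)
        except (RuntimeError, ValueError):
            pass  # models a failed sub-call; the outer call continues

def run(hardened):
    pool = Pool(CallbackToken(), hardened)
    pool.token.balances["pool"] = 1000  # constructed: 900 belongs to other users
    pool.deposits["receiver"] = 100     # the receiver is owed only 100
    pool.withdraw_all(ReenteringReceiver(pool))
    return pool.token.balances["pool"], pool.token.balances["receiver"]
```

`run(False)` leaves the pool empty although the receiver was owed 100, while `run(True)` pays out exactly the 100 deposit and keeps the remaining 900 in the pool.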

The attacker’s address was promptly marked on Etherscan as involved in the hack, and the Voltage Finance team requested centralized exchanges to block any transactions associated with this address. Attempts were also made to contact the hacker to discuss a possible return of funds in exchange for a reward, but until recently, the address remained inactive.

“Activation of a hacker’s address after a lengthy period of inactivity is a typical behavior pattern,” comments Alex Pertsev, blockchain security specialist from ChainDefense. “Perpetrators often wait until interest in the incident subsides and monitoring of the address weakens. Using Tornado Cash for money laundering is also a standard tactic, as this service provides a high degree of anonymity by breaking the connection between sender and recipient addresses.”

According to Etherscan, the movement of 100 ETH to Tornado Cash was executed through several intermediate addresses, which is a typical practice to complicate tracking. Despite Tornado Cash being under OFAC (US Office of Foreign Assets Control) sanctions since August 2022, the service continues to function and is used for anonymizing cryptocurrency transactions.

Recent Breach and Parallels with Past Incidents

Notably, the activation of funds from the 2022 attack occurs shortly after a new security incident on the Voltage Finance platform. On March 18, 2025, the platform suffered another attack, resulting in compromised Simple Staking pools with losses of crypto assets totaling approximately $322,000.

Following this incident, Voltage Finance offered a $50,000 reward to the hacker on the condition of returning the stolen funds. Interestingly, the platform suspected one of its own Simple Staking pool developers of involvement in this breach. Although there is no direct confirmation of this theory, as a precautionary measure, Voltage Finance immediately revoked the suspect’s access to systems and began cooperation with law enforcement agencies and centralized exchanges to investigate the incident.

“The fact that the same platform has suffered two serious breaches within three years points to possible systematic problems in the security architecture,” notes Maria Ivanova, DeFi market researcher from the Blockchain Institute. “The suspicion of internal collusion or insider involvement in the latest breach is particularly concerning. This confirms that threats can come not only from outside but also from within the development team.”

Experts note a growing trend of “white hat hacking” and the return of stolen funds in exchange for rewards. In April of this year, a hacker who breached the ZKsync protocol agreed to return 90% of the stolen funds, keeping only a portion of the amount as a reward for discovering the vulnerability. A similar case occurred with the decentralized exchange KiloEx, where the perpetrator returned some of the stolen crypto assets.

Market Consequences and Regulatory Challenges

The recent movement of some of the funds stolen in 2022 to Tornado Cash highlights the persistent problem of cryptocurrency laundering and raises questions about the effectiveness of sanctions against anonymization tools. Despite Tornado Cash being added to the OFAC sanctions list, the service continues to function and is used to conceal the origin of funds.

“The use of Tornado Cash by the Voltage Finance hacker illustrates a fundamental challenge for regulators,” explains Viktor Nosenko, an expert on cryptocurrency regulation. “The decentralized nature of such services makes sanctions not as effective as in the traditional financial system. Unlike centralized exchanges, which can block transactions from flagged addresses, Tornado Cash smart contracts continue to operate according to their embedded logic.”

The movement of funds at this particular time may be related to several factors. First, the current rise in Ethereum’s value makes the stolen assets more valuable. Second, the hacker may have seen increased investigation activity following the new Voltage Finance breach and decided to take measures to further conceal the funds. Finally, this could be part of a broader strategy of gradual withdrawal and legitimization of stolen assets.

“Laundering cryptocurrencies through mixers is becoming an increasingly complex process,” notes Daniel Sergeev, a specialist in tracking cryptocurrency transactions from CryptoTracer. “Modern blockchain analytics tools allow tracking funds even after passing through mixers, especially with large amounts. Hackers are adapting, using more complex schemes with multiple intermediate steps, including cross-chain bridges, decentralized exchanges, and atomic swaps.”

The Voltage Finance case also raises the question of the need for more thorough security audits for DeFi protocols. Two serious breaches of one platform indicate potential systemic problems in the approach to security. Experts recommend that DeFi projects not only conduct regular code audits but also implement multilayered protection mechanisms, including transaction volume limitations, multi-step verification for large operations, and early detection systems for anomalous behavior.

For users of DeFi platforms, the activation of the Voltage Finance hacker serves as a reminder of the risks associated with decentralized financial protocols and the necessity of diversifying funds across various platforms to minimize potential losses from such incidents.
