A wallet linked to the 2023 Mixin Network hack has moved roughly $3.85 million worth of Ethereum for the first time in nearly two years, with the funds quickly routed through Tornado Cash. The transaction activity, reported by Decrypt, is the latest reminder that proceeds from major crypto exploits can remain dormant for long periods before resurfacing.
According to Decrypt, the tagged “Mixin Hacker” wallet transferred about $3.85 million in ETH late Thursday night to a fresh address, which then sent the full amount to Tornado Cash across 20 separate transactions. Blockchain analytics platform Arkham Intelligence has labeled the originating wallet as linked to the exploit. One transaction referenced in the report is viewable via Arkham’s explorer here.
The original Mixin incident dates back to September 2023, when Hong Kong-based crypto platform Mixin Network suspended deposits and withdrawals after hackers drained around $200 million from a cloud service provider database, Decrypt noted. The attack impacted assets across multiple blockchains, underscoring the risks that sit outside smart contracts themselves—namely, infrastructure and custody layers that can become single points of failure.
After the breach, Mixin outlined a compensation approach that would cover up to half of user losses in stablecoins, with the remainder represented through tokenized claims. Decrypt also cited a later update from Mixin in October 2025 describing a debt registration and repayment process built around a series of Mixin Debt Tokens (MDT), including MDTu, MDTb and MDTe. In that update, the team said it intended to fully repay debt represented by MDTu—worth about $23 million—by September 23, 2026, while noting there was no repayment schedule at the time for other categories.
From an enforcement and compliance perspective, Tornado Cash remains a flashpoint. Mixers can be used for legitimate privacy reasons, but they are also frequently used to obfuscate the trail of stolen funds. Routing funds through a mixer can complicate investigations by creating additional hops and breaking straightforward attribution, even if analytics firms can sometimes cluster behaviors and identify patterns.
The reactivation of a long-dormant wallet also fits a broader pattern in crypto security: attackers may wait for market conditions, law enforcement pressure, or tooling changes before moving funds. That delay can be tactical, aiming to reduce attention or exploit windows when monitoring is less intense.
For everyday users, the story is another argument for layered risk management—custody choices, platform due diligence, and awareness that even centralized points such as cloud providers can introduce systemic exposure. It also highlights how the post-hack timeline can stretch across years, long after the initial headlines fade.
CoinExtra has previously covered Tornado Cash-related activity in a different context, including an incident where a hacker was reportedly tricked by a fake interface in this story. And as the number and scale of exploits fluctuate, the industry continues to track aggregate losses, as discussed in our report on crypto hacks earlier this year.
Whether this latest movement is the start of further laundering activity or an isolated transfer, it underscores the long tail of major breaches—and the persistent cat-and-mouse dynamic between attackers, investigators and the evolving privacy tooling of crypto markets.
