Voltage Finance hacker moves $182K in ETH to Tornado Cash
A hacker tied to the 2022 exploit of Voltage Finance, a decentralized lending protocol built on the Fuse network, has moved a significant portion of the stolen funds after months of inactivity. Blockchain security firm CertiK revealed on May 6 that the hacker transferred 100 Ether, valued at approximately $182,783, through crypto mixing service Tornado Cash.
According to CertiK’s investigation, the wallet address used in the transaction was inactive for 166 days, with no movement since November. The address is linked to the original exploit and can be traced to earlier activity involving the hacker.
#CertiKInsight 🚨
Our alerting system has detected @TornadoCash
deposits of 100 ETH from 0xCF4823dA7271fdedBe103500d8E197Bdca224B6d.
The fund traces to ~$4M Voltage Finance
exploit on Fuse back in March 2022.
Stay Vigilant! pic.twitter.com/eyqH1HbN3F
— CertiK Alert (@CertiKAlert) May 6, 2025
The blockchain security firm also explained that the hacker used Tornado Cash, which was sanctioned by the US Treasury in 2022 for facilitating money laundering, to obscure blockchain transactions and prevent investigators from tracing the fund movements.
Voltage Finance original 2022 exploit
Voltage was hacked on March 31, 2022, and the hacker made away with an estimated $4.67 million in digital tokens. They reportedly took advantage of a vulnerability in a token standard, ERC677, through a built-in callback function. The function allowed them to execute a reentrancy attack to successfully drain funds from the platform’s lending pool.
In the initial phase of the attack, the culprit used a flash loan of 515 Wrapped Ether (WETH) from the WETH-WBTC pair on Voltage Finance to initiate the exploit.
Voltage Finance operates as a decentralized protocol enabling automated token trading on the Fuse network. The attacker exploited this infrastructure by manipulating the platform’s smart contracts using wrapped tokens and flash loans.
