Voltage Finance hacker moves $182K in ETH to Tornado Cash

A hacker tied to the 2022 exploit of Voltage Finance, a decentralized lending protocol built on the Fuse network, has moved a significant portion of the stolen funds after months of inactivity. Blockchain security firm CertiK revealed on May 6 that the hacker transferred 100 Ether, valued at approximately $182,783, through crypto mixing service Tornado Cash.

According to CertiK’s investigation, the wallet address used in the transaction was inactive for 166 days, with no movement since November. The address is linked to the original exploit and can be traced to earlier activity involving the hacker. 

#CertiKInsight 🚨

Our alerting system has detected @TornadoCash
deposits of 100 ETH from 0xCF4823dA7271fdedBe103500d8E197Bdca224B6d.

The fund traces to ~$4M Voltage Finance
exploit on Fuse back in March 2022.

Stay Vigilant! pic.twitter.com/eyqH1HbN3F

— CertiK Alert (@CertiKAlert) May 6, 2025

The blockchain security firm also explained that the hacker used Tornado Cash, which was sanctioned by the US Treasury in 2022 for facilitating money laundering, to obscure blockchain transactions and prevent investigators from tracing the fund movements.

Voltage Finance original 2022 exploit

Voltage was hacked on March 31, 2022, and the hacker made away with an estimated $4.67 million in digital tokens. They reportedly took advantage of a vulnerability in a token standard, ERC677, through a built-in callback function. The function allowed them to execute a reentrancy attack to successfully drain funds from the platform’s lending pool.

In the initial phase of the attack, the culprit used a flash loan of 515 Wrapped Ether (WETH) from the WETH-WBTC pair on Voltage Finance to initiate the exploit. 

Voltage Finance operates as a decentralized protocol enabling automated token trading on the Fuse network. The attacker exploited this infrastructure by manipulating the platform’s smart contracts using wrapped tokens and flash loans. 

Ola Finance, the multi-protocol network that supports Voltage, issued a post-mortem two days after the incident that showed the exploit was specific to its Fuse deployment. The developers stated that similar attacks would not affect other lending networks under Ola’s ecosystem. 

In total, the attacker siphoned off 216,964.18 USDC, 507,216.68 BUSD, 200,000 fUSD, 550.45 Wrapped Ether (wETH), 26.25 Wrapped Bitcoin (wBTC), and 1,240,000 FUSE tokens. 

“In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen,” Ola stated in its report.

Another exploit hits in March 2025

Voltage Finance was hit again in a separate exploit on March 18 this year, involving its Simple Staking pools. This time, the unauthorized withdrawal led to the theft of $171,027.20 in USDCE and $151,085.87 in wETH. The platform paused activities on the pool to stop the fund drainage, and said it was “working urgently to identify the hacker.”

According to a March 20 Medium report from Voltage Finance, the attack began when a second unknown party, referred to as Attacker 2, withdrew ETH from crypto exchange HTX. Attacker 2 transferred the stolen assets to Attacker 1, who used the money to purchase FUSE tokens via ChangeNow, bridged to the network through LayerZero.

From there, the stolen assets were bridged back to Ethereum and moved through several wallets and transactions.The funds were then passed from Attacker 1 to Attacker 3, who received additional funds via SimpleSwap. 

Attacker 3 deposited some of the tokens into the KuCoin exchange, but swapped and withdrew others back to the first hacker to complete the laundering loop.

“Since your transactions passed through KuCoin, we have initiated cooperation to identify you. We prefer resolving this situation peacefully. We’re offering a bounty of $50K upon the return of all funds,” Voltage Finance said to the hacker in its X post.

According to a recent report by blockchain security firm Immunefi, losses from crypto-related hacks and exploits have reached $1.74 billion so far this year, already surpassing the $1.49 billion total recorded in all of 2024. The 2025 year-to-date total is a nearly fourfold increase from the $420 million reported during the same period in 2024.

Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More