Arkham Intelligence tracking the Sillytuna attackers suggests the group has shifted from staging to active laundering, with more than $10 million in stolen assets moved across addresses and venues in short order.

The update highlights three notable pathways.

Roughly $1.08 million in Bitcoin was flagged as entering a mixing service. Mixing tools attempt to sever the visible link between inputs and outputs, making it harder to map the next hop even when the initial theft is well-attributed. For investigators, the key takeaway is not only the mixer deposit itself, but the timing: it signals the operation has progressed from consolidation to obfuscation.
Around $900,000 of DAI was converted into USDT and deposited to BitKan, a venue that positions itself as a multi-exchange aggregation broker routing execution across partner liquidity pools. That route matters because trade aggregation can blur where the final fills land, even when the deposit venue is identifiable.
The attackers moved roughly $10 million out of a widely watched Ethereum address labeled in the update as “0xd0c,” splitting the balance among several other addresses. This type of fragmentation is a standard laundering primitive, reducing the odds that a single freeze or interdiction action captures the majority of funds.

Laundering Moves Can Change the Recovery Math

Early in a theft lifecycle, large balances sitting in a small number of wallets are easier to track and, in some cases, easier to recover if they touch centralized venues that can freeze funds. Once stolen assets begin to move through mixers, stablecoin hops, and multi-venue routing, recovery odds tend to drop.

A Bitcoin mixer deposit increases the cost of attribution because it disrupts straightforward transaction graph analysis. While the broader flow remains observable on-chain, investigators often need probabilistic heuristics, timing correlations, and off-chain intelligence to follow the money after mixing.

Stablecoin conversions and deposits to trading venues can be a different kind of fork in the road. If funds hit a compliance-oriented centralized exchange, they can be frozen. If they instead land in venues or brokers that route orders across multiple partners, the laundering chain can become less direct, with the effective exit liquidity distributed across more endpoints.

The $10 million split adds another layer. Smaller tranches can be bridged, swapped, or dripped into venues in sizes designed to reduce alerting thresholds, avoid concentration risk, and maintain operational flexibility.

Backdrop: A $24 Million Theft and Rapid Multi-Chain Dispersion

The laundering update follows a widely circulated incident in which an account using the name Sillytuna claimed roughly $24 million was stolen after a violent, real-world extortion event, while on-chain analysts pointed to an address poisoning style theft on Ethereum as the mechanism for the initial drain.

In the first wave of on-chain tracking, analysts described stolen assets being converted into DAI and staged across a small number of wallets before smaller pieces were bridged to other networks, an approach commonly used to complicate tracing and create optionality for later cash-out routes.

Separate reporting on the early movements also described routing across Ethereum and Arbitrum, along with activity tied to Hyperliquid and a privacy-asset leg, illustrating how quickly a theft can branch into multiple ecosystems even before mixing begins.

Against that backdrop, the latest signals are meaningful because they point to the stage at which attackers typically aim to turn traceable balances into harder-to-follow outputs.

How These Flows Usually Work

The most consistent pattern across large crypto thefts is assembly, then dispersion.

Assembly starts with consolidating the theft proceeds into a few addresses and swapping into more liquid, widely accepted assets. DAI and USDT fit this role because they are deep-liquidity collateral on multiple venues and can be moved quickly across chains and services.

Dispersion follows as a risk-management layer for criminals. Funds are split across multiple addresses, and then routed through infrastructure that raises tracing complexity, such as bridges, aggregators, and mixers. Each hop introduces more degrees of freedom: new venues, new counterparties, new chain contexts, and more places to blend illicit flow with regular activity.

The BitKan route is a useful example of why venue choice matters. A broker-style platform that aggregates liquidity across partners can provide competitive execution while distributing downstream exposure across multiple books. For investigators, that can widen the scope of where to look next if deposits convert into trades and withdrawals across partner venues.

Market and User Impact

These laundering steps do not automatically imply an imminent market dump in any single asset. In many cases, stolen funds are liquidated gradually to reduce slippage and attention, or swapped into stablecoins and moved through cash-out channels over time.

The direct impact is operational. Users and trading desks monitoring the incident typically watch for exchange deposit clusters, sudden stablecoin inflows, or bridge activity that suggests the attacker is positioning funds for off-ramps. Exchanges and brokers, meanwhile, often face pressure to tighten screening around known attacker clusters and to clarify whether deposits can be interdicted before they fragment further.

If the flows continue to touch centralized venues, compliance teams can still act, especially on stablecoin legs that may involve issuers or regulated intermediaries. If more value is pushed through mixers and multi-hop swapping, the laundering path can become less deterministic, increasing the gap between attribution and recovery.

The post Sillytuna Attackers Move $10M+ as Laundering Steps Hit Mixers and Exchange-Routed Liquidity appeared first on Crypto Adventure.

---

Filed under: Bitcoin - @ March 6, 2026 12:25 pm