Funds tied by blockchain monitors to the theft of about $24 million in aEthUSDC from the wallet associated with Sillytuna are now being routed through a more fragmented laundering path, with part of the haul converted into Monero, part sent to centralized exchanges, and another slice pushed through Tornado Cash.
PeckShieldAlert said in an X post, that the attacker swapped about $2 million worth of DAI and ETH for 6,174.4 XMR, which it said is currently held on Hyperliquid. The same alert said about $6.5 million in USDC and USDT was deposited into centralized exchanges including OKX, MEXC, and Bitkan, while 375 ETH was laundered through Tornado Cash.
The significance of the latest movement is not only the size of the funds but the structure of the flow. Instead of relying on one exit route, the wallet appears to be dividing assets across privacy infrastructure, centralized exchange rails, and mixing tools at the same time.
That kind of routing increases complexity for investigators because each channel creates a different recovery problem. A centralized exchange deposit can become an opportunity for account identification, freezing, or law-enforcement outreach if the receiving venue cooperates. A Tornado Cash transfer reduces direct transaction visibility and makes downstream attribution harder. A conversion into XMR shifts part of the trail into an asset designed to limit public traceability more aggressively than transparent blockchains.
The move into 6,174.4 XMR is one of the most important pieces of the flow because it changes the tracing environment. Public-chain assets such as ETH, DAI, USDC, and USDT leave visible transaction records even when routed across multiple wallets and bridges. Monero is different. Once funds rotate into XMR, open-ledger tracking becomes far less useful, which is why privacy-coin conversion often draws immediate attention in large exploit cases.
The Hyperliquid reference is also notable because it suggests the attacker used a venue with fast execution and broad market access rather than limiting the operation to simple wallet-to-wallet transfers. That does not prove what the next move will be, but it does show that the laundering process is using trading infrastructure, not only static storage.
The roughly $6.5 million in USDC and USDT that PeckShield said was deposited into OKX, MEXC, and Bitkan matters for a separate reason. Centralized exchange transfers can be an off-ramp, but they can also be a conversion point into other assets, a staging area for internal transfers, or a way to split balances across multiple accounts and venues.
From a recovery perspective, this is the most visible part of the route. Funds entering a centralized platform move into an environment where compliance controls, account records, and freeze mechanisms can matter more than on-chain obfuscation. That is why exchange-side routing often becomes the main pressure point for investigators even when part of the stolen value has already been pushed into privacy tools.
The 375 ETH routed through Tornado Cash shows that the attacker is not relying on one laundering method. Mixing a smaller ETH slice while also moving stablecoins into exchanges and rotating value into XMR creates a layered approach that is harder to follow cleanly from a single vantage point.
This matters because it suggests the wallet is optimizing for flexibility. Some funds can stay liquid inside exchange environments, some can become harder to trace through XMR, and some can be mixed to blur intermediate ownership history. In practice, that reduces the chance that one defensive measure, such as exchange monitoring alone, will fully contain the flow.
The Sillytuna case is increasingly becoming a live example of how large crypto thefts now move through several market structures at once. The initial exploit or forced transfer is only the first stage. The real contest starts when assets begin crossing from transparent stablecoins and ETH into privacy coins, mixers, bridges, and exchange accounts with different control points.
That is why the latest alert matters. It shows the laundering phase becoming more operationally sophisticated, not less. For the market, the practical takeaway is that recovery odds often hinge on the parts of the route where control still exists, especially centralized venues and identifiable conversion points. For security teams, it is another reminder that once an attacker starts splitting size across multiple mechanisms, time and coordination become as important as tracing itself.
The post Sillytuna Attacker Moves Funds Through XMR, CEXs, and Tornado Cash appeared first on Crypto Adventure.
