Key Highlights
- KyberSwap hacker resumes moving stolen ETH in 100 ETH batches, signaling a structured attempt to obscure fund origins.
- Transfers routed through Tornado Cash raise fresh concerns over tracking stolen crypto and ongoing laundering efforts.
- Despite U.S. charges, the Medjedovic-linked wallet still holds about $29M, showing the case remains unresolved.
The KyberSwap hacker has started moving stolen funds again, sending Ether (ETH) through Tornado Cash in structured 100 ETH batches, according to blockchain platform Arkham. The activity involves Andean Medjedovic, who drained $48.8 million from KyberSwap in 2023, and previously hacked Indexed Finance for $16.5 million two years earlier.
Arkham pointed to the transactions in a public post, stating, “Andean Medjedovic, drained $48.8M from KyberSwap in late 2023. Medjedovic also hacked Indexed Finance for $16.5M, 2 years prior. He was charged by the FBI in 2025. Did he… get away with it?” The latest movement has raised new questions about unresolved DeFi exploits and the difficulty of tracking stolen crypto funds.
Patterned transfers raise red flags
According to the blockchain data, there is a clear, coordinated pattern: repeated withdrawals of exactly 100 ETH sent to the Tornado Cash Router address. Transfers occurred in quick succession — some labeled “just now,” others within seconds or minutes of each other — indicating a deliberate, scripted laundering operation rather than random activity.
Meanwhile, the data further shows the account connected to the hacker still has over $29 million at its disposal. The portfolio is dominated by 11,861 ETH ($27.58M) and 796.39 wstETH ($2.28M), plus minor holdings in stablecoins and other tokens.
It is typical that coordinated transactions indicate attempts to conceal information on their origin. Such behavior is frequently observed by investigators who consider such moves as suspicious and possible laundering attempts.
Furthermore, the involvement of the Tornado Cash service makes it even more problematic to determine the origin of the transactions. Thus, once transferred via such a service, it is hard to trace the funds back to the owner.
Legal pressure meets ongoing activity
Medjedovic, a Canadian national, faces criminal charges in the United States, where prosecutors have accused him of exploiting vulnerabilities in KyberSwap and Indexed Finance to steal roughly $65 million in total. Prosecutors allege he borrowed large sums, artificially manipulated trading systems, and withdrew funds at inflated prices. The indictment, unsealed in February 2025, also references an alleged attempt to extort KyberSwap through a settlement demand tied to the stolen assets.
His whereabouts are still unknown, with no public confirmation of an arrest. Investigators previously noted his use of mixers, swaps, and cross-chain bridges to cover tracks — tactics apparently still in play with these fresh Tornado Cash deposits.
The case underscores a wider challenge in DeFi enforcement, as stolen funds can still move despite public identification and charges, exposing gaps between blockchain transparency and enforcement.
Also Read: How a ‘Perfect Storm’ of 3 Bugs Led to ZetaChain’s $333K GatewayEVM Exploit
