Key takeaways
- The hacker behind the Truebit exploit completely laundered 8,535 ETH through Tornado Cash.
- The Truebit team is coordinating with law enforcement and conducting a protocol review following the attack.
Hacker Truebit laundered the stolen 8,535 ETH, worth approximately $26 million, through Tornado Cash after exploiting a smart contract vulnerability in the Truebit protocol on January 8, according to data tracked by Lookonchain.
Hacker #Truebit deposited the $8,535 ETH ($26.44 million) he stole into #TornadoCash and laundered it. pic.twitter.com/0unM8sK3h5
– Lookonchain (@lookonchain) January 11, 2026
This exploit marks the first major DeFi breach of the year. The attacker abused an integer overflow in an old smart contract to create millions of TRU tokens at near-zero cost, then sold them back into the protocol to drain its liquidity.
Today we became aware of a security incident involving one or more malicious actors. The affected smart contract is 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2 and we strongly advise the public not to interact with this contract until further notice. We are in contact with the law…
— Truebit (@Truebitprotocol) January 8, 2026
The attack caused TRU to fall by more than 99.9%, wiping out value for investors.
Blockchain security companies then linked the wallet to an earlier Sparkle Protocol hack, suggesting a very sophisticated actor.
In response, the Truebit team urged users to stop interactions with the compromised contract, engaged law enforcement, and launched a full review to evaluate potential recovery options.
