Whale Loses ~$38M After 1-of-1 Multisig Key Compromised; Attacker Controls Aave Position

A crypto whale lost roughly $38 million after an attacker gained control of a multisig wallet that was effectively a 1-of-1 signer. Early on-chain reports pegged initial losses at about $27.3M; subsequent tracking of associated wallets and leveraged positions raised the total to ~ $38M. The attacker moved about 4,100 ETH (~$12.6M) through Tornado Cash to obfuscate funds and left roughly $2M liquid. Critically, the attacker still controls the victim address, which holds a large leveraged Aave long: ~25,000 ETH supplied as collateral against over $12M in borrowed DAI. On-chain timestamps show the multisig was created and ownership transferred to an attacker-controlled key within minutes, suggesting the private key was leaked during setup or the multisig was maliciously created for the victim. Analysts warn this is part of a wider pattern of private-key theft and social-engineering attacks that target human trust rather than smart-contract bugs. Traders should note immediate liquidation risk for the Aave position and elevated market risk from on-chain movement of large collateral. Recommended defensive measures: use hardware/cold signers, set up true multisig with multiple independent signers, isolate signing devices, verify transactions off-UI, and avoid third-party setup assistance. Primary keywords: multisig exploit, private key compromise, Tornado Cash, Aave, wallet security. Secondary keywords: social engineering, leveraged position, on-chain tracking.