$6.2M from SagaEVM exploit laundered through Tornado Cash

Published: 2026-01-24 20:13:52 |

6.2 million USD of funds stolen in the January 21 SagaEVM exploit have been deposited into Tornado Cash, according to blockchain security firm CertiK and Saga team updates. The exploit — involving coordinated contract deployments, cross-chain activity, and liquidity withdrawals — transferred nearly $7M in USDC, yUSD, ETH and tBTC to Ethereum mainnet. Attackers split proceeds across five wallets before routing $6.2M into the Tornado Cash privacy mixer to obscure traces and frustrate recovery. Saga paused the affected chainlet at block 6,593,800 and identified affected components (SagaEVM chainlet, Colt and Mustang), while other Saga network elements (Saga SSC mainnet, protocol consensus, validators) were reportedly unaffected. Cosmos Labs confirmed the root cause traces to the Ethermint codebase and said it is working with Saga and external security partners on mitigations. Saga plans a technical post‑mortem after remediation. Primary keywords: SagaEVM, Tornado Cash, exploit, USDC, ETH. Secondary/semantic keywords: mixer, laundered funds, Ethermint, Cosmos Labs, incident response.

Bearish

The news is likely bearish for market sentiment. Large hacks and subsequent laundering through Tornado Cash increase perceived custodial and protocol risk in the crypto sector, particularly for projects built on reused codebases. Short-term effects: negative price pressure for tokens directly involved (native tokens or assets on SagaEVM) and broader risk-off moves as traders reduce exposure to chains with recent exploits. Exchanges and bridges blacklisting exploiter wallets may limit immediate on‑chain liquidity recovery, and use of a mixer reduces chances of reclaiming funds — both factors intensify selling pressure and uncertainty. Medium-to-long term: impact depends on Saga’s remediation and transparency. A thorough post‑mortem, patches, and coordination with Cosmos Labs could restore confidence if handled swiftly; however, the revelation that the vulnerability stems from Ethermint may prompt wider audits and temporary de-risking of other EVM-compatible chains built on the same codebase. Historical parallels: past large exploits (e.g., Ronin, Wormhole) caused immediate token selloffs and reduced TVL in affected ecosystems, with recovery only after demonstrable fixes and reimbursements. Traders should monitor on-chain flows from Tornado Cash deposits, blacklist actions by exchanges, Saga’s technical post‑mortem, and any coordinated recovery or insurance announcements.