Whale ‘Multisig’ Drained of $27M in 6 Minutes Due to 1-of-1 Config Error

A crypto whale lost approximately $27.3 million today after their newly created multisignature wallet was drained in an exploit that blockchain investigators attribute to a fundamental configuration error. The wallet, established on November 4, was compromised just six minutes after creation, with ownership transferred immediately to an attacker.

Security firm PeckShield identified the breach, noting the attacker has already laundered 4,100 ETH ($12.6 million) through Tornado Cash. The remaining assets include a leveraged long position on the lending protocol Aave.

The ‘1-of-1’ Security Theater

While the wallet was deployed as a multisig contract, typically used to require multiple approvals for transactions, forensic analysis revealed it was configured with a "1-of-1" signature threshold. This setup offers no additional security over a standard private key account, effectively creating a single point of failure wrapped in complex code.

The multisig was created on Nov. 4, but ownership was transferred to the attacker just six minutes later.

On-chain analyst Specter confirmed the operational failure, stating the private key was likely compromised during the setup process itself. The attacker effectively seized control of the "owner" privileges before the victim could secure the assets.

Market Reaction & Asset Flight

The stolen funds are moving rapidly. In addition to the Tornado Cash deposits, the attacker controls a volatile leveraged position on Aave. AAVE traded lower on the news, slipping to $178 (-4%), while Ethereum (ETH) struggled to hold the $2,968 level (-5%) amid broader market weakness.

Forensic estimates suggest total losses could swell beyond $40 million depending on the liquidation value of the seized Aave position. The attacker retains approximately $2 million in liquid assets within the compromised contract, with no indication of negotiation.