7-5-2025 – A shadowy figure behind the audacious $4.67 million heist of Voltage Finance’s decentralised lending platform in 2022 has resurfaced, stirring the murky waters of cryptocurrency crime. On May 6, blockchain security experts at CertiK revealed via X that the culprit transferred 100 Ether, valued at $182,783, into Tornado Cash, a mixer notorious for obscuring digital trails. This transaction, traced to an address linked to the original exploit, marks the hacker’s first move since the account lay dormant for 166 days, according to Etherscan records.
The saga began in March 2022, when the attacker exploited a flaw in the ERC677 token standard’s callback function, executing a cunning reentrancy attack to siphon funds from Voltage Finance’s lending pool. The haul included a mix of stablecoins like USDC and Binance USD, alongside wrapped Bitcoin and Ethereum tokens. In the aftermath, Voltage Finance flagged the hacker’s address on Etherscan, alerted exchanges to block transactions, and even extended an olive branch, offering a bounty to negotiate the return of the stolen assets.
Yet, this was not the only blow to Voltage Finance. On March 18, the protocol’s Simple Staking pools fell prey to another breach, with $322,000 pilfered. A subsequent investigation, detailed in a March 20 report, pointed to a possible inside job by a developer linked to the staking pools. Though unconfirmed as the culprit, the suspect’s access was swiftly revoked, and law enforcement was engaged, alongside a $50,000 bounty offered to recover the funds.
The broader cryptocurrency landscape has been no less turbulent. April saw losses soar by 1,163%, driven largely by a staggering $330.7 million theft of 3,520 Bitcoin from an elderly American’s wallet through sophisticated social engineering. Excluding this outlier, the month’s losses totalled $34 million, a 21% rise from March. However, glimmers of restitution emerged: the hacker behind a $7.5 million KiloEx exploit returned all funds within four days, and the ZKsync Association reclaimed $5 million in tokens stolen from its April 15 airdrop contract breach.
