Key Highlights:
- CrediX attackers have routed 50% of the stolen funds through Tornado Cash.
- Hackers gained admin access to mint uncollateralized tokens and drain liquidity pools.
- CrediX’s website and social media accounts have vanished after promising quick user refunds.
A major DeFi security crisis is still affecting CrediX and its community more than a week after the protocol was hacked for $4.5 million on August 4, 2025. According to CertiK, a blockchain security firm, the attacker has now laundered half of the stolen funds through the crypto mixer Tornado Cash, and about 630 ETH (around $2.8 million) remains in their wallet.
Anatomy of the CrediX Attack
CrediX, a decentralized lending protocol on the Sonic blockchain, was hit by a targeted governance exploit, not a basic code flaw. Investigations show that the attacker quietly gained top-level admin rights through the protocol’s access control just days before striking. Using these privileges, they minted uncollateralized synthetic tokens and siphoned large amounts of real assets from lending pools.
Right after the attack, the funds were bridged from Sonic to Ethereum and split across multiple wallets. CertiK’s monitoring shows roughly half went to Tornado Cash, a crypto mixer that obscures the transaction trail and makes stolen funds difficult to trace.
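A monitoring check for the pattern described above (privileged rights granted, then uncollateralized minting days later), as an added example that is not CrediX's or CertiK's code. The event records, field names, role names and the 7-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

PRIVILEGED = {"ADMIN", "MINTER"}  # hypothetical role names, not CrediX's

# Constructed sample events; field names and addresses are illustrative.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "RoleGranted", "role": "ADMIN", "account": "0xOLD"},
    {"ts": "2025-07-29T12:00:00", "type": "RoleGranted", "role": "ADMIN", "account": "0xNEW"},
    {"ts": "2025-07-29T12:05:00", "type": "RoleGranted", "role": "MINTER", "account": "0xNEW"},
    {"ts": "2025-08-01T08:00:00", "type": "Mint", "account": "0xOLD", "amount": 1000, "collateral": 1500},
    {"ts": "2025-08-04T03:00:00", "type": "Mint", "account": "0xNEW", "amount": 2000000, "collateral": 0},
]

def find_suspicious_mints(events, window=timedelta(days=7)):
    """Return one alert per mint that is under-collateralized or made by an
    account whose privileged role was granted within `window` before it."""
    grants = {}   # account -> {role: time the role was granted}
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        when = datetime.fromisoformat(ev["ts"])
        roles = grants.setdefault(ev["account"], {})
        if ev["type"] == "RoleGranted" and ev["role"] in PRIVILEGED:
            roles[ev["role"]] = when
        elif ev["type"] == "RoleRevoked":
            roles.pop(ev["role"], None)   # revoked roles no longer count
        elif ev["type"] == "Mint":
            reasons = []
            fresh = sorted(r for r, t in roles.items() if when - t <= window)
            if fresh:
                reasons.append("recent privileged grant: " + ",".join(fresh))
            if ev["collateral"] < ev["amount"]:
                reasons.append("under-collateralized mint")
            if reasons:
                alerts.append({"account": ev["account"], "ts": ev["ts"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_mints(EVENTS):
        print(alert)
```

In practice the grant itself is the earlier signal: an alert on any privileged role change gives defenders the days between grant and mint to respond.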
Tornado Cash: The Double-Edged Mixer
Tornado Cash is a decentralized privacy tool that hides the link between sender and receiver in Ethereum transactions. This gives users strong anonymity, but the same feature keeps it under fire from regulators, and hackers often use it to launder stolen crypto.
The CrediX hack followed the same playbook: the loot is pushed through the mixer to throw investigators off the trail. Use of the mixer has become very common. Earlier this year, Infini protocol lost $50 million when a former developer used a hidden backdoor to empty vaults. The stolen crypto was swapped and then sent to Tornado Cash to erase the trail of transactions. This made recovery impossible and exposed the risks of unchecked admin powers in DeFi.
A Broader Pattern: Tornado Cash in Major Crypto Heists
Tornado Cash has played an important role in laundering funds from some of the industry’s biggest hacks. Regulators and blockchain sleuths link it to over $7 billion in stolen funds, including the 2022 Ronin Bridge hack, which has been tied to North Korea’s Lazarus Group. When the U.S. Treasury’s temporary ban was lifted in early 2025, experts warned of a comeback, and the CrediX case proves them right.
Infini was just one example. Funds from major DeFi exploits, exchange breaches like Bybit and CoinDCX, and even pump-and-dump schemes have all been funneled through Tornado Cash. Its “crypto washing machine” label took center stage in the 2025 trial of developer Roman Storm, where testimony showed it’s still the go-to for hackers and scammers looking to hide their tracks.
Fallout: CrediX Vanishes, Users in the Dark
After the attack, CrediX’s website went offline and all official updates stopped. The project had promised to reimburse users within 48 hours, but its social channels went silent. Speculation is now growing over whether this is an exit scam, especially since the attacker’s swift grab of admin controls hints at an insider job or insider help; alternatively, it could be a serious governance breakdown.
Chances of recovering the $2.8 million still sitting in the attacker’s wallet look slim. Any further move into Tornado Cash will likely make the funds disappear for good, leaving users with little hope of seeing their money again.