Stolen funds enter privacy mixer
Nearly $6.2 million from the SagaEVM exploit has been moved into Tornado Cash, according to blockchain security firm CertiK. This is a common tactic hackers use when they want to obscure transaction trails and make fund recovery difficult, perhaps impossible.
The exploit happened on January 21, targeting what Saga describes as an “L1 to launch L1s.” After confirming the attack, the team paused the SagaEVM chainlet at block height 6593800. They said mitigation was underway and they were focused on finding a solution.
How the funds were moved
CertiK’s report shows the attackers first distributed the stolen assets across five separate wallets. Then they funneled everything into Tornado Cash through multiple transactions. The total stolen was close to $7 million in various assets—USDC, yUSD, ETH, and tBTC—all transferred to the Ethereum mainnet.
The exploiter’s wallet was identified and shared with exchanges and bridges for blacklisting. But with $6.2 million now in the privacy mixer, recovery efforts face serious challenges. Tornado Cash does exactly what it was designed to do: help funds disappear.
What happened during the exploit
According to a post-mortem shared on January 21, the incident involved coordinated contract deployments, cross-chain activity, and subsequent liquidity withdrawals. The team paused the chain out of caution while investigating.
Their focus was stopping further impact by keeping SagaEVM paused, validating the full scope using archive data and execution traces, and hardening relevant components before restarting. The main components affected were the SagaEVM chainlet, Colt, and Mustang. Other parts like the Saga SSC mainnet, protocol consensus, validator security, and other chainlets weren’t touched.
“There has been no consensus failure, validator compromise, or signer key leakage,” the document stated. “The broader Saga network remains structurally sound.”
Root cause and next steps
With support from Cosmos Labs engineers, the team traced the issue back to the original Ethermint codebase. So it was an inherited vulnerability, not something new they introduced.
Cosmos Labs acknowledged the incident, saying they’ve been working closely with Saga and external security partners to investigate and remediate the confirmed vulnerability. They contacted EVM chains they considered affected and provided short-term mitigations.
“As always, we recommend all projects continue to implement baseline security practices such as rate-limiting and security monitoring to strengthen early detection and mitigation,” they wrote on X.
The Saga team says their next steps include completing root cause validation, patching and hardening affected cross-chain and deployment components, coordinating with ecosystem partners, and publishing a more comprehensive technical post-mortem.
Meanwhile, the latest deposit adds to Tornado Cash’s complicated history—a tool with legitimate privacy uses that’s also become a favorite for hackers trying to launder stolen funds after exploits.
