The individual identified as the KyberSwap exploiter has transferred 1,000 Ether to the crypto mixer Tornado Cash. Blockchain monitoring firm Arkham flagged the activity on April 29, 2026. The transfers arrived in structured 100 ETH batches. The hacker’s primary wallet still holds an estimated $29 million across multiple blockchains.
On-Chain Data Reveals Structured Tornado Cash Transfers
Arkham Intelligence data shows the exploiter sent ETH in ten separate 100 ETH transactions. Each transfer followed a near-identical structure. Analysts say this pattern points to a coordinated strategy rather than impulsive movement.
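According to Arkham monitoring, the Kyber Network attacker is transferring stolen funds to the mixing protocol Tornado Cash. The attacker's identity has been confirmed as Andean Medjedovic, who stole $48.8 million from KyberSwap in late 2023. In addition, Medjedovic also orchestrated an attack on Indexed Finance two years earlier, causing $16.5 million in losses. 2025…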
— 吴说区块链 (@wublockchain12) April 29, 2026
Tornado Cash operates as a cryptocurrency mixing service. It pools funds from multiple sources to obscure transaction trails.
Law enforcement agencies have flagged the protocol repeatedly in connection with crypto-related money laundering cases. Once assets enter Tornado Cash pools, tracing withdrawal destinations becomes significantly harder.
The KyberSwap Exploit: A $48.8 Million DeFi Hack in 2023
In November 2023, an attacker drained approximately $48.8 million from KyberSwap Elastic liquidity pools. The incident struck multiple blockchain networks simultaneously. KyberSwap’s total value locked fell by 90 percent in the hours following the breach.
Dutch authorities allege the hack originated from a hotel room in The Hague. The attacker reportedly used a fake Slovak passport to check in. The suspect left the premises the morning after the exploit, despite having paid for a full month’s stay.
Who Is Andean Medjedovic? The Suspect Behind the KyberSwap Attack
Authorities have identified Andean Medjedovic, a Canadian national from Hamilton, Ontario, as the primary suspect.
He finished high school at age 14 and earned a master’s degree in pure mathematics at 18. U.S. and Dutch authorities linked him to the KyberSwap exploit as well as a 2021 attack on Indexed Finance, which resulted in $16.5 million in losses.
After the KyberSwap exploit, the attacker sent a public message to the company. It read: “Negotiations will start in a few hours when I am fully rested. Thank you.” The hacker then demanded full operational control of the Kyber platform.
He offered to return 50 percent of stolen funds. He later wrote: “I know this is probably less than what you wanted. However, it is also more than you deserve.” The U.S. Department of Justice cited both statements as grounds for an extortion charge.
DOJ Indictment and the Failed Serbian Extradition Attempt
The U.S. Department of Justice unsealed an indictment against Medjedovic in early 2025. The charges include computer fraud, wire fraud, and money laundering. Dutch authorities had already issued a European Arrest Warrant in December 2023.
Serbian police arrested Medjedovic in Belgrade in August 2024. He spent 105 days in custody before a Serbian court rejected the Dutch extradition request.
The High Court of Belgrade ruled that Dutch prosecutors had not sufficiently proved his guilt. The court also found that the alleged crimes carried penalties too minor under Serbian domestic law to justify extradition.
Suspect Linked to Bosnia After Escaping Serbian Custody
Following his release in November 2024, Medjedovic disappeared from the Serbian authorities’ view.
A DOJ filing dated January 17, 2025 stated: “Defendant is believed to be at large in Bosnia.” His parents hold Bosnian citizenship, and court records show he sought Bosnian identity documents from his father while still in custody.
Reporters from CBC News and the Balkan Investigative Reporting Network found records placing him at an address near Sarajevo.
However, a building manager confirmed authorities visited the location but never found him there. His current whereabouts remain unknown. An Interpol Red Notice for his arrest remains active.
Medjedovic’s MoneyMovementSystem Laundering Strategy
The DOJ indictment revealed that Medjedovic kept detailed personal files on cryptocurrency laundering.
One document, titled “moneyMovementSystem,” contained step-by-step instructions for moving stolen funds through crypto mixers. The file referenced using fake identification documents to open bank accounts.
The latest Tornado Cash transfers match that documented strategy. Each batch moved in identical 100 ETH increments.
Investigators note this mirrors earlier movement patterns attributed to the exploiter. The structured approach complicates automated blockchain analysis tools.
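A detection heuristic for the pattern described above, as an added example that is not from the article or from any investigator's tooling: it flags a sender that makes several equal-value deposits to a labelled mixer address inside a time window. All addresses, timestamps, spacing and thresholds are constructed placeholders.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed labels and sample data: placeholders, not real on-chain addresses.
MIXER_ADDRESSES = {"0xMIXER_POOL_PLACEHOLDER"}

SAMPLE_TRANSFERS = (
    # Ten identical 100 ETH deposits, two minutes apart (spacing is an assumption).
    [{"from": "0xEXPLOITER_PLACEHOLDER", "to": "0xMIXER_POOL_PLACEHOLDER",
      "value_eth": "100", "ts": 1_000_000 + 120 * i} for i in range(10)]
    # Noise: a single unrelated deposit and a transfer to a non-mixer address.
    + [{"from": "0xUSER_A_PLACEHOLDER", "to": "0xMIXER_POOL_PLACEHOLDER",
        "value_eth": "100", "ts": 1_000_500},
       {"from": "0xEXPLOITER_PLACEHOLDER", "to": "0xOTHER_PLACEHOLDER",
        "value_eth": "3", "ts": 1_000_900}]
    # Noise: six equal deposits spread over more than a day each.
    + [{"from": "0xUSER_B_PLACEHOLDER", "to": "0xMIXER_POOL_PLACEHOLDER",
        "value_eth": "10", "ts": 1_000_000 + 200_000 * i} for i in range(6)]
)


def find_structured_deposits(transfers, mixers, min_count=5, window_s=86_400):
    """Flag senders with >= min_count equal-value mixer deposits within window_s seconds."""
    groups = defaultdict(list)
    for t in transfers:
        if t["to"] in mixers:
            # Decimal avoids float rounding when comparing batch sizes.
            groups[(t["from"], Decimal(t["value_eth"]))].append(t["ts"])

    alerts = []
    for (sender, value), stamps in groups.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window: largest number of deposits that fit inside window_s.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            alerts.append({"sender": sender, "batch_eth": value,
                           "count": best, "total_eth": value * best})
    return alerts


if __name__ == "__main__":
    for alert in find_structured_deposits(SAMPLE_TRANSFERS, MIXER_ADDRESSES):
        print(alert)
```
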
Crypto Hacker Hires Washington Lobbyist to Seek Presidential Pardon
In March 2026, lobbying firm JM Burkman & Associates disclosed it was working to secure a U.S. presidential pardon for Medjedovic.
The firm filed documents with the DOJ confirming its representation. Reports indicate Medjedovic paid approximately $300,000 for the lobbying effort.
The lobbying firm argued that Medjedovic identified legal trading opportunities within the platforms’ own rules.
It characterized his activity as comparable to high-frequency trading. Legal observers and victim representatives have rejected that framing.
Toronto attorney Benjamin Bathgate, who represents an alleged victim in a civil suit, described the conduct as market manipulation.
$29 Million Still Held in Exploiter Wallets Across Multiple Chains
Despite the April 2026 transfers, blockchain data shows the attacker’s primary wallet retains roughly $29 million in assets.
Holdings span several blockchain networks. Investigators continue to monitor all associated addresses for further movement.
Kyle Armstrong, a former FBI agent now at blockchain intelligence firm TRM Labs, noted the challenge facing the suspect. He said: “He needs to be perfect from here until eternity in obfuscating the proceeds of this exploit, which are being tracked.”
Armstrong added that converting large sums of stolen cryptocurrency into spendable funds without triggering detection grows increasingly difficult as blockchain analytics tools improve.
What the KyberSwap Case Reveals About DeFi Security Gaps
The KyberSwap case highlights a persistent vulnerability in decentralized finance protocols. Smart contract exploits can allow an attacker to withdraw funds before developers respond.
KyberSwap has since updated its security infrastructure. However, investigators note that identifying a hacker does not guarantee asset recovery.
Privacy tools like Tornado Cash continue to create obstacles for law enforcement. The gap between transparent blockchain records and real-world accountability remains a central challenge.
Regulatory bodies in the United States and Europe have intensified scrutiny of crypto mixing services in recent years. The KyberSwap investigation stands as one of the most closely watched cases in the sector.
FAQs
Q1: What recent activity has been linked to the KyberSwap hacker?
A1: The exploiter transferred 1,000 ETH in structured batches to Tornado Cash, according to blockchain data flagged by Arkham Intelligence.
Q2: Why is Tornado Cash significant in this case?
A2: Tornado Cash is a crypto mixing service designed to obscure transaction trails, making it harder for investigators to trace the destination of funds.
Q3: Who is the main suspect in the KyberSwap exploit?
A3: Authorities have identified Andean Medjedovic, a Canadian national, as the primary suspect linked to the exploit.
Q4: What charges has the U.S. Department of Justice filed?
A4: The U.S. Department of Justice has charged the suspect with computer fraud, wire fraud, and money laundering.
Q5: How much of the stolen funds are still unaccounted for?
A5: Blockchain data suggests the exploiter still controls around $29 million in assets across multiple blockchain networks.
Sources
https://coinfomania.com/kyberswap-hacker-transfers-stolen-funds-to-tornado-cash/
https://www.cbc.ca/news/world/canadian-alleged-cryptocurrency-hack-9.7066147
https://cryptonews.com/news/canadian-hacker-steals-65m-disappears-from-custody-what-happened/