ZachXBT Flags 3,200 ETH Tornado Cash Move and $5.5M CCTP Bridge
Blockchain investigator ZachXBT has flagged suspicious on-chain activity involving 3,200 ETH reportedly withdrawn from Tornado Cash, with approximately $5.5 million subsequently bridged through Circle’s Cross-Chain Transfer Protocol (CCTP).

The allegation centers on a hacker who allegedly used Ethereum’s most prominent mixing service to obscure the origin of funds before moving a portion cross-chain via a stablecoin bridge. The claim remains partially verified, with no confirmed transaction hashes or wallet addresses publicly corroborated at the time of reporting.
What ZachXBT Alleged About the 3,200 ETH Movement
ZachXBT, a pseudonymous on-chain sleuth known for tracking illicit crypto flows, identified what he described as a hacker moving 3,200 ETH out of Tornado Cash. The movement represents a significant sum and follows patterns commonly associated with exploit-related fund laundering.
The investigator has previously raised concerns about crypto infrastructure vulnerabilities, and this latest flagging fits within his broader work tracking stolen funds across DeFi protocols.
The current evidence base for this specific claim is incomplete. No readable transaction evidence from Etherscan searches has been independently confirmed to match the exact flow described. The allegation should be treated as under review pending further on-chain verification.
How the Reported Circle CCTP Bridge Flow Could Have Worked
According to the claim, approximately $5.5 million was bridged via Circle CCTP after the initial Tornado Cash withdrawal. Circle’s Cross-Chain Transfer Protocol allows native USDC to be burned on one chain and minted on another, enabling cross-chain transfers without relying on wrapped tokens or traditional bridge liquidity pools.
The implied sequence suggests the hacker converted some portion of the withdrawn ETH into USDC, then used CCTP to move the stablecoins to a different blockchain. This two-step approach, mixing followed by bridging, complicates tracing efforts by splitting the fund trail across multiple chains.
The relationship between the 3,200 ETH figure and the $5.5 million bridged amount indicates that only a portion of the total was moved via CCTP. At current ETH valuations, 3,200 ETH would be worth substantially more than $5.5 million, suggesting either a partial conversion or that the bridging represents one leg of a broader dispersal strategy.
The exact path from Tornado Cash withdrawal to CCTP bridge execution still requires readable transaction evidence to confirm. No specific transaction hashes have been published in connection with this report.
Why Tornado Cash Plus CCTP Routing Matters for Crypto Security
The combination of a privacy mixer and a cross-chain bridge represents one of the more effective laundering patterns available on public blockchains. Tornado Cash severs the on-chain link between deposit and withdrawal addresses, while CCTP moves funds to an entirely different network.
For investigators, this layered approach creates multiple breakpoints in the tracing process. Similar patterns have been observed in previous cases where large ETH amounts were transferred to Tornado Cash following suspected exploits.
Security monitors tracking Ethereum-based exploits have increasingly noted that attackers combine mixer services with legitimate bridge infrastructure. The use of Circle’s own protocol, rather than a less regulated bridge, adds a layer of complexity since CCTP transactions pass through Circle’s attestation service.
This raises questions about whether bridge operators could implement screening on mixer-sourced funds. The broader implications for cross-chain investigations remain an active area of discussion among blockchain forensics teams, as demonstrated by cases like the suspected Mining Express ETH-to-DAI swap flagged by other investigators.
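As an added illustration of what such screening could look like (this is not code from the article, ZachXBT, or Circle), the sketch below propagates proportional taint from a mixer withdrawal through intermediate transfers and flags a bridge burn whose sender balance is mostly mixer-sourced. The addresses, amounts, event format, proportional-taint rule and 50% threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions); amounts in USD.
# "mixer_withdraw" = payout from a mixer pool, "transfer" = ordinary move,
# "cctp_burn" = USDC burned on the source chain for a mint elsewhere.
EVENTS = [
    {"t": 1, "kind": "mixer_withdraw", "src": "MIXER", "dst": "addr_A", "usd": 9_000_000},
    {"t": 2, "kind": "transfer", "src": "addr_A", "dst": "addr_B", "usd": 6_000_000},
    {"t": 3, "kind": "transfer", "src": "addr_X", "dst": "addr_B", "usd": 2_000_000},
    {"t": 4, "kind": "cctp_burn", "src": "addr_B", "dst": "dest_chain:addr_C", "usd": 5_500_000},
    {"t": 5, "kind": "cctp_burn", "src": "addr_X", "dst": "dest_chain:addr_Y", "usd": 1_000_000},
]


def screen_burns(events, threshold=0.5):
    """Return (flagged burns, per-address tainted USD) under proportional taint."""
    balance = defaultdict(float)   # observed balance per address
    tainted = defaultdict(float)   # mixer-sourced share of that balance
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        src, dst, usd = ev["src"], ev["dst"], float(ev["usd"])
        if ev["kind"] == "mixer_withdraw":
            moved_taint = usd      # everything leaving the mixer is tainted
        else:
            if balance[src] < usd:
                # Funding that predates the observed window is assumed clean.
                balance[src] = usd
            ratio = tainted[src] / balance[src] if balance[src] else 0.0
            moved_taint = usd * ratio
            balance[src] -= usd
            tainted[src] -= moved_taint
            if ev["kind"] == "cctp_burn" and ratio >= threshold:
                findings.append({"t": ev["t"], "src": src, "usd": usd,
                                 "taint_ratio": ratio})
        # The recipient (including a cross-chain mint recipient) inherits
        # the taint, so the trail continues on the destination chain.
        balance[dst] += usd
        tainted[dst] += moved_taint
    return findings, dict(tainted)


if __name__ == "__main__":
    flagged, taint = screen_burns(EVENTS)
    for f in flagged:
        print(f"t={f['t']} burn by {f['src']}: ${f['usd']:,.0f}, "
              f"{f['taint_ratio']:.0%} mixer-sourced")
```

Mixing in clean funds before the burn lowers the ratio without removing the taint, which is why the threshold is a policy choice rather than a fixed property of the flow.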
What Remains Unverified
The current research record for this report carries a partial verification status. No fully confirmed transaction trail has been established from publicly available data at the time of writing.
Key missing elements include specific wallet addresses involved in both the Tornado Cash withdrawal and CCTP bridge transaction, transaction hashes that would allow independent verification on Etherscan, and a direct link to ZachXBT’s original post containing the allegation.
The article uses cautious attribution language throughout because the facts supporting the headline claim could not be independently confirmed through available on-chain data. Readers should treat this as an unconfirmed allegation from a credible but single source until additional evidence emerges.
Cases involving crypto fraud investigations often develop over days or weeks as investigators publish follow-up findings, and additional details about this specific movement may surface in subsequent disclosures.
FAQ About ZachXBT, Tornado Cash, and Circle CCTP
Who is ZachXBT?
ZachXBT is a pseudonymous blockchain investigator who tracks illicit fund flows, scams, and exploits across crypto protocols. He has built a reputation for identifying and publicly flagging suspicious wallet activity, often before formal law enforcement actions occur.
What is Tornado Cash?
Tornado Cash is an Ethereum-based mixing protocol that breaks the on-chain link between sender and receiver addresses. Users deposit tokens into a pool and later withdraw from a different address, making it difficult to trace the origin of funds through standard blockchain analysis.
What does Circle CCTP do?
Circle’s Cross-Chain Transfer Protocol enables native USDC transfers between supported blockchains. Unlike traditional bridges that lock and mint wrapped tokens, CCTP burns USDC on the source chain and mints an equivalent amount on the destination chain through Circle’s attestation process.
Why are 3,200 ETH and $5.5 million notable figures?
A movement of 3,200 ETH from a mixing service represents a large single withdrawal that typically signals exploit-related laundering rather than routine privacy usage. The $5.5 million bridged via CCTP suggests a deliberate cross-chain dispersal strategy designed to complicate fund recovery efforts.