On February 13, 2026, the Mixin hacker, who two years ago stole approximately 200 million dollars in assets, suddenly reappeared in the on-chain view, causing collective tension in the market. A series of large on-chain transfer activities emerged surrounding approximately 59,854 ETH (about 117 million dollars) from the historical loot, including batches transferred to privacy protocols and new wallets. For the cryptocurrency market that has experienced multiple shocks, this is not just an ordinary asset migration, but another psychological shock under the potential shadow of sell pressure: will the hacker's funds, which have been dormant for two years, remain on-chain "lying flat," or will they evolve into an organized sell-off within the current price range?
Sudden Appearance After Two Years: The Resurrection of Stolen Funds
● The event traces back to a security incident two years ago: at that time, Mixin suffered a severe attack, with hackers stealing approximately 200 million dollars in cryptocurrency assets, including about 59,854 ETH. The precise composition of stolen funds and specific dates are not fully disclosed in public records and have been marked as sensitive information that should not be recklessly completed, so only a general scale description can be provided here. However, the magnitude itself is enough to cast a long shadow in any industry narrative.
● It is noteworthy that for a long time after the incident, the main addresses related to this stash of stolen funds were almost "silent" on-chain. Over approximately two years, there were no large-scale splits or frequent transfers, leaving behind only extremely limited, insufficient actions to form a systematic sell-off path. This near "playing dead" period led many observers to speculate that the hacker might be waiting for changes in regulatory environments, restructuring in the market price, or merely wearing down the patience of those tracking them.
● It is precisely because of this extended silence that the sudden large-scale activity on February 13, 2026, appears particularly dramatic: the old case that has been silent for two years is "continued" on-chain in the form of a series of transfers and mixing operations. One side relates to the historical wounds connected to the security breach two years ago, while the other side is the ETH market that is currently more sensitive in terms of market value and liquidity, intertwining two timelines at the same node, creating strong narrative tension and emotional amplification effects.
The Underlying Path of 59,000 ETH's Surging Currents
● This round of funds movement was first concentratedly disclosed by the on-chain analysis account Lookonchain. As a third-party data tracking source, Lookonchain correlated the flow of several large amounts of ETH with the addresses related to the Mixin theft based on publicly available on-chain records, hinting to the market that this might be a follow-up action from the same hacker. It’s important to emphasize that such analysis is based on visible address relationships and historical transaction traces on-chain, representing a professional but still third-party judgment. Readers should be clear about its nature when citing it, rather than viewing it as a judicially conclusive determination.
● In terms of scale, there is a significant correlation in magnitude between this round of actions and the 59,854 ETH originally stolen. Current disclosed information shows that the ongoing on-chain activity still revolves around a portion or derivative split of that historical loot, with an overall corresponding dollar value of about 117 million dollars. In a context where ETH liquidity is highly concentrated, such a volume, if sold off en masse, theoretically could have considerable impact on market prices and sentiment in a short time, which is also an important backdrop to how the "hacker awakening" has quickly amplified into a potential bearish narrative.
● Concerning the outline of the path, funds generally migrated along the classic hacker route of “old address — transit address — privacy tool/new wallet.” Initially, parts of ETH were transferred from historically highly exposed addresses to one or more transit addresses, then further pushed into mixing protocols or spread to multiple newly generated addresses, creating path noise on-chain. Current public information is insufficient to restore the precise details of each jump, so it is more suitable to describe this round of operations as “basic framework” rather than “complete script,” to avoid stitching together unverified links into seemingly solid stories.
Tornado Cash and New Wallets: Mastering Mixing and Splitting
● Among the figures repeatedly cited by various media and data accounts, two sets of data are particularly critical: one is that the hacker transferred 2,005 ETH to Tornado Cash, valued at about 3.85 million dollars at the time; the other is that shortly thereafter, 3 new wallets received a total of 2,087 ETH from Tornado Cash, approximately 4.03 million dollars. Together, these two sets of data outline a clear signal — the hacker is using privacy protocols and new addresses to pave the way for future fund splitting and potential liquidation.
● From a behavioral pattern perspective, utilizing privacy tools like Tornado Cash, in conjunction with multiple newly created wallets for fund splitting, is a standard tactic for hackers attempting to weaken on-chain traceability. By mixing funds through the mixing pool, disrupting UTXO or account system origins, and then sending funds to different new addresses in multiple random transactions, the hacker can effectively raise the barriers to traceability, making it difficult for analysts to completely link fund flows even if they grasp the entry and part of the exit, thereby gaining time and strategic space.
● However, concerning follow-up actions around these 3 new wallets, there remains high uncertainty. External circulated claims such as "all have been sold" or "sold at a specific price" lack authoritative, verifiable data support, and related trading prices and realization scales have been clearly marked as to be verified information in research briefs. At this stage, mixing "recorded on-chain fund receptions" with "possible secondary market sell-offs" can easily mislead readers into believing that sell pressure has already solidified, causing cognitive biases.
The Shadow of Sell Pressure Looms: Hacker Sell-off or Tactical Shift
● The market's most intuitive worry is: Is the hacker preparing to cash out this batch of ETH that has been dormant for many years by gradually selling it off in the current price range? Considering the total amount and dollar value of ETH involved in this round of actions, any connections with exchanges, liquidity pools, or OTC channels could psychologically be interpreted as "sell pressure could hit the market at any time." However, what can currently be confirmed on-chain is the transfer and mixing activities themselves; whether these have corresponded to specific sell orders and at what price they transact still lacks direct evidence.
● From a rigor of information standpoint, it is necessary to distinguish between "confirmed flows" and "inferences based on price and behavioral patterns." The former involves transaction records that can be verified one by one on block explorers, such as the specific amounts and times transferred from historical hacker addresses to Tornado Cash or new wallets; the latter relies more on comprehensive interpretations of price fluctuations, market order changes, and interactions of suspected related addresses with exchanges. At this current stage, packaging the latter as established facts is irresponsible and could amplify panic, potentially allowing the hacker to exploit emotional fluctuations for greater profits.
● From the hacker's perspective, a possible multi-stage sell-off strategy includes: first "washing" the on-chain path through mixing and splitting, then choosing to disperse sales in the spot market, derivatives, or across-chain ecosystems based on market liquidity conditions and emotional fluctuations. For instance, initially placing small, tentative orders to observe market absorption, then dynamically adjusting the pace of sell-offs based on price reactions; simultaneously, exploiting high volatility periods or coinciding with bearish news to conceal their sell pressure within greater market noise, thereby reducing visible price impacts of a single action. This type of game theory is not merely theoretical but is a recurring behavioral template in large-scale hacker events.
Panic of Funds and Narrative Fermentation: Resonance Between Media and On-Chain Accounts
● In the Chinese market's public opinion arena, top media like Planet Daily and Golden Finance quickly followed up on this event. The former linked the timeframe directly to “the Mixin hacker begins large-scale transfers and suspect ETH sell-offs after two years of silence,” while the latter emphasized the continuity of the on-chain path by quoting the specific data, “the hacker transferred 2,005 ETH to Tornado Cash, then 3 new wallets received 2,087 ETH.” These phrases help the audience grasp key information quickly while also invisibly reinforcing the overall narrative atmosphere that "sell pressure is approaching."
● Keywords like “large-scale transfers after two years of silence” and “suspected sell-off” carry strong emotional implications. For readers accustomed to quickly obtaining information through headlines and summaries, it is easy to preconceive the event as “the hacker has already begun a crazy sell-off” before they have carefully read the on-chain details. In an already volatile market environment, such preconceived notions could amplify the impulse to sell, leading some holders to choose to reduce their positions early to avoid imagined worst-case scenarios, thereby self-fulfilling the existence of “sell pressure” at a behavioral level.
● In this process, on-chain data accounts like Lookonchain and traditional media have formed a kind of narrative "resonance structure": the former provides high-frequency, granular on-chain observations, while the latter integrates and packages these fragmented information into a more easily disseminable news framework. The problem is that the pace mismatch between the data side "to be verified" and the media side "must give a title" can easily create information bias in the market if not handled carefully. For investors, learning to distinguish between "original on-chain facts," "third-party inferences," and "media rhetoric" is a key ability to remain calm in similar events.
The Hacker Hasn't Gone Far: Potential Suspense and Ongoing Observation
What can be relatively confidently described is that the relevant addresses of the Mixin hacker initiated a round of large-scale migration focusing on 59,854 ETH around February 13, 2026, including transferring 2,005 ETH to Tornado Cash, and a total of 2,087 ETH received by 3 new wallets. These records prove that the hacker is "manipulating" the chips in hand again, but they do not precisely restore the complete scale, pace, and ultimate direction of the sell-off. The current amount of ETH or other assets still in control of the hacker, as well as how much has been liquidated, remain undecided open questions at this stage.
For ordinary investors, a more practical response strategy is to closely monitor a few key indicators that can be continuously tracked: firstly, changes in the flow of funds between historical hacker addresses, identified transit addresses, and the newly appearing wallets; secondly, whether these addresses have begun to interact with centralized exchanges, cross-chain bridges, or mainstream DeFi protocols; and thirdly, market sentiments and transaction volume structures around the "hacker sell-off" narrative, such as whether there has been a significant volume drop, panic selling, or abnormal liquidations of derivatives leverage. Considering these dimensions holistically often provides a clearer picture of risk than simply looking at a news headline.
In a stage where information has yet to be fully established, the biggest caution is against over-interpretations built on "to be verified data." Whether taking unconfirmed sell prices as established facts or treating vague balance estimates as absolute accurate chip counts will amplify emotional decisions in position management. Rather than frequent chasing highs and lows in the imagined "hacker sell-off," it is better to control overall positions and leverage levels under the premise of acknowledging coexisting risks and uncertainties, incorporating potential extreme situations into the risk budget. The hackers may not dump all their chips in a short time, but market participants can certainly plan ahead for the worst-case scenarios by leaving a safe margin.
Join our community to discuss together and grow stronger!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
OKX welfare group: https://aicoin.com/link/chat?cid=l61eM4owQ
Binance welfare group: https://aicoin.com/link/chat?cid=ynr7d1P6Z
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
