On April 29, 2026, fugitive hacker Andean Medjedovic moved 2,900 ETH, currently valued at approximately $6.8 million, to the sanctioned cryptocurrency mixer Tornado Cash. The transaction marks the largest single known laundering step by Medjedovic since he allegedly orchestrated two separate DeFi exploits that stole a combined $65 million from Indexed Finance and KyberSwap. He was indicted by the U.S. Department of Justice in February 2025 on charges including wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering conspiracy, and money laundering. Despite the involvement of the FBI, IRS, Homeland Security Investigations, and Dutch law enforcement, Medjedovic remains at large.
Fugitive’s Latest Move
Blockchain analysis confirmed that the 2,900 ETH originated from wallets linked to the KyberSwap exploit and was funneled into Tornado Cash in a single transaction. Tornado Cash, a decentralized mixing protocol, was sanctioned by the U.S. Treasury in 2022 for its role in laundering illicit funds. Using it compounds Medjedovic’s legal exposure, as any American entity or person dealing with the mixer faces potential sanctions violations. Prosecutors have previously described Medjedovic’s hacking methods as among the “most technically sophisticated” in DeFi history.
Inside the Exploits
Medjedovic targeted both Indexed Finance (2021, ~$16.5 million stolen) and KyberSwap (November 23, 2023, ~$48.8 million stolen) using a variant of the same technique. He utilized flash loans to borrow massive amounts of digital tokens, then executed a sequence of trades engineered to cause the protocols’ automated market maker (AMM) smart contracts to miscalculate internal price variables. Since the contracts operated solely on code logic without human oversight, Medjedovic was able to withdraw funds at artificially inflated prices, generating outsized profits.
After the KyberSwap exploit, Medjedovic initially moved 800 ETH in smaller batches over several months, establishing a pattern of gradual fund dispersal. Wednesday’s transfer of 2,900 ETH is the largest single confirmed movement since the attack. On-chain data alone cannot reveal the full extent of what he has converted or moved over the past two years.
Legal Charges and Sanctions Risks
In addition to the theft charges, Medjedovic faces an attempted extortion count after allegedly demanding compensation from KyberSwap in exchange for returning a portion of stolen assets. Federal prosecutors have emphasized the severity of his crimes, noting that the combination of sophisticated technical attacks and subsequent money laundering activities represents a significant threat to the decentralized finance ecosystem.
The use of Tornado Cash post-sanctions adds another layer of legal jeopardy. If captured, Medjedovic could face extended sentences for knowingly utilizing a tool that the U.S. government has designated as a national security risk. His current whereabouts remain unknown, and law enforcement agencies continue to coordinate internationally to track him down.
The case underscores persistent challenges in DeFi security: two years after the exploits, the attacker can still move millions of dollars worth of stolen funds. Industry experts urge protocols to strengthen smart contract audits, implement real-time monitoring systems, and foster faster cross-border legal cooperation to deter similar incidents in the future.

