The hacker behind the $6 million Summer.fi exploit is actively laundering stolen funds through Tornado Cash.

Approximately $1 million in ETH has already been routed through the privacy mixer. The attack on July 6 targeted two USDC vaults within the Lazy Summer Protocol. The root cause was an incomplete offboarding process for a strategy adapter, allowing the attacker to manipulate asset valuations and extract funds using flash loans.

Summer.fi paused all vault activities after the incident. The protocol's native SUMR token fell over 5% in value. Security firms PeckShield and CertiK monitored the exploit in real-time.

The use of Tornado Cash, sanctioned by the US Treasury in 2022, significantly hinders the tracing and recovery of the stolen cryptocurrency. This event highlights the critical operational risks in decentralized finance and adds to the ongoing regulatory debate over privacy tools.