Part 1 followed 600 BNB. That left 210 unaccounted for — two 100-BNB deposits and one 10-BNB deposit out of the attacker's original nine. Loose ends in a trace are not the same as no leads; they're usually the leads you didn't run down yet. So I ran them down.
The short version, before the screenshots: most of the remaining 210 BNB exited Tornado Cash through the same kinds of pools, into the same shape of laundering architecture, and landed in the same Hyperliquid spot positions as the rest. But not all of it. 1.67 BNB peeled off through a different bridge entirely, on a route the attacker had been quietly preparing since January — two months before the exploit. That detour leads somewhere Part 1 never went: Solana.
This article exists not because the second trail is dramatically different from the first, but because the trace isn't actually complete without it — and because what looked like a closed case turned out to have a second chain attached to it. $516K went into Tornado on March 22. Part 1 followed roughly two-thirds of it. Here's the rest.
The Two 100-BNB Deposits
After extending the time window on the same Dune query from Part 1, two more BNB transactions surfaced with the same mechanics. Both 100-BNB withdrawals landed at 0xf39ac3F1532b1fe5102A67B48F81ab470BF8335F.
That address then sent the funds in 14 transactions to different addresses — and each of them followed the same pattern as the six from Part 1: through LI.FI, bridge to Arbitrum, then to Hyperliquid via Wagyu-funded gas wallets.
Pattern is identical: Bridge via LI.FI → Arbitrum/Axelar → Hyperliquid → internal SELF transaction.
The 10 BNB: Manual Search
The 10-BNB deposit was the hardest part. The 10-BNB Tornado pool has significantly higher throughput than the 100-BNB pool — far more noise to filter through. Knowing the pattern helped, but there was no shortcut: I had to check transactions one by one.
Multiple different addresses were used to bridge BNB through LI.FI. The pattern was the same: bridge to Arbitrum, then from Arbitrum to Hyperliquid. The Hyperliquid address still holds the funds, like all the others.
The Anomaly: Mayan Protocol and the Solana Route
From wallet 0x8783f817605d44dFf735d0cFe3daBfCca0E65e7b, most funds followed the regular path. But 1.67 BNB went differently.
Wallet 0x87a26566dBB3bf206634C1792a96Ff4989E3F56E bridged to SOL via Mayan Protocol — not LI.FI, not Across, not Axelar. A different bridge entirely.
By itself, that's slightly interesting. Then you track the destination wallet on Solana:
BBBdzZiYobo1nMd6e3sdMca9BMeD67yTGHEdHpJY7jH7
And you look at the transaction history.
Five months ago — in January 2026, two months before anyone at Cyrus Finance had a bad day — this Solana wallet received a transfer from the attacker's original EOA: 0xf96EB14171b71aC16200013753DFF3e91043b63b. That address is confirmed as the attacker by CertiK's on-chain analysis.
The attacker bridged BNB to this Solana address as SOL in January. They then took SOL from BBBdzZiYobo1nMd6e3sdMca9BMeD67yTGHEdHpJY7jH7 and bridged it to 0xa473039ce547e424e0dcd09a48694cc9f4fa63ea, where they were able to test the hacking process. After the attack, more tokens were sent back to the same Solana address.
This is not a coincidental reuse. The Solana address was part of the infrastructure before the exploit existed. The attacker set it up two months in advance, used it for pre-attack testing, and then funneled a small portion of the post-exploit funds back through the same route.
What This Confirms
The Solana connection does two things analytically. First, it ties the post-exploit fund flows back to the pre-exploit attacker address through a cross-chain link that doesn't appear in any EVM explorer. Second, it extends the timeline: this wasn't improvised on March 22. The infrastructure — including the Solana side-channel — was built in January.
The full fund flow: Tornado Cash (BSC) → collector → splitter → 14+ intermediate wallets → LI.FI/Across/Axelar → Arbitrum → Wagyu gas → Hyperliquid spot (XMR1). And separately: Tornado Cash → Mayan Protocol → Solana (BBBdzZiYobo1nMd6e3sdMca9BMeD67yTGHEdHpJY7jH7).
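The two checks behind this conclusion, as an added example that is not the author's own tooling: flag post-mixer transfers that leave through a bridge other than the dominant one, and flag destinations funded by a known attacker address before the exploit and by post-mixer wallets after it. The wallet names, the record layout and every date except March 22 are constructed placeholders, not chain data.

```python
from collections import Counter, defaultdict
from datetime import date

EXPLOIT_DATE = date(2026, 3, 22)  # date of the Tornado deposits per the article

# Constructed sample records, not real chain data. Wallet names are placeholders.
# (sender, bridge, destination chain, recipient, day)
TRANSFERS = [
    ("ATTACKER_EOA", "unknown", "solana",   "SOL_WALLET_1", date(2026, 1, 15)),
    ("POST_MIXER_A", "LI.FI",   "arbitrum", "ARB_WALLET_1", date(2026, 3, 24)),
    ("POST_MIXER_B", "LI.FI",   "arbitrum", "ARB_WALLET_2", date(2026, 3, 24)),
    ("POST_MIXER_C", "LI.FI",   "arbitrum", "ARB_WALLET_3", date(2026, 3, 25)),
    ("POST_MIXER_D", "Mayan",   "solana",   "SOL_WALLET_1", date(2026, 3, 25)),
    ("UNRELATED_1",  "Mayan",   "solana",   "SOL_WALLET_9", date(2026, 3, 25)),
]
KNOWN_ATTACKER = {"ATTACKER_EOA"}
POST_MIXER = {"POST_MIXER_A", "POST_MIXER_B", "POST_MIXER_C", "POST_MIXER_D"}


def bridge_outliers(transfers, suspects, cutoff):
    """Post-cutoff suspect transfers that skip the dominant bridge."""
    post = [t for t in transfers if t[0] in suspects and t[4] >= cutoff]
    if not post:
        return []
    dominant, _ = Counter(t[1] for t in post).most_common(1)[0]
    return [t for t in post if t[1] != dominant]


def reused_destinations(transfers, known, suspects, cutoff):
    """Recipients funded by a known attacker address before the cutoff
    and by a suspect (post-mixer) wallet on or after it."""
    pre, post = defaultdict(set), defaultdict(set)
    for sender, _bridge, _chain, recipient, day in transfers:
        if sender in known and day < cutoff:
            pre[recipient].add(sender)
        elif sender in suspects and day >= cutoff:
            post[recipient].add(sender)
    return {r: (pre[r], post[r]) for r in pre.keys() & post.keys()}


if __name__ == "__main__":
    for t in bridge_outliers(TRANSFERS, POST_MIXER, EXPLOIT_DATE):
        print("off-pattern bridge:", t[0], "->", t[3], "via", t[1])
    for dest, (before, after) in reused_destinations(
            TRANSFERS, KNOWN_ATTACKER, POST_MIXER, EXPLOIT_DATE).items():
        print("reused destination:", dest, sorted(before), sorted(after))
```

A destination that shows up in both results is the strongest lead: it is off-pattern and it predates the exploit.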
Was the Solana address connected to the drain itself? That's another story, and a more interesting one.