Chainalysis has reported that wallets linked to the suspected attacker of the recent $9.8 million THORChain theft had been moving funds through Monero, Hyperliquid, and THORChain weeks before the incident. Blockchain activity connected these wallets to those that later received the stolen funds. Notably, 43 minutes before the theft, one path transferred 8 ETH to the attacker's wallet. Additionally, between May 14 and 15, three paths bridged ETH to Arbitrum, deposited into Hyperliquid, and returned to Monero via a privacy bridge. As of Friday afternoon, the stolen funds remain unmoved, but the attacker may have tested cross-chain laundering routes in advance.