Entries related to Tornado Cash

March 28, 2024

Prisma Finance hacked for $12 million; attacker makes detailed demands

The defi protocol Prisma Finance was hacked for 3,257 ETH ($11.5 million). An attacker was able to take advantage of a flaw in the project's smart contracts, allowing them to manipulate users' positions and steal some of their collateral. Two other watchful attackers observed the attack strategy and replicated it, stealing a combined additional 173 ETH (~$610,000).

Plasma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

March 16, 2024

Wilder World game suffers $1.8 million theft, blames contractor

(attribution)

Wilder World is a blockchain-based racing game that uses all the buzzwords: blockchains, artificial intelligence, and metaverse. On March 16, someone with access to the project deployer's private key upgraded legacy contracts and transfer the project's $WILD and $MEOW tokens to themselves. Altogether, the attacker profited 515 ETH (~$1.8 million), which they then laundered through the Tornado Cash cryptocurrency tumbler.

The project blamed the theft on a previous contractor who had the private key. They also explained that the attacker seemed to be a developer based on the fact that they had "specialized knowledge of ZERO's internal security systems".

"March' Major Private Key Compromises", CertiK [archive]

February 25, 2024

Crypto tumbler Tornado Cash suffers code exploit, putting funds at risk

(attribution)

A community member of the Tornado Cash cryptocurrency tumbler project has reported that malicious code was added to the Tornado Cash project on January 1, which has put at risk funds deposited into the service. According to the community member, a successful governance proposal two months ago resulted in a code change, but malicious JavaScript included in the change went unnoticed.

The code leaks private notes associated with deposits to a "private malicious server" owned by the person who initiated the code change. Private notes on Tornado Cash are the keys that allow a person to later withdraw the funds they have deposited into the mixing service.

This is not the first time DAO governance has gone wrong for Tornado — in May 2023, the project underwent a hostile takeover via malicious code that went unnoticed.

"Tornado Cash Reportedly Suffers Backend Exploit, User Deposits at Risk", CoinDesk [archive]

December 7, 2023

Uranium Finance hacker cashes out in Magic: The Gathering cards

Stacks of <i>Magic: The Gathering - Fallen Empires</i> booster boxes

Magic: The Gathering booster boxes (attribution)

In April 2021, an attacker stole $50 million from the defi exchange Uranium Finance. Blockchain investigator zachxbt now says that he believes this attacker has been able to cash out his ill-gotten funds... in an unusual way.

After tracing the attacker's attempts to launder the money through Tornado Cash and then obfuscate that it had come from the mixing service (something that raises flags at some exchanges), zachxbt observed the funds go to a broker of Magic: The Gathering based in the United States. Altogether, the hacker appeared to be spending millions on starter decks, alpha sets, and sealed boxes — often overpaying by 5-10%. These items routinely sell for hundreds or thousands of dollars.

The thief is probably a creative money launderer rather than an massive MTG fan, and is probably reselling the cards to further obscure the source of the money. Then again, MTG is more than a little addictive.

Tweet thread by zachxbt [archive]

November 10, 2023

Samudai treasury drained

(attribution)

The treasury of the Samudai DAO was apparently drained as an attacker compromised the project's multisignature wallets and the wallet belonging to the project's founder, Kushagra Agarwal. Altogether, around $1.25 million in ETH was stolen.

Agarwal sent a message to the thief shortly afterwards, offering a 10% "bounty" in exchange for the return of the rest of the funds. The attacker didn't seem to be interested, and in mid-January began tumbling the assets through the Tornado Cash cryptocurrency mixer.

Samudai didn't seem to publicly acknowledge the theft, even though they've posted on Twitter a few times since then. The organization had raised $2.5 million in pre-seed capital in June 2022.

Tweet by CyversAlerts [archive]
On-chain message from Kushagra Agarwal [archive]

October 10, 2023

Fintoch scammers strike again with $1.6 million FinSoul scam

A metaverse gaming project called FinSoul promised users “sandbox worlds, multiplayer sports, leisure experiences, player socializing, MMORPG,” and other features. However, on October 10, the project team made off with $1.6 million, which they then tumbled through Tornado Cash.

The team behind the FinSoul project was reportedly the same as the group who pulled off the much larger $31 million Fintoch exit scam in May. They used similar strategies, including using paid actors to pose as their executive team, to push the FinSoul scam.

"Web3 game project allegedly hired actors to pose as executives in $1.6M exit scam", CoinTelegraph [archive]

August 23, 2023

DOJ charges two founders of Tornado Cash, arrests one

(attribution)

A year after the Department of Treasury added Tornado Cash to the OFAC sanctions list, the DOJ has come in to charge the service's two founders with conspiracy charges involving money laundering, sanctions violations, and operating an unlicensed money transmitter. The Feds arrested Roman Storm, a U.S. national; Russian co-founder Roman Semenov is "at large".

The Feds claim that the two founders knew Tornado Cash was widely being used to launder hundreds of millions of dollars by North Korea, but "turned a blind eye" and claimed to be complaint with sanctions laws. They also state that they refused to implement anti-money laundering and KYC programs, as is required of money transmitting services.

These charges are likely to be controversial — as has been the sanctioning of Tornado Cash — among crypto advocates and others, as they run up against thorny First Amendment questions and conflicting ideas about who, if anyone, is liable for running decentralized services.

"Tornado Cash Founders Charged With Money Laundering And Sanctions Violations", press release

July 11, 2023

New Rodeo Finance project exploited for the second time in one week

(attribution)

An attacker manipulated a price oracle to drain 472 ETH (~$884,000) from Rodeo Finance, a new Arbitrum-based leveraged yield protocol. The thief then used Tornado Cash to tumble the funds, some of which they placed into staking programs. According to Rodeo Finance, the attacker initially exploited the protocol for closer to $1.7 million, but $810,000 was recovered. Small victories. Anyway, Rodeo paused the protocol, and stated that they are working on recovery plans.

This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.

"Latest attack on Arbitrum network costs Rodeo Finance $885k in ETH", Protos
"Arbitrum-based Rodeo Finance exploited for second time, $1.5M stolen", CoinTelegraph

June 11, 2023

Sturdy Finance exploited for $775,000

(attribution)

The Sturdy Finance defi lending protocol was exploited, with hackers taking advantage of an oracle manipulation vulnerability to make off with 442 ETH (~$775,000). They subsequently transferred the funds into Tornado Cash. The total loss to the project was somewhat higher: 504 ETH (~$884,000).

Roughly an hour after the attack, the project tweeted that they were aware of the attack, and had paused all markets. On June 19 the project sent a message to the attacker, pleading with them to return the funds and threatening: "There are criminal organizations following the same evidence trails we are. This isn't going away until you return funds. We are your best option out of this."

"Attacker drains $800K from DeFi protocol Sturdy Finance", CoinTelegraph
Tweet by Sturdy Finance

May 23, 2023

Brand new $CS token exploited for almost $700,000

An attacker exploited the brand new $CS token for almost $700,000 using a flash loan exploit. They then swapped the funds into around 383 ETH ($689,400) and laundered them through Tornado Cash.

Tweet by PeckShieldAlert

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.