Tornado Cash added to U.S. sanctions list

The U.S. Office of Foreign Assets Control (OFAC) added Tornado Cash to its SDN list: a list of "Specially Designated Nationals And Blocked Persons" with whom U.S. individuals and organizations are prohibited from doing business.

Tornado Cash is the most prominent cryptocurrency tumbler (or "mixer") and has been used in a multitude of instances to launder proceeds from cryptocurrency hacks and scams. In a press release, the Treasury Department named the North Korea-sponsored Lazarus Group's $625 million hack of Axie Infinity in March, the $100 million theft from Horizon Bridge in June, and the $190 million hack of the Nomad bridge in August as contributing to the decision.

Although Tornado Cash had claimed to be complying with sanctions in the wake of the Axie hack, the Treasury Department wrote in their press release that, "Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks".

Tornado Cash is also widely used to maintain privacy in a world where transactions are publicly visible, and it remains to be seen how the cryptocurrency ecosystem will react to this major development. Tornado Cash is also relatively decentralized in its operations, meaning it may be difficult for the sanctions list to be kept up to date and for the sanctions to be enforced.

The fallout from the sanction was swift: in the days following the action, Tornado's source code repository was removed from GitHub and the accounts of some of its developers were suspended; the project's Gitcoin funding page was taken down; and the project's own website, governance pages, and Discord server went offline.

Reaper Farm exploited for around $1.7 million

Yield farming project Reaper Farm suffered an exploit that resulted in a $1.7 million loss. The attackers discovered a vulnerability that allowed them to withdraw anyone else's funds. They bridged the funds to Ethereum, then laundered them through Tornado Cash. After discovering the exploit, Reaper Farm used the same vulnerability to remove funds from the remaining vulnerable vaults to prevent the attacker from stealing more.

Shortly after the exploit, Reaper Farm announced they planned to raise capital via "the sale of vested $OATH tokens from our treasury with desirable terms", which would then be used alongside other assets in their treasury to compensate users.

PREMINT NFT tool hacked, user wallets drained

PREMINT is an NFT service intended to help project creators build access lists for new NFT projects based on various qualifications. The project was compromised on July 17, and users were asked to sign transactions that allowed hackers to drain all assets from their wallets. 314 NFTs were stolen, including from pricey collections such as Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown. The thieves were able to flip the stolen NFTs for 270 ETH ($375,000), which they then tumbled through Tornado Cash.

On July 20, PREMINT's CEO announced they would be compensating all users affected by the hack by sending them ETH equivalent to the floor price of the stolen NFTs. "I realize that the NFTs stolen were not all floor NFTs... You might feel like this compensation isn’t enough. But I don’t think there’s any other scalable and objective way to do this," he said. The total repayment will amount to about 340 ETH ($525,000). PREMINT also bought the two most expensive stolen NFTs from their new owners for the prices they had paid to buy them from the hacker—92 ETH ($138,000) for a Bored Ape and 12 ETH ($17,800) for an Azuki. Those NFTs were returned to their original owners.

More than $8.17 million stolen in phishing attack targeting Uniswap users

In a successful, broadly-targeted phishing campaign, more than 70,000 addresses connected to Uniswap were airdropped tokens that baited users into approving transactions that allowed attackers to control their wallets. After some initial confusion that there might be a vulnerability in Uniswap itself, it was determined that the thefts were being perpetrated through the airdrop, which also linked users to a website that resembled the authentic Uniswap site. Users were tricked into signing the contract, and cryptocurrency and NFTs were stolen from wallets.

One single wallet targeted by the phishing attack lost more than $6.5 million worth of Ether and Bitcoin, and another targeted by attackers lost around $1.68 million worth of those currencies.

Hackers steal $1.43 million from Omni NFT lending platform

Hackers used a flash loan attack to steal around 1,300 ETH ($1.43 million) from the NFT lending platform Omni. Omni allows users to borrow cryptocurrency against their NFTs.

Hackers used NFTs from the popular Doodles collection as collateral to borrow wETH, then withdrew all but one of the NFTs, allowing them to perform a re-entrancy attack. The attacker then laundered the funds using the Tornado Cash cryptocurrency tumbler.

According to Omni, only funds belonging to the platform that were being used for testing were taken by the attacker.

Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months

A hacker was able to perform an oracle manipulation attack enabled by flash loans to siphon crypto worth around $1.26 million from Inverse Finance. The loss to the protocol was higher, at around $5.8 million. The attacker has already moved most of the stolen funds to the Tornado Cash cryptocurrency tumbler.

Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.

GYM Network exploited for $2.1 million

Attackers stole around $2.1 million from the GYM Network DeFi project after exploiting a bug in a recently deployed contract that failed to check the identity of the caller. The attackers quickly transferred the stolen funds to the Tornado Cash cryptocurrency tumbler to cover their tracks.

GYM Network promised to use the entire project treasury to bolster the price of their token, which tanked as a result of the massive sell-off. "We can't promise that it will bring the price back to 0.20$ but we will use it All to recover this attack," they wrote on Telegram.

Bored Apes Discord compromised again, 32 NFTs stolen and flipped for $360,000

[Image: Phishing message from Bored Apes Discord]

Scammers were able to compromise the Discord account of a Bored Apes community manager, then use it to post an announcement of an "exclusive giveaway" to anyone who held a Bored Ape, Mutant Ape, or Otherside NFT. When users went to mint their free NFT, the scammers were able to steal their pricey NFTs. The scammer quickly flipped the stolen NFTs for a total of around 200 ETH (about $360,000), then began transferring funds to Tornado Cash.

The Bored Apes Discord was also compromised on April 1, along with those of several other big-name NFT projects.

"Feminist Metaverse" token exploited for $533,000

The "Feminist Metaverse" ($FM) token suddenly plunged in value by 99.7% after an attacker stole 1,838 BNB ($533,000). The hacker quickly transferred the stolen funds to the Tornado Cash tumbler to help hide their tracks.

The project advertised on its website its plans to "Create Feminist economics in the form of a DAO to balance the male-dominated world." The project's whitepaper explains how the metaverse will apparently "greatly reduce the impacts on women’s normal work and inequality in wages brought by their physiological differences and pregnancy. As a consequence, it helps eliminating a number of unresolved problems in the real world like gender discrimination, inequality in wages, sexual harassments, sexual assaults, trafficking of women and child marriage." It's not clear what specifically the "Feminist Metaverse" project was hoping to achieve.

Attacker steals $3 million from Fortress Protocol

An attacker was able to steal 1,048 ETH (~$2.65 million) and 400,000 DAI from the Fortress Protocol borrowing and lending platform in what appears to have been an oracle manipulation attack. The attacker quickly moved their ~$3 million in stolen funds to the Tornado Cash cryptocurrency tumbler to obscure their tracks.

The exploit caused the $FTS token to drop 42%. The creators of Fortress urged people not to supply any assets to the pool as the attack was ongoing, and tweeted "we need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds!"
