For years, Centralized Exchanges were the main focus of hackers, until they shifted their attention to DeFi Protocols and Bridges. According to data on “The Block”, over $2.66 Billion in crypto was stolen from DeFi Protocols between February 2020 and October 2022.
When hackers launch successful attacks, they turn to tools such as Crypto Mixers to further obfuscate the footprints of illegal transactions.
What is Tornado Cash?
Tornado Cash is a Smart Contract Crypto Mixer built on the Ethereum blockchain. Tornado Cash is also a non-custodial mixer, meaning no entity runs it; Tornado Cash therefore runs on auto-pilot.
Tornado Cash allows its users to deposit assets (a maximum of 100 ether per transaction) and then provides the user with a cryptographic note that is needed as evidence of deposit when the user wants to withdraw the assets.
Tornado Cash has proven to be the best and the most popular mixer amongst others; one reason is its frequent use by hackers.
Since its creation in August 2019, Tornado Cash has mixed over $7.6 billion worth of ether, and about 30% of the funds sent through it are known to have come from hackers.
October alone saw a higher number of crypto attacks than every other month of 2022 put together.
The following are some of the Defi protocols whose assets were stolen by hackers and then sent to Tornado Cash for further obscurity from the beginning of 2022 to October 2022.
AXIE INFINITY-RONIN BRIDGE HACK
Axie Infinity is a decentralized blockchain game built on the Ethereum network. The game was built by a team called Sky Mavis and it rewards its players with cryptocurrencies and NFTs.
Ronin Bridge is an Ethereum sidechain built for Axie Infinity; it enables users to transfer assets between the sidechain and the Ethereum mainnet.
On March 23, 2022, a hacker carted away Ethereum and USDC amounting to a whopping $620M from Axie Infinity’s Ronin Bridge, making it the biggest crypto heist to date.
The attack was discovered on the 29th of March, by which time the attacker had already moved the bulk of the stolen assets to Tornado Cash for laundering.
The hacker stole 173,600 Ethereum and 25.5 million USDC tokens from the bridge exploit; with the bear market rocking the crypto space today, those coins are now worth $297M.
On April 14, 2022, the FBI released a report linking the attack to two North Korean hacking groups, the Lazarus Group and BlueNorOff (aka APT38).
A month after that, The Block also released a report from an exclusive interview they had with two staff of Sky Mavis. According to one of the staff, “the attack started as a fake job offer in which a senior engineer at Sky Mavis showed interest. During one of the interviews between the Engineer and the hacker, the Engineer received a PDF file containing the job details, which he downloaded and then opened on the company’s computer system”. This simple approach paved the way for the hacker to penetrate the Ronin system.
- In April, Sky Mavis raised US$150 million from Binance, Animoca Brands, a16z, Dialectic, and Paradigm to pay back all affected users.
- On April 22, 2022, Binance recovered $5.8 million and attributed the funds to the stolen funds of the Ronin Bridge attack. The CEO of Binance, CZ, highlighted in a tweet that the attackers had started moving the stolen proceeds and that part of it had found its way into 86 accounts on Binance.
- On September 8, 2022, Chainalysis rolled out a report claiming that, with the help of law enforcement and leading organizations in the cryptocurrency industry, over $30 million of the stolen funds (approximately 10%) had been seized from the hackers of the Ronin Bridge.
On June 23, 2022, a hacker took over Harmony’s Layer-1 Blockchain Bridge and stole crypto worth $100M.
The hacker stole Wrapped Ethereum (WETH), AAVE, SUSHI, DAI, USDT and USDC, and then swapped them all for ETH.
Three days after the hack, the Harmony team announced a 1% bounty offer for the stolen funds (a bounty many considered to be an insult to the hacker). The hacker refused the offer and on the following day, Peckshield announced that the hacker had started moving the funds to Tornado Cash in batches.
Transit Swap is a Cross-Bridge Decentralized Finance (DeFi) Platform.
On October 1, 2022, the Transit Swap Finance team announced that a hacker had attacked Transit Swap and that the team had halted services immediately to curb further damage.
The following day the team came out with a detailed report on the attack, claiming that the hacker took advantage of a bug in the code. The vulnerability in the code allowed the attacker to drain over $21 Million from the wallets of users who had approved the protocol swap contracts.
The team also noted that they had gotten some information leading to the IP address of the hacker and also highlighted that the discovery of the information of the hacker was due to the joint efforts of the SlowMist Team, the Bitrace Team, the Peckshield security team, the Token Pocket team, and the Transit Finance team.
Later that day, the team announced that 70% of the assets had been returned by the hacker due to the joint effort of all collaborators.
On October 10, 2022, the Transit Swap team tweeted an update about the hack, alleging that a pact had been reached and that the hacker would return 10,000 BNB while keeping 2,500 BNB as a white hat hack bounty reward.
Hours later Peckshield reported an interaction between the hacker and Tornado Cash. According to on-chain transactions, the hacker had successfully returned the remaining 10,000 BNB and moved his own 2,500 BNB through Tornado Cash.
TEMPLE DAO EXPLOIT:
On October 11, 2022, a Twitter user was the first to notice the TempleDAO exploit, and 23 minutes later, Blockchain Security Firm, Peckshield, also quoted the tweet—stating that the DAO was exploited. According to Peckshield, the user had already moved the stolen funds of 1,831 $ETH which amounted to $2.34 Million, to a new wallet. The stolen funds amounted to 4% of the total assets of TempleDAO.
Later that day, STAX, a DEX powered by TempleDAO released a thread statement on Twitter recounting what had happened to the Defi company. They also warned users not to deposit in any of its contracts until further notice and promised the affected users remediation in due time.
On October 16, 2022, Peckshield made another follow-up tweet of the hack on Twitter; apparently, the hacker ignored the white hat hack bounty that was put out by the devs of TempleDAO, and instead they started moving the stolen assets to Tornado Cash in a bid to white-wash them.
On October 18, 2022, the official account of BitKeep on Twitter released a report stating that the BitKeep Swap feature had been hacked and that the attack, which saw a loss of $1 million, occurred on the BNB Chain.
PeckShield, being the first to release a tweet about the hack, stated that the $1 Million BNB Coins were later moved through Tornado Cash.
The hacker carried out a simultaneous attack on the Polygon and Binance Smart Chain Networks. All the stolen ERC-20 tokens were converted to Stablecoins and bridged to BSC Network. The hacker then purchased BNB with the bridged Stablecoins and deposited all the BNBs in Tornado Cash.
BitKeep gave assurances to the affected users on a full compensation plan, and on the 21st of October, the compensation plan was rolled out—stating step-by-step instructions on what users needed to do for them to get refunded.
On August 8th, Tornado Cash was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) for its role in laundering over $455 million worth of cryptocurrency stolen by the North Korean hacking organization Lazarus Group.
It is estimated that so far in 2022, North Korea-linked groups have stolen approximately $1 billion of cryptocurrency from Defi protocols.
Although Tornado Cash has been sanctioned, compliance is rather complicated because of its non-custodial nature, its encoded smart contract design, and its decentralized development team; together, these are the forces still driving Tornado Cash even after the sanctions.