In an odd turn of events, the hacker who recently hijacked cryptocurrency mixer Tornado Cash ultimately returned control of the protocol to its team. It’s worth noting that this hacker used Tornado Cash to launder the very funds stolen during the attack. This incident highlights the platform’s widespread use by cybercriminals and the risks associated with such privacy-enhanced solutions.
Tornado Cash, an OFAC-sanctioned cryptocurrency mixing service, has long been a popular choice for hiding the financial traces of illicit transactions. In the latest attack, the hacker managed to steal 483,000 TORN, the protocol’s native token, and converted a significant portion into ETH. The stolen tokens were worth about $900,000 at the time.
The attack began on May 21, when a vulnerability in Tornado Cash’s governance system was exploited. The hacker submitted a malicious proposal for voting, which allowed them to seize control of the crypto mixer and drain all tokens from the governance contract. Following the conversion to Ether, the laundered funds were put through Tornado Cash, ironically using the service’s own technology against it.
In a surprising twist, the hacker ultimately returned control of Tornado Cash to the team after contacting its community. The incident led to a drop in the TORN token’s price from over $7 to around $4. Although the token has since regained some of its value, it’s still trading bearish at just above $4.
Tornado Cash’s notoriety stems from its ability to facilitate near-untraceable anonymous crypto transactions, making it a preferred platform for money launderers and cybercriminals looking to hide their funds. According to Dune Analytics data, over $8 billion has been laundered through Tornado Cash since 2019. However, the platform’s popularity among illicit actors has not been without consequences.
In August 2022, the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for facilitating illegal transactions and violating anti-money laundering laws. The Lazarus Group, a group of North Korean hackers, reportedly leveraged Tornado Cash to process over $455 million in stolen funds from various attacks. Moreover, OFAC alleged that more than $7 billion in digital assets have been laundered via Tornado Cash since its inception in 2019.
Despite the US Treasury’s sanctions and negative public sentiment, Tornado Cash remains a popular option for criminals engaging in money laundering. This incident serves as yet another testament to the challenges associated with striking a balance between financial privacy and the potential for abuse by malicious actors.