How Tornado Cash Helped Hackers Launder Money in 2022
Over the years, centralized exchanges were the main focus of hackers, until attackers shifted their attention to Defi protocols and bridges. According to data from The Block, over $2.66 billion in crypto was stolen from Defi protocols between February 2020 and October 2022.
When hackers pull off a successful attack, they turn to tools like crypto mixers to further hide the trail of the illicit transactions.
What is Tornado Cash?
Tornado Cash is a smart contract crypto mixer built on the Ethereum blockchain. Tornado Cash is also a non-custodial mixer, meaning no operator holds the funds or runs the service; once deployed, the contracts run on their own.
Tornado Cash allows users to deposit assets (maximum 100 Ether per transaction) and then provides the user with a cryptographic note that is required as proof of deposit when the user later wishes to withdraw the assets.
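To make the deposit-note-withdraw flow described above concrete, here is a toy model of a note-based mixer pool. It is an added illustration, not Tornado Cash's contract code: the real protocol verifies a zero-knowledge proof at withdrawal so that nothing links the withdrawal to a particular deposit, whereas this model simply hands the note back to the pool so the checks can run in plain Python. The `Note`, `MixerPool` and `demo` names, the 100 ETH denomination and all values are constructed for the example.

```python
"""Toy model of a note-based mixer: fixed-denomination deposits, a secret
note kept by the depositor, and a withdrawal that must prove the deposit.

Added illustration, not Tornado Cash's contract code. The real protocol
verifies a zk-SNARK so the withdrawal reveals nothing about which deposit
it spends; here the withdrawer presents the note itself, which is exactly
the deposit/withdrawal link the real proof hides. All values are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

DENOMINATION = 100  # pool size in ether; the text gives 100 ETH as the per-transaction maximum


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Note:
    """The secret the depositor keeps; losing it means losing the deposit."""
    nullifier: bytes
    secret: bytes

    @classmethod
    def fresh(cls) -> "Note":
        return cls(secrets.token_bytes(31), secrets.token_bytes(31))

    def commitment(self) -> bytes:
        # Published on deposit; binds the note without revealing it.
        return sha(self.nullifier, self.secret)

    def nullifier_hash(self) -> bytes:
        # Published on withdrawal; lets the pool refuse a second spend
        # without learning which commitment is being spent.
        return sha(self.nullifier)

    def encode(self) -> str:
        # The string the user must store; constructed format.
        return f"note-{DENOMINATION}eth-{self.nullifier.hex()}{self.secret.hex()}"

    @classmethod
    def decode(cls, text: str) -> "Note":
        payload = bytes.fromhex(text.rsplit("-", 1)[1])
        return cls(payload[:31], payload[31:])


@dataclass
class MixerPool:
    commitments: set = field(default_factory=set)  # every deposit ever made
    spent: set = field(default_factory=set)        # nullifier hashes already used
    balance: int = 0

    def deposit(self, amount: int, commitment: bytes) -> None:
        if amount != DENOMINATION:
            raise ValueError("pool accepts exactly one denomination")
        if commitment in self.commitments:
            raise ValueError("commitment already deposited")
        self.commitments.add(commitment)
        self.balance += amount

    def withdraw(self, note: Note, recipient: str) -> int:
        # Real protocol: verify a zero-knowledge proof of these two facts
        # instead of receiving the note itself.
        if note.commitment() not in self.commitments:
            raise ValueError("no matching deposit")
        if note.nullifier_hash() in self.spent:
            raise ValueError("note already spent")
        self.spent.add(note.nullifier_hash())
        self.balance -= DENOMINATION
        return DENOMINATION  # amount paid out to recipient


def demo() -> dict:
    """Deposit once, withdraw once, then show the two checks that must fail."""
    pool = MixerPool()
    note = Note.fresh()
    pool.deposit(DENOMINATION, note.commitment())
    saved = note.encode()  # what the user keeps as proof of deposit
    paid = pool.withdraw(Note.decode(saved), "0xrecipient")
    try:
        pool.withdraw(Note.decode(saved), "0xrecipient")
        double_blocked = False
    except ValueError:
        double_blocked = True
    try:
        pool.withdraw(Note.fresh(), "0xrecipient")
        forged_blocked = False
    except ValueError:
        forged_blocked = True
    return {"paid": paid, "double_spend_blocked": double_blocked,
            "forged_note_blocked": forged_blocked, "balance": pool.balance}


if __name__ == "__main__":
    print(demo())
```

The two rejected withdrawals in `demo` are the whole point of the note design: the nullifier hash stops a note from being spent twice, and a note whose commitment was never deposited pays nothing. What the model cannot show is the unlinkability that makes the real pool attractive to launderers, since here the pool sees the note and could trivially match it to the deposit.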
Tornado Cash has proven to be the largest and most popular mixer, one reason being its frequent use by hackers.
Since its creation in August 2019, Tornado Cash has mixed over $7.6 billion worth of ether, and approximately 30% of the funds sent through it are known to have come from hackers.
October alone saw more crypto attacks than any other month in 2022.
The following are some of the Defi protocols whose assets were stolen by hackers and then sent to Tornado Cash to obscure the trail, from early 2022 to October 2022.
AXIE INFINITY-RONIN BRIDGE HACK
Axie Infinity is a decentralized blockchain game built on the Ethereum network. The game was built by a team called Sky Mavis and it rewards its players with cryptocurrencies and NFTs.
The Ronin bridge is an Ethereum sidechain built for Axie Infinity; it allows users to transfer assets between the sidechain and the Ethereum network.
On March 23, 2022, a hacker made off with Ethereum and USDC amounting to a whopping $620 million from Axie Infinity’s Ronin Bridge, making it the biggest crypto heist of all time.
The attack was only discovered on March 29, by which time the attacker had already moved a large portion of the stolen assets to Tornado Cash to launder them.
The hacker stole 173,600 Ethereum and 25.5 million USDC tokens from the bridge exploit; with the bear market rocking the crypto space today, these coins are now worth $297 million.
On April 14, 2022, the FBI released a report linking the attack to two North Korean hacker groups, the Lazarus Group and BlueNorOff (aka APT38).
A month after that, The Block also released a report based on an exclusive interview with two Sky Mavis employees. According to one of the employees, “the attack started as a fake job offer in which a senior engineer at Sky Mavis showed interest. During one of the interviews between the engineer and the hacker, the engineer received a PDF file containing the job details, which he downloaded and then opened on the company’s computer system”. This simple approach paved the way for the hacker to penetrate the Ronin system.
- In April, Sky Mavis raised $150 million from Binance, Animoca Brands, a16z, Dialectic and Paradigm to refund all affected users.
- On April 22, 2022, Binance recovered $5.8 million that it attributed to the funds stolen in the Ronin Bridge attack. Binance CEO CZ noted in a tweet that the attackers had started moving the stolen funds and that part of them had found their way into 86 accounts on Binance.
- On September 8, 2022, Chainalysis released a report stating that, with the help of law enforcement and leading organizations in the cryptocurrency industry, over $30 million of the stolen funds (approximately 10%) had been seized from the Ronin Bridge hackers.
On June 23, 2022, a hacker took over Harmony’s Layer-1 blockchain bridge and stole $100 million worth of crypto.
The hacker stole Wrapped Ethereum (WETH), AAVE, SUSHI, DAI, USDT, and USDC, then exchanged them all for ETH.
Three days after the hack, the Harmony team advertised a 1% bounty for the return of the stolen funds (an offer many considered an insult to the hacker). The hacker refused, and the next day PeckShield announced that the hacker had started moving the funds to Tornado Cash in batches.
TRANSIT SWAP HACK
Transit Swap is a cross-bridge decentralized finance (Defi) platform.
On October 1, 2022, the Transit Swap Finance team announced that a hacker had attacked Transit Swap and that the team had immediately suspended services to limit further damage.
The next day, the team published a detailed report on the attack, stating that the hacker had exploited a flaw in the code. The vulnerability allowed the attacker to drain over $21 million from the wallets of users who had approved the protocol’s exchange contracts.
The team also noted that it had obtained information leading to the hacker’s IP address, and credited the discovery to the joint efforts of the SlowMist team, the Bitrace team, PeckShield, the TokenPocket security team and the Transit Finance team.
Later that day, the team announced that the hacker had returned 70% of the assets thanks to the joint efforts of all the collaborators.
On October 10, 2022, the Transit Swap team tweeted an update on the hack stating that an agreement had been reached: the hacker would return 10,000 BNB and keep 2,500 BNB as a reward for the white-hat hack.
Hours later, PeckShield reported an interaction between the hacker and Tornado Cash. According to on-chain transactions, the hacker had returned the remaining 10,000 BNB and moved the 2,500 BNB they kept through Tornado Cash.
TEMPLE DAO EXPLOIT
On October 11, 2022, a Twitter user was the first to notice the TempleDAO exploit, and 23 minutes later the blockchain security firm PeckShield cited the tweet, confirming that the DAO had been exploited. According to PeckShield, the attacker had already moved the stolen 1,831 ETH, worth $2.34 million, to a new wallet. The stolen funds represented 4% of TempleDAO’s total assets.
Later that day, STAX, a DEX powered by TempleDAO, posted a Twitter thread explaining what had happened to the Defi company. It also warned users not to deposit into any of the contracts until further notice and promised affected users a fix in due course.
On October 16, 2022, PeckShield posted a follow-up tweet on the hack: the hacker had apparently ignored the white-hat bounty offered by TempleDAO’s developers and had instead started moving the stolen assets to Tornado Cash in an attempt to launder them.
On October 18, 2022, BitKeep’s official Twitter account reported that the BitKeep Swap feature had been hacked and that the attack, which caused a loss of $1 million, happened on the BNB Chain.
PeckShield, the first to tweet about the hack, stated that the $1 million in BNB was later moved through Tornado Cash.
The hacker carried out a simultaneous attack on the Polygon and Binance Smart Chain networks. All the stolen ERC-20 tokens were converted to stablecoins and bridged to the BSC network. The hacker then bought BNB with the bridged stablecoins and deposited all the BNB into Tornado Cash.
BitKeep assured the affected users of a full compensation plan, and on October 21, the compensation plan was rolled out – with step-by-step instructions on what users needed to do to get their money refunded.
On August 8, Tornado Cash was sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC) for its role in laundering over $455 million of cryptocurrency stolen by the North Korean hacking organization Lazarus Group.
It is estimated that so far in 2022, North Korea-affiliated groups have stolen approximately $1 billion worth of cryptocurrency from Defi protocols.
Even though Tornado Cash has been sanctioned, enforcing the sanctions is complicated by its non-custodial nature, its smart contract design and its decentralized development team; together, these are the forces that keep Tornado Cash running even after the sanctions.
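Because the contracts themselves keep running, the sanctions are in practice enforced by the parties that can refuse service: exchanges, custodians and front ends screening the transactions they handle. The following is an added example of that screening logic, not code from the article or from any exchange: it flags transfers that touch a listed address directly and transfers whose sender received funds from a listed address within a configurable number of hops. The address list and the transaction sample are constructed placeholders; the real OFAC list entries are not reproduced here.

```python
"""Address-based sanctions screening over a constructed transaction sample.

Added example, not the article's code. Direct hits are transfers to or from
a listed address; indirect hits are transfers whose sender is within `hops`
transfers downstream of a listed address. Exposure is computed over the whole
sample, so the sample is assumed to be in chronological order.
"""

# Placeholder entries; a real deployment loads the published sanctions list.
SANCTIONED = {
    "0xmixer0000000000000000000000000000000001",  # hypothetical mixer pool
}

# Constructed sample: (tx_hash, sender, recipient, value_eth), oldest first.
SAMPLE_TXS = [
    ("tx1", "0xalice", "0xbob", 5.0),
    ("tx2", "0xcarol", "0xmixer0000000000000000000000000000000001", 100.0),  # deposit
    ("tx3", "0xmixer0000000000000000000000000000000001", "0xdave", 100.0),   # withdrawal
    ("tx4", "0xdave", "0xexchange_hot", 99.0),  # sender is one hop from the pool
    ("tx5", "0xerin", "0xexchange_hot", 1.0),   # unrelated customer
]


def exposed_addresses(txs, sanctioned, hops=1):
    """Addresses that received funds from a sanctioned address within `hops` transfers."""
    exposed = set(sanctioned)
    for _ in range(hops):
        exposed |= {to for _h, frm, to, _v in txs if frm in exposed}
    return exposed - set(sanctioned)


def screen(txs, sanctioned, hops=1):
    """Return {tx_hash: reason} for every transaction that warrants review."""
    flagged = {}
    for tx_hash, frm, to, _value in txs:
        if to in sanctioned:
            flagged[tx_hash] = "direct: sends to a sanctioned address"
        elif frm in sanctioned:
            flagged[tx_hash] = "direct: receives from a sanctioned address"

    exposed = exposed_addresses(txs, sanctioned, hops)
    for tx_hash, frm, to, _value in txs:
        if tx_hash not in flagged and frm in exposed:
            flagged[tx_hash] = f"indirect: sender within {hops} hop(s) of a sanctioned address"
    return flagged


if __name__ == "__main__":
    for tx_hash, reason in screen(SAMPLE_TXS, SANCTIONED).items():
        print(tx_hash, reason)
```

Raising `hops` widens the net at the cost of false positives: with `hops=2` the exchange's own hot wallet becomes exposed through tx4, which is why exposure scoring in practice weights by amount and recency rather than treating every hop alike. The example also shows the limit the article describes: screening can stop an exchange from accepting tx4, but nothing here can prevent tx2 or tx3 from executing on-chain.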