Sanctioned Crypto Mixer Tornado Cash Hijacked

Following a tweet by samczsun and subsequent investigations by journalists at Bloomberg, the sanctioned crypto mixer has suffered the cryptocurrency version of a hostile takeover.


According to the tweet, samczsun, a security researcher at crypto investment firm Paradigm, said that an attacker granted themselves 1.2 million fake votes on Saturday. Because the fake votes exceeded the roughly 700,000 legitimate votes, the attacker gained complete control over the governance of Tornado Cash.

Tornado Cash can be broadly described as a crypto mixer: a service, implemented as a set of smart contracts, that pools potentially identifiable cryptocurrency funds with large sums of other users' funds so that the origin of any individual deposit is obscured.

Such a service is favored by those who want to keep their cryptocurrency transactions private. To do this, the service anonymizes transfers between addresses and does not require Know Your Customer (KYC) checks.

As a result, the risk of such a service being used for money laundering is very high; as Coin Telegraph states,

...the risk of employing crypto mixers to launder money or conceal earnings is pretty considerable. Mixers and online gambling sites have the most severe money laundering issues, as they process most dirty currencies. Mixers, for example, have consistently processed about a quarter of all incoming illicit Bitcoin (BTC) each year, while the proportion laundered through exchanges and gambling has remained relatively steady (66 to 72%).

Because of this high risk of money laundering, and because Tornado Cash was accused of accepting funds from Lazarus, the infamous North Korean state-sponsored hacking group, the crypto mixer has been sanctioned.

The US Treasury Department imposed sanctions on Tornado Cash in August 2022, stating that the aforementioned North Korean hackers had used the service to launder illicit gains.

Lazarus is believed to have laundered about 450 million USD through the service. Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence, said,

Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States…Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors regularly and without basic measures to address its risks. Treasury will continue aggressively pursuing actions against mixers that launder virtual currency for criminals and those who assist them.

How the Attack Happened

Regardless of the sanctions imposed by the US Treasury, or the public's general feeling about the crypto mixer, the protocol did suffer an attack that effectively allowed the attacker to withdraw all of the locked votes, drain all of the tokens in the governance contract and brick the router.

According to samczsun, the attacker submitted a malicious proposal to be voted on by holders of TORN, Tornado Cash's governance token, presenting it as a copy of a similar proposal that had previously been voted on and passed.

The new proposal contained one additional function; presumably the attacker hoped that a malicious function appended to the end of otherwise familiar code would not be noticed by reviewers.

That extra function, emergencyStop, is what let the attacker change the proposal's logic after voters had approved it: calling it self-destructed the proposal contract, after which different code was deployed at the same address, and that replacement code granted the attacker the fake votes. The code that ran at execution was therefore not the code the community had reviewed.
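The practical lesson is that a proposal's bytecode must be treated as mutable until proven otherwise. The following is an added example, not code from Tornado Cash or from samczsun's analysis: a small Python screen that (1) disassembles EVM runtime bytecode opcode by opcode, correctly skipping PUSH immediates so a 0xff byte inside push data is not mistaken for SELFDESTRUCT, (2) flags the opcodes that allow a contract's behaviour to differ from what was reviewed (SELFDESTRUCT, DELEGATECALL, CALLCODE, CREATE2), and (3) refuses execution if the code currently at the proposal address is not byte-identical to what voters looked at. The sample bytecode strings, the helper names and the fingerprinting approach are all assumptions made for illustration.

```python
"""Offline screening of a governance proposal's EVM bytecode (added example)."""
import hashlib

PUSH1, PUSH32 = 0x60, 0x7F

# Opcodes that let a proposal behave differently from the reviewed code:
# SELFDESTRUCT removes the contract so it can be redeployed at the same
# address; DELEGATECALL/CALLCODE execute foreign code in the proposal's
# context; CREATE2 is what makes address reuse after SELFDESTRUCT possible.
RISKY = {0xFF: "SELFDESTRUCT", 0xF4: "DELEGATECALL", 0xF2: "CALLCODE", 0xF5: "CREATE2"}


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) tuples, stepping over PUSH data.

    A naive byte scan would report a 0xff inside PUSH data as SELFDESTRUCT;
    walking the stream one instruction at a time avoids that false positive.
    A PUSH truncated at the end of the code simply yields a short immediate.
    """
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield i, op, code[i + 1:i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def risky_opcodes(code: bytes):
    """Return [(offset, name)] for every risky opcode in the runtime code."""
    return [(off, RISKY[op]) for off, op, _ in disassemble(code) if op in RISKY]


def fingerprint(code: bytes) -> str:
    """Fingerprint of reviewed bytecode for local records.

    SHA-256 is used here for convenience; the on-chain EXTCODEHASH value is
    keccak-256, so compare this only against your own earlier snapshot.
    """
    return hashlib.sha256(code).hexdigest()


def safe_to_execute(reviewed: bytes, on_chain_now: bytes):
    """Gate a proposal: code must be unchanged since review and must not
    contain opcodes that allow it to change later. Returns (ok, reasons)."""
    reasons = []
    if fingerprint(reviewed) != fingerprint(on_chain_now):
        reasons.append("bytecode changed since review")
    for off, name in risky_opcodes(reviewed):
        reasons.append(f"{name} at offset {off}")
    return (not reasons, reasons)


# Constructed sample bytecode (assumption; not real Tornado Cash code).
# PUSH1 0xff; PUSH1 0x00; SELFDESTRUCT: the 0xff at offset 1 is push data,
# the real SELFDESTRUCT is at offset 4.
PROPOSAL_WITH_KILLSWITCH = bytes.fromhex("60ff6000ff")
# PUSH1 0x01; PUSH1 0x02; ADD; STOP: nothing risky.
HARMLESS = bytes.fromhex("600160020100")

if __name__ == "__main__":
    print(safe_to_execute(HARMLESS, HARMLESS))
    print(safe_to_execute(PROPOSAL_WITH_KILLSWITCH, PROPOSAL_WITH_KILLSWITCH))
    print(safe_to_execute(HARMLESS, PROPOSAL_WITH_KILLSWITCH))
```

In a real review the two byte strings would be the runtime code fetched from the proposal address at voting time and again immediately before execution (with web3.py, `w3.eth.get_code(address)`). The screen is a first gate, not a substitute for reading the source: a DELEGATECALL to an upgradeable target is as dangerous as a kill switch in the proposal itself, which is why it is flagged too.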

According to an article published by Coin Telegraph, a community member confirmed the attack and gave advice on preventing further losses,

The attack comes as a reminder to crypto investors to vet proposal descriptions and logic. An active community of Tornado Cash, who goes by the name Tornadosaurus-Hex or Mr. Tornadosaurus Hex, confirmed that all funds in governance are potentially compromised and requested all members to withdraw all funds locked in governance.

This was not the only proposal or malicious contract put forward by the attacker. The attacker later deployed a contract, submitted as a further proposal, that could revert the governance changes they had made, while the community advice to withdraw funds from governance still stood.

Since news of the attack came out, a former Tornado Cash developer has stated that they are working on building a new crypto mixing service from scratch, one that addresses the "critical flaw" existing in Tornado Cash. The developer went on to state his intentions, saying he wants to enable

the community to defend against hackers abusing the anonymity sets of honest users without requiring blanket regulation or sacrificing on crypto ideals.

It can be argued that Tornado Cash was the preferred money laundering method for hackers and other criminal organizations. According to analytics firm Dune Analytics, over 8 billion USD has been sent through Tornado Cash since the service started in 2019.

This has netted the platform 20 million USD in fees alone, showing that there is certainly a financial motive for allowing threat actors to use it. Regardless, the event highlights the possibility of threat actors seizing governance of blockchain protocols through malicious proposals, and it should bring awareness of the issue to more legitimate blockchain applications.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.

The PCrisk security portal is published by the company RCS LT.
