crypto mixer

Euler hacker seemingly taking their chances, sends funds to crypto mixer

Before the move, the hacker apparently refunded at least one victim, leading to a slew of on-chain messages from other purported victims.

The hacker responsible for the $196 million attack on Euler Finance has begun moving funds into crypto mixer Tornado Cash, only hours after a $1 million bounty was launched to uncover the hacker’s identity.

Blockchain analytics firm PeckShield tweeted on March 16 that the exploiter behind the flash loan attack on the Ethereum noncustodial lending protocol was “on the move.”

The exploiter transferred 1,000 Ether (ETH), approximately $1.65 million, through sanctioned crypto mixer Tornado Cash.

It comes only hours after Euler Labs tweeted that it was launching a $1 million reward for information leading “to the Euler protocol attacker’s arrest and the return of all funds.”

Just a day earlier, Euler sent an on-chain message to the exploiter’s address, warning it would launch a bounty “that leads to your arrest and the return of all funds” if 90% wasn’t returned within 24 hours.

The movement of the funds to the crypto mixer could indicate that the hacker is not being swayed by Euler’s amnesty offer.

PeckShield noted that around 100 ETH, worth $165,202 at the time of writing, was sent to a wallet address that is likely owned by one of the victims. An on-chain message sent earlier from that wallet address had pleaded with the attacker for the return of their “life savings.”

This led to a slew of other victims sending messages to the address in hopes of also getting their funds returned.


One message stated they “are twenty-six families from jobless rural areas,” who lost “a million USDT in total,” adding their share of funds in the protocol was the “life-savings from our past decades of work in factories.”

Another apparent victim messaged the attacker congratulating them on the “big win” and said they invested funds into Euler they “desperately needed” for a house.

“My wife is going to kill me if we can’t afford our house […] Is there anyway [sic] you can help me? I have no idea what to tell my wife,” they wrote.

According to on-chain data, the $196 million stolen from Euler consisted of Dai (DAI), USD Coin (USDC), staked ETH and wrapped Bitcoin (WBTC).

Wallet tied to Uranium Finance hacker reawakens after 647 days, shifting $3.3M

The hacker has other associated wallets that have also shifted funds to privacy networks such as Aztec.

One of the wallets associated with the $50 million exploit of Uranium Finance in April 2021 appears to have awoken after 647 days of dormancy, with funds headed towards crypto mixer Tornado Cash.

The sudden move was highlighted on March 7 by cybersecurity firms PeckShield and CertiK on their respective alert accounts on Twitter.

According to data from Etherscan, the hacker moved the 2,250 Ether (ETH), worth $3.35 million, over a seven-hour period in transactions ranging from 1 ETH to 100 ETH — with all the funds heading to Tornado Cash.

This is, however, just one of the wallets associated with the hacker. Another Ethereum wallet linked to the hacker was last active 159 days ago, when 5 ETH was sent to Aztec, a privacy-focused Ethereum zk-rollup.

This marks yet another occasion in 2023 in which a hacker’s wallet has come out of dormancy after a lengthy hiatus. In January, the Wormhole hacker moved around $155 million worth of ETH almost a year after exploiting the Wormhole bridge for $321 million in early 2022.

The same month, a notorious hacker dubbed the “blockchain bandit” also moved around $90 million after a six-year slumber.

In February, the Wormhole hacker moved another $46 million worth of stolen funds, while popular blockchain sleuth ZachXBT highlighted via Twitter on Feb. 23 that “dormant funds left over” from the April 2018 $230 million Gate.io exchange hack by “North Korea began to move after over 4.5 years.”

Binance Smart Chain-based automated market maker Uranium Finance was exploited on April 28, 2021. The hack itself was reportedly the result of a coding vulnerability that allowed the hacker to siphon $50 million during Uranium’s v2.1 protocol launch and token migration event.

The platform seemingly shut down shortly after the hack, with its last tweet published on April 30, 2021, urging users to remove funds from its various liquidity pools.

Unanswered questions

It is also worth noting that on April 28, 2021, someone claiming to be a member of the project’s development team suggested in the Uranium Discord channel that the hack may have been an inside job.

They outlined that only a small number of team members knew of the security flaw prior to the v2.1 protocol launch, and questioned the suspicious timing of the hack being just two hours before launch.

Since then, reports have gone cold on the project and its victims. However, Binance forum posts from last October suggest that users have been left out in the cold.


On Oct. 26, user “RecoveryMad” made a post asking for a follow-up on the hack, and noted that the person representing the Uranium team in the community Telegram had “vanished.”

In response, user “nofiatnolie” claimed that “No investigation was performed. It was swept up under the rug. There are still victim groups with no answers and crowd-sourced investigations [are] pointing at the developers of Uranium and others as the suspects.”

Tornado Cash left a void, time will tell what fills it — Chainalysis chief scientist

There’s a hole to be filled where Tornado Cash once was, and “junior mixers” are vying for position in the wake of the mixer’s sanction and ban by the U.S. Treasury.

The sanctions on cryptocurrency mixer Tornado Cash have left a vacuum for illicit fund-mixing services, but more time is needed before the full impact is known, according to Chainalysis’ chief scientist.

During a demo of Chainalysis’ recently launched blockchain analysis platform Storyline, Cointelegraph asked Chainalysis chief scientist Jacob Illum and country manager for Australia and New Zealand Todd Lenfield about the impact of the Tornado Cash ban.

Illum said that while there is still some usage of the mixer, more time was needed to “see what’s happening” and how the “world responds to that designation,” adding that people are trying to figure out what to do now that the crypto mixer is effectively gone:

“People are getting more cautious in the space and are not sure how to interact with Tornado Cash, we’ve seen deposits into services providing similar activity go down at least temporarily, because people are measuring like ‘what does this mean for me?’”

But where others see obstacles, some clearly see an opportunity: Illum noted that a crop of what he calls “junior mixers” have popped up looking to cash in on the void that Tornado Cash left.

An August report by blockchain security firm SlowMist stated that 74.6% of stolen funds on the Ethereum network were transferred to Tornado Cash in the first half of 2022, a sum of over 300,000 Ether (ETH), around $380 million.

Data from Chainalysis showed the 30-day moving average of the total daily value received by crypto mixers reached a new all-time high of $51.8 million in April.

“If the liquidity isn’t there, you effectively dry up a lot of [a mixer’s] capability,” Lenfield added:

“The hunting for places where there is liquidity, when it’s highly visible after things like the OFAC sanctioning of Tornado Cash, I think makes a very interesting space to keep an eye on.”

Tornado Cash was sanctioned by the United States Treasury Department on Aug. 8, meaning criminal or civil penalties could be brought against U.S. citizens or entities who interact with the mixer. Over 40 cryptocurrency addresses purportedly connected to Tornado Cash were added to the Specially Designated Nationals list of the Office of Foreign Assets Control (OFAC).


Asked about the level of sophistication that law enforcement agencies had in dealing with crypto-related crime, Illum mentioned one of the biggest gaps in law enforcement at the moment is blockchain-related training:

“As [blockchain] gains adoption, there’s more people that are getting exposure to crypto, which also means that there are more agents or law enforcement personnel that need to have exposure to crypto as well.”

Lenfield noted that authorities are starting to build capabilities around cryptocurrencies, citing the Australian Federal Police’s (AFP) recent establishment of a cryptocurrency unit focused on monitoring crypto transactions:

“It is active in their minds, they are setting goals, and they’re working through that. But, as in any aspect, there’s that learning curve to get them there, but there is 100% visibility and development in this space by those agencies.”

Earlier in September, Chainalysis’ Crypto Incident Response team helped law enforcement recover $30 million in crypto stolen in the Ronin Bridge hack by the North Korea-linked Lazarus Group, which used Tornado Cash to launder the stolen assets.

Tornado Cash co-founder reports being kicked off GitHub as industry reacts to sanctions

OFAC issued a statement implying prohibited transactions with Specially Designated Nationals could include “downloading a software patch from a sanctioned entity.”

Roman Semenov, one of the co-founders of Tornado Cash, has reported that his account was suspended at the developer platform GitHub following the United States Treasury Department’s sanctioning of the privacy protocol.

In a Monday tweet, Semenov said that despite not being individually named as a Specially Designated National, or SDN, by Treasury’s Office of Foreign Assets Control, he seemed to be facing repercussions from the Treasury’s allegation that Tornado Cash had laundered more than $7 billion worth of cryptocurrency. As SDNs, identified firms and individuals have their assets blocked and “U.S. persons are generally prohibited from dealing with them.”

Being identified as an SDN would seemingly cover any contact for business purposes, which could extend to associations on GitHub. According to a joint statement from the Federal Financial Institutions Examination Council and the Office of Foreign Assets Control, prohibited transactions could be interpreted to include “downloading a software patch from a sanctioned entity.”

Semenov called the move to suspend his account “a bit illogical.” However, U.S. residents have been effectively barred from using the crypto mixer, given its alleged failure “to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” according to Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

Some pro-crypto advocates have posited that the Treasury’s actions against Tornado Cash amounted to sanctioning a “neutral tool” rather than targeting the individuals responsible for using it for illicit means. Jake Chervinsky, head of policy at the Blockchain Association, claimed the U.S. Treasury Department’s decision may have “crosse[d] a line” between penalizing bad actors and penalizing those who develop the tools and technology they might use.

“It is not any specific bad actor who is being sanctioned, but instead it is all Americans who may wish to use this automated tool in order to protect their own privacy while transacting online who are having their liberty curtailed without the benefit of any due process,” said Jerry Brito, executive director of Coin Center.

A crypto mixer, Tornado Cash can be used to hide the trail of transactions for privacy reasons. The protocol was at the center of some major hacks and exploits in decentralized finance, including a $375-million attack on Wormhole in February and a $100-million hack on Horizon Bridge in June. The company announced in April that it was using oracle contracts from Chainalysis to block wallet addresses sanctioned by the Office of Foreign Assets Control following the Treasury Department alleging the North Korean hacking group Lazarus was behind a $600-million exploit of Ronin Bridge.

Cointelegraph reached out to Tornado Cash, but did not receive a response at the time of publication.