Tornado Cash funds ‘at risk’ after hacker injects malicious code

Deposits to notorious crypto privacy tool (and hacker-favorite) Tornado Cash may be at risk after malicious code was reportedly introduced to certain user interfaces.

According to a report by ZeroTwoDAO, published on Sunday:

“If you have deposited to Tornado Cash using IPFS gateways (like ipfs.io, cf-ipfs.com, eth.link), your note would likely be exposed and the deposited funds are at risk.”

It looks like some Tornado Cash UIs (eg https://t.co/JlgMXo60xT) inject malicious code for 100 ETH deposits. Also, there are some suspicious proposals:
– https://t.co/dgB7tQHThS
– https://t.co/N147u0WTMW

Investigation ongoing. pic.twitter.com/80ZqgdMCSJ
— sudo rm -rf –no-preserve-root / (@pcaversaccio) February 24, 2024

The report goes on to explain that user interfaces hosted via the peer-to-peer Interplanetary File System (IPFS) contain ‘malicious javascript code’ that was introduced by pseudonymous community contributor Butterfly Effects in a governance proposal two months ago.

Consequently, sensitive data about deposits made via IPFS-hosted user interfaces was leaked to a server owned by the exploiter, who could then use the information to steal other depositors’ funds.

The article gives as an example an Ethereum address that withdrew a total of 3,200 ETH (worth $10 million) on Friday, before redepositing the funds into Tornado Cash the following day.

This isn’t the first time that malicious code has made its way past Tornado Cash’s decentralized governance system, however. In May 2023, a governance attack threatened to hand over full control of the protocol before the hacker had a change of heart.

With Tornado Cash’s three core developers beset by legal issues, monitoring of governance proposals has been left to token holders.

In August 2022, the US Treasury sanctioned Tornado Cash and related addresses due to its use in money laundering operations and connections to the Lazarus Group of North Korean hackers. Within a month, funds locked in the protocol had dropped by 50%.

Shortly after the announcement, developer Alexey Pertsev was arrested in the Netherlands. A year later, US-based Roman Storm and Roman Semenov were also charged with money laundering.

The team has received support from across the crypto community. However, efforts have been hampered by the nature of the sanctions.

Important campaign update:

Yesterday, @gofundme notified the campaign organizers that the fundraiser for @rstormsf's legal defense was cancelled. They cite Term 22 of their terms of service, which can be interpreted to mean they simply didn’t like the fundraiser. pic.twitter.com/xqEFZ9Ncd5
— Free Pertsev & Storm (@FreeAlexeyRoman) February 14, 2024

What is a crypto mixer?

Tornado Cash is a crypto mixing service allowing users to obscure their funding source or the trail of their transactions, information which is otherwise publicly visible via block explorers.

While its supporters argue that mixers are legitimate tools to allow for privacy in an otherwise transparent financial record, they are also wildly popular with crypto hackers.

Since the protocol was slapped with sanctions, cashing out funds that have been ‘tainted’ by association with Tornado Cash has led many to avoid using the service.

This includes the hackers, who are increasingly opting to fund their attacks through low-scrutiny exchanges, such as FixedFloat, which does not require users to pass know-your-customer (KYC) checks.

Ironically, FixedFloat itself was hacked for $26 million worth of crypto earlier this month.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.