A hacker, known as Penpie, has laundered $27 million in Ethereum through the popular mixing service called Tornado Cash. Starting shortly after the hack on September 4, 2024, this attack points out some of the ongoing weaknesses in DeFi platforms. In fact, fast-moving funds by the hacker have set off several alarm bells about the efficacy of stolen asset tracking in cryptocurrency.
Swift Laundering Raises Concerns
Within just a few hours of the breach, the Penpie hacker routed some $7 million through Tornado Cash. And they were just getting started. Over the forthcoming days, they continued to move large sums in succession until a total of 11,261 ETH worth about $26.7 million had been transferred.
That’s quick work, and at this speed, many in the crypto community are finding it unbelievable for the security controls put in place around DeFi protocols.
The company tried to work out a deal with the hacker, offering them a bounty and immunity from any prosecution in exchange for their help. Penpie even went so far as to offer to hire the hacker as a white-hat security tester, who works finding vulnerabilities in the software to report back to the companies for which they work.
Four hackers have sent 20,561 $ETH ($49.3M) to #TornadoCash since the start of September!
Notably, among these hacker entities: • #Penpie exploiter quickly laundered all 11,261 $ETH ($26.7M) within only 4 days of the hack. • #WazirX exploiter still holds 54,155 $ETH ($123M),… pic.twitter.com/LNWNR4Hsvy
— Spot On Chain (@spotonchain) September 8, 2024
Despite these negotiations, which aimed to minimize losses and avoid legal action, the hacker ignored the offer and laundered the stolen $27 million through Tornado Cash.
The risks on these kinds of decentralized platforms, therefore, are greater since more hackers have switched their attention to using such privacy tools for money laundering, like Tornado Cash.
The Penpie hack is part of a broad landscape that has seen at least four hacker groups launder more than 20,561 ETH, valued at about $49.3 million, through Tornado Cash since the beginning of September.
Penpie Hacker: The Bigger Picture
The repercussions of these events go beyond just financial losses; they also beg critical questions about DeFi’s future and the balance between privacy and security. Tornado Cash has become a double-edged sword, availed to offer anonymity to its users.
What the Penpie hacker did essentially shows how the current security landscape in DeFi is not enough to prevent or limit such hacks. The fact that funds are quickly laundered through platforms like Tornado Cash presents a high risk to the entirety of the cryptocurrency ecosystem.
This is where the loopholes need to be addressed, and that requires developers, investors, and regulators to come together to curb this growing menace.
#EulerFinance Exploiter sends 1 msg to the #Penpiexyz Exploiter pic.twitter.com/Tcq3KgHssR
— PeckShieldAlert (@PeckShieldAlert) September 6, 2024
Meanwhile, to show how proud he is, the exploiter behind a $195 million flash loan attack on Euler Finance in March 2023 sent an on-chain message to the hacker. He praised his fellow thief, for not returning the money, saying:
“Good job bro. I didn’t see a hack like this for a while. I’m happy you kept all the money and didn’t let these bastards get back one dollar of what you took. You won, they lost. Good job.”
Featured image from Money, chart from TradingView