Tornado Cash DAO, the privacy-focused cryptocurrency mixing service, was reportedly breached in a sophisticated cyberattack over the weekend. A series of transactions revealed that the culprit has begun moving the ill-gotten funds, stirring alarm among stakeholders and experts in the blockchain community.
Blockchain data provided by Etherscan showed the movement of 100 ether (ETH) and 38,000 Tornado (TORN) tokens from addresses linked to the unidentified assailant on Wednesday night. The audacious attacker, who cleverly camouflaged a malicious code to grant themselves counterfeit votes, currently holds over 20 ether, equivalent to $35,684, in their digital wallet and still retains possible access to Tornado Cash’s treasury.
This assault, which has put the DAO’s operations, financial resources, and future plans in jeopardy, primarily utilized these faux votes to manipulate elements of Tornado Cash, like handling TORN tokens held in the primary governance contract and withdrawing locked tokens.
The resilience of Tornado Cash
Despite the attack’s sophistication, experts quickly clarify that the Tornado Cash protocol remains untouched. The service’s core functionality was not exploited, which allows users to obscure fund movements and crypto addresses. The incident, unsettling as it may be, does not reveal any technological vulnerability within Tornado Cash’s underlying smart contracts or systems.
In a glimmer of hope for the embattled Tornado Cash, the anonymous attacker proposed a resolution earlier this week to revert all harmful changes implemented during the takeover. The move triggered a 10% increase in the price of TORN tokens at the time. The proposal is slated for voting closure on May 26, with indications suggesting a positive outcome. If successful, this would remove the malevolent code, restoring the governance of Tornado Cash’s DAO to the token holders.
However, the episode comes amid a separate controversy surrounding Tornado Cash. Several users have recently filed a lawsuit against the U.S. Treasury, alleging the sanctions against the platform violate the First Amendment. They argue that the Treasury lacks the jurisdiction to ban the mixer, insisting that such an action infringes upon their right to privacy and freedom of expression.
The U.S. Treasury, last year, enforced restrictions on Tornado Cash, citing the firm’s alleged role in financing terrorism and facilitating money laundering. In their legal challenge, the plaintiffs have contested this decision, stating that the privacy-focused software, which is not owned, managed, or alterable by any party, should not be classified as property and, therefore, is not subject to such sanctions.