A hacker stole $27 million in Ethereum from Penpie and laundered it through Tornado Cash, evading all recovery efforts. Despite legal immunity and a bounty, the hacker moved the stolen assets through Tornado Cash, making it nearly impossible to trace. The use of Tornado Cash in the Ethereum laundering process highlights serious security challenges in decentralized finance platforms. The malicious act took place on September 4, 2024, resulting in the theft of 11,261 ETH.
The stolen Ethereum was subsequently laundered through Tornado Cash, a popular cryptocurrency mixing service. Despite Penpie’s efforts to recover the funds, the hacker continued to transfer the assets, rendering them nearly untraceable. Penpie offered the perpetrator legal immunity and a chance to become a white-hat hacker if they returned the stolen assets. Additionally, Penpie proposed a bounty for anyone who could provide information leading to the recovery of the funds. However, the hacker disregarded all these offers, opting instead to launder the stolen Ethereum through Tornado Cash.
On September 8, 2024, the hacker completed the laundering process by transferring the remaining 1,661 ETH into Tornado Cash. Blockchain analysts detected the final transaction just hours after it occurred, but by then, the majority of the stolen funds had already been concealed. This incident highlights the challenges of tracing stolen cryptocurrency when mixing services like Tornado Cash are involved. Tornado Cash is a crypto-mixing service that makes tracking transactions difficult by severing the links between senders and receivers. Its privacy features make it an attractive tool for cybercriminals seeking to obscure their illicit activities.
Although efforts have been made to regulate the service, its decentralized structure has proven challenging to manage. This breach underlines the vulnerabilities of decentralized finance (DeFi) platforms like Penpie, which operates on the Pendle Finance protocol. Penpie allows users to maximize their earnings by splitting and trading yield-bearing assets. However, its decentralized nature also makes it susceptible to hacks. The hacker’s ability to launder such a significant amount of ETH without leaving a clear trail demonstrates the need for improved security in the DeFi space.