A hacker robbed $27 million in Ethereum from Penpie and laundered it using Tornado Cash. Penpie offered a bounty and legal immunity, but the criminal ignored their attempts to recover the funds. Tornado Cash facilitated the obscuration of the stolen ETH, making retrieval efforts futile. The breach, which occurred on September 4, 2024, resulted in the theft of approximately 11,261 ETH. The perpetrator disregarded Penpie’s efforts to recuperate the funds and moved all the missing ETH through the crypto-mixing service.
Despite Penpie's attempts to negotiate by offering the culprit a bounty and a chance to work with them as a white-hat hacker, the thief dismissed these proposals. Penpie also announced a 10% bounty for anyone providing information leading to the recovery of the stolen assets. However, the hacker transferred the entire $27 million in Ethereum through Tornado Cash, which is known for its ability to obscure cryptocurrency transactions. On September 8, 2024, the hacker completed the final transfer of 1,661 ETH into Tornado Cash, marking the final step in laundering all the stolen Ethereum.
On-chain analyst Yu Jin reported that this transaction occurred just three hours before it was detected. Tornado Cash, a network designed to blend crypto payments, enables users to eliminate the identifiable links between senders and receivers. Because of this technology, it has become a favored tool for cybercriminals. Despite efforts to regulate it, Tornado Cash’s autonomous and private nature makes it challenging to manage. The Penpie hack highlights the significant security challenges faced by decentralized finance (DeFi) platforms.
Penpie, built on the Pendle Finance protocol, aims to enhance liquidity provision and yield farming while offering features to let users split and trade yield-bearing assets, maximizing returns. Yet, the distributed structure of DeFi stages makes them vulnerable to attacks. The thief’s ability to launder $27 million without being traced underscores the difficulties in securing digital assets in this ecosystem. As of now, there has been no recovery of the stolen funds, leaving Penpie and its users with significant financial losses. This situation raises an important question for the entire DeFi community: How can these platforms improve their security measures to prevent such breaches in the future?