Cryptocurrencies

Penpie Hacker Launders 11,261 ETH, Ignores Bounty and Legal Immunity

Penpie Hacker Launders 11,261 ETH, Ignores Bounty and Legal Immunity

The Penpie hacker laundered 11,261 ETH, ignoring Penpie’s bounty offer and rejecting legal immunity for returning the funds. Penpie lost $27M in a DeFi hack on September 3, 2024, with most of the stolen assets laundered through Tornado Cash. Penpie’s efforts to recover funds, including a bounty and white-hat hacker offer, were ignored as the hacker laundered the remaining ETH.

The hacker responsible for the recent Penpie exploit has transferred the last 1,661 ETH, completing the laundering of $27 million worth of stolen assets. The funds, totaling around 11,261 ETH, were moved through Tornado Cash. Despite Penpie offering a bounty and legal immunity to return the stolen funds, the hacker ignored the proposal and completed the transfer today. This concludes the hacking incident that began earlier this month, with Penpie losing substantial assets across its decentralized finance (DeFi) platform.

Penpie, built on the Pendle Finance protocol, suffered a major hack on September 3, 2024, which led to over $27 million worth of assets being stolen. The stolen assets, including various types of staked Ethereum (ETH), were converted into approximately 11,109 ETH. Notably, 1,000 ETH was laundered through Tornado Cash shortly after the breach. Penpie, hoping to resolve the situation, extended a bounty offer to the hacker, promising a reward and a chance to become a white-hat hacker without facing legal consequences. However, the hacker seemed unresponsive to these offers.

Instead, they continued to launder the funds, moving the remaining 1,661 ETH through Tornado Cash by September 8. The Penpie team’s attempt to recover the stolen assets through negotiations ultimately failed. Tornado Cash, a popular cryptocurrency mixer, has been frequently used in laundering illicit funds, including the assets stolen from Penpie. Following the hack, the majority of the stolen ETH was funneled through Tornado Cash, allowing the hacker to obscure the origin of the funds.

Penpie’s loss highlights the challenges decentralized protocols face in recovering stolen funds, particularly with the involvement of crypto mixers. Penpie’s efforts to retrieve the funds by appealing to the hacker and the wider community were unsuccessful. The decentralized nature of DeFi protocols makes it difficult to control such exploits, as demonstrated in this case. Penpie’s decision to publicly offer the hacker a bounty reflects its attempt to resolve the situation without further losses. The offer included legal immunity and a potential future in the community as a white-hat hacker.

However, the exploiter rejected the offer, continuing to launder the remaining ETH until all stolen assets had passed through Tornado Cash. This incident has highlighted vulnerabilities within DeFi protocols like Penpie. Despite attempts to mitigate the damage through communication and negotiation, the hacker’s refusal to cooperate leaves Penpie facing significant financial losses.