Controversial crypto mixer Tornado Cash is facing another crisis. This time, it’s the victim

 

By Connie Lin

Over the weekend, Tornado Cash, a so-called crypto tumbler that obfuscates the origins and destinations of cryptocurrency transactions, fell victim to a hostile takeover by a hacker who snatched control of the blockchain protocol by hijacking its governance mechanism.

But then, in a bizarre twist, the hacker seemed to suffer a crisis of conscience—and on Monday, gestured at handing back the reins. The about-face has left the crypto world feeling disoriented—and naturally, suspicious.

It’s a confusing, embarrassing, and still-ongoing episode for Tornado Cash, which was already embattled over its very being. The service, which is allegedly a favorite of shadowy characters who use it to launder illicit money, has been at the eye of a storm of controversy over crypto’s role in cybercrime and dark-web dealings. Last year, it was sanctioned by the U.S. Treasury Department, which claimed that North Korea’s hacker group Lazarus had used it to transfer $450 million in stolen cash.

Tornado Cash, which mixes so-called tainted or traceable cryptocurrency with other streams of crypto as to muddle the trail of money, has argued that it stands for privacy on the blockchain. According to Dune Analytics, over $8 billion has passed through the service since its founding in 2019.

If you’re not caught up, here’s this weekend’s rundown:

The hacker’s attack

As per crypto custom, Tornado Cash is governed by a DAO (decentralized autonomous organization), and any individuals who own the TORN governance token can use those tokens to vote on crowdsourced proposals. On Saturday, a hacker put forth a malicious proposal that spoofed an earlier benign proposal—except this one was a Trojan horse, hiding a secret code that granted the attacker 1.2 million votes, and thus, the power of majority rule.

A security researcher at Paradigm, who goes by the screen-name samczsun, reported the attack on Twitter, writing that Tornado Cash governance had “effectively ceased to exist.”

In the immediate aftermath of the attack, panic ensued over what the hacker could do—steal a fortune in crypto tokens by draining the DAO’s treasury; brick the router so that Tornado Cash’s dashboard is wiped out of commission. (The hack affected only Tornado Cash’s governance system—not the mixing technology of the protocol itself.)

But instead, the hacker elected to withdraw just 10,000 of the TORN tokens that had been supplied by the malicious code and sell those off for a measly profit, compared to the spoils within grasp; the full 1.2 million TORN was worth over $4 million, based on the token’s price at the time.

The reversal of fortunes

In the hours after the attack, crypto community members lobbed Hail-Mary bids to save the remaining funds in the DAO’s treasure chest, knowing that resistance was likely futile.

 

But the hacker’s next play was bewildering. In another new proposal submitted to Tornado Cash’s DAO, shared in a web forum by a community member known as Mr. Tornadosaurus-Hex, the attacker indicated the intent to give back governance control by resetting the malicious haul of governance tokens back to zero.

The DAO’s members aren’t cheering yet. The reversion has yet to be “voted on” (by the hacker), and some suspect that the hacker’s proposal is a ploy to pump up TORN’s price before cashing out on the rest of the loot. TORN’s price fell by as much as 40% in the 24 hours following the attack, but rose by at least 10% after the proposal.

Meanwhile, others believe the ultimate target could be a Tornado Cash spin-out, Nova, which holds a pool of roughly 500 Ether worth $900,000 at current prices.

The key takeaway

Whether the hack proves catastrophic—opening the floodgates to a wave of copycat attacks that are dangerously hard to detect—or if it’s just, as crypto community member 0xdeadf4ce suggested, the actions of a “gigatroll” meant to teach an “expensive but not disastrous lesson,” it casts a light on a certain lawlessness that pervades crypto’s wild, wild west—an ethos that some might argue Tornado Cash itself has embodied, leaving a mess of damaged infrastructure and unpunishable sins in its wake.

Fast Company

(24)