Hacker moves $10M from 2023 phishing incident to Tornado Cash

WikiBit 2024-03-21 21:41

The funds were taken in a phishing attack where a user signed an “Increase Allowance” transaction.

The funds were taken from a crypto whale in 2023 when the holder signed transactions that allowed the attacker to access the funds.

An account linked to a phishing attack in September 2023 has moved $10 million in Ether (ETH) to the crypto-mixing protocol Tornado Cash.

Hacker transferring funds to Tornado Cash.

On March 21, blockchain security firm CertiK flagged an account linked to the $24 million hack transferring 3,700 ETH to Tornado Cash. The funds were taken from a crypto whale in a phishing incident on Sept. 6, 2023.

At the time, the investor lost $24 million in staked ETH on the liquid staking provider Rocket Pool. The hack was done in two transactions — one took 9,579 stETH, while the other drained 4,851 rETH from the crypto whale.

Scam Sniffer, an anti-scam project, said that the victim signed an “Increase Allowance” transaction, which granted token approvals to the hacker. Token approvals are a smart contract feature that lets a third party spend ERC-20 tokens belonging to another holder once that holder has given approval.

The token allowance feature has been widely discussed in the crypto space, with some warning users that developers could deploy malicious smart contracts to run scams.
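To make the approval mechanism concrete, here is an added example (not from the article or from any project it names) that decodes a transaction's calldata before signing and flags calls that grant a token allowance. The function name `inspect_calldata`, the trusted-spender list and the sample calldata are assumptions constructed for illustration.

```python
# ERC-20 function selectors: first 4 bytes of keccak256(signature).
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256), common extension
}
MAX_UINT256 = 2**256 - 1

# Constructed sample inputs (not taken from the incident).
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_INCREASE = "0x39509351" + "00" * 12 + "11" * 20 + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "00" * 32


def inspect_calldata(calldata_hex, trusted_spenders=()):
    """Describe an allowance-granting call, or return None for other calls."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    function = ALLOWANCE_SELECTORS.get(data[:8])
    if function is None:
        return None
    args = data[8:]
    if len(args) < 128:
        raise ValueError("truncated calldata: need two 32-byte arguments")
    # Each ABI argument is one 32-byte word; an address is left-padded with zeros.
    if int(args[:24], 16) != 0:
        raise ValueError("malformed address argument")
    spender = "0x" + args[24:64]
    amount = int(args[64:128], 16)
    # approve(spender, 0) clears an allowance, so it is a revocation, not a grant.
    revocation = function == "approve" and amount == 0
    warnings = []
    if not revocation:
        if spender not in {s.lower() for s in trusted_spenders}:
            warnings.append("spender is not on the trusted list")
        if amount == MAX_UINT256:
            warnings.append("unlimited allowance")
    return {"function": function, "spender": spender, "amount": amount,
            "revocation": revocation, "warnings": warnings}


if __name__ == "__main__":
    for sample in (SAMPLE_INCREASE, SAMPLE_REVOKE):
        print(inspect_calldata(sample))
```
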

Blockchain security company PeckShield flagged that the attacker swapped the assets for 13,785 ETH and 1.64 million Dai (DAI). Some of the DAI was transferred to the FixedFloat exchange, while most of the stolen funds were moved into other wallets.

Phishing attacks continue to be a huge headache for the crypto space. Scam Sniffer's crypto phishing report showed that in February, almost $47 million was lost to crypto phishing scams.

The report highlighted that 78% of the thefts happened on the Ethereum network, and ERC-20 tokens took up 86% of all the assets stolen.

Token approvals have also caused recent losses for crypto users. On March 20, an old contract previously used by the Dolomite exchange was used to drain $1.8 million from users.

The exploit affected users who had authorized approvals for the contract. Because of this, Dolomite's development team urged users to revoke approvals given to the old contract address.

While some attacks lead to millions lost, some efforts to steal crypto are thwarted very quickly. On March 20, the Layerswap team prevented any further damage from a breach of its website after intervention from its domain provider.

Despite this, the hackers still drained about $100,000 in assets from 50 users. The protocol said that it would refund the affected users and provide additional compensation for the inconvenience.
