Crypto NewsCybersecurity NewsNews

Sanctioned Tornado Cash Forcefully Hijacked By Hackers


Tornado Cash, a controversial crypto platform that allows users to transact in cryptocurrency, suffered a forceful takeover by hackers through a malicious governance proposal.

Samczsun, a security researcher at investment firm Paradigm, posted on Twitter that an attacker granted themselves 1.2 million fake votes on Saturday.

Moreover, with 700,000 fake votes, it essentially allows the threat actors to gain complete access to the governance of Tornado Cash.

Hackers Takeover Impact TORN

Samczsun said in his tweet that he couldn’t reach Tornado Cash for comment via Twitter. Notably, the platform is a blockchain protocol, and TORN, its governance token, allows token holders to vote on proposed changes in the service.

Arguably, with complete autonomy, the threat actors can do whatever they want. Essentially, they simply withdrew 10,000 votes as TORN and sold it all.

The U.S. Treasury Department imposed sanctions on Tornado Cash in August after confirming North Korean hackers used the service to launder illicit gains. North Korea’s Lazarus Group laundered about $450 million through the service.

However, moments after hackers took over, crypto exchange Binance temporarily paused deposits of TORN. The token steadied on Monday after sliding on Sunday, its price slumped by over a third to about $4.56 in contrast with an intraday high on Saturday.

Threat Actors Submit Proposal to Undo Attack

The threat actors submitted a to revert Tornado Cash’s governance to token holders, but not everyone in the community acquiesces to the plan.

The Tornado Cash token (TORN) is up 10% after a proposal submitted by a wallet address linked to a recent attack on the decentralized autonomous organization’s (DAO) governance state looks to reverse the malicious changes.

Furthermore, The attacker posted a new proposal to restore the state of governance, user Tornadosaurus-Hex wrote in the Tornado Cash community forum, adding that there is a probability the attacker would execute it.

Given the attacker’s holdings of TORN governance tokens, it appears the proposal will pass when voting closes on May 26, when the proposal passes, the malicious code that the attacker attached to the protocol, will be removed.