Highlights:
- The Penpie hacker laundered $27M in Ethereum via Tornado Cash despite Penpie’s offer of a bounty and legal immunity.
- The stolen funds, totaling 11,261 ETH, were transferred in batches to Tornado Cash, making recovery efforts futile.
- The Penpie hack highlights the security vulnerabilities in DeFi platforms, with the stolen funds remaining untraceable.
The Penpie hacker has successfully laundered $27 million worth of stolen Ethereum through Tornado Cash, disregarding all attempts by the DeFi platform to recover the funds. The hacker moved the stolen assets in batches, using the notorious crypto mixer to obscure the transactions, making it nearly impossible to trace the funds.
On September 4, 2024, the hacker exploited a vulnerability in Penpie’s security, leading to the theft of 11,261 ETH, valued at approximately $27 million at the time. Despite the company’s efforts to negotiate with the hacker, including offering a bounty and legal immunity, all attempts were dismissed.
Final Transfer Through Tornado Cash
On September 8, 2024, the hacker completed the final transaction, transferring 1,661 ETH through Tornado Cash. Etherscan reported that this transaction was detected only three hours after it occurred, marking the completion of the laundering process.
The Penpie hacker has deposited the last 1,661 ETH into Tornado Cash today. This means that the $27 million in assets (about 11,261 ETH) stolen from Penpie by the Penpie hacker have all been transferred through Tornado. Penpie had earlier told the hacker that it was willing to… https://t.co/cFpp3cGotq
— Wu Blockchain (@WuBlockchain) September 8, 2024
Tornado Cash has become a preferred tool for cybercriminals due to its ability to anonymize cryptocurrency transactions. The service blends multiple transactions, effectively severing the link between the sender and receiver. While this provides a layer of privacy, it also makes it difficult for authorities and affected parties to track and recover stolen funds.
The Penpie hack underscores the ongoing security challenges faced by decentralized finance platforms. Built on the Pendle Finance protocol, Penpie allows users to maximize returns through yield farming and liquidity provision. However, its distributed nature also makes it vulnerable to sophisticated attacks.
According to blockchain security firm PeckShield, the hacker started laundering the stolen funds on September 6 by transferring 7,262 ETH ($17.4 million) to an intermediary address. This address then sent 5,600 ETH ($13.4 million) to Tornado Cash. The hacker continued this pattern until all 11,261 ETH had been laundered.
#PeckShieldAlert @Penpiexyz_io exploiter -labeled address has moved 7.262K $ETH (worth ~$17.4m) to an intermediary address 0x2Dc1…18a0, after which it laundered 5.6K $ETH (worth ~$13.4M) via #TornadoCash pic.twitter.com/qthhFCLQ85
— PeckShieldAlert (@PeckShieldAlert) September 6, 2024
Failed Negotiations and Bounty Offer
Penpie made several efforts to recover the stolen funds, including a proposal to the hacker to work with them as a white-hat hacker. This offer included a bounty and assurance of no legal consequences if the funds were returned. However, the hacker ignored these overtures and continued to launder the stolen assets.
The platform also announced a 10% bounty for anyone providing information, which led to the recovery of the stolen Ethereum. Despite this, the hacker successfully transferred the entire amount through Tornado Cash, a tool known for anonymizing cryptocurrency transactions. This move effectively rendered Penpie’s efforts futile.
Crypto Phishing Losses Raised by 215% in August
Cryptocurrency phishing attacks dramatically rose in August, with financial losses soaring to $63 million—a 215% increase from July. The spike was largely attributed to a single incident on August 20, when a decentralized finance (DeFi) protocol hack resulted in a $55 million loss. The attack occurred when a crypto holder unknowingly authorized a transaction, transferring 55.47 million Dai to a phishing address, underscoring the growing sophistication of phishing scams in the crypto ecosystem.
🚨 [1/7] ScamSniffer's August Phishing Report
In August, around 9,145 victims lost about $63 million to crypto phishing scams 😱🔒.
While the number of victims dropped by 34% from July, the stolen amount surged by 215%. pic.twitter.com/lm3dCtBQVH— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) September 3, 2024
Moreover, the victim’s attempt to retrieve the stolen funds failed, as the ownership of the assets had already shifted. This incident highlights the heightened risks in cryptocurrency, where even a small oversight can lead to massive financial losses. These attacks’ increased frequency and severity emphasize the need for heightened vigilance and security measures within the crypto community.