Penpie Hacker Transports $7M from Stolen Funds via Tornado Cash

hacker

The Penpie hacker moved $7 million via Tornado Cash after stealing $27 million, underscoring the security challenges within DeFi.

The hacker behind a $27 million security breach from the decentralized finance (DeFi) project, Penpie, has transported $7 million of the stolen funds through crypto mixer Tornado Cash.

Web3 security firm Cyver Alert recently detected the hacker moving about 26% of the hacked funds via the privacy protocol.

Tornado Cash is a crypto privacy protocol developed on the Ethereum blockchain. It allows a user to deposit crypto assets into a shared pool and receive a transaction key. The user can later input the key to withdraw crypto from the pool into a different crypto wallet. It is often used to mask the whereabouts of crypto transactions.

Hacker Transfers Fund to Tornado Cash Address

According to the blockchain security firm, the attacker’s address persistently transfers the stolen funds through various transactions to Tornado Cash addresses. The hacker’s decision to use Tornado Cash is unsurprising, given its reputation as the go-to tool for laundering illicit funds in crypto.

Following the initial hack incident of $27 million, the Penpie protocol temporarily halted all deposit and withdrawal activities.

The Penpie protocol team noted that at 1745 UTC, the attacker deployed the first contract for the attack.

The protocol also noted that it contacted security specialists at Seal 911 for assistance in preventing further related attacks.

The Pendle team said that it paused all contracts,  preventing additional attempts to drain assets from Penpie and protecting approximately $105 million that the attacker could have potentially stolen.

After several rigorous checks, the development team assured that Pendle contracts were safe. It further noted that the attack was due to an issue specific to Penpie. Additionally, the dev team said that the vulnerability was found to be linked to a unique feature that allowed permissionless listing of Pendle markets on Penpie.

“At 0050 UTC, after rigorous checks and coordination with all relevant parties to confirm step 1 and 2, Pendle contracts were safely unpaused, and normal operations resumed,” the team said.

Exploit Attacks on Protocols Stealing Millions

Meanwhile, this is not the first time a protocol has fallen victim to an exploit. On July 12, 2024, DeFi protocol Dough Finance fell victim to a flash loan attack, resulting in a $1.8 million loss of Ether (ETH).

Another security attack happened on July 17, 2024, causing the loss of approximately $8 million on Li.Fi protocol, an API facilitating Ethereum Virtual Machine (EVM) and Solana (SOL) transactions.