An Ethereum address connected with an exploit last year of DAO Maker has laundered 500,000 DAI stablecoins through Tornado Cash, security firms PeckShield and CertiK said today.
DAO Maker (not to be confused with stablecoin project Maker DAO) is a crowd fundraising platform that suffered a hack in August 2021. Because of a bug in DAO Maker’s smart contract, a hacker was able to steal more than $7 million in stablecoins. These funds were then scattered across different addresses controlled by the hacker.
A year after the incident, one of the addresses, which was labeled by Etherscan as the exploiter of DAO Maker, has transferred $500,000 worth of DAI stablecoins through Tornado Cash. Hackers often funnel stolen assets through Tornado Cash because it allows them to obscure the transactional activity.
Tornado Cash has been in the spotlight in recent weeks, since it was sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). Following the sanctions, all US-based individuals and entities are prohibited from interacting with the app, given its potential for money laundering.
Still, even after the sanctions were announced, Tornado Cash has continued to experience usage by hackers of decentralized finance protocols, as seen today and in other recent events.
On Aug. 19, PeckShield detected that an address responsible for a December 2021 exploit of Grim Finance moved almost $3.3 million into Tornado Cash. Then on Sept. 6, the exploiter of MonoX Finance laundered $2.1 million via Tornado Cash.
While Tornado was originally intended to ensure Ethereum users’ privacy, it also became a tool for hackers to launder assets obtained by illegitimate means. According to the U.S. Treasury Department, bad actors including North Korea’s Lazarus group have used Tornado to transact more than $7 billion worth of crypto assets since it was founded in 2019.