{"id":30608,"date":"2020-10-23T15:14:57","date_gmt":"2020-10-23T12:14:57","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=30608"},"modified":"2025-08-27T23:09:18","modified_gmt":"2025-08-27T20:09:18","slug":"kucoin-hacker-sent-5-million-in-ethereum-to-tornado-cash-mixer","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/kucoin-hacker-sent-5-million-in-ethereum-to-tornado-cash-mixer\/","title":{"rendered":"KuCoin hacker sent $5 million in Ethereum to Tornado Cash mixer"},"content":{"rendered":"<p>The KuCoin hacker used the Ethereum mixer Tornado Cash to obfuscate traces. The Block analyst Larry Cermak found that the attacker sent 11,520 ETH (~$4.8 million) to the service and, in batches of 100 ETH, mixed 2,800 ETH worth about $1.16 million.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">The KuCoin hacker started to mix his Ethereum through 100 ETH batches on Tornado cash. He has about $4.8 million in the wallet. So far sent about 2800 ETH to Tornado but will likely keep going until it\u2019s all in there. <a href=\"https:\/\/t.co\/U0MuNAgTPu\">pic.twitter.com\/U0MuNAgTPu<\/a><\/p>\n<p>\u2014 Larry Cermak (@lawmaster) <a href=\"https:\/\/twitter.com\/lawmaster\/status\/1319566340143878145?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<p>At the time of writing, that figure had risen to 3,000 ETH (~$1.25 million).<\/p>\n<p>The analyst expects all of the coins sent to meet the same fate. 
After transferring part of the stolen funds to Tornado Cash, the hacker\u2019s Ethereum address still holds 8,517 ETH (~$3.55 million).<\/p>\n<p>Cermak notes that this is the first time the hacker has used Tornado Cash from a public address.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">Ok, upon closer evaluation, this is not the first time the KuCoin hacker used Tornado cash. This is just the first time he did it from the public address and not from the side ones. Check here:<\/p>\n<p>1. <a href=\"https:\/\/t.co\/pCn2rpMGjT\">https:\/\/t.co\/pCn2rpMGjT<\/a><\/p>\n<p>2. <a href=\"https:\/\/t.co\/mS6sh6Z92U\">https:\/\/t.co\/mS6sh6Z92U<\/a><\/p>\n<p>3. <a href=\"https:\/\/t.co\/J5yqWNKU6C\">https:\/\/t.co\/J5yqWNKU6C<\/a><\/p>\n<p>\u2014 Larry Cermak (@lawmaster) <a href=\"https:\/\/twitter.com\/lawmaster\/status\/1319572129831129091?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<p>Researchers laid out the hacker\u2019s actions step by step:<\/p>\n<ul>\n<li>Steal ERC-20 tokens from KuCoin;<\/li>\n<li>Convert the tokens to ETH via Uniswap and Kyber Network;<\/li>\n<li>Disperse ETH across multiple addresses;<\/li>\n<li>Use Tornado Cash to mix them and then cash out into fiat.<\/li>\n<\/ul>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">What the hacker did:<\/p>\n<p>1. steal all ERC-20 tokens from KuCoin<\/p>\n<p>2. convert the permissionless ones to ETH using Uniswap (and sometimes Kyber)<\/p>\n<p>3. Disperse the ETH to multiple addresses<\/p>\n<p>4. 
Start using Tornado cash to mix the amounts and then likely cash-out<\/p>\n<p>\u2014 Larry Cermak (@lawmaster) <a href=\"https:\/\/twitter.com\/lawmaster\/status\/1319576489214513152?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<p>Developer Udi Wertheimer noted that the hacker\u2019s share could eventually amount to a third of the total pool in the mixer.<\/p>\n<p>Cermak says that, if the activity continues, the attacker will make law enforcement\u2019s work easier. He called it a &#8216;horrific&#8217; idea on the hacker\u2019s part.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Yep, very high likelihood of getting caught if he keeps going<\/p>\n<p>\u2014 Larry Cermak (@lawmaster) <a href=\"https:\/\/twitter.com\/lawmaster\/status\/1319568083321761792?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">If we look at the total amount of ETH in Tornado Cash pool, the KuCoin hacker could be as much as a third of all ETH there. Maybe already withdrew something but still. This is a terrible idea <a href=\"https:\/\/t.co\/eDxr43iqEp\">pic.twitter.com\/eDxr43iqEp<\/a><\/p>\n<p>\u2014 Larry Cermak (@lawmaster) <a href=\"https:\/\/twitter.com\/lawmaster\/status\/1319580528761241600?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<p>In comments, users noted that Tornado Cash has a regulatory-compliance function. 
Some argued that such actions could lead to increased pressure on mixer services.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">I was told by the torcash website that they have compliance<\/p>\n<p>\u2014 Ajit Tripathi (@chainyoda) <a href=\"https:\/\/twitter.com\/chainyoda\/status\/1319570220902715394?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">Regulators will now consider how to shut down, tornado cash front-end\u2026<\/p>\n<p>\u2014 Alpha Wolf (@Michaelklcp) <a href=\"https:\/\/twitter.com\/Michaelklcp\/status\/1319570883225280512?ref_src=twsrc%5Etfw\">October 23, 2020<\/a><\/p>\n<\/blockquote>\n<p>In May, Chainalysis analysts questioned Tornado Cash\u2019s privacy feature.<\/p>\n<p>In October, the founder of the cryptocurrency-mixing service Helix and the CEO of Coin Ninja <a href=\"https:\/\/u1f987.com\/en\/news\/fincen-imposes-first-ever-fine-on-bitcoin-mixer\">were fined<\/a> $60 million at FinCEN\u2019s request.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The KuCoin hacker used the Ethereum mixer Tornado Cash to obfuscate traces. 
The Block analyst Larry Cermak found that the attacker sent 11,520 ETH (~$4.8 million) to the service and, in batches of 100 ETH, mixed 2,800 ETH worth about $1.16 million.<\/p>\n","protected":false},"author":1,"featured_media":30609,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,46,1411,1256,1314],"class_list":["post-30608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-ethereum","tag-kucoin","tag-privacy-and-personal-data","tag-tornado-cash"],"aioseo_notices":[],"amp_enabled":true,"views":"27","promo_type":"1","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/30608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=30608"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/30608\/revisions"}],"predecessor-version":[{"id":30610,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/30608\/revisions\/30610"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/30609"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=30608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=30608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2
\/tags?post=30608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}