$10 Million Phishing Attack: Hacker Transfers Stolen ETH to Tornado Cash
In a significant cybersecurity incident, a hacker has moved $10 million worth of Ether from a September 2023 phishing attack to cryptocurrency mixing service Tornado Cash, highlighting ongoing security challenges in the digital asset space.
Attack Details and Fund Movement
On March 21, blockchain security firm CertiK identified that an account linked to a major cryptocurrency theft had transferred 3,700 ETH to Tornado Cash. These funds were part of a larger $24 million theft that occurred through a sophisticated phishing attack on September 6, 2023.
The victim, described as a cryptocurrency "whale" (an individual holding substantial digital assets), lost their funds in a two-phase attack. Initially, 9,579 stETH was removed, followed by 4,851 rETH, both tokens representing staked Ethereum through the Rocket Pool liquid staking service.
Fund flow pattern after the hack:
Conversion of stolen assets into 13,785 ETH
Additional conversion of assets into 1.64 million DAI
Transfer of some DAI to the FixedFloat exchange
Distribution of remaining stolen funds across multiple wallets
Technical Analysis of the Breach
The attack succeeded through exploitation of token approval mechanisms. According to fraud detection project Scam Sniffer, the victim signed an "Increase Allowance" transaction, which granted the attacker's address an allowance to spend the victim's tokens on their behalf.
This exploitation leverages the standard ERC-20 allowance mechanism, which lets a third party spend tokens owned by someone else, but only after the owner has authorized it. In phishing scenarios, victims unknowingly grant this authorization through deceptive interfaces or transactions.
The incident has sparked significant discussion within cryptocurrency security circles regarding the risks of smart contract approvals, which can be abused for fraud in exactly this way.
Broader Security Landscape
Phishing attacks remain a persistent threat to cryptocurrency holders. A recent report from Scam Sniffer revealed that nearly $47 million was lost in February alone due to phishing-related schemes, with 78% occurring on the Ethereum network. ERC-20 tokens represented 86% of all stolen funds.
The cryptocurrency sector has seen several other significant security incidents recently:
On March 20, an outdated contract previously used by the Dolomite exchange was exploited, resulting in $1.8 million being drained from users who had granted consent to the contract.
That same day, the Layerswap team successfully prevented further damages after their website was compromised, though hackers still managed to steal approximately $100,000 from about 50 users. Layerswap has promised to refund affected users and provide additional compensation.
Security Implications for Digital Asset Holders
These incidents underscore the critical importance of vigilance when authorizing smart contract interactions and token approvals. The exploitation of token approval functions demonstrates how attackers can leverage legitimate blockchain features for malicious purposes.
Professional trading platforms and security experts recommend regular security audits of wallet permissions and token approvals. Users should periodically review and revoke unnecessary contract permissions to minimize attack surfaces.
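The check below is an added example (not from the article or any of the firms it cites): the pre-signature inspection a wallet or transaction-review tool could apply to the calldata of an `approve` or `increaseAllowance` request like the one the victim signed, combined with the allow-list check that supports the periodic review of permissions recommended above. The selectors and ABI layout are the standard ERC-20 ones; the spender addresses and amounts are constructed.

```python
# Added example (not the article's own material): decode ERC-20 approval
# calldata before it is signed and flag the patterns behind approval phishing.
# Selectors and word layout follow the standard ERC-20 ABI; the allow-list
# entries and the amounts used in the usage section are constructed.
from dataclasses import dataclass
from typing import List, Optional

UINT256_MAX = 2**256 - 1
# First 4 bytes of keccak256(signature), i.e. the standard ERC-20 selectors.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "39509351": "increaseAllowance",  # increaseAllowance(address spender, uint256 addedValue)
}
# Spenders the user has deliberately approved before (constructed allow-list).
KNOWN_SPENDERS = {"0x" + "11" * 20}


@dataclass
class ApprovalRequest:
    function: str
    spender: str
    amount: int
    resulting_allowance: int
    warnings: List[str]


def decode_approval(calldata: str, current_allowance: int = 0) -> Optional[ApprovalRequest]:
    """Return the decoded approval, or None if calldata is not an ERC-20 approval."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64:          # selector + two 32-byte ABI words
        return None
    fn = SELECTORS.get(data[:8])
    if fn is None:
        return None
    spender = "0x" + data[8 + 24:8 + 64]  # address = low 20 bytes of word 1
    amount = int(data[72:136], 16)        # uint256 = word 2
    # approve() replaces the allowance; increaseAllowance() adds to it.
    resulting = amount if fn == "approve" else current_allowance + amount
    warnings = []
    if resulting >= UINT256_MAX:
        warnings.append("unlimited allowance: spender can drain the entire balance")
    if spender not in KNOWN_SPENDERS:
        warnings.append("spender is not on the allow-list; verify before signing")
    if fn == "increaseAllowance" and current_allowance > 0:
        warnings.append("allowance is increased on top of an existing grant")
    return ApprovalRequest(fn, spender, amount, resulting, warnings)
```

A request that decodes with any warning should be shown to the user in full (spender, resulting allowance) rather than as a generic "confirm transaction" prompt; a request for an unknown spender with an unlimited amount is the exact shape of the phishing approval described above.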
As sophisticated phishing attempts continue to target cryptocurrency holders, collaboration between security firms, trading platforms, and users becomes increasingly vital to develop enhanced protection mechanisms and security protocols for the digital asset ecosystem.