The hacker is using Tornado Cash to obscure the origin and destination of the transferred ETH.
In a significant development, the exploiter behind the PancakeBunny flash loan attack, which shook the decentralized finance (DeFi) community in May 2021, has resurfaced. After a prolonged dormancy, the hacker transferred $2.9 million worth of Ether (ETH) using the privacy-centric protocol Tornado Cash.
Revisiting the PancakeBunny Hack
In May 2021, PancakeBunny, a prominent DeFi protocol on the Binance Smart Chain, fell victim to a devastating flash loan attack. The hacker exploited vulnerabilities within PancakeSwap to borrow a massive amount of Binance Coin (BNB). Subsequently, they manipulated the prices of BUNNY and BNB pairs, causing BUNNY’s value to plummet by 95%, from $150 to near zero in just half an hour.
The attack, which resulted in the loss of approximately 697,000 BUNNY tokens and 114,000 BNB tokens, severely impacted PancakeBunny’s market position and led to its eventual dissolution as a protocol and transition to a decentralized autonomous organization (DAO). Following the attack, the hacker’s wallet has remained dormant, until a recent resurgence of activity.
Three years after the infamous PancakeBunny hack, the hacker’s wallet sprang back to life on July 7, transferring 1,002 ETH, valued at approximately $2.9 million, to Tornado Cash. The hacker is using Tornado Cash to obscure the origin and destination of the transferred ETH. This privacy protocol effectively shields transactions, complicating efforts to trace and recover the stolen funds. The hacker is expected to initiate selling ETH in the near future, and still holds $11.4m in DAI.
On Sunday the @PancakeBunnyFin exploiter deposited 1002 ETH (~$2.9m) into @TornadoCash via 0xd0f2259e0bd71e849143bbc07f4e427bb6f7756b
Bunny Finance was exploited for ~$45m in May 2021
The exploiter still holds $11.4m DAI in 0x820C👇 pic.twitter.com/Jcc18Q1NIY
— CertiK Alert (@CertiKAlert) July 8, 2024
Tornado Cash Faces Legal Scrutiny
Tornado Cash is facing accusations of aiding illicit activities. Law enforcers in several jurisdictions allege that the protocol has been used to launder billions of shillings, including $275 million stolen from KuCoin by the North Korean government.
In May, Alexey Pertsev, cofounder of Tornado Cash, was convicted of money laundering by a Dutch court and sentenced to 64 months in prison. These developments highlight concerns about the potential misuse of privacy-focused protocols in facilitating criminal activities within the cryptocurrency industry.
Rise In Cryptocurrency Exploits
The cryptocurrency sector has experienced a troubling surge in exploits and thefts. Blockchain research firm TRM Labs reported that in the first half of 2024, global losses from crypto theft amounted to over $1.38 billion. This figure represents more than a double increase compared to the previous year’s total for the same period, highlighting a growing trend of cybercriminals targeting digital assets.
According to CertiK’s June report, the cryptocurrency sector faced substantial losses totaling approximately $198.3 million due to exploits, hacks, and scams, with only about $1.3 million recovered. This figure marks the second-highest monthly loss recorded in 2024. The breakdown includes approximately $4.8 million from exit scams, around $23.5 million from flash loans, and a significant $171.3 million from exploits.
next