27 February 2024

Tornado Cash users’ funds at risk due to malicious code


Deposits made to Tornado Cash, a widely used crypto privacy tool also favored by hackers, may be at risk after malicious code was inserted into some versions of its user interface.

Tornado Cash is a decentralized privacy protocol on the Ethereum blockchain: a non-custodial cryptocurrency mixer that lets users deposit from one address and withdraw to another without an on-chain link between the two.

The breach came to light through a Medium post by a community member known as Gas404. The attack appears to have been carried out by someone posing as a Tornado Cash developer, who embedded malicious JavaScript in the project's user interface. The code quietly captured users' private deposit notes and transmitted them to an external server. A deposit note is the secret generated when a deposit is made and the only credential needed to withdraw that deposit, so anyone who obtains it can drain the funds.

The notes were encoded and sent to the attacker's server disguised as routine function calls, so the leak happened, without the user noticing, whenever specific functions of the interface were used.

The attack primarily affected users who reached Tornado Cash through public IPFS gateways such as ipfs.io and cf-ipfs.com, which serve the interface from the decentralized storage network where it is hosted. The malicious change was hidden within a governance proposal, which made it hard for ordinary users to spot; once deployed, the code sent users' deposit information to a server controlled by the attacker.

All copies of the Tornado Cash front end published to IPFS since January 1, 2024, are believed to be affected. Because the note alone is enough to withdraw a deposit, any deposit made through an affected interface should be treated as exposed.

In August 2022, the US Treasury sanctioned Tornado Cash for its role in laundering funds for North Korean hackers. Although the service's original website was taken offline, its open-source code remained available, and new mixing services have since been built on the same framework.
