Hackers used Tornado Cash, an Ethereum mixer, to launder 4,600 ETH coins worth $15 million stolen from a Singapore-based cryptocurrency exchange, according to a security consultant who made the discovery.

A cryptocurrency mixer or tumbler is a service that mixes different streams of potentially identifiable cryptocurrency, making the transactions more anonymous and harder to trace. The crypto owner transfers the money to the mixing service, which mixes it with currency from other users and transfers the mixed currency to the desired address, meaning there is no connection between the original transaction and this address.

Crypto mixers are often used to launder the proceeds of organized crime, though some people believe that they are also used to protect the privacy of activists or other people who are politically vulnerable.

Tornado cash is an Ethereum mixer protocol, which launched in early 2020 and promises to improve transaction privacy by obscuring the on-chain link between the source and recipient of ether.

Peck Shield, a security consultancy, was the first to spot the anomaly in on-chain data and indicated that the 4,600 ether were being sent through the mixer in batches of 100 ether.

The issues came to light when users began reporting that their funds were missing, even those with two-factor authorization enabled.

Singapore crypto exchange Crypto.com stopped all withdrawals from the platform and forced users to rest their two-factor authentication after “unauthorized activity” was detected online. However, CEO Kris Marszalek insisted that all funds were “safe,” not acknowledging that the company had been hacked.

Some thoughts from me on the last 24 hours:

– no customer funds were lost
– the downtime of withdrawal infra was ~14 hours
– our team has hardened the infrastructure in response to the incident

We will share a full post mortem after the internal investigation is completed.

— Kris | Crypto.com (@Kris_HK) January 18, 2022

The company became the latest crypto exchange to be hit by online thieves after users reported that Ethereum and other cryptocurrencies were wiped from their accounts. All customers have been reimbursed, according to Marszalek.

“Obviously, it’s a great lesson and we are continuously strengthening our infrastructure. Given the scale of the business, these numbers are not particularly material and customer funds were not at risk,” said Marszalek.

The U.S. Financial Crimes Enforcement Network (FinCEN) said that mixers like Tornado Cash may fall under the definition of a money transmitter, and therefore have “obligations” set by the Bank Secrecy Act (BSA), according to a previous statement to CoinDesk.

Other crypto mixers have been shut down in recent years. For example, Bestmixer suspended its work in 2019 after a visit by European police and Helix was shut down by the FBI in 2021 for laundering darknet funds.

Crypto.com has seen its profile rise through a series of expensive sponsorship deals involving Formula One, European football teams and stadium naming rights. This is hardly the kind of PR the company needs.

The @cryptocom loss is about $15M with at least 4.6K ETHs and half of them are currently being washed via @TornadoCash https://t.co/PUl6IrB3cp https://t.co/6SVKvk8PLf pic.twitter.com/XN9nmT857j

— PeckShield Inc. (@peckshield) January 18, 2022

Photo: mdesigner125 / iStock 

Listen to GHOGH with Jamarlin Martin | Episode 74: Jamarlin Martin Jamarlin returns for a new season of the GHOGH podcast to discuss Bitcoin, bubbles, and Biden. He talks about the risk factors for Bitcoin as an investment asset including origin risk, speculative market structure, regulatory, and environment. Are broader financial markets in a massive speculative bubble?