Tornado Cash, a service that allows users to mask cryptocurrency transactions, suffered a hostile takeover by hackers through a malicious governance proposal.
Samczsun, a security researcher at crypto investment firm Paradigm, said on Twitter that an attacker granted themselves 1.2 million fake votes on Saturday. Because the fake votes exceeded the 700,000 legitimate votes, the attacker gained full control over the governance of Tornado Cash.
Tornado Cash couldn’t immediately be reached for comment via its Twitter page.
Tornado Cash is a blockchain protocol that is governed by a network of computers. TORN, the governance token of Tornado Cash, enables its holders to vote for changes in the protocol.
“Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all,” Samczsun said in a tweet.
Soon after news of the exploit broke, crypto exchange Binance said that it would temporarily pause deposits of TORN. The token fell as much as 44% on Sunday, data from CoinGecko showed.
Tornado Cash is allegedly the preferred tool for hackers and criminals to launder stolen or illicitly acquired funds. Data from Dune Analytics showed over $8 billion had been sent through Tornado Cash since the service started in 2019.
The US Treasury Department imposed sanctions on Tornado Cash in August after saying the service was used by North Korean hackers to launder illicit gains. North Korea’s Lazarus Group laundered about $450 million through the service, a Treasury official said then.