4 million USD worth of Ethereum stolen! Hacker money laundering exposed in full, multi-signature mechanism compromised

Unleash Protocol disclosed on Tuesday that it suffered a loss of 1,337 ETH worth approximately $4 million. Peckshield and CertiK tracking show that hackers laundered funds through Tornado Cash, sending multiple 100 ETH transactions to mixing services. The attackers gained unauthorized control of the multi-signature governance system, possibly executing unapproved contract upgrades via social engineering to bypass checks and withdraw funds.

Tornado Cash Laundering Tracking Report

According to on-chain activity and reports from multiple security firms, hackers are attempting to launder money using the Tornado Cash protocol on Ethereum. Tornado Cash is a cryptocurrency mixing service that pools user funds to break the traceable link between source and destination, making it difficult for law enforcement to track the flow of funds.

Peckshield notes that the attacker appears to have sent many 100 ETH blocks to this popular crypto mixing service. This batch transfer strategy is typical of money laundering, as transferring large sums at once is more likely to trigger monitoring systems. Splitting the 1,337 ETH into 13 to 14 transactions of 100 ETH each, spaced out over time, reduces the risk of immediate detection.

CertiK has begun flagging suspicious Wrapped ETH and IP token withdrawals, which are sent to an external account seemingly set up with SafeProxyFactory. This technical detail reveals the attacker’s expertise; SafeProxyFactory is a contract factory used to deploy new multi-signature wallets in Gnosis Safe (now Safe). The hacker used this tool to create temporary wallets to receive stolen funds, demonstrating a deep understanding of the Ethereum ecosystem.

Affected assets include WIP, USDC, WETH, stIP, and vIP, most of which have been bridged to Ethereum and sent to Tornado Cash. The bridging process itself complicates tracking, as assets cross multiple contracts and addresses, diluting traceability with each transfer. Once in Tornado Cash, funds are mixed with other users’ deposits, forming a “black box,” making it impossible to link input and output funds.

It’s noteworthy that Tornado Cash has been sanctioned by the U.S. Treasury since 2022; using the service itself is illegal. However, sanctions have not fully halted its operation because Tornado Cash is a decentralized smart contract protocol that cannot be shut down like centralized services. The fact that hackers are willing to risk legal repercussions by using Tornado Cash indicates their awareness of tracking techniques.

How Multi-Signature Governance Systems Can Be Compromised

Earlier Tuesday, Unleash disclosed a security breach. The project has suspended operations and begun forensic analysis. The attack appears to have originated from a breach of the multi-signature mechanism. Unleash posted on X: “Our preliminary investigation indicates that an externally owned address gained control through Unleash’s multi-signature governance and performed an unauthorized contract upgrade.”

In other words, the attacker gained management control over Unleash Protocol’s governance system without authorization, possibly through social engineering phishing or other security vulnerabilities, enabling them to execute upgrades bypassing normal checks and extract user funds. Such attack patterns are not uncommon in DeFi, but successfully breaching multi-signature mechanisms raises serious concerns.

Multi-signature wallets are a common asset protection mechanism in DeFi protocols. They require multiple private keys to sign transactions, theoretically preventing a single compromised key from stealing funds. However, this attack shows that multi-signature systems are not foolproof.

Three Possible Failures of Multi-Signature Mechanisms

Social Engineering Attacks: Hackers trick multiple signers via phishing emails or fake messages to leak private keys

Insider Malfeasance: Internal personnel holding multi-signature keys collude or are bribed to cooperate with hackers

Contract Exploits: Vulnerabilities in the multi-signature contract code itself allow attackers to bypass signing requirements

Unleash’s statement emphasizes that the “externally owned address” gained control, implying this may not be an insider threat but an external attacker who obtained sufficient signing authority through technical or social engineering means. The unauthorized upgrade allowed asset extraction outside of Unleash’s governance and operational procedures, indicating the attacker had full administrative control.

Story Protocol Ecosystem Security Warning

Unleash states: “This incident stems from the governance and permission framework of the Unleash protocol,” adding that “the impact appears limited to specific Unleash contracts and management controls,” and “there is no evidence that the Story Protocol contracts, validators, or underlying infrastructure have been compromised.” This statement aims to confine the damage scope to Unleash itself, avoiding broader implications for the entire Story Protocol ecosystem.

Unleash is one of many prominent applications built on Story Protocol. Story Protocol is a relatively new Layer 1 protocol focused on tokenizing intellectual property rights. The project’s backer, PIP Labs, has raised $140 million from top-tier investors. If this laundering incident raises concerns about the security of the Story Protocol ecosystem, it could impact other applications built on the protocol and the overall valuation.

The Unleash team has warned users not to interact with the protocol and promised to share updates once reliable information is available regarding the attack and potential remedies. Pausing protocol operations is a standard response to prevent further exploitation, but it also temporarily restricts legitimate users from accessing their assets.

From a broader perspective, this laundering event exposes the governance risks inherent in DeFi protocols. While multi-signature mechanisms are safer than single signatures, they still rely on human operation, which is the most vulnerable link. As DeFi’s locked value continues to grow, attacks targeting governance systems may become more frequent and sophisticated.