Cork Protocol exploiter launders stolen funds via Tornado Cash, donates 10 ETH to developers’ legal fund

The attacker(s) that exploited the Cork protocol for millions earlier this year has resurfaced to launder their loot and make a surprise donation.

On Wednesday, June 25, blockchain security firm PeckShield Alert flagged renewed activity from wallet addresses tied to exploiters of the decentralized finance platform Cork Protocol. The movements marked the first recorded from the hacker since draining roughly $12 million from the protocol in May.

The first transaction saw 1,410 ETH (ETH), worth around $3.2 million, sent to Tornado Cash, the infamous crypto mixing service commonly used by cyber attackers to obscure transaction trails. Shortly after, the attacker transferred an additional 3,110 ETH, bringing the total laundered to 4,520 ETH, approximately $11 million at current prices.

In a surprising twist, the attacker also sent a 10 ETH donation to a Juicebox campaign raising funds for the legal defense of Tornado Cash developers, Alexey Pertsev and Roman Storm. 

While the reason for the donation remains unclear, it comes as the developers face legal charges for the use of the mixer by cybercriminals and sanctioned entities. The platform has continued to be a go-to tool for laundering stolen crypto assets, especially in high-profile exploits.

The Cork Protocol attacker’s latest movements further complicate the platform’s ongoing efforts to recover the stolen funds. In a statement released earlier this month, Cork Protocol reassured users that it is still working toward asset recovery, but the transfer of funds to Tornado Cash may now further hinder those efforts.

How the Cork Protocol hack happened

The attack on Cork Protocol took place on May 28 around 11:39 UTC and targeted the platform’s wstETH:weETH market, leading to a loss of approximately 3,761 wrapped staked ETH (wstETH).

According to the Cork team, the attacker exploited two advanced loopholes in the protocol’s code to pull off the hack, and deployed a malicious hook that bypassed usual validation checks.

Upon draining the funds, decentralized exchange aggregator 1inch was used to swap the assets, making them harder to trace or recover.

Cork Protocol says it continues to work closely with security partners to address the fallout and tighten security measures to guard against similar attacks in the future.