Hackers Launder $27 Million Stolen in Penpie Protocol Cyberattack via Tornado.cash, THORChain and Exch exchange
In a sophisticated hack that took place on September 3, 2024, a vulnerability in the smart contracts of the Penpie protocol was exploited, resulting in the theft of more than $27 million. Penpie, a yield protocol on Pendle designed to maximize rewards for its users, became the target of a well-coordinated attack.
The Hack and Initial Movements
The hacker, upon discovering the vulnerability, successfully drained the funds from the Penpie protocol. Shortly after, the stolen funds were distributed across seven addresses.
In an attempt to obfuscate the trail, the hacker funneled the stolen funds through the privacy-focused cryptocurrency mixing service Tornado.cash. As in many such cases, tracing the funds through Tornado.cash presented significant challenges because mixing breaks the transaction chain. However, using advanced techniques, analysts at Match Systems were able to identify probable destinations for some of the laundered funds.
THORChain and BTC Consolidation
After passing through Tornado.cash, the bulk of the stolen assets, amounting to 4,879 ETH, was traced to the THORChain cryptocurrency bridge. From there, the funds were converted and consolidated into BTC tokens. These funds were distributed across various "collector" addresses in parts of 4 or 8 BTC totaling 188 BTC (some of the funds were mixed with funds from other hacks).
Additional Fund Movements
While the majority of the stolen funds were routed through THORChain, a smaller portion, approximately 4,082 ETH, was sent to the Exch exchange. This portion remains under investigation. The rest of the assets were spread across several dozen addresses post-mixing.
The Complex Web of Crypto Laundering
This attack highlights the increasingly sophisticated methods hackers are employing to steal and launder funds through decentralized platforms. Tornado.cash and cross-chain bridges like THORChain have become key tools in obscuring the origins of illicit funds, making it difficult for law enforcement and blockchain analysts to trace the full flow of the stolen assets.
The Penpie attack is a prime example of the ongoing battle between cybercriminals and cybersecurity professionals. While the use of mixers creates significant barriers to tracking, advanced demixing techniques and blockchain analysis tools have made it possible to re-establish some of the transactional links.
Match Systems, a leader in cybersecurity, has been actively involved in this case, leveraging cutting-edge technologies to trace the stolen assets, even though the results remain probabilistic rather than definitive.
This attack serves as a stark reminder that as the world of decentralized finance (DeFi) continues to grow, so too will the sophistication of those seeking to exploit vulnerabilities within it.
The simplified visualization of the movement of funds