A warning about possible risks has been issued by the creators of Tornado Cash for crypto investors who have made deposits through IPFS gateways between January 1st and February 24th.
Specifically, developers suspect that a malicious individual may have exposed Tornado Cash deposits during this time interval, redirecting them to a server under their control.
Let’s see below all the details.
Risks for funds deposited in the new year: the crypto warning from Tornado Cash
As anticipated, the developers of Tornado Cash, a crypto mixer based on smart contracts, have issued a warning of possible scam for users who have made deposits through the IPFS financial services company’s gateways starting from January 1st.
According to developers, the deposit information of these users may have been exposed to a “malicious JavaScript code”.
It is suspected that an exploiter leaked the deposits of Tornado Cash during this period on a server under their control.
In a post on Medium, which confirms the presence of the code, developers revealed that it had been hidden by the governance proposal presented by Butterfly Effects, a developer from the Tornado Cash community.
However, developers specify that the leak of deposits seemed to only concern the IPFS distributions of Tornado Cash.
For those who have interacted with the contract using local interfaces, the situation is declared safe, as changes to commits can be “easily verified,” according to the post on Medium.
Meanwhile, developers have described how the exploiter used the code to steal funds from at least one depositor:
“The above function encodes private deposit notes so that they are displayed as call data and hides the window.fetch function to avoid being detected as a function that discloses deposit information to an exploiter’s personal server.”
To prevent future similar attacks, developers have advised depositors to use a recommended and previously used IPFS contextual hash distribution.
Furthermore, they have invited TORN token holders to oppose any proposal also used by the exploiter.
GoFundMe suspends fundraising for Tornado Cash legal defense
The US crowdfunding platform GoFundMe has recently stopped the fundraising campaign for the legal defense of Roman Storm and Alexey Pertsev, co-founder and developer of Tornado Cash.
The decision was made on February 14, citing a violation of the terms of service and the potential exposure to damages or liability.
The fundraising campaign, started after an appeal by Storm for financial support against accusations of facilitating sanctions evasion through their service, had already raised $30,000 out of a goal of $1.5 million.
Ryan Adams from Bankless Ventures, one of the contributors, announced his intention to redirect his $10,000 donation to Storm through cryptocurrency.
Despite the suspension on GoFundMe, the campaign continued on JuiceBox, a cryptocurrency funding platform, accumulating 316.75 Ether.
This has raised debates on the coherence of GoFundMe’s policies, considering that the platform has allowed similar campaigns in the past.
Storm and Pertsev face various federal charges, including conspiracy to commit money laundering, violation of sanctions, and operating an unlicensed money transfer business.
Even though they maintain their innocence, Storm, released on a $2 million bail, is confined to specific states in the United States awaiting trial.
The NSA informant Edward Snowden has expressed his support for Storm, highlighting the importance of privacy and fair legal defense on social media.
This has brought further attention to the case, especially in light of Tornado Cash’s involvement in laundering over half a billion dollars in 2023, despite US sanctions in 2022.
The mixer was connected to the Lazarus group, affiliated with North Korea, and recorded a significant decrease in transaction volume after the restrictive measures of 2023.