Cryptohack Roundup: Tornado Cash, Privacy Pools

Also: Web3's August Losses, Stake, Binance
Cryptohack Roundup: Tornado Cash, Privacy Pools
Image: Shutterstock

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, Tornado Cash's co-founder reportedly pleaded not guilty to all charges, Vitalik Buterin and others published a law-abiding alternative to the sanctioned mixer, a report says hackers stole over $23 million in August, Stake resumed operations after a multimillion-dollar hack, Binance is set to delist privacy coins in Belgium, and a U.S. judge has made new orders against Celsius CEO Alex Mashinsky.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Tornado Cash

Tornado Cash co-founder Roman Storm pleaded not guilty to charges of money laundering, U.S. sanctions violations and operating an unlicensed money transmitting business, Inner City Press reported. His alleged co-conspirator and mixer co-founder Roman Semenov, who was also accused of facilitating North Korean hackers in laundering stolen funds on the platform, is at large. Tornado developer Alexey Pertsev, who was arrested in 2022 on similar charges, was released from jail in April and is currently under house arrest, awaiting trial.

Privacy Pools

A new research paper proposes an alternative to Tornado Cash called Privacy Pools that would give users financial privacy while being compliant with regulations. The paper is co-authored by Ethereum co-founder Vitalik Buterin, developer Ameen Soleimani, researcher Jacob Illum from Chainalysis, and academics Matthias Nadler and Fabian Schar. They describe the protocol as "a novel smart contract-based privacy-enhancing protocol" that uses zero-knowledge proofs to determine if the funds on the platform originated from lawful sources without revealing the complete transaction history, filtering transactions linked to illicit activities.

Web3 August Losses

Hackers stole $23.4 million in August, and Coinbase-incubated Base network, Ethereum and BNB Chain accounted for 62% of all chain losses in the month, bug bounty platform Immunefi said. Hacks made up nearly $15.8 million of the August total, while fraud accounted for $7.6 million. Decentralized finance became the primary target, and centralized finance steered clear of "major exploits." So far in 2023, Web3 companies have suffered a total loss of $1.25 billion across 211 cybersecurity and fraud incidents, the report said.


Crypto betting platform Stake said it had resumed transactions on its platform five hours after hackers pilfered millions of dollars from it on Monday. The company did not detail the cause of the exploit or how much was stolen, but said that user funds remained safe. Blockchain security firm Beosin estimated the theft amount to be $41.35 million.

The FBI attributed the theft to North Korean state hackers known as the Lazarus Group.*


Binance is set to delist privacy coins in Belgium on Sept. 21, months after it halted trading of the tokens in France, Italy, Poland and Spain. The delisted coins include Monero, MobileCoin, Firo and Horizen. The company confirmed the move to The Block. Privacy coins anonymize transactions, making it harder to track the source and destination of funds, as well as the transaction value - a feature that makes the coins attractive for hackers looking to launder stolen funds.

Celsius Network

A federal judge on Tuesday ordered that law enforcement freeze bank accounts and property connected to Alex Mashinsky, co-founder of bankrupt crypto firm Celsius Network. District Judge John G. Koeltl of the U.S. District Court for the Southern District of New York said the Department of Justice could freeze the former CEO's accounts at Goldman Sachs and Merrill Lynch under the names of holding companies as well as accounts at First Republic Securities, SoFi Bank and SoFi Securities under his own name. Also included in the order is a house in Austin, Texas, which has been for sale since July 2022, around the time the company filed for bankruptcy. The company is no longer allowed to do business in the United States following separate actions by the Federal Trade Commission and the Securities and Exchange Commission in July.

*Update Sept. 7, 2023 20:02 UTC: Adds FBI attribution of theft to the Lazarus Group.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.