The perpetrator behind the Cork Protocol hack has laundered approximately $11 million worth of stolen Ethereum through privacy mixer Tornado Cash, marking the first major movement of funds since the initial $12 million theft in May.
In an unexpected development, the attacker also donated 10 ETH to a legal defense fund supporting Tornado Cash developers Alexey Pertsev and Roman Storm, both currently facing regulatory investigations related to the platform.
The hack that enabled the theft occurred on May 28 through exploitation of Cork Protocol’s wstETH:weETH market. The attacker utilized a malicious hook to manipulate transactions, ultimately extracting 3,761 wrapped staked Ethereum (wstETH) in a sophisticated attack vector.
This incident highlights persistent vulnerabilities within decentralized finance ecosystems, particularly the ongoing misuse of privacy tools for laundering stolen assets. It also amplifies the tension between privacy-preserving technologies and regulatory compliance frameworks.
The case underscores critical security challenges facing DeFi protocols and raises questions about accountability mechanisms for blockchain-based privacy services within evolving regulatory landscapes.