4 million USD worth of Ethereum stolen! Hacker money laundering exposed in full, multi-signature mechanism compromised

MarketWhisper

Unleash Protocol disclosed on Tuesday that it suffered a loss of 1,337 ETH worth approximately $4 million. Peckshield and CertiK tracking show that hackers laundered funds through Tornado Cash, sending multiple 100 ETH transactions to mixing services. The attackers gained unauthorized control of the multi-signature governance system, possibly executing unapproved contract upgrades via social engineering to bypass checks and withdraw funds.

Tornado Cash Laundering Tracking Report

According to on-chain activity and reports from multiple security firms, hackers are attempting to launder money using the Tornado Cash protocol on Ethereum. Tornado Cash is a cryptocurrency mixing service that pools user funds to break the traceable link between source and destination, making it difficult for law enforcement to track the flow of funds.

Peckshield notes that the attacker appears to have sent many batches of 100 ETH to this popular crypto mixing service. This batch transfer strategy is typical of money laundering, because transferring a large sum at once is more likely to trigger monitoring systems. Splitting the 1,337 ETH into 13 to 14 transactions of 100 ETH each, spaced out over time, reduces the risk of immediate detection.
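From the monitoring side, the batching pattern described above can be detected by counting fixed-size deposits per sender inside a sliding time window. The following is an added example, not code from Peckshield, CertiK or Unleash; the addresses, timestamps, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed placeholders, not real on-chain addresses.
MIXER_POOL = "0xMIXER_100_ETH_POOL_PLACEHOLDER"
DENOMINATION = Decimal("100")   # deposit size reported in the article
WINDOW_SECONDS = 24 * 3600      # assumed review window
MIN_DEPOSITS = 5                # assumed alert threshold

def find_structured_deposits(transfers):
    """Map each flagged sender to (deposit count, total ETH) for the densest
    run of fixed-size mixer deposits that fits inside one window."""
    by_sender = defaultdict(list)
    for t in transfers:
        if t["to"] == MIXER_POOL and Decimal(t["eth"]) == DENOMINATION:
            by_sender[t["from"]].append(t["ts"])
    flagged = {}
    for sender, stamps in by_sender.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1          # slide the window forward
            best = max(best, end - start + 1)
        if best >= MIN_DEPOSITS:
            flagged[sender] = (best, DENOMINATION * best)
    return flagged

T0 = 1_700_000_000  # constructed base timestamp
SAMPLE_TRANSFERS = (
    # 13 deposits of 100 ETH, 30 minutes apart: the pattern described above
    [{"from": "0xSENDER_A", "to": MIXER_POOL, "eth": "100", "ts": T0 + i * 1800}
     for i in range(13)]
    # a single deposit: below the threshold
    + [{"from": "0xSENDER_B", "to": MIXER_POOL, "eth": "100", "ts": T0}]
    # five deposits two days apart: slow pacing stays under this window
    + [{"from": "0xSENDER_C", "to": MIXER_POOL, "eth": "100", "ts": T0 + i * 172800}
       for i in range(5)]
    # transfer to a non-mixer address: ignored
    + [{"from": "0xSENDER_A", "to": "0xOTHER_PLACEHOLDER", "eth": "37", "ts": T0}]
)

if __name__ == "__main__":
    for sender, (count, total) in find_structured_deposits(SAMPLE_TRANSFERS).items():
        print(f"{sender}: {count} x {DENOMINATION} ETH = {total} ETH to mixer")
```

The third sender shows the limit of a short window: deposits paced over days are missed, so a production rule would also track cumulative totals per address over a longer period.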

CertiK has begun flagging suspicious Wrapped ETH and IP token withdrawals, which are sent to an external account seemingly set up with SafeProxyFactory. This technical detail reveals the attacker’s expertise; SafeProxyFactory is a contract factory used to deploy new multi-signature wallets in Gnosis Safe (now Safe). The hacker used this tool to create temporary wallets to receive stolen funds, demonstrating a deep understanding of the Ethereum ecosystem.

Affected assets include WIP, USDC, WETH, stIP, and vIP, most of which have been bridged to Ethereum and sent to Tornado Cash. The bridging process itself complicates tracking, as assets cross multiple contracts and addresses, diluting traceability with each transfer. Once in Tornado Cash, funds are mixed with other users’ deposits, forming a “black box,” making it impossible to link input and output funds.

It’s noteworthy that Tornado Cash has been sanctioned by the U.S. Treasury since 2022; using the service itself is illegal. However, sanctions have not fully halted its operation because Tornado Cash is a decentralized smart contract protocol that cannot be shut down like centralized services. The fact that hackers are willing to risk legal repercussions by using Tornado Cash indicates their awareness of tracking techniques.

How Multi-Signature Governance Systems Can Be Compromised

Earlier Tuesday, Unleash disclosed a security breach. The project has suspended operations and begun forensic analysis. The attack appears to have originated from a breach of the multi-signature mechanism. Unleash posted on X: “Our preliminary investigation indicates that an externally owned address gained control through Unleash’s multi-signature governance and performed an unauthorized contract upgrade.”

In other words, the attacker gained management control over Unleash Protocol’s governance system without authorization, possibly through phishing-style social engineering or other security vulnerabilities, which let them execute upgrades that bypassed normal checks and extract user funds. Such attack patterns are not uncommon in DeFi, but a successful breach of a multi-signature mechanism raises serious concerns.

Multi-signature wallets are a common asset protection mechanism in DeFi protocols. They require multiple private keys to sign transactions, theoretically preventing a single compromised key from stealing funds. However, this attack shows that multi-signature systems are not foolproof.

Three Possible Failures of Multi-Signature Mechanisms

Social Engineering Attacks: Hackers trick multiple signers via phishing emails or fake messages to leak private keys

Insider Malfeasance: Internal personnel holding multi-signature keys collude or are bribed to cooperate with hackers

Contract Exploits: Vulnerabilities in the multi-signature contract code itself allow attackers to bypass signing requirements

Unleash’s statement emphasizes that the “externally owned address” gained control, implying this may not be an insider threat but an external attacker who obtained sufficient signing authority through technical or social engineering means. The unauthorized upgrade allowed asset extraction outside of Unleash’s governance and operational procedures, indicating the attacker had full administrative control.
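A defender can watch for the sequence described above (signer changes followed by an unapproved upgrade) by reviewing decoded governance events against a change-management record. The following is an added example, not Unleash's code: it assumes a Safe-style multisig (events `AddedOwner`, `RemovedOwner`, `ChangedThreshold`) and an EIP-1967-style proxy (`Upgraded` event), which the article does not confirm for Unleash, and all addresses, block numbers and thresholds are constructed.

```python
# Constructed baseline that a team would keep in its change-management record.
EXPECTED_SIGNERS = {"0xSIGNER_1", "0xSIGNER_2", "0xSIGNER_3"}
APPROVED_IMPLS = {"0xIMPL_V2_APPROVED"}
MIN_THRESHOLD = 2
CORRELATION_BLOCKS = 7200   # assumed: about one day at 12-second blocks

def review_governance_events(events):
    """Return (block, severity, message) alerts for decoded event dicts."""
    alerts = []
    last_signer_change = None
    for ev in sorted(events, key=lambda e: e["block"]):
        name, block = ev["event"], ev["block"]
        if name == "AddedOwner" and ev["owner"] not in EXPECTED_SIGNERS:
            alerts.append((block, "HIGH", f"unknown signer added: {ev['owner']}"))
            last_signer_change = block
        elif name == "RemovedOwner" and ev["owner"] in EXPECTED_SIGNERS:
            alerts.append((block, "MEDIUM", f"expected signer removed: {ev['owner']}"))
            last_signer_change = block
        elif name == "ChangedThreshold" and ev["threshold"] < MIN_THRESHOLD:
            alerts.append((block, "HIGH", f"threshold lowered to {ev['threshold']}"))
            last_signer_change = block
        elif name == "Upgraded" and ev["implementation"] not in APPROVED_IMPLS:
            # An unapproved upgrade soon after a signer change is the worst case.
            recent = (last_signer_change is not None
                      and block - last_signer_change <= CORRELATION_BLOCKS)
            severity = "CRITICAL" if recent else "HIGH"
            alerts.append((block, severity,
                           f"unapproved implementation: {ev['implementation']}"))
    return alerts

# Constructed event stream: one approved upgrade, then a takeover-like sequence.
SAMPLE_EVENTS = [
    {"block": 100, "event": "Upgraded", "implementation": "0xIMPL_V2_APPROVED"},
    {"block": 5000, "event": "AddedOwner", "owner": "0xUNKNOWN_EOA"},
    {"block": 5010, "event": "ChangedThreshold", "threshold": 1},
    {"block": 5020, "event": "Upgraded", "implementation": "0xIMPL_UNREVIEWED"},
]

if __name__ == "__main__":
    for block, severity, message in review_governance_events(SAMPLE_EVENTS):
        print(f"[{severity}] block {block}: {message}")
```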

Story Protocol Ecosystem Security Warning

Unleash states: “This incident stems from the governance and permission framework of the Unleash protocol,” adding that “the impact appears limited to specific Unleash contracts and management controls,” and “there is no evidence that the Story Protocol contracts, validators, or underlying infrastructure have been compromised.” This statement aims to confine the damage scope to Unleash itself, avoiding broader implications for the entire Story Protocol ecosystem.

Unleash is one of many prominent applications built on Story Protocol. Story Protocol is a relatively new Layer 1 protocol focused on tokenizing intellectual property rights. The project’s backer, PIP Labs, has raised $140 million from top-tier investors. If this laundering incident raises concerns about the security of the Story Protocol ecosystem, it could impact other applications built on the protocol and the overall valuation.

The Unleash team has warned users not to interact with the protocol and promised to share updates once reliable information is available regarding the attack and potential remedies. Pausing protocol operations is a standard response to prevent further exploitation, but it also temporarily restricts legitimate users from accessing their assets.

From a broader perspective, this laundering event exposes the governance risks inherent in DeFi protocols. While multi-signature mechanisms are safer than single signatures, they still rely on human operation, which is the most vulnerable link. As DeFi’s locked value continues to grow, attacks targeting governance systems may become more frequent and sophisticated.
