Another Suspect in Ethereum’s DAO Hack Emerges, Putting Coin Mixing Under Question
A prominent crypto journalist has published a remarkable j’accuse article claiming to unmask the person behind the 2016 hack on The DAO, which saw a raider make off with ETH 3.6m, now worth over USD 9.4bn. Possibly more important, the article calls the popular coin mixing technology into question.
Writing for Forbes, Laura Shin explained that her research, in conjunction with that of the blockchain analytics firm Chainalysis, had traced the hack to the Austrian programmer Toby Hoenisch, the co-founder of the now-defunct TenX payments platform, one of the top 10 ICOs of 2017, which was turned into Mimo Capital.
Cryptonews.com has contacted Hoenisch with a request for comment.
“After being sent a document detailing the evidence pointing to him as the hacker, Hoenisch wrote in an email, ‘Your statement and conclusion is factually inaccurate.’ In that email, Hoenisch offered to provide details refuting our findings—but never answered my repeated follow-up messages to him asking for those details,” Shin wrote.
In her article, Shin explained how Chainalysis data had traced a “presumed attacker” who had “sent bitcoin (BTC) 50 to a Wasabi Wallet address.” The wallet makes use of “mixing” technology that aims to anonymize transactions by mixing numerous blockchain movements together at once in a CoinJoin.
She claimed that “using a capability” that was “being disclosed here for the first time,” Chainalysis had “de-mixed the Wasabi transactions and tracked their output to four exchanges.”
For some notable observers, the fact that Chainalysis appears to have developed the ability to de-mix Wasabi transactions was a major revelation with potentially significant consequences for the entire sector.
the wording here isn’t very revealing
there’s no doubt that *some* (perhaps most) wasabi transactions – and coinjoins in general – can be trivially demixed
the real question is, can they demix txs employing known best practices — Udi Wertheimer (@udiWertheimer) February 22, 2022
Shin continued, explaining that “an employee at one of the exchanges confirmed to one of my sources that the funds were swapped for” a privacy coin named grin (GRIN) – and then withdrawn to a Grin blockchain node called grin.toby.ai.
Further, she added:
“The IP address for that node also hosted Bitcoin Lightning nodes: ln.toby.ai, lnd.ln.toby.ai, etc., and was consistent for over a year; it was not a VPN.”
The hosting of the node was traced to Amazon Singapore, while “Lightning explorer 1ML showed a node at that IP called TenX.”
Shin also claimed that the email address used on the same exchange account ended in “@toby.ai.”
She added that “in May 2016, as it was finishing up its historic fundraise, Hoenisch was intensely interested in The DAO” – and had even “trolled” the Ethereum co-creator Vitalik Buterin “by retweeting something Buterin had said before The DAO was attacked” on the morning after the hack.
In discussing the alleged attacker and his possible motives for the raid, Shin claimed that insiders thought Hoenisch could have “instead remedied the situation” by exposing network flaws and later returning the ETH.
She noted that in a 2016 blog post, Hoenisch had written, “I’m a white hat hacker by heart.” This, she wrote, was just 20 days before the DAO attack.
Chainalysis also toasted the report – and the nods to its new investigative methods – in a Twitter post.
Congrats to @laurashin on her new book & reporting into the alleged hacker behind the 2016 DAO attack. This is yet another example of evidence preserved on the blockchain forever. Confirming we helped trace funds despite the attacker's attempts to cover his tracks w/ mixers https://t.co/hKqyi2DkAj — Chainalysis (@chainalysis) February 22, 2022
There was further sleuthing from crypto community members on Twitter – including a confirmation from the Cake DeFi boss Julian Hosp, another co-founder of TenX, who “confirmed” that Hoenisch had sent him a “tip […] to short ETH once the DAO crowdfunding ended.”
But some warned about the dangers of pointing the finger – and claimed that legal action could well follow.
At some point it has to become libel.
Even if one in five is the guy, the other 4 have reputation damage
The old adage of "he didn't want to talk to so he had to be the guy" doesn't work in anything but made for TV movies — IamNomad (@IamNomad) February 22, 2022
Many will be thinking through @laurashin's excellent investigative work for some time. Two upsides include:
1. Renewed focus on building privacy tools that work.
2. Recent market entrants remembering (or learning for the first time) the DAO, its blowup, and what it showed. — Andrew M. Bailey (@resistancemoney) February 22, 2022
Good article. I have no idea how accurate it is, but it seems more than plausible. Also worth noting the evidence was generated years after the hack. https://t.co/QBHCujN7HR — Rick Dudley (afdudley.eth) (@AFDudley0) February 22, 2022
And apparently a huge thanks to the anonymous exchange employee who revealed the IP address of their client 😉 — Alex Van de Sande (avsa.eth) (@avsa) February 22, 2022
yes though it is quite hard for a bystander to tell if some or any of the claimed links would pass legal proof standards, as there are lots of third party claims. if the evidence were good, then why not tell interpol (quietly)? — Adam Back (@adam3us) February 22, 2022
I agree and curious if there is data to study or if authorities can confirm this. I have run into media claims before that were based on forensics claims that were claims/conjectures but without proof. Curious to learn more. https://t.co/yUH5vPkERZ — Gabor Gurbacs (@gaborgurbacs) February 22, 2022
Yup. Wasabi coin joins are dead.
Only privacy is a cryptographically proven method, like ZCash or Tornado. And even the latter is iffy because the pool size is very limited (and many nodes are likely honeypots) https://t.co/BCHhqYKPm3 — Alex Van de Sande (avsa.eth) (@avsa) February 22, 2022