- Hacker drains $4M from Unleash, launders through Tornado Cash.
- Multisig breach enables attacker to steal and launder assets.
- Unleash pauses operations, launches forensic probe into the hack.
A devastating security breach at the Unleash Protocol has led to the theft of nearly $4 million in digital assets. According to on-chain analysis and several security companies, a hacker drained the funds and laundered them through the Tornado Cash mixing service on the Ethereum blockchain.
The attack, confirmed by Unleash, was made possible by a breached multisig wallet, which gave an outside actor unauthorised administrative control of the protocol's governance system. It is assumed that the attacker exploited a vulnerability, possibly through phishing or another security breach, to carry out an unauthorised contract upgrade. This upgrade bypassed the regular approval procedures, which allowed the hacker to access user funds.
Attack Highlights Serious Vulnerabilities in Governance System
Wrapped ETH (WETH), USDC and WIP tokens are among the assets stolen in the attack and bridged to Ethereum. The hacker then transferred the stolen funds to Tornado Cash in multiple batches of 100 ETH, hoping to cover their tracks and complicate tracing of the stolen money. This has made it much more difficult to recover the funds.
Unleash Protocol Incident Notice
— Unleash Protocol (꧁IP OS꧂) (@UnleashProtocol) December 30, 2025
Earlier today, we detected unauthorized activity involving Unleash Protocol smart contracts, which led to the withdrawal and transfer of user funds.
Our initial investigation indicates that an externally owned address gained administrative…
PeckShield, a blockchain security company, followed the trail of the funds through Tornado Cash and stated that the attempt to hide the audit trail was coordinated. Unleash has since paused operations, and the team has begun a forensic investigation to determine the extent of the attack.
Unleash Responds and Calls for User Caution
Unleash has also encouraged its users to refrain from using the site in the meantime. Although the attack was restricted to the administrative controls of the Unleash Protocol, the team gave assurances that no other protocol, such as the Story Protocol, was compromised.
The incident points to a significant weakness in the governance system of the platform, specifically in its multisig wallet implementation. That a hacker could bypass the standard checks and withdraw the money highlights the vulnerability of Unleash's security architecture, raising questions about whether multisig systems can be trusted to protect valuable digital assets.
Unleash plans to update users with more information as it becomes available, and advises them to remain cautious as the situation develops.