A backdoor was discovered in the IPFS version of Tornado Cash, a popular cryptocurrency mixer. Researcher Gas404 brought attention to it. After Tornado Cash shut down, its source code was used to create new darknet mixers.
The backdoor was implanted in a governance proposal submitted by one of the developers on January 1. It went undetected for almost two months after being voted on. Using the backdoor, the attacker was able to redirect copies of deposit certificates to a third-party server.
These certificates serve as private keys for assets deposited into the mixer and can be used to access the funds after mixing. As a result, users who made deposits using IPFS gateways during this period may have had their funds stolen.
The extent of the damage is still being determined. It is worth noting that in August 2022, Tornado Cash was added to the sanctions list by OFAC for its involvement in laundering over $7 billion in criminal funds. In the same month, Alexey Pertsev was arrested. In April 2023, he was placed under house arrest.