Pancake Bunny hacker siphons $2.9M of Ether through Tornado Cash

After three years of dormancy, the Pancake Bunny hacker transferred $3 million in stolen ETH via Tornado Cash, highlighting ongoing security challenges in the DeFi space.
After three years of dormancy, the Pancake Bunny hacker transferred $3 million in stolen ETH via Tornado Cash, highlighting ongoing security challenges in the DeFi space.

Part of the stolen funds connected to Pancake Bunny — a decentralized finance protocol on the BNB Smart Chain — was funneled through the privacy protocol Tornado Cash after three years of dormancy.

Pancake Bunny suffered a flash loan attack in May 2021 and lost roughly 697,000 BUNNY tokens and 114,000 BNB (BNB), which tanked the value of its BUNNY token by 95%.

Price drop in BUNNY/BNB trading pair following the initial attack: Poocoin.app

Aftermath of Pancake Bunny hack

Pancake Bunny was unable to recover the stolen funds and eventually dissolved the protocol, transforming it into a decentralized autonomous organization (DAO).

Three years later, on July 7, a wallet address linked to the Pancake Bunny hacker transferred 1,002 Ether (ETH) of stolen funds to Tornado Cash to prevent traceability.

Source: CertiK

Stolen funds on the move after many years

Based on current market prices, the hacker siphoned roughly $3 million in Ether. According to CertiK, the Pancake Bunny exploiter currently holds $11.4 million of Dai (DAI).

Tracking Pancake Bunny’s lost funds. Source: CertiK

Related: Crypto losses reach $1.19B in H1 2024: CertiK calls for better security

Crypto security experts emphasize heavily the importance of preventive measures when it comes to protecting protocol hacks. In this effort, CertiK migrated its suite of 12 blockchain applications in Asia to a cloud computing subsidiary of Chinese e-commerce giant Alibaba.

CertiK’s existing suite of product offerings. Source: CertiK

Ronghui Gu, co-founder of CertiK said:

“For over five years, we have believed in the transformative power of blockchain technology. We look forward to empowering developers with secure blockchain development and deployment through Alibaba Cloud’s platform.”

The move allows developers expecting high resource demands during peak hours to use Alibaba Cloud’s additional computing, storage and distribution resources.

A CertiK investigation that backfired Blockchain security firm CertiK recently identified itself as the “security researcher" that cryptocurrency exchange Kraken claimed stole $3 million worth of digital assets.

Kraken chief security officer Nicholas Percoco claimed that an unnamed security team — not revealed to be CertiK at the time — had committed “extortion” by refusing to return any funds until the exchange agreed to provide “a speculated $ amount that this bug could have caused if they had not disclosed it.”

Magazine: ‘Raider’ investors are looting DAOs — Nouns and Aragon share lessons learned