The DAO Hacker’s Identity Revealed?

The infamous 2016 exploit of The DAO looted 3.6 million Ether, almost 5% of the Ether in existence at the time, and led to the controversial hard fork between the Ethereum and Ethereum Classic blockchains. Today, journalist Laura Shin claims to have uncovered the DAO hacker’s identity. She alleges that one Toby Hoenisch, an Austrian programmer and CEO of defunct ICO-era crypto debit card company TenX, performed the attack.

The Investigation

Shin’s investigation shows a trail of evidence ranging from the circumstantial to the damning. On the circumstantial side, social media posts, internal team messages, and emails show that Hoenisch was very knowledgeable about both The DAO’s technical aspects, and the vulnerabilities that would ultimately be exploited.

More tellingly, the attacker’s attempted cashouts to BTC via a non-KYC exchange were conducted during Asian daytime hours – and Hoenisch was in Singapore at the time. The exchange’s customer support emails with the attacker revealed they spoke fluent English – which Hoenisch did.

However, the real meat of the allegation lies in the tracing of the funds as the attacker attempted to launder them. The attacker had managed to get 50 BTC out, and sent it to Wasabi Wallet, which uses a privacy-enhancing technique called a coinjoin to mix and anonymize funds. Blockchain forensics company Chainalysis used previously undisclosed capabilities to unravel the coinjoin, and track the stolen BTC to four exchanges.

Finally, the attacker slipped up. The BTC was swapped for privacy coin Grin, and sent to a Grin node named grin.toby.ai. This crucial piece of evidence allowed strong links to be made to Hoenisch, who routinely used toby.ai as part of his email handle and other identifying information. The ownership of the Amazon Singapore cloud server hosting the Grin node was also traced back to TenX, Hoenisch’s company. The DAO hacker’s identity was revealed.

No legal proceedings have been filed following her accusation at this time. Hoenisch has denied the allegations, and reportedly refused further contact with Shin after the initial email where she provided him with her evidence.

Privacy Implications

Hidden in this report is a very important piece of information: Chainalysis’ previously unrevealed capability to unmix Wasabi’s coinjoin transactions. Coinjoins are an important tool to provide privacy-by-deniability by obscuring the trace of who exactly has what funds. The ability to reverse this has dramatic implications for the privacy of legitimate users, not just money launderers.

It is still unknown whether this ability is specific to Wasabi, specific to Bitcoin, or whether it extends cross-chain to other privacy-enhancing protocols like Tornado Cash. Luckily, the capability is likely limited to Bitcoin, because Bitcoin’s UTXO accounting method provides a stronger link to the history of each individual coin than Ethereum’s account balance method.

Written By BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.
