• Three years after the Pancake Bunny flash loan attack, the hacker moved $2.9M in ETH through Tornado Cash.

Part of the stolen funds connected to Pancake Bunny — a decentralized finance protocol on the BNB Smart Chain — was funneled through the privacy protocol Tornado Cash after three years of dormancy.

Pancake Bunny suffered a flash loan attack in May 2021 and lost roughly 697,000 BUNNY tokens and 114,000 BNB, which tanked the value of its BUNNY token by 95%.

[Figure: Price drop in BUNNY following the initial attack]

Aftermath of Pancake Bunny Hack

Pancake Bunny was unable to recover the stolen funds and eventually dissolved the protocol, transforming it into a decentralized autonomous organization (DAO).

Three years later, on July 7, a wallet address linked to the Pancake Bunny hacker transferred 1,002 Ether (ETH) of stolen funds to Tornado Cash to prevent traceability.

#CertiKInsight

On Sunday the @PancakeBunnyFin exploiter deposited 1002 ETH (~$2.9m) into @TornadoCash via 0xd0f2259e0bd71e849143bbc07f4e427bb6f7756b

Bunny Finance was exploited for ~$45m in May 2021

The exploiter still holds $11.4m DAI in 0x820C pic.twitter.com/Jcc18Q1NIY

— CertiK Alert (@CertiKAlert) July 8, 2024

Stolen Funds On The Move After Many Years

Based on current market prices, the hacker siphoned roughly $3 million in Ether. According to CertiK, the Pancake Bunny exploiter currently holds $11.4 million of Dai (DAI).

Crypto security experts heavily emphasize the importance of preventive measures when it comes to protecting protocols against hacks. In this effort, CertiK migrated its suite of 12 blockchain applications in Asia to a cloud computing subsidiary of Chinese e-commerce giant Alibaba.

Ronghui Gu, co-founder of CertiK, said:

“For over five years, we have believed in the transformative power of blockchain technology. We look forward to empowering developers with secure blockchain development and deployment through Alibaba Cloud’s platform.”

The move allows developers expecting high resource demands during peak hours to use Alibaba Cloud’s additional computing, storage and distribution resources.

A CertiK investigation that backfired

Blockchain security firm CertiK recently identified itself as the “security researcher” that cryptocurrency exchange Kraken claimed stole $3 million worth of digital assets.

Kraken chief security officer Nicholas Percoco claimed that an unnamed security team — not revealed to be CertiK at the time — had committed “extortion” by refusing to return any funds until the exchange agreed to provide “a speculated $ amount that this bug could have caused if they had not disclosed it.”