The protocol hacker moves the stolen money with Tornado Cash
A hacker's protocol depleted 1,337 ETH with compromised multi-sig management. The stolen funds were sent through Tornado Cash through opaque transaction channels. The breach is limited to streaming, and the history protocol infrastructure is not affected.
Recently, a hacker using the Unleash protocol has started laundering stolen funds through Ethereum-based privacy service Tornado Cash, which has been reported by off-chain and blockchain security firms.
The attacker is trying to hide the trail of approximately 1,337 ETH, roughly $4 million, that was leaked from Uleash earlier this week.
Security firms PeckShield and CertiK reported that the funds were transferred to Ethereum and split into multiple batches, often around 100 ETH each, before entering Tornado Cash, a popular crypto-mixing protocol.
Government control led to Unleash exploitation
The release confirmed that it had suffered a major security breach on Tuesday, resulting in approximately $3.9 million in losses.
The protocol has suspended operations and started a forensic investigation into the incident.
According to Unleash, preliminary findings indicate that a foreign-owned wallet has gained unauthorized administrative control over the protocol through a multi-signature (multi) governance system.
The attacker made an unauthorized contract modification that allowed him to withdraw users' funds without proper approval.
In a statement posted on X, the team said, “This update allowed for asset withdrawals that were not authorized by the Unleash team and occurred outside of our intended governance and operating systems.”
Security analysts suggest the compromise may be the result of phishing or another form of social engineering that allows an attacker to gain control of administrative keys and bypass standard defenses.
The stolen property was joined as a bridge.
The stolen assets are said to include Wrapped IP (WIP), USDC, Wrapped Ether (WETH), stIP and VIP tokens.
On-chain analysis shows that most of these assets were first linked to Ethereum, consolidated into ETH, and moved through Tornado Cash, a technique commonly used by hackers to thwart tracking and recovery efforts.
CertiK said it initially detected suspicious withdrawals of WETH and IP-linked tokens sent to addresses created using SafeProxyFactory, a popular smart contract framework from multisig wallets.
#CertiKinsight 🚨
We received a deposit of 1337.1 ETH (~$3.9M) from 0xc946981F5dFBFA10cf858B95d51Fc06DCD15BfE3 to Tornado Cash.
The fund tracks the suspicious withdrawal of hacked ETH and History tokens from MultiSig.… pic.twitter.com/YIFEAEwilc
— CertiK Alert (@CertiKAlert) December 30, 2025
There is no widespread ecological impact, the release says
He emphasized that the breach was limited to the management and administration contracts themselves.
The Unleash team says there is currently no evidence that the history protocol, Layer 1 blockchain Unleash, has been built.
“The impact is limited to release-specific contracts and administrative controls,” the release team said, adding that legacy protocol validators, core infrastructure and contracts will remain unaffected.
Release is one of the most high-profile applications in the History Protocol ecosystem, which focuses on tokenized intellectual property and on-chain IP management.
PIP Labs, the company behind the Story Protocol, has raised nearly $140 million from prominent investors.
Users are warned while the investigation continues
The team urged users not to interact with the protocol while the investigation is underway, and said it would provide updates on the incident and remedial measures as more confirmed information becomes available.
At the time of writing, the release has not announced any recovery efforts or plans to compensate affected users, and the hacker's use of Tornado Cash could greatly complicate any attempts to trace or recover the stolen assets.
