Blockchain intelligence firm TRM Labs has highlighted a notable incident involving Tornado Cash, underscoring persistent risks in decentralized finance even after significant regulatory shifts. On June 9, 2026, an attacker withdrew approximately 664 ETH—valued at around $2.7 million—from Tornado Cash pools. These funds were then deployed to gain controlling interest in TOP, a modest Ethereum-based decentralized trade-settlement protocol.
According to the insights from TRM Labs, the perpetrator minted additional tokens and offloaded them on decentralized exchanges, netting roughly $1.6 million in profits.
This marks a textbook example of a governance-layer attack enabled by mixer-derived capital.
TOP operates with a limited total supply of just 16,384 tokens and uses an Aragon DAO for governance, where voting power aligns directly with token holdings.
Without a timelock mechanism, proposals could pass and execute instantly in a single transaction once majority control was secured.
The attacker capitalized on this design by purchasing enough tokens to dominate votes, proposing and enacting a minting action in their favor, then swapping the new supply for profit in a Balancer liquidity pool.
Tornado Cash, launched in 2019, functions as an Ethereum mixer that severs visible on-chain connections between deposit and withdrawal addresses through fixed smart contract pools.
While it serves legitimate privacy needs, it gained notoriety for handling over $7 billion in deposits by mid-2022, including funds tied to ransomware, cybercriminals, and state actors like North Korea’s Lazarus Group. Its market dominance in crypto mixing reached nearly 59% in Q2 2022.
In August 2022, the US Treasury’s OFAC placed Tornado Cash on its SDN list—the first such action against open-source immutable software—citing its role in laundering illicit proceeds.
Usage plummeted to about 16% of mixing activity post-sanctions. Legal challenges followed, culminating in a November 2024 Fifth Circuit ruling that immutable smart contracts do not qualify as sanctionable “property.” OFAC delisted the addresses in March 2025.
Criminal cases against developers Roman Storm and Roman Semenov continue on separate grounds.
Despite the delisting, Tornado Cash has rebounded strongly.
By late 2025, it reclaimed over 40% of mixing volume and captured more than 20% in 2026 year-to-date, remaining the top mixer on Ethereum networks with weekly inflows ranging from $10 million to $80 million.
Overall mixer volumes across blockchains have fluctuated but recovered toward pre-sanction levels.
TRM Labs emphasizes that funds originating from mixers like Tornado Cash retain traceable characteristics through advanced techniques, including behavioral analysis, timing correlations, and anonymity-set evaluation.
In the TOP case, the full chain—from withdrawal to governance capture to profit extraction—remains on-chain and attributable.
Mixer-sourced capital now serves as an early warning indicator for potential governance attacks, allowing compliance teams to monitor token accumulations against voting supplies proactively.
This incident illustrates evolving threats in DeFi. That being, attackers leverage privacy tools for seed funding, exploit weak governance (such as absent timelocks), and extract value swiftly.
As protocols mature in 2026, proper and adequate safeguards like timelocks, gradual ownership thresholds, and enhanced monitoring will prove essential to deter such takeovers. TRM Labs has concluded in its latest update that Tornado Cash’s resilience highlights that while legal debates evolve, on-chain traceability and risk signaling continue to enable investigators and platforms in mitigating downstream harms.
