Analysis of PancakeBunny Exploiter's Transfer via Tornado Cash

In a recent revelation, the individual responsible for the PancakeBunny project breach has been identified orchestrating significant fund transfers through Tornado Cash. Having been the mastermind behind the $45 million exploit in May 2021, this exploiter has reemerged to shuffle stolen assets, drawing renewed interest from the digital currency community after a prolonged hiatus.

Recently, the perpetrator of the PancakeBunny breach executed a transaction moving 1002 ETH, valued at $2.9 million, utilizing Tornado Cash for anonymity. This platform is widely utilized for masking transaction details. Security specialists at CertiK Alerts raised the alarm on this transfer, signaling that the funds were funneled through the wallet address 0xd0f2259e0bd71e849143bbc07f4e427bb6f7756b.

The Bunny Finance Exploitation: A Synopsis

The breach that occurred in May 2021, resulting in losses of approximately $45 million for users, was instigated through a flash loan assault. The attacker, by manipulating a substantial asset pool from PancakeSwap, engineered fluctuations in the price of BUNNY tokens.

The exploiter's strategy entailed price distortion via flash loans, artificially inflating BUNNY token values. Subsequently, the artificially boosted tokens were injected into the market, triggering a rapid devaluation and facilitating the siphoning off of significant profits.

Current Asset Holdings of the Exploiter

Despite the substantial transfer of embezzled funds, the exploiter still commands $11.4 million in DAI, housed at wallet address 0x820C.

This case underscores the significance of Tornado Cash in obfuscating the provenance of misappropriated funds, presenting challenges for individual regulators and security specialists in the endeavor to track and recuperate lost cryptocurrencies. While Tornado Cash serves as a tool for privacy enhancement among ordinary users, it is concurrently a favored mechanism for money laundering among cybercriminals.