In-depth investigation: Who stole 3.64 million Ethereum?

Blockunicorn
2022-02-23 09:56:23
To grasp the severity of the hack: at ETH's current trading price of about $3,000, 3.64 million ETH would be worth $11 billion.

Original Title: "Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether"

Original Author: Laura Shin

Original Translation: Block unicorn

Austrian programmer and former cryptocurrency CEO likely stole $11 billion worth of Ether.

Who hacked The DAO in 2016 and made off with 3.6 million Ether? By tracing a complex trail of crypto transactions and using a previously undisclosed privacy-cracking forensic tool, we identified the apparent hacker. He denies it.

The second-largest crypto network, Ethereum, is valued at $360 billion. Its creator, Vitalik Buterin, has over 3 million followers on Twitter, produced videos with Ashton Kutcher and Mila Kunis, and met with Vladimir Putin. In recent years, all the most popular crypto trends have launched on Ethereum: Initial Coin Offerings (ICO), Decentralized Finance (DeFi), Non-Fungible Tokens (NFT), and Decentralized Autonomous Organizations (DAO). Ethereum has spawned a slew of blockchain imitators, often referred to as "Ethereum killers."

Ethereum also harbors a big mystery: who carried out the largest theft of Ether (the network's native token) in its history by hacking The DAO? By the time its crowdfunding closed in 2016, that decentralized venture fund had raised $139 million worth of Ether (ETH), making it the most successful crowdfunding effort to date. A few weeks later, a hacker drained 31% of the ETH in The DAO (3.64 million in total, about 5% of all ETH in circulation at the time) into a so-called DarkDAO.

Who hacked The DAO? My exclusive investigation, based on reporting for my new book "The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze," points to 36-year-old programmer Toby Hoenisch, who grew up in Austria and was living in Singapore at the time of the hack. His best-known role to date is as co-founder and CEO of TenX, which raised $80 million in its 2017 token launch to build crypto debit cards, a venture that ultimately failed. The market cap of its tokens once reached $535 million and is now just $11 million.

After receiving a document detailing evidence pointing to him as the hacker, Toby Hoenisch wrote in an email, "Your statements and conclusions are actually inaccurate." In that email, Toby Hoenisch offered to provide details to refute our findings but never replied to my repeated follow-up messages asking for those details.

The scale of the hack is staggering: at ETH's current trading price of about $3,000, 3.64 million ETH would be worth $11 billion. The DAO theft famously and controversially prompted Ethereum to hard fork, splitting the network in two to restore the stolen funds, which left DarkDAO holding not ETH but the far less valuable Ethereum Classic (ETC). Fork supporters once hoped ETC would fade away, but it now trades at around $30, meaning the descendant wallets of DarkDAO hold over $100 million in ETC, a hefty monument to one of cryptocurrency's biggest mysteries.

Last year, while writing my book, my sources and I, aided among other things by a powerful and previously undisclosed forensic tool provided by crypto tracking company Chainalysis, came to believe we had figured out who did it. Indeed, the story of The DAO and the six-year hunt for the hacker's identity shows how far transaction-tracing technology has come since the first crypto craze. Blockchain technology has since gone mainstream, but as new applications emerge, crypto's original use as an anonymous shield is fading, under regulatory pressure and because transactions on public blockchains are traceable.

Co-founders Toby Hoenisch and Paul Kittiwongsunthorn at a TenX strategy meeting in Thailand in 2018

Since Hoenisch would not speak to me, I can only speculate on his motives. As early as 2016, he had found technical flaws in The DAO and may have decided to strike after The DAO's creators did not take his warnings seriously enough. (Julian Hosp, a TenX co-founder who now works full-time in blockchain, said of Hoenisch, "He is a super stubborn person who always believes he is right. Always.") Seen this way, it is also a story about the intellect and ego that drive the crypto world, and how a hacker might justify his actions by telling himself he was merely doing what The DAO's faulty code allowed.

In early 2016, the Ethereum network was less than a year old, and one application had captured everyone's interest: The DAO, a decentralized venture fund built on smart contracts that gave its token holders voting rights over submitted funding proposals. It was created by a company called Slock.it, which, rather than seek traditional venture capital, decided to build this DAO and open it to crowdfunding, hoping its own project would become one of those The DAO funded. The Slock.it team believed the DAO might attract $5 million.

Instead, when the crowdfunding opened on April 30, it raised $9 million in the first two days alone, with participants receiving 100 DAO tokens per Ether. As the money poured in, some team members grew uneasy, but it was too late. By the time the funding closed a month later, 15,000 to 20,000 people had contributed, and The DAO held 15% of all Ether in existence, with the cryptocurrency's price steadily rising. Meanwhile, various security and structural concerns were raised about The DAO, one of which would ironically prove crucial in limiting the hacker's immediate access to the spoils: withdrawing funds was too difficult. To get one's money back, one first had to create a "child DAO" or "split DAO," which required a high level of technical knowledge.

On the morning of June 17, 2016, ETH hit an all-time high of $21.52, making the cryptocurrency in The DAO worth $249.6 million. When American Griff Green woke up that morning in Germany (he was staying at the home of the two brothers who co-founded Slock.it), his phone carried messages from members of the DAO Slack community saying something strange was happening: funds were being drained. Green, Slock.it's first employee and its community organizer, checked, and indeed a transaction of 258 ETH (worth $5,600 at the time) was flowing out of The DAO. A few hours later, when the attack stopped, 31% of the ETH in The DAO had been drained into DarkDAO. As news of the attack spread, Ethereum recorded its highest-volume trading day ever, and its price plummeted 33% from $21 to $14.

Splitting Wealth

The 2016 DAO crowdfunding sale pushed the price of Ether (ETH) to an all-time high—until the June 17 attack on The DAO caused it to crash. After the hard fork on July 20, the old blockchain began trading as Ethereum Classic (ETC).

The Ethereum community soon identified the vulnerability behind the theft: the DAO smart contract's withdrawal code sent the funds first and only afterwards updated the withdrawer's balance. Because sending Ether to another contract hands control to that contract, the attacker used a malicious contract that, on receiving each payment of 258 ETH, called back into The DAO's withdrawal function before the balance update had run, so the same Ether could be withdrawn over and over. It was as if the attacker had $101 in a bank account, withdrew $100, prevented the teller from updating the balance to $1, and then requested and received another $100.
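To make the send-then-update ordering concrete, here is an added illustration, not code from the article and not The DAO's own Solidity: a Python model in which a class stands in for the DAO contract, a method call stands in for the Ether transfer that hands control to the recipient, and an attacker object re-enters the withdrawal from that callback, as a Solidity fallback function would. The amounts (a 258 ETH attacker deposit against 1,000 ETH of honest deposits) are constructed. The hardened variant applies the checks-effects-interactions ordering (update the ledger before sending) that later Solidity guidance recommends.

```python
"""Toy model of The DAO's withdrawal bug (re-entrancy).

Constructed illustration, not The DAO's Solidity: a Python class stands in for
the contract, a method call stands in for an ETH transfer that hands control to
the recipient, and an attacker object re-enters withdraw() from its receive()
callback, exactly where a Solidity fallback function would re-enter.
"""


class InsufficientFunds(Exception):
    """Models a failed value transfer reverting the call."""


class VulnerableDAO:
    """Interaction before effect: sends first, updates the ledger afterwards."""

    def __init__(self):
        self.ether = 0        # the contract's actual balance
        self.balances = {}    # the contract's ledger of who is owed what

    def deposit(self, who, amount):
        self.ether += amount
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return 0
        if self.ether < amount:
            raise InsufficientFunds
        self.ether -= amount
        who.receive(self, amount)      # control passes to the recipient here
        self.balances[who] = 0         # ledger updated only after the send
        return amount


class SafeDAO(VulnerableDAO):
    """Checks-effects-interactions: zero the ledger entry before sending."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return 0
        if self.ether < amount:
            raise InsufficientFunds
        self.balances[who] = 0         # effect first
        self.ether -= amount
        who.receive(self, amount)      # a re-entrant call now sees balance 0
        return amount


class HonestUser:
    def receive(self, dao, amount):
        pass                           # just takes the money


class Attacker:
    """Re-enters withdraw() from the receive callback while the DAO can still pay."""

    def __init__(self):
        self.stolen = 0

    def receive(self, dao, amount):
        self.stolen += amount
        if dao.ether >= amount:        # keep draining until the contract runs dry
            dao.withdraw(self)


def run_attack(dao_cls, honest_deposit=1000, attacker_deposit=258):
    """Fund a DAO of the given class and return how much the attacker extracts."""
    dao = dao_cls()
    dao.deposit(HonestUser(), honest_deposit)
    attacker = Attacker()
    dao.deposit(attacker, attacker_deposit)
    dao.withdraw(attacker)
    return attacker.stolen


if __name__ == "__main__":
    print("vulnerable DAO pays attacker:", run_attack(VulnerableDAO))
    print("hardened DAO pays attacker:  ", run_attack(SafeDAO))
```

Running the script shows the vulnerable contract paying the attacker 1032 for a 258 balance (four withdrawals before the contract can no longer cover one), while the hardened version pays 258 once, because the re-entrant call finds a zeroed ledger entry. A mutex-style re-entrancy guard would also stop the attack, but the ordering fix is the cheaper and more general defence.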

Worse, once the vulnerability was public, the 7.3 million ETH remaining in The DAO were exposed to copycat attacks. A group of white-hat hackers (ethical hackers) formed and used the attacker's own method to move the remaining funds into a new child DAO. The attacker, however, still held about 5% of all outstanding ETH, and because of The DAO's design flaws even the rescued ETH remained vulnerable. The clock was also ticking: on July 21, the original hacker would be able to cash out the funds moved into DarkDAO. To prevent that, the community needed to hold tokens in the hacker's DarkDAO and then follow the attacker into any "split DAO" (child DAO) he might create in the future. (Under the rules of the DAO smart contract, the attacker could not withdraw funds as long as others in the split DAO blocked it.) The bottom line: if the white hats missed their window to counterattack, the attacker could escape with the funds, so this informal group had to remain vigilant at all times.

Ultimately, after much debate (on Reddit, in Slack channels, by email, and on Skype calls), with Ethereum founder Buterin publicly involved, and once most of the Ethereum community appeared to support the measure, Ethereum executed a "hard fork." On July 20, 2016, the Ethereum blockchain split in two, with all ETH that had been in The DAO moved to a "withdrawal" contract on the new chain that let original contributors send in their DAO tokens and retrieve their ETH. Enough speculators and holdouts kept supporting the old blockchain that it lived on as Ethereum Classic (ETC).

Ethereum Classic still exists, and with it the attacker's spoils from The DAO, in the form of 3.64 million ETC. That summer, the attacker moved the ETC to a new wallet, which lay dormant until late October, when they began trying to exchange the money for Bitcoin through an exchange called ShapeShift. Because ShapeShift required no personal identification at the time, the attacker's identity stayed hidden even though every movement on the blockchain was visible. Over the following two months, the hacker managed to obtain 282 Bitcoin (worth $232,000 at the time, now over $11 million). Then, perhaps because ShapeShift kept blocking their attempted trades, they gave up cashing out, leaving 3.4 million Ethereum Classic (ETC), worth $3.2 million at the time and now over $100 million.

That might have been the end of the story: a nameless hacker sitting on a fortune they cannot cash out. Then last July, one of my sources involved in the DAO rescue, a Brazilian named Alex Van de Sande (also known as Avsa), reached out to say that Brazilian police had opened an investigation into the attack on The DAO and into whether he was a victim or even the hacker himself. Van de Sande decided to commission a forensic report from blockchain analytics company Coinfirm to help exonerate himself (he said the police later dropped the investigation). He went on to have reports produced examining the 2016 cash-out attempts, in case any similar situation arose in the future.

Early suspects in the hack included a Swiss businessman and his associates, and while tracing the funds Van de Sande and I identified another suspect: a Russian developer of Ethereum Classic. But all of these people were in Europe or Russia, whereas the cash-out transactions clustered in Asian hours, from roughly 9 AM to midnight Tokyo time, when Europeans would likely be asleep. (The suspects' social media posting times indicated they kept fairly normal working hours.) And based on customer support emails the hacker sent to ShapeShift before the attack, I believe the hacker was a fluent English speaker.
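The time-of-day reasoning above is a standard attribution technique: convert each cash-out timestamp into the local time of each candidate suspect and see which zone puts the activity inside normal waking hours. As an added example that is not part of the article, the Python below does this for three candidate zones standing in for the Swiss, Russian and Singapore suspects. The twelve UTC timestamps are constructed for illustration and are not the real ShapeShift transactions. The candidate zones are fixed offsets (CET, UTC+1; Moscow, UTC+3; Singapore, UTC+8), which is correct for the late-2016 window of the samples; for real data pass zoneinfo.ZoneInfo objects instead so daylight-saving shifts are handled.

```python
"""Infer a likely home time zone from transaction timestamps.

Added illustration, not from the article. The sample timestamps are constructed,
not the real 2016 ShapeShift cash-outs. Candidate zones are fixed UTC offsets,
which is accurate for November-December 2016 (after European DST ended on
October 30); with real data, pass zoneinfo.ZoneInfo("Europe/Zurich") etc.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Local hours treated as "awake": 08:00 through 23:59, matching the
# 8 AM to 11 PM Singapore window the investigation observed.
WAKING_HOURS = range(8, 24)

# Constructed sample: UTC times of hypothetical cash-out transactions.
SAMPLE_CASHOUTS_UTC = [
    datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    for s in [
        "2016-11-01 01:10", "2016-11-03 03:45", "2016-11-06 00:30",
        "2016-11-09 06:15", "2016-11-12 02:00", "2016-11-15 09:40",
        "2016-11-19 13:20", "2016-11-23 00:05", "2016-11-28 15:50",
        "2016-12-03 04:30", "2016-12-09 11:00", "2016-12-15 01:55",
    ]
]

# Candidate zones standing in for the article's suspects (fixed offsets).
CANDIDATES = {
    "Europe/Zurich (CET, UTC+1)": timezone(timedelta(hours=1)),
    "Europe/Moscow (UTC+3)": timezone(timedelta(hours=3)),
    "Asia/Singapore (UTC+8)": timezone(timedelta(hours=8)),
}


def local_hours(timestamps_utc, tz):
    """Hour of day (0-23) of each timestamp in the candidate zone."""
    return [ts.astimezone(tz).hour for ts in timestamps_utc]


def hour_histogram(timestamps_utc, tz):
    """Counts per local hour; useful for eyeballing a sleep gap."""
    return Counter(local_hours(timestamps_utc, tz))


def waking_fraction(timestamps_utc, tz, waking=WAKING_HOURS):
    """Share of transactions that fall inside the waking window for tz."""
    hours = local_hours(timestamps_utc, tz)
    return sum(h in waking for h in hours) / len(hours)


def rank_timezones(timestamps_utc, candidates):
    """Candidates ordered best-first by how much activity lands in waking hours."""
    scored = [(waking_fraction(timestamps_utc, tz), name)
              for name, tz in candidates.items()]
    return sorted(scored, reverse=True)


def best_timezone(timestamps_utc, candidates):
    """Name of the candidate zone that best explains the activity pattern."""
    return rank_timezones(timestamps_utc, candidates)[0][1]


if __name__ == "__main__":
    for score, name in rank_timezones(SAMPLE_CASHOUTS_UTC, CANDIDATES):
        print(f"{score:.2f}  {name}")
    print("most plausible:", best_timezone(SAMPLE_CASHOUTS_UTC, CANDIDATES))
```

With the constructed sample, every transaction falls between 08:00 and 23:59 Singapore time, while only a third to a little under half do in Zurich or Moscow. Two caveats a practitioner should keep in mind: a dozen transactions is weak evidence on its own, and the method assumes the operator keeps conventional hours and is not deliberately scheduling activity, which is why the article corroborates the time-zone signal with language, DNS and exchange records.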

Building on the Coinfirm analysis, blockchain analytics company Chainalysis found that the presumed attacker had sent 50 BTC to a Wasabi wallet, a privacy-focused desktop Bitcoin wallet that anonymizes transactions by mixing many users' bitcoins in a so-called CoinJoin. Using a capability disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and traced their outputs to four exchanges. In the final, critical step, an employee at one of those exchanges confirmed to one of my sources that the funds had been exchanged for the privacy coin Grin and withdrawn to a Grin node named grin.toby.ai. (Exchanges do not normally disclose such customer information, owing to their privacy policies.)

The IP address of that node also hosted Bitcoin Lightning nodes: ln.toby.ai, lnd.ln.toby.ai, etc., and had remained consistent for over a year; it was not a VPN.

It was hosted on Amazon Singapore, and the Lightning explorer 1ML showed a node named TenX at that IP.

For anyone who entered the crypto space in June 2017, that name might ring a bell. That month, as the ICO craze reached its initial peak, there was an $80 million ICO called TenX. The CEO and co-founder used the handle @tobyai on AngelList, Betalist, GitHub, Keybase, LinkedIn, Medium, Pinterest, Reddit, StackOverflow, and Twitter. His name is Toby Hoenisch.

Where was he? In Singapore. Although he was born in Germany and grew up in Austria, he spoke fluent English. The cash-out transactions primarily occurred between 8 AM and 11 PM Singapore time.

The email address used for that account at the exchange was [exchange name] @toby.ai.

In May 2016, as The DAO's historic fundraising campaign was wrapping up, Hoenisch took a keen interest in it. On May 12, he emailed Hosp a tip ("profitable cryptocurrency trades coming up") to short ETH once the DAO crowdfunding period ended. On May 17 and 18, in the DAO Slack channel, he held lengthy conversations, posting at least 52 comments about vulnerabilities in The DAO, probing various aspects of the code and nitpicking over exactly what was and was not possible given how the code was structured.

One question prompted him to email Slock.it's CTO Christoph Jentzsch, lead technical engineer Lefteris Karapetsas, and community manager Griff Green. In the email, he said he was writing a funding proposal to The DAO for a crypto card product called DAO.PAY and added, "For our due diligence, we checked the DAO code and found some concerning things." He outlined three potential attack vectors and later sent a fourth by email. Jentzsch, a German who had been pursuing a PhD in physics before dropping out to focus on Ethereum, responded point by point, conceding some of Hoenisch's assertions but calling others "incorrect" or saying they "did not work." The exchange ended with Hoenisch writing, "If we find anything else, I will keep you updated."

But on May 28, 2016, Toby Hoenisch did not engage in further email communication; instead, he wrote four posts on Medium, starting with "TheDAO—No-Risk Voting." The second, "TheDAO—Ransom Withdrawals," foreshadowed the main issues with The DAO and the reason Ethereum ultimately chose to hard fork: without it, the only other option was to allow the attacker to cash out their ill-gotten gains or for some group of DAO token holders to forever follow him into the new split DAO he created while attempting to cash out. "TLDR: If you end up with a DAO contract without a majority vote, the attacker can indefinitely block all withdrawals," he wrote. The third showcased how the attacker could do this cheaply.


His final, and most pointed, post that day, "TheDAO—$150 Million Decentralized Governance Lesson," stated that DAO.PAY had decided not to submit a proposal after discovering "significant security vulnerabilities" and that "Slockit downplayed the severity of the attack." He wrote, "TheDAO is live… we are still waiting for Slockit to issue a warning that there is no safe exit!"

On June 3, he published his last post on Medium, "Announcing BlockOps: Blockchain Hack Challenges," stating, "BlockOps is your playground for hacking crypto, stealing Bitcoin, cracking smart contracts, and simply testing your security knowledge." Although he promised "new challenges in Bitcoin, Ethereum, and cybersecurity every two weeks," I could not find any record of him doing so.

Two weeks later, The DAO was attacked. The morning after the attack, at 7:18 AM Singapore time, Hoenisch trolled Ethereum creator Vitalik Buterin by retweeting a tweet Buterin had posted before The DAO was attacked but after the vulnerability used in the attack had been found in The DAO's code. In that tweet, from two weeks earlier, Buterin had said he had been buying DAO tokens since the security news broke. In the following weeks, Hoenisch posted anti-hard-fork tweets, such as one headed "Too Big to Fail is a Guarantee to Fail."

Strangely, on July 5, 2016, weeks after the attack, Toby Hoenisch and Karapetsas exchanged a Reddit DM titled "DarkDAO Counterattack"—though the content of the messages is unclear, as Toby Hoenisch had deleted all his Reddit posts. (Hosp recalled that Hoenisch told him he had deleted his Reddit account after arguing with an "idiot" about The DAO on Reddit.) Toby Hoenisch wrote, "Sorry for not reaching out first; I didn't find it and tell the community there was a way to counterattack. Anyway, I don't see any way the attacker can use it."

After Karapetsas informed Toby Hoenisch that the white hats planned to protect what remained in The DAO, Hoenisch replied, "I quit this position." Karapetsas responded, "From now on, I will keep you updated on what we are doing." Toby Hoenisch's last message in that exchange was, "If I messed up the plan, I'm sorry."

On July 24, 2016, the day after the Ethereum Classic chain was restored and began trading on Poloniex, Hoenisch tweeted, "Ethereum drama escalates: from #daowars to #chainwars. Ethereum Classic now trades as ETC and miners plan attacks on Poloniex." On July 26, he retweeted a tweet from Barry Silbert, founder and CEO of the powerful and respected Digital Currency Group, who had tweeted, "Bought my first non-Bitcoin digital currency… Ethereum Classic (ETC)."

"He really messed up (the hacker DAO); reputation is worth more than money."

Upon hearing the name Toby Hoenisch, before being shown any evidence that he was the DAO attacker, Karapetsas, a typically humorous Greek software developer and one of The DAO's creators, who had interacted with Hoenisch by email and on Reddit, said, "He is annoying… He is very insistent on discovering many problems." On hearing that DarkDAO ETC had been cashed out to a Grin node bearing Hoenisch's alias, Karapetsas observed that if Hoenisch were to make things right by returning the funds still frozen in DarkDAO, the Ethereum community would give him "great honor" for finding the weakness and returning the ETH. Likewise Griff Green, whose current projects tend to help nonprofits and public goods thrive in the digital world, felt the hacker had missed his "chance to become a hero."

Green noted that ironically, in a blog post from 2016, Toby Hoenisch wrote, "I am a white hat hacker." Twenty days later, The DAO was attacked.

As I mentioned earlier, after receiving a document listing evidence that he was the hacker and requesting comments on my book, Hoenisch wrote that my conclusions were "actually inaccurate." In that email, he stated he could provide me with more details—then did not respond to four requests for those details, nor did he reply to other fact-checking inquiries for this article. Additionally, after receiving the first detailed document outlining the facts I had gathered, he deleted nearly all of his Twitter history (though I had saved relevant tweets).

In May 2015, Toby Hoenisch and his co-founders of the crypto debit card venture (initially called OneBit) achieved some success at a Mastercard Masters of Code hackathon held in Singapore. They began using the card that year on an invite-only basis, as Hoenisch explained on Reddit, "We didn't want to launch a half-baked Bitcoin wallet that would get us in trouble for violating KYC (Know Your Customer) laws. Yes, legality is the main reason we can't ship directly." An article from Bitcoin Magazine at the time noted that Hoenisch had a background in AI, IT security, and cryptography.

In early 2017, months after the presumed DAO attacker stopped trying to cash out their ETC, Hoenisch's team (by then operating as TenX) announced it had secured $1 million in seed funding from Fenbushi Capital (where Ethereum founder Buterin was a general partner) and others, followed by the $80 million ICO. TenX's fortunes began to deteriorate in early 2018, when its card issuer Wavecrest was dropped from the Visa network, leaving TenX users unable to use their debit cards.

On October 1, 2020, TenX announced it would shut down its services after its new card issuer, Wirecard SG, was ordered by the Monetary Authority of Singapore to cease operations. On April 9, 2021, TenX published a blog post titled "TenX, Meet Mimo," outlining a new business offering a stablecoin (a cryptocurrency whose value is tied to a fiat currency such as the dollar, euro, or yen) pegged to the euro. The market cap of TenX tokens had soared to $535 million and is now just $11 million. TenX has rebranded itself as Mimo Capital and offered its largely worthless MIMO tokens to TenX token holders at a rate of 0.37 MIMO per TenX.

Hosp, the public face of the company, was ousted by Hoenisch and another co-founder in January 2019, months after some crypto publications reported on Hosp's past ties to an Austrian multi-level marketing scheme. But before hearing the evidence suggesting Hoenisch was the DAO attacker, Hosp said he felt Hoenisch might have pushed him out out of jealousy, because Hosp had made $20 million selling Bitcoin at the top of the bubble in late 2017. Hoenisch, meanwhile, had held on to all of his crypto as the bubble, and his net worth, deflated.

"He came from a very poor family, he had no investment experience, he got into crypto in 2010, but he really had no money, nothing at all, when we were in Las Vegas [in the summer of 2016], he had nothing, and my investments were doing well… he was always fighting for more salary, for better things." Hosp also mentioned that Toby Hoenisch had to send money home to support his mother who raised him, as well as his sister and brother as a single parent.

With the emergence of new blockchain applications, the first use of crypto—as an anonymous shield—is retreating.

On hearing that Hoenisch might be the DAO attacker, Hosp said he "got goosebumps" and began recalling details of his interactions with his former partner that now seemed to take on new meaning. For instance, asked whether Hoenisch liked Grin (the privacy coin the hacker cashed out into), Hosp said, "Yes! Absolutely, he did. He was obsessed with it… because of those stupid tokens, I lost money! I invested in them because of him, because he was so obsessed with them." He said Hoenisch was also obsessed with building atomic swaps between Bitcoin and Monero, a way to exchange Bitcoin for the privacy coin Monero using smart contracts. At the time, Hosp found this puzzling, as he felt there was no market for such a product. Later, Hosp pulled up chat logs from August 2016.

Trying to recall the episode he believed prompted Hoenisch to delete his Reddit account, Hosp began searching on his computer, muttering, "He always used tobyai." He confirmed that one of Toby's regular email addresses ended in @toby.ai.

Recalling, still shocked, Hosp said, "For some strange reason, he was very aware of what was happening… when I asked him what was going on, he knew more about the DAO hack… than I found on the internet or anywhere else."
