The attacker(s) that exploited the Cork protocol for millions earlier this year has resurfaced to launder their loot and make a surprise donation. On Wednesday, June 25, blockchain security firm PeckShield Alert flagged renewed activity from wallet addresses tied to exploiters of the decentralized finance platform Cork Protocol. The movements marked the first recorded from the hacker since draining roughly $12 million from the protocol in May. The first transaction saw 1,410 ETH ( ETH ), worth around $3.2 million, sent to Tornado Cash , the infamous crypto mixing service commonly used by cyber attackers to obscure transaction trails. Shortly after, the attacker transferred an additional 3,110 ETH, bringing the total laundered to 4,520 ETH, approximately $11 million at current prices. #PeckShieldAlert #CorkProtocol Exploiter 2 – labeled address has transferred a total of 4,520 $ETH (worth ~$11M) to #TornadoCash & donated 10 $ETH to #Juicebox : Free Alexey & Roman (Tornado Cash developers’ legal fund) https://t.co/ITTET3M1Ak — PeckShieldAlert (@PeckShieldAlert) June 25, 2025 In a surprising twist, the attacker also sent a 10 ETH donation to a Juicebox campaign raising funds for the legal defense of Tornado Cash developers, Alexey Pertsev and Roman Storm. While the reason for the donation remains unclear, it comes as the developers face legal charges for the use of the mixer by cybercriminals and sanctioned entities. The platform has continued to be a go-to tool for laundering stolen crypto assets, especially in high-profile exploits. You might also like: Ethereum Foundation donates $500K to Tornado Cash co-founder’s defense ahead of trial The Cork Protocol attacker’s latest movements further complicate the platform’s ongoing efforts to recover the stolen funds. In a statement released earlier this month, Cork Protocol reassured users that it is still working toward asset recovery, but the transfer of funds to Tornado Cash may now further hinder those efforts. How the Cork Protocol hack happened The attack on Cork Protocol took place on May 28 around 11:39 UTC and targeted the platform’s wstETH:weETH market, leading to a loss of approximately 3,761 wrapped staked ETH (wstETH). According to the Cork team, the attacker exploited two advanced loopholes in the protocol’s code to pull off the hack, and deployed a malicious hook that bypassed usual validation checks. Exploit overview: At 11:39 UTC on May 28, Cork Protocol experienced an exploit resulting in the extraction of 3,761 wstETH from the wstETH:weETH market. Attacker targeted two sophisticated edge cases: • Vector 1: Manipulated rollover pricing just before expiry, buying 3,761… — Cork Protocol (@Corkprotocol) June 6, 2025 Upon draining the funds, decentralized exchange aggregator 1inch was used to swap the assets, making them harder to trace or recover. Cork Protocol says it continues to work closely with security partners to address the fallout and tighten security measures to guard against similar attacks in the future. Read more: MIM hacker launders $7.5m worth of stolen funds through Tornado Cash
