Hacker Exploits Unleash Protocol, Moves Stolen Funds via Tornado Cash
A significant security breach at Unleash Protocol has resulted in the theft of 1,337 ETH, valued at approximately $4 million. The hacker has begun laundering these funds through Tornado Cash, a service that provides anonymity for cryptocurrency transactions.
- Hacker drained 1,337 ETH via a compromised multisignature governance system.
- Stolen funds were sent through Tornado Cash to obscure transaction trails.
- The breach is limited to Unleash, with no impact on the underlying Story Protocol infrastructure.
Security Breach Details
Unleash confirmed on Tuesday that it experienced a serious security violation, resulting in losses estimated at $3.9 million. In response, the protocol has suspended operations and initiated a forensic investigation.
According to preliminary findings, an external wallet gained unauthorized administrative control over Unleash’s multisig governance system. This breach allowed the attacker to execute an unauthorized contract upgrade, facilitating withdrawals of user funds without appropriate approvals.
“This upgrade allowed for asset withdrawals that had not been approved by the Unleash team and occurred outside of our established governance and operational protocols,” the team stated in a recent announcement.
Security analysts have speculated that the breach may have stemmed from phishing or other forms of social engineering, enabling the attacker to undermine typical safeguards.
Laundering Tactics and Asset Tracking
The stolen assets reportedly included Wrapped IP (WIP) tokens, USDC, Wrapped Ether (WETH), stIP, and vIP. On-chain analysis indicates that most of these assets were first transferred to Ethereum, consolidated into ETH, and then funneled through Tornado Cash—a common tactic employed by hackers to hinder tracking and recovery efforts.
CertiK, a blockchain security firm, reported the initial detection of suspicious withdrawals involving WETH and other related tokens directed toward an externally controlled address created using SafeProxyFactory, a popular smart contract framework for multisignature wallets.
We have detected deposits of 1,337.1 ETH (~$3.9M) into Tornado Cash from 0xc946981F5dFBFA10cf858B95d51Fc06DCD15BfE3.
The fund traces to suspicious withdrawals of Wrapped ETH and Story tokens from a multisig that may have been compromised.… pic.twitter.com/YIFEAEwilc
— CertiK Alert (@CertiKAlert) December 30, 2025
No Wider Ecosystem Impact, Unleash Claims
Unleash has emphasized that the breach is confined to its governance and administrative contracts, reassuring users that there is currently no evidence of compromise within the Story Protocol, the layer-1 blockchain supporting Unleash.
“The impact appears limited to Unleash-specific contracts and administrative controls,” the Unleash team stated, noting that the validators, core infrastructure, and Story Protocol contracts are unaffected.
Unleash stands as a notable application within the Story Protocol ecosystem, which focuses on tokenized intellectual property and on-chain IP management. PIP Labs, the company behind Story Protocol, recently secured around $140 million in funding from prominent investors.
User Advisory Amid Ongoing Investigation
The Unleash team has urged users to refrain from interacting with the protocol as the investigation continues. They have committed to providing updates regarding the incident and potential remediation measures as further verified information becomes available.
As of now, Unleash has not clarified whether it will pursue efforts to recover funds or provide compensation to affected users, complicating any attempts to track or recover the stolen assets due to the use of Tornado Cash.
