A crypto journalist claims she has unmasked the man who was allegedly responsible for hacking The DAO in 2016 — an attack that led to 3.64 million ETH being stolen, and the Ethereum blockchain splitting into two following a controversy.
According to Laura Shin, a reporter who delved into the scandal for her new book, the hack was apparently executed by Toby Hoenisch. The programmer is known for creating TenX — a crypto debit card project that raised $80 million in an initial coin offering in 2017. Her reporting notes that the value of this project’s tokens ballooned to $535 million before crashing to $11 million at the time of writing.
The ETH stolen in this attack would theoretically be worth $11 billion at the time of writing. But after The DAO was targeted, a controversial proposal sparked a hard fork that resulted in the creation of Ethereum and Ethereum Classic. Although this greatly diminished the value of the stolen crypto, it’s still worth an eye-watering $100 million.
Shin reached out to Hoenisch to present the evidence she had collected, and received a reply that said:
“Your statement and conclusion is factually inaccurate.”
However, she went on to claim that he failed to answer her follow-up questions, or provide detailed rebuttals to the allegations. He later deleted his entire Twitter history.
Shin and her sources say they were able to connect the dots and get answers by using a blockchain analytics tool developed by Chainalysis. This allows transactions to be monitored closely, and on occasion, the flow of funds can later be linked to those who may have achieved anonymity at first. (Similar techniques led to the arrests of Ilya “Dutch” Lichtenstein and Heather Morgan for their alleged connection to the Bitfinex hack in 2016.)
Unable to get answers from Hoenisch, Shin has put forward a potential motive. The programmer had identified a slew of vulnerabilities in The DAO’s code, but it appears that his warnings were not taken seriously by the project’s founders. She wrote:
“This is also a tale of the big brains and big egos that drive the crypto world — and of a hacker who may have justified his actions by telling himself he simply did what the faulty code baked into The DAO allowed him to do.”
Overall, 31% of the ETH in The DAO ended up being siphoned away — and news of the theft resulted in the cryptocurrency’s value plunging by 33% in a single day, all the way down to $14. Given how Ethereum was barely a year old at the time, it could have been fatal for the project.
In terms of how all this could have been achieved, Shin points to a vulnerability in the smart contract that meant the funds involved in a withdrawal would be sent first — with their balance updated after. By ensuring the contract didn’t update, this effectively allowed the same crypto to be withdrawn over and over again:
“It was as if the attacker had $101 in their bank account, withdrew $100 at a bank, then kept the bank teller from updating the balance to $1, and again requested and received another $100.”
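The send-before-update ordering described above, modelled in Python as an added example; it is not code from The DAO, from Shin's reporting, or from this article. The `Vault` and `Reentrant` classes and the 400-unit pool are hypothetical, and the 101/100 figures mirror the bank analogy in the quote. The same withdrawal is run with both orderings to show why writing the balance before paying out closes the gap.

```python
# Toy model of the ordering flaw: payout sent before the balance is written.
# Added illustration; Vault, Reentrant and all amounts are hypothetical.

class Vault:
    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.balances = {}   # what each depositor is owed
        self.pool = 0        # funds actually held

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, amount):
        owed = self.balances.get(who, 0)
        if owed < amount or self.pool < amount:
            return False
        if self.update_before_send:
            self.balances[who] = owed - amount   # effect first
            self.pool -= amount
            who.receive(self, amount)            # external call last
        else:
            self.pool -= amount
            who.receive(self, amount)            # recipient code runs here...
            self.balances[who] = owed - amount   # ...stale balance written late
        return True

class Reentrant:
    """Test double: its receive hook calls withdraw again, up to `limit` times."""
    def __init__(self, limit):
        self.limit, self.calls, self.received = limit, 0, 0

    def receive(self, vault, amount):
        self.received += amount
        if self.calls < self.limit:
            self.calls += 1
            vault.withdraw(self, amount)

def run(update_before_send, reentries=3):
    vault = Vault(update_before_send)
    vault.deposit("other depositors", 400)       # constructed sample figures
    caller = Reentrant(reentries)
    vault.deposit(caller, 101)
    vault.withdraw(caller, 100)
    shortfall = sum(vault.balances.values()) - vault.pool
    return caller.received, vault.balances[caller], shortfall

if __name__ == "__main__":
    print("send then update:", run(False))   # (400, 1, 300)
    print("update then send:", run(True))    # (100, 1, 0)
```

Each tuple is (amount paid out, recorded balance afterwards, ledger shortfall): with the late write the ledger still shows a balance of 1 while the pool is 300 short, which is the invariant (`sum of balances == pool`) a regression test for this class of bug should assert.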
It’s unclear what — if any — actions may arise from these new allegations.