Cyber Threats in DeFi: How Standards Vulnerabilities, Social Engineering, and Mixers Like Tornado Cash Are Undermining Crypto Platform Security and User Trust

The hacker who exploited the decentralized finance protocol Voltage Finance in 2022 for $4.67 million has been active again, moving 100 ETH (approximately $182,000 at the current rate) through the Tornado Cash mixer. This fact was recorded by blockchain security company CertiK on May 6, 2025, and confirmed by an analysis of transactions on the blockchain 1 3 5 .

Description of the 2022 incident

In March 2022, an attacker exploited a vulnerability in the ERC-677 token standard — a built-in callback function — to conduct a reentrancy attack. This attack allowed the hacker to repeatedly withdraw funds from the Voltage Finance lending pool before the balance was updated, resulting in the theft of significant amounts of various cryptocurrencies, including Ethereum, stablecoins USD Coin (USDC), Binance USD (BUSD), Wrapped Bitcoin (WBTC), and other tokens 1 3 5 .

Hacker’s actions after hacking

Following the exploit, the attacker’s address was flagged on Etherscan and exchanges were advised to block any transactions from the address. Voltage Finance attempted to contact the hacker and offered a reward for the return of the stolen funds 1 .

The address from which the 100 ETH were transferred to Tornado Cash has been dormant since November 2024, with the last transaction occurring 166 days ago. This suggests that the hacker did not use the stolen assets for some time and then decided to partially move them through a mixer to make tracking more difficult 1 .

The Importance of Tornado Cash in Operation

Tornado Cash is a crypto mixer that obfuscates the origins of cryptocurrency by mixing assets from different wallets, making them difficult to trace. The protocol has been used by hackers to launder stolen funds. In 2022, Tornado Cash was sanctioned by the US Treasury Department because it was used by the North Korean hacker group Lazarus to hide traces of a $625 million hack of Axie Infinity 4 .

The use of Tornado Cash by the Voltage Finance hacker follows a typical money laundering scheme, where after a long period of inactivity, the stolen tokens are transferred to a mixer to make it more difficult to trace them back and withdraw them 1 4 .

Context and implications

In 2024–2025, the number of major crypto thefts increased significantly. In April 2024, the total amount of stolen funds increased by 1163%, which was due to several large-scale attacks, including the theft of 3,520 BTC (about $330 million) from an elderly US citizen using social engineering. At the same time, cases of return of stolen funds were also recorded in the same month, for example, the exploit of the decentralized exchange KiloEx for $7.5 million was fully compensated four days after the attack 1 .

Voltage Finance also suffered a second attack in March 2024, when $322,000 was stolen from Simple Staking pools. In response, the protocol offered a $50,000 reward for the funds to be returned and initiated cooperation with law enforcement 1 .

What measures are law enforcement taking to track funds moved through Tornado Cash?

The movement of 100 ETH to Tornado Cash more than two years after the hack suggests that the hacker is still using the stolen assets while attempting to hide their origin. This case highlights the importance of ongoing monitoring and analysis of blockchain transactions to detect and combat criminal activity in decentralized finance.

The Voltage Finance incident is thus a shining example of the security challenges in DeFi, where smart contract vulnerabilities are leading to multi-million dollar losses and attackers are using sophisticated methods to hide their tracks using mixers like Tornado Cash 1 3 5 .

Law enforcement agencies use a range of measures and modern technologies to track funds moved through the Tornado Cash mixer, despite the high degree of anonymity that this protocol provides.

Basic measures and methods of monitoring

Blockchain transaction and behavioral pattern analysis. Crypto forensics experts study transaction chains, identify the regularity of transfers, grouping of addresses, and intermediate wallets through which funds pass. For example, when investigating the Harmony Bridge attack, analysts identified 857 transactions at regular intervals, distributed across multiple addresses, which helped deanonymize some of the output addresses after Tornado Cash 3 .
Use of specialized AML services and blockchain analytics. Companies such as HAPI Explorer, Chainalysis, Elliptic and others use machine learning algorithms and big data analysis to identify suspicious transactions and connections between wallets. They form databases of “dirty” addresses and help exchanges and law enforcement freeze funds and block transactions with them 4 .
Sanctions and legal pressure. In August 2022, the US Treasury Department added Tornado Cash to the sanctions list, recognizing the mixer as a tool for laundering more than $7 billion, including funds stolen by the Lazarus hacker group. Tornado Cash smart contracts were recognized as “property” and blocked, and the co-founders of the service were arrested and charged with facilitating money laundering. This allowed law enforcement agencies to restrict access to the service and conduct investigations using legal mechanisms 2 5 6 .
Cooperation with crypto exchanges and the blockchain community. Law enforcement agencies exchange information with exchanges and analytical companies to quickly identify and block suspicious addresses, as well as track attempts to withdraw funds after using a mixer. Exchanges require users to confirm the legality of the origin of funds, which reduces the risk of laundering through centralized platforms 4 .
Operational and investigative measures. As part of criminal cases, law enforcement officers conduct investigations, establish the identities of those involved, including developers and operators of mixers, and cooperate with international partners to suppress the activities of criminal schemes 10 6 .

Technical limitations and challenges

Tornado Cash uses zero-knowledge proofs (zk-SNARKs) that break the connection between deposits and withdrawals, making it difficult to directly link transactions. However, complex analysis of behavioral patterns, time intervals, and related transactions allows partial restoration of asset movement chains.

How ERC677 Standards Affect Security of Decentralized Protocols

Law enforcement and analytics companies are using a combination of technical blockchain analysis methods, legal measures, and international cooperation to detect and prevent money laundering through Tornado Cash. Despite the high degree of anonymity, modern crypto forensics tools can successfully track a significant portion of illegal transactions and facilitate the recovery of stolen assets.

The use of the ERC-677 standard in decentralized protocols has both positive and potentially negative impacts on security due to the specifics of its functionality.

Features of the ERC-677 standard

ERC-677 extends the base ERC-20 standard by adding a transferAndCall function that allows a single transaction to simultaneously transfer tokens and call a function on the recipient smart contract. This simplifies interactions between tokens and contracts by eliminating the need for two separate transactions (transfer and call), reducing gas costs and improving usability 2 4 .

Impact on safety

Advantages:
- Reduced transaction count and gas costs: Simultaneous transmission and function invocation reduces the likelihood of errors due to inconsistency between two transactions, which increases the overall reliability of operations.
- Automation and integration. The ability to call a contract function immediately after token transfer allows for more complex and secure interaction scenarios, such as atomic purchases or automatic participation in staking without additional user actions 1 2 .
Risks and Vulnerabilities:
- Reentrancy attacks. As demonstrated by the Voltage Finance exploit, the built-in callback function implemented in ERC-677 can be used by attackers to perform reentrancy attacks, where the called contract re-initiates the transfer function before the previous operation has completed. This allows an attacker to repeatedly withdraw funds from the protocol if the smart contract is not sufficiently secured 1 .
- Complexity of implementation. The expansion of functionality increases the complexity of smart contracts, which requires more thorough auditing and testing. Errors in the implementation of callback functions can lead to critical vulnerabilities.
- Dependency on correct call handling. If the receiving contract does not handle the call correctly, this may result in blocked tokens or unexpected errors.

What implications could hacks like this have for trust in DeFi platforms?

The ERC-677 standard increases the functionality and ease of interaction of tokens with other smart contracts, which facilitates the development of decentralized applications and improves the user experience. However, the expanded capabilities of callback functions require increased attention to security when developing protocols. Insufficient protection against reentrancy attacks and other exploits can lead to serious financial losses, as happened in the case of Voltage Finance.

Therefore, when using ERC-677, developers need to implement proven security patterns such as the checks-effects-interactions pattern and conduct deep auditing of smart contracts to minimize the risks of exploitation of vulnerabilities associated with the extended functionality of the standard 1 2 7 .

Hacks in decentralized finance (DeFi) platforms like the one on Voltage Finance have a serious negative impact on user and investor trust in such protocols, which has a number of important implications.

Key implications for trust and the DeFi ecosystem

Deterioration of platform reputation and user base. Hacking attacks and large-scale thefts of funds make users fear for the safety of their assets, leading to an outflow of liquidity and a decrease in activity on the affected platforms. This reduces the attractiveness of DeFi for new and existing users 1 5 .
Growing risk perception and investor caution. Hack losses, smart contract vulnerabilities, and high crypto asset volatility are increasing the perception of instability and unpredictability in DeFi, especially among institutional investors and conservative market participants. This is limiting the inflow of large capital and slowing the development of the sector 3 6 .
Increased security and auditing requirements: Following high-profile breaches, there is increased pressure on projects to conduct deep code audits, implement multi-layered security measures, and engage cybersecurity experts. This increases development costs and timelines, but is necessary to restore trust 7 8 .
Regulatory attention and possible restrictions. Large-scale incidents attract the attention of regulators, which can lead to tighter regulations and control over DeFi platforms. In the absence of clear regulations, this creates additional uncertainty and risks for market participants 6 7 .
Anti-fraud technologies are evolving. In response to threats, DeFi is actively implementing AI and blockchain analytics solutions to help identify suspicious activity and prevent attacks, which over time helps build user trust 2 .

What is the role of blockchain security companies like CertiK in preventing such attacks?

Hacks and exploits in DeFi undermine trust in decentralized protocols, causing financial losses and slowing the growth of the industry. However, they also stimulate the development of better security mechanisms, higher audit standards, and a better regulatory framework. Transparency, developer accountability, and the active adoption of innovative security technologies remain key to restoring and strengthening trust.

Thus, security and reliability remain the main challenges for the sustainable development of DeFi, and successfully overcoming these risks will determine the future of decentralized finance.

Blockchain security companies like CertiK play a key role in preventing attacks on decentralized protocols and securing the Web3 ecosystem. Their activities cover several important areas:

1. Audit and formal verification of smart contracts

CertiK conducts deep audits of smart contract code , identifying vulnerabilities and errors before protocols are launched to the network. Using formal verification methods , the company mathematically proves the correctness of contracts, which significantly reduces the risk of exploits such as reentrancy attacks, which were used in the case of Voltage Finance 1 2 .

2. Use of artificial intelligence and automation

CertiK uses advanced artificial intelligence (AI) technologies to automatically scan and monitor protocols in real time. This allows you to quickly detect suspicious activity, anomalies and potential threats, preventing attacks at an early stage 1 2 .

3. Continuous monitoring and alerts

The CertiK platform includes tools such as Skynet that provide continuous monitoring of blockchain projects and instant notification of potential security incidents. This helps developers and users quickly respond to threats and minimize damage 2 .

4. Educational and consulting support

CertiK provides guidance on security best practices, helps project teams implement effective security measures and raise awareness of Web3 risks. This contributes to the formation of a security culture and the reduction of vulnerabilities 2 5 .

5. Rebuilding trust and collaborating with industry

The company helps restore trust in decentralized platforms by providing transparency and proven security. CertiK works closely with crypto exchanges, developers, and law enforcement agencies to help identify and block suspicious transactions, as well as facilitate incident investigations 1 5 .

What social engineering techniques do attackers use to commit large-scale cryptocurrency thefts?

The role of CertiK and similar companies is to comprehensively protect the blockchain ecosystem through auditing, formal verification, automated monitoring, and educational support. Their work significantly reduces the likelihood of successful attacks on DeFi protocols, facilitates timely detection of threats, and strengthens the trust of users and investors in decentralized platforms.

Attackers who commit large-scale cryptocurrency thefts widely use social engineering techniques aimed at deceiving and manipulating victims in order to obtain confidential information, access to accounts and funds. The main methods include:

Phishing is the sending of fake emails or messages that imitate official notifications from exchanges, wallets or services, with the aim of forcing the user to follow a malicious link, enter a login, password or private keys 1 2 3 4 .
Impersonation – the attacker poses as a bank employee, support service, law enforcement agency employee, or company executive in order to gain trust and obtain the necessary information or access 1 2 7 .
Pretexting is the creation of a plausible pretext for contacting a victim, such as offering help with a software update or participation in a rewards program, to trick the user into revealing data or installing malware 1 2 4 .
Use of internal slang and terminology – To increase trust, attackers study the corporate language and specifics of the organization’s work in order to appear more convincing 1 6 .
Keylogging and malware – sending attachments containing viruses, trojans or keyloggers that record keystrokes and transmit the data to attackers 1 2 .
Shoulder surfing is the physical observation of the entry of passwords or other sensitive information, for example, over the victim’s shoulder 1 8 .
Use of anonymous and replaceable communication channels – attackers use IP address changes, spoofing of phone numbers, instant messengers and “bookmarks” to transfer stolen funds, which makes them difficult to track 5 .
Long-term trust-building and multi-stage schemes – attacks can last for months, including correspondence, calls and even personal meetings until the victim takes the desired action (transfers data, installs software) 2 3 .
Using fear, urgency and promises – Attackers create pressure, for example by threatening to block an account or promising prizes, to force the victim to respond quickly and disclose information 6 .
Involvement of insiders and informants – criminal groups may have “spies” in banks or telecommunications services who provide information about customers and security systems 5 .

These social engineering techniques allow hackers to bypass technical barriers and gain direct access to users’ crypto wallets and accounts, making them one of the most effective tools for committing large-scale cryptocurrency thefts. Therefore, the most important protection measure remains raising user awareness and implementing multi-factor authentication, as well as regular training of employees of organizations 1 2 5 .

What specific social engineering schemes do attackers use to steal cryptocurrency?

Cryptocurrency attackers employ a variety of specific social engineering schemes aimed at manipulating victims into stealing their funds. The main ones include:

1. Phishing and fake sites

Fraudsters create exact copies of popular cryptocurrency exchanges, wallets or DeFi platforms to trick users into entering logins, passwords and private keys. Often, fake links are used with minor changes to the website address that are difficult to notice 1 5 6 .

2. Imitation of support service and famous people

Attackers pose as support staff from MetaMask, Binance, or other services, as well as crypto influencers or community managers. They copy profiles, names, and even verification badges to gain the victim’s trust and convince them to disclose sensitive information 1 5 .

3. Divorce via email and instant messengers

The victim receives a letter or message with a story about an account being hacked, the need for urgent recovery or security update. The scammer offers to “help” with generating a new seed phrase, while asking to provide the old one, which gives full control over the wallet 2 .

4. Fake apps and extensions

Fake versions of popular crypto wallets (for example, MetaMask, Trust Wallet) are created, which steal private keys and user funds when installed 5 6 .

5. Fake sweepstakes and investment offers

Scammers organize fake contests, airdrops or investment projects with promises of high profits to force users to transfer funds or reveal keys 5 .

6. Multi-stage personalized attacks

Before the attack, the attackers collect information about the victim from social networks (X, Discord, Telegram, Reddit), identify newcomers bragging about their income or NFTs, and develop a customized deception scenario. They establish a trusting relationship using real data and gradually push the victim to hand over access 1 5 7 .

7. Using a sense of urgency and fear

Fraudsters create pressure by threatening to block an account or lose funds so that the victim acts quickly and without verification, for example, by clicking on a malicious link or entering secret data 1 7 .

8. Pig Butchering

This is a long-term scheme where scammers establish a trusting relationship with the victim, often through instant messaging or social media, creating the illusion of a romantic or business relationship to convince the victim to invest large sums in fictitious projects, who then disappear with the money 10 .

Conclusion

Attackers use a combination of technical and psychological manipulation techniques, from phishing and fake sites to multi-stage, personalized attacks that build trust and create a sense of urgency. To protect yourself, it’s important to remain vigilant, verify sources of information, not reveal private keys, and use multi-factor authentication.

What psychological tricks do scammers use to create a sense of urgency in crypto attacks?

Fraudsters in crypto attacks actively use psychological techniques to create a sense of urgency in the victim , which makes them act quickly and impulsively, without including critical thinking. The main methods for creating this effect include:

Emotional pressure and stress . Fraudsters create a tense dialogue during which a person absorbs only a small part of the information (about 15%), which leads to emotional overload and a decrease in the ability to rationally assess the situation. This prevents the victim from making informed decisions and contributes to rash actions 1 .
Artificial time constraints . Attackers set strict time limits for making a decision, such as “confirm the data within 10 minutes” or “transfer funds within 5 minutes.” This forces the victim to focus on urgency rather than analyzing the situation, which reduces critical perception and increases the likelihood of error 1 2 3 .
Creating an atmosphere of fear and threat of harm . Fraudsters hint at or directly talk about possible negative consequences – account blocking, loss of funds, arrest or fines if the victim does not comply with their demands immediately. Such manipulation distracts attention from the details and increases pressure 1 6 .
Appeal to authority . Posing as employees of banks, law enforcement agencies, or well-known companies, scammers use an official tone and professional jargon to convince the victim of the need for urgent action 5 6 .
Playing on pity and sympathy . Sometimes the urgency is reinforced by emotional stories about the misfortune of loved ones or those in need, which further pushes the victim to quickly transfer funds 2 5 .

Final conclusion

Creating a sense of urgency is a classic and effective scam technique that shifts the victim’s thinking from rational to emotional, forcing them to make decisions based on fear or impulse. To resist such manipulation, it is important to remain calm, resist time pressure, verify information through official channels, and not disclose sensitive data under the threat of urgency.

The modern decentralized finance (DeFi) ecosystem continues to grow rapidly, opening up new opportunities for users and investors. However, as popularity and volumes of funds grow, so do the security threats. Incidents such as the Voltage Finance attack demonstrate how vulnerable protocols can be due to technical features, such as the use of the ERC-677 standard, which, despite its convenience and advanced functionality, creates additional risks, in particular those related to reentrancy attacks.

In addition to technical vulnerabilities, social engineering methods that attackers actively use to steal cryptocurrencies pose a significant threat. Phishing, imitation of support services, creating a sense of urgency, and multi-stage personalized schemes allow criminals to bypass even the most advanced technical barriers by directly influencing the human factor – the weakest element in the security chain.

In response to these challenges, blockchain security companies like CertiK play a critical role. Not only do they conduct deep audits and formal verification of smart contracts, identifying and remediating vulnerabilities before they are exploited, but they also provide ongoing monitoring, prompt alerts on suspicious activity, and educational support for developers and users. Together with law enforcement and analytics companies, they help track and block illicit transactions, including those that go through anonymizing services like Tornado Cash.

However, despite technical and organizational measures, restoring and strengthening trust in DeFi platforms remains a challenge. Every major hack undermines user and investor confidence, slowing down the development of the industry and attracting the attention of regulators. Therefore, key factors for sustainable growth are not only improving security technologies and legal regulation, but also raising awareness among all market participants about the risks of social engineering and the need for responsible behavior.

Ultimately, security in DeFi is a complex task that requires a synergy of technical innovation, sound risk management, and continuous interaction between developers, users, security companies, and law enforcement agencies. Only such an approach will minimize threats, increase the sustainability of the ecosystem, and ensure long-term trust in decentralized financial platforms.