- Hacker Protocol drained 1,337 ETH via compromised Unleash multisig governance.
- The stolen funds have been sent through Tornado Cash to obscure transaction trails.
- The breach is limited to Unleash, and Story Protocol infrastructure is unaffected.
A hacker who recently exploited Unleash Protocol has begun laundering stolen funds through the Ethereum-based privacy service Tornado Cash, according to on-chain data and blockchain security firms.
The attacker is attempting to obscure the trail of roughly 1,337 ETH, valued at close to $4 million, drained from Unleash earlier this week.
Security companies PeckShield and CertiK have reported that the funds were transferred to Ethereum and broken into multiple batches, often around 100 ETH each, before being deposited into Tornado Cash, a well-known crypto mixing protocol.
Governance takeover led to the Unleash exploit
Unleash confirmed on Tuesday that it had suffered a significant security breach, resulting in approximately $3.9 million in losses.
The protocol has paused operations and launched a forensic investigation into the incident.
According to Unleash, preliminary findings indicate that an externally owned wallet gained unauthorised administrative control over the protocol via its multisignature (multisig) governance system.
The attacker then executed an unauthorised contract upgrade that enabled withdrawals of user funds without proper approvals.
“This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures,” the team said in a statement posted on X.
Security analysts suggest the compromise may have been the result of phishing or another form of social engineering that allowed the attacker to gain control over governance keys, effectively bypassing standard safeguards.
The stolen assets bridged and mixed
The stolen assets reportedly included Wrapped IP (WIP), USDC, Wrapped Ether (WETH), stIP, and vIP tokens.
On-chain analysis shows that most of these assets were first bridged to Ethereum, then consolidated into ETH and routed through Tornado Cash, an approach commonly used by hackers to hinder tracking and recovery efforts.
CertiK said it initially detected suspicious withdrawals of WETH and IP-related tokens that were sent to an externally owned address created using Safe’s SafeProxyFactory, a popular smart contract framework for multisig wallets.
We have detected deposits of 1337.1 ETH (~$3.9M) into Tornado Cash from 0xc946981F5dFBFA10cf858B95d51Fc06DCD15BfE3.
The fund traces to suspicious withdrawals of Wrapped ETH and Story tokens from a multisig that may have been compromised.… pic.twitter.com/YIFEAEwilc
— CertiK Alert (@CertiKAlert) December 30, 2025
No broader ecosystem impact, says Unleash
Unleash emphasised that the breach was confined to its own governance and administrative contracts.
The Unleash team stated there is currently no evidence that Story Protocol, the Layer 1 blockchain Unleash is built on, was compromised.
“The impact appears limited to Unleash-specific contracts and administrative controls,” the Unleash team said, adding that Story Protocol’s validators, core infrastructure, and contracts remain unaffected.
Unleash is one of the higher-profile applications in the Story Protocol ecosystem, which focuses on tokenised intellectual property and on-chain IP management.
PIP Labs, the company behind Story Protocol, has raised around $140 million in funding from prominent investors.
Users warned as investigation continues
The Unleash team has urged users not to interact with the protocol while the investigation is ongoing and said it will provide updates on the incident and potential remediation measures as more verified information becomes available.
As of the time of writing, Unleash had not disclosed whether it plans to pursue fund recovery efforts or compensation for affected users, and the use of Tornado Cash by the hacker may significantly complicate any attempts to trace or reclaim the stolen assets.
