One of the most significant hacks in the history of crypto has gone unsolved for almost six years, after an unknown attacker siphoned 3.6 million Ether – worth over US$9bil (RM37.66bil) at current prices – from a decentralised fund known as TheDAO. Now, journalist Laura Shin says in a new book that she may have discovered the person behind it.

The 2016 attack on TheDAO was the result of a flaw in its code allowing an attacker to slowly drain funds from the main platform into other newly-created DAOs, relying on good actors to engage with those offshoot DAOs to stop the attacker from withdrawing funds entirely.

That year, a hacker exploited that flaw to steal around 31% of TheDAO’s total Ether stash, which at the time was around 5% of all ETH ever created. In order to stop that person getting away with most of the cash, Ethereum developers were forced to split its blockchain in two. The result was that the hacker was not left with the ETH we know today, but Ethereum Classic – worth far less than ETH, valuing the total token pile at around US$94mil (RM393.43mil) in today’s prices.

Detailing the findings of her book in a Forbes summary on Tuesday, Shin pointed to Toby Hoenisch, co-founder and chief financial officer of Euro-pegged stablecoin project Mimo Capital, as the alleged hacker. Shin cited a web of data and evidence based on tracked transactions and comments made by Hoenisch about security flaws in TheDAO before the attack occurred.

Hoenisch denied to Shin that her findings were accurate. Hoenisch did not immediately respond to Bloomberg requests for comment.

Research carried out by Shin, early Ethereum developer Alex van de Sande, crypto research firm Chainalysis and others alleged that Hoenisch had brought the specific flaw exploited in the 2016 hack to the attention of TheDAO several weeks before it occurred.

In a statement to Bloomberg, Shin said her findings provide “extremely strong evidence of the attacker’s identity”, alleging Hoenisch’s knowledge of TheDAO provided him with the means and motivation to carry out the hack.

Following the theft, the attacker tried to obscure some of their activity by transferring funds through the privacy mixer Wasabi Wallet. A tool newly developed by Chainalysis de-mixed these transactions, allowing researchers to find the exchanges that subsequently received the stolen funds in accounts allegedly managed by Hoenisch.

Wasabi Wallet did not immediately respond to a request for comment.

“Now that Chainalysis has disclosed with my book and article that it has the ability to de-mix Wasabi transactions, I imagine a number of people who have used that mixer for illicit purposes are feeling insecure today,” Shin said in an email.

“This may get them wondering if blockchain forensics will catch up to them later, even if they use the latest crypto obfuscation techniques today.” – Bloomberg