Ethical Hacking News
A $3.9 million heist has been uncovered at Unleash Protocol, a decentralized intellectual property platform, due to an unauthorized contract upgrade by an attacker who used Tornado Cash for mixing stolen assets. The incident highlights the need for robust security measures within DeFi platforms and underscores the importance of smart contract audits.
The decentralized intellectual property platform Unleash Protocol has been hacked, resulting in $3.9 million worth of cryptocurrency stolen. The hack highlights vulnerabilities within the DeFi ecosystem and the need for robust security measures. Unleash Protocol's multisig governance system was exploited to gain administrative control, allowing asset withdrawals and theft. The stolen assets were laundered through Tornado Cash, a sanctioned service used for cryptocurrency mixing. The incident emphasizes the importance of robust security protocols in decentralized platforms and the need for developers to prioritize security.
The decentralized intellectual property platform, Unleash Protocol, has fallen victim to a sophisticated cyber attack that resulted in the theft of approximately $3.9 million worth of cryptocurrency. The incident highlights the vulnerabilities present within the DeFi ecosystem and the need for robust security measures to protect against such attacks.
Unleash Protocol, which operates as an operating system for managing intellectual property (IP), converts IP into on-chain assets (tokens) that can be used as collateral within the DeFi ecosystem. The platform provides a monetization layer through smart contracts and automatically distributes licensing and royalty revenue to predefined stakeholders according to on-chain rules.
However, on December 31st, 2025, an attacker successfully executed an unauthorized contract upgrade that allowed asset withdrawals. This upgrade was carried out by an externally owned address that gained administrative control via Unleash's multisig governance system, which enabled the theft of WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP) assets.
The stolen assets were then bridged via third-party infrastructure and transferred to external addresses in order to reduce traceability. According to PeckShieldAlert, the attacker deposited the stolen amounts into the Tornado Cash cryptocurrency mixing service in the form of 1,337 ETH.
Tornado Cash, a service that enables users to route cryptocurrency through obfuscation mechanisms before withdrawing it to new, unlinkable wallets, was sanctioned by the U.S. in 2022 for its role in laundering funds for North Korean hacking groups and was delisted in 2025. The use of Tornado Cash by the attacker is a stark reminder of the risks associated with relying on third-party services for cryptocurrency mixing.
In response to the incident, Unleash Protocol has paused all operations and launched an investigation with the help of external security experts to determine the root cause of the exploit. The company is also evaluating remediation and recovery measures to prevent similar incidents in the future.
This incident serves as a wake-up call for the DeFi ecosystem and highlights the importance of robust security protocols within decentralized platforms like Unleash Protocol. The use of multisig governance systems and smart contract audits can play a crucial role in preventing such attacks.
As the cryptocurrency landscape continues to evolve, it is essential that developers prioritize security and implement measures to prevent similar incidents from occurring in the future.
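The sequence described above, a change in multisig control followed by a contract upgrade, can be monitored for. The following is an added example, not code from Unleash Protocol or from the original article. It assumes an indexer has already decoded Safe-style multisig events (`AddedOwner`, `RemovedOwner`, `ChangedThreshold`) and ERC-1967-style proxy `Upgraded` events; the article does not say which contracts Unleash uses, and every address and the `review` helper are hypothetical.

```python
# Added example: triage decoded governance and proxy events (hypothetical helper).
# Event names assume Safe-style multisig and ERC-1967 proxy contracts.
GOV_EVENTS = {"AddedOwner", "RemovedOwner", "ChangedThreshold"}

def review(events, multisig, approved_impls, min_threshold, window=50):
    """Return (block, severity, reason) alerts for a list of decoded events."""
    alerts = []
    last_gov_change = None  # block of the most recent signer/threshold change
    for ev in sorted(events, key=lambda e: e["block"]):
        name, args = ev["event"], ev["args"]
        if ev["contract"] == multisig and name in GOV_EVENTS:
            last_gov_change = ev["block"]
            if name == "ChangedThreshold" and args["threshold"] < min_threshold:
                alerts.append((ev["block"], "high",
                               f"threshold {args['threshold']} below minimum"))
            else:
                alerts.append((ev["block"], "medium", f"{name} on multisig"))
        elif name == "Upgraded" and ev["contract"] in approved_impls:
            impl = args["implementation"]
            if impl in approved_impls[ev["contract"]]:
                continue  # implementation is on the reviewed allow-list
            # An unapproved upgrade right after a governance change is the worst case.
            recent = (last_gov_change is not None
                      and ev["block"] - last_gov_change <= window)
            alerts.append((ev["block"], "critical" if recent else "high",
                           f"unapproved implementation {impl}"))
    return alerts

# Constructed sample data; every address below is a placeholder.
MULTISIG = "0xMULTISIG_PLACEHOLDER"
PROXY = "0xPROXY_PLACEHOLDER"
APPROVED = {PROXY: {"0xIMPL_AUDITED_V2"}}
SAMPLE = [
    {"block": 50, "contract": PROXY, "event": "Upgraded",
     "args": {"implementation": "0xIMPL_AUDITED_V2"}},
    {"block": 100, "contract": MULTISIG, "event": "AddedOwner",
     "args": {"owner": "0xSIGNER_NEW"}},
    {"block": 101, "contract": MULTISIG, "event": "ChangedThreshold",
     "args": {"threshold": 1}},
    {"block": 105, "contract": PROXY, "event": "Upgraded",
     "args": {"implementation": "0xIMPL_UNKNOWN"}},
]

if __name__ == "__main__":
    for alert in review(SAMPLE, MULTISIG, APPROVED, min_threshold=3):
        print(alert)
```

An alert at the "critical" level is the point at which pausing the affected contracts is still useful, since the upgrade precedes the withdrawals it enables.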
Related Information:
https://www.ethicalhackingnews.com/articles/Hacking-the-Unleash-Protocol-A-39-Million-Heist-Exposed-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-drain-39m-from-unleash-protocol-after-multisig-hijack/
Published: Wed Dec 31 10:00:19 2025 by llama3.2 3B Q4_K_M