Garden Finance exploiter moves $6.65M to Tornado Cash after $10.8M hack

Key Takeaways

Where did the stolen funds go?

The Garden Finance exploiter transferred some of the funds to Tornado Cash, while one attacker address still holds approximately $910,000 in stolen assets.

Why is this exploit especially controversial?

Before the hack, ZachXBT accused Garden Finance of laundering funds from major breaches, making Garden both an accused facilitator and victim.

The hacker behind the Garden Finance exploit has transferred $6.65 million worth of stolen crypto to Tornado Cash. 

Source: CertiK

Security firm CertiK tracked the movements today, revealing the exploiter sent 501 BNB and 1,910 ETH through the privacy mixer.

One attacker’s address still holds approximately $910,000 in stolen funds.

The original attack

Garden Finance suffered an exploit on 31 October. AMBCrypto reported that hackers drained $10.8 million across multiple blockchains, including Arbitrum, Ethereum, and Solana. Blockchain investigator ZachXBT first spotted the unauthorized withdrawals.

The team offered a 10% white-hat bounty to the attacker, but the hacker never responded. Instead, they began laundering the stolen funds through Tornado Cash this week.

Garden Finance team claims solver compromise

Garden Finance co-founder Jaz Gulati posted an update on 5 November 5. He insisted the breach hit only a third-party solver’s web2 infrastructure, not Garden’s core contracts.

“No user funds or protocol contracts were affected,” Gulati wrote. “All systems performed as intended under failure conditions.”

The team outlined plans to restore operations, strengthen solver security, and onboard additional independent solvers for redundancy.

On-chain evidence tells a different story

ZachXBT disputed Garden’s version of events. He shared screenshots of an on-chain message from a Garden deployer address to the attacker. The message admitted “our systems have been compromised across multiple blockchains.”

The contradiction between the team’s public statement and the on-chain message raised questions about the true scope of the breach.

Money laundering allegations

Before the exploit, ZachXBT had accused Garden Finance of processing stolen funds. He claimed over 25% of Garden’s activity involved laundered money from major hacks, including the $1.4 billion Bybit breach.

Former Ren Protocol developers built Garden Finance. Ren previously processed over $540 million in illicit funds before being delisted by major exchanges.

Investigators suspect the DPRK-linked hacker group “Dangerous Password” orchestrated the Garden attack.

What’s next?

The platform has not addressed the latest fund movements to Tornado Cash. With millions now mixed through a privacy protocol, recovery prospects appear slim.

The incident highlights ongoing security challenges in cross-chain DeFi infrastructure and the risks protocols face when processing questionable fund flows.