Hacker Moves Funds Stolen From Unleash Protocol Through Tornado Cash

  • The hacker moved 1,337 ETH through a compromised Unleash multisig governance wallet.
  • Stolen funds were routed through Tornado Cash to obfuscate transaction trails.
  • The breach is limited to Unleash; Story Protocol’s infrastructure remains unaffected.

A hacker who recently exploited Unleash Protocol has begun laundering the stolen funds through Tornado Cash, an Ethereum-based privacy service, according to blockchain security and on-chain data firms.

The attacker is attempting to hide roughly 1,337 ETH—worth about $4 million—that was withdrawn from Unleash earlier this week.

Security firms PeckShield and CertiK reported that the funds were first converted to ETH, then split into multiple transfers, often around 100 ETH each, before being deposited into Tornado Cash, a well-known crypto-mixing protocol.

Governance takeover led to the Unleash exploit

Unleash confirmed on Tuesday that it suffered a major security incident resulting in approximately $3.9 million in losses.

The protocol paused operations and launched a forensic investigation into the breach.

According to Unleash, preliminary findings indicate an external wallet gained unauthorized administrative control over the protocol via its multisignature (multisig) governance system.

The attacker then executed an unauthorized contract upgrade that allowed user funds to be withdrawn without proper approvals.

“This upgrade enabled the removal of assets that were not approved by the Unleash team and occurred outside our planned governance and operational procedures,” the team said in a statement posted on X.

Security analysts believe the compromise may have resulted from phishing or another form of social engineering that allowed the attacker to control governance keys, effectively bypassing standard safeguards.

Stolen assets were consolidated and mixed

The stolen assets reportedly included Wrapped IP (WIP), USDC, Wrapped Ether (WETH), stIP, and vIP tokens.

On-chain analysis shows most of these assets were first converted and consolidated into ETH, and then sent through Tornado Cash—an approach frequently used by attackers to complicate tracing and recovery efforts.

CertiK reported detecting suspicious withdrawals of WETH and Story tokens that were sent to an external address created using SafeProxyFactory from Safe—a popular smart-contract framework for multisig wallets.

#CertiKInsight 🚨

We have detected deposits of 1337.1 ETH (~$3.9M) into Tornado Cash from 0xc946981F5dFBFA10cf858B95d51Fc06DCD15BfE3.

The fund traces to suspicious withdrawals of Wrapped ETH and Story tokens from a multisig that may have been compromised.…

— CertiK Alert (@CertiKAlert) December 30, 2025

No wider impact on the ecosystem, says Unleash

Unleash emphasized that the breach affected only its own governance and administrative contracts.

The Unleash team stated there is currently no evidence that Story Protocol, the layer-1 blockchain on which Unleash is built, was compromised.

“The impact appears to be limited to contracts and administrative controls specific to Unleash,” the team said, adding that validators, core infrastructure, and Story Protocol’s contracts remain unchanged.

Unleash is one of the more prominent applications in the Story Protocol ecosystem, focusing on tokenized intellectual property and blockchain-based IP management.

PIP Labs, the company behind Story Protocol, has raised approximately $140 million from prominent investors.

Users warned as investigation continues

The Unleash team urged users to avoid interacting with the protocol while the investigation is ongoing and said it will provide updates on the incident and potential remediation measures once more verified information is available.

As of this writing, Unleash has not disclosed whether it will pursue reimbursements or compensation for affected users. The attacker’s use of Tornado Cash may significantly complicate efforts to trace or recover the stolen assets.