- The hacker drained 1,337 ETH through a compromised multisig management on Unleash Protocol.
- Stolen funds were routed through Tornado Cash to obscure transaction trails.
- The breach appears limited to Unleash; the core infrastructure of the Story Protocol remains intact.
A hacker who recently exploited Unleash Protocol has begun laundering the stolen funds via the Ethereum-based privacy service Tornado Cash, according to on-chain analytics and blockchain security firms.
The attacker is attempting to obscure roughly 1,337 ETH—valued at nearly $4 million—taken from Unleash earlier this week.
Security firms PeckShield and CertiK report that the funds were moved onto Ethereum and split into several batches—frequently around 100 ETH each—before being deposited into Tornado Cash, a well-known cryptocurrency mixing service.
Compromised multisig governance led to Unleash exploit
Unleash confirmed on Tuesday that it experienced a major security breach that resulted in approximately $3.9 million in losses.
The protocol paused operations and launched a forensic investigation into the incident.
According to Unleash, initial findings indicate that an external wallet obtained unauthorized administrative control over the protocol via the multisignature governance system.
The attacker then executed an unauthorized contract update that allowed withdrawals of user funds without the required approvals.
“This update enabled the withdrawal of assets that were not approved by the Unleash team and occurred outside our intended governance and operational procedures,” the team said in a statement posted on X.
Security analysts suggest the compromise may have resulted from phishing or another form of social engineering that allowed the attacker to take control of management keys, effectively bypassing standard safeguards.
Stolen assets consolidated and mixed
The stolen assets reportedly included Wrapped IP (WIP), USDC, Wrapped Ether (WETH), stIP, and vIP tokens.
On-chain analysis shows most of these assets were first moved onto Ethereum, consolidated into ETH, and then routed through Tornado Cash—an approach commonly used by hackers to hinder tracking and recovery efforts.
CertiK initially detected suspicious withdrawals of WETH and Story-related tokens sent to an external address created using SafeProxyFactory from Safe, a popular smart contract framework for multisig wallets.
#CertiKInsight 🚨
We have detected deposits of 1337.1 ETH (~$3.9M) into Tornado Cash from 0xc946981F5dFBFA10cf858B95d51Fc06DCD15BfE3.
The fund traces to suspicious withdrawals of Wrapped ETH and Story tokens from a multisig that may have been compromised.… pic.twitter.com/YIFEAEwilc
— CertiK Alert (@CertiKAlert) December 30, 2025
No wider impact to the Story ecosystem, says Unleash
Unleash emphasized that the breach was confined to its own governance and administrative contracts.
The team stated there is currently no evidence that Story Protocol—the layer-1 blockchain on which Unleash is built—was compromised.
“The impact appears limited to contracts and administrative controls specific to Unleash,” the Unleash team said, adding that Story Protocol validators, critical infrastructure, and other contracts remain unaffected.
Unleash is one of the more prominent applications within the Story Protocol ecosystem, which focuses on tokenized intellectual property and on-chain IP management.
Labs, the organization behind Story Protocol, has raised roughly $140 million from leading investors.
Users warned as investigation continues
The Unleash team urged users not to interact with the protocol while the investigation is ongoing and said it will share updates and any remediation plans as verified information becomes available.
As of this writing, Unleash has not disclosed whether it plans to pursue fund recovery or compensation for affected users. The attacker’s use of Tornado Cash may significantly complicate any tracking or recovery attempts.