When DAO governance fails: how TOP was taken over and what Tornado Cash has to do with it
The TOP incident shows that taking over a crypto project does not always require hacking smart contracts. In some cases, acquiring enough voting power and exploiting the system exactly as designed can be enough.
15.06.2026
In early June, an unusual incident shook a cryptocurrency project. A decentralized protocol was taken over not through a technical exploit, but through governance manipulation backed by liquidity. GetBlock AML Research examines how TOP lost approximately $1.6 million.
Key Takeaways
- On June 9, 2026, an attacker withdrew approximately 664 ETH worth $2.7 million from Tornado Cash and used the funds to gain control of TOP, a decentralized trade settlement protocol on Ethereum. After securing majority voting power, the attacker minted new TOP tokens and sold them for roughly $1.6 million in profit. The incident occurred more than a year after U.S. authorities removed Tornado Cash addresses from sanctions lists.
- Before sanctions were imposed, Tornado Cash accounted for roughly half of all cryptocurrency obfuscation activity across blockchain networks. Its market share peaked at around 59% in Q2 2022. Following OFAC sanctions in August 2022, that figure dropped to approximately 16%, but by the end of 2025 it had recovered to more than 40%.
- The TOP takeover illustrates a fully traceable on-chain attack chain: funds are withdrawn from a crypto mixer, used to acquire governance control, leveraged to approve the issuance of new tokens, and ultimately converted into profit through token sales.
- The case highlights that funds originating from privacy and mixing services remain a significant risk factor in governance attacks against blockchain projects and can be traced long after the legal status of those services changes.
The Trail Leads Back to Tornado Cash
On June 9, 2026, an attacker withdrew approximately 664 ETH, worth about $2.7 million, from Tornado Cash and used the funds to seize control of TOP, a small Ethereum-based decentralized protocol.
After gaining control of the project's governance process, the attacker proposed and approved the issuance of new TOP tokens to an address under their control. Those tokens were subsequently sold, generating an estimated $1.6 million in profit.
Every step of the operation is recorded on-chain and can be traced from the initial withdrawal to the final proceeds.
Connection between the attacker's address and the Tornado Cash smart contract. Source: TRM Labs
To understand the significance of the incident, it is necessary to examine the history of Tornado Cash itself—one of the most controversial, debated, and legally complex projects in the cryptocurrency industry over the past several years.
Why Tornado Cash Remains So Controversial
Tornado Cash is an Ethereum-based privacy protocol launched in 2019.
Its primary function is to break the public link between the sender and recipient of cryptocurrency transactions. Users deposit ETH into a smart contract and later withdraw an equivalent amount to a different address, making it significantly more difficult for observers to trace ownership of funds.
A key feature of Tornado Cash is that its core smart contracts are immutable. Once deployed, no one can stop them, alter their functionality, or redirect user funds.
Although the protocol has legitimate privacy use cases, by mid-2022 it had processed more than $7 billion in transactions. At the time, Tornado Cash facilitated nearly half of all cryptocurrency obfuscation activity across blockchain networks. It was also widely used by ransomware operators, cybercriminals, and the North Korean hacking group Lazarus.
In August 2022, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) added Tornado Cash to the SDN sanctions list under Executive Order 13694. It marked the first time U.S. authorities effectively sanctioned open-source software rather than a specific individual or organization.
The decision immediately sparked controversy. Critics argued that the government had exceeded its legal authority. In 2023, Tornado Cash developers Roman Storm and Roman Semenov were charged with money laundering and sanctions-related offenses.
Following the sanctions, some individuals began sending small amounts of Tornado Cash-linked cryptocurrency to public wallets belonging to prominent figures. The goal was to demonstrate the practical absurdity of a situation in which even unwilling recipients could potentially face sanctions compliance concerns.
In November 2024, the U.S. Court of Appeals for the Fifth Circuit ruled in Van Loon v. Treasury Department that immutable smart contracts do not constitute "property" under the relevant law and that OFAC had exceeded its statutory authority.
On March 21, 2025, the U.S. Treasury removed Tornado Cash from the sanctions list. However, the criminal cases against its developers continued separately. As of June 2026, the protocol itself is no longer sanctioned, though its creators remain involved in ongoing legal proceedings.
Despite continuing debate over whether software developers should be held responsible for how their code is used—and whether governments should be able to sanction decentralized protocols—Tornado Cash remains one of the most widely used cryptocurrency mixing services on Ethereum.
More Than $700 Million Has Flowed Through Tornado Cash in 2026
When Tornado Cash addresses were sanctioned in August 2022, the protocol’s share of the crypto-mixing market dropped sharply to around 16%. However, by the fourth quarter of 2025, its market share had climbed back above 40%.
Throughout 2026, Tornado Cash accounted for just over 20% of all cryptocurrency mixer activity. It remains the largest mixer within the Ethereum ecosystem, with weekly inflows ranging from approximately $10 million to $80 million.
Weekly transfer volumes to Tornado Cash smart contracts in 2026. Source: TRM Labs
Looking at the broader market, crypto mixers processed more than $3 billion per quarter in 2021. Activity later declined to roughly $1 billion per quarter throughout most of 2023 and 2024.
Volumes began recovering in 2025, reaching nearly $2.7 billion per quarter. While Wasabi became the largest mixer by inflow volume in 2026, Tornado Cash remains the second-largest mixer globally and the largest among Ethereum-based services.
How the TOP Protocol Was Taken Over
TOP is a relatively small Ethereum-based project with a total token supply of just 16,384 TOP.
Governance is managed through Aragon DAO, where voting power is determined by the number of tokens held. As a result, anyone who acquires a majority of the token supply effectively gains control over the project’s governance decisions.
The token was traded through a Balancer V1 liquidity pool.
A critical weakness in the governance design was the absence of a timelock mechanism. This meant a proposal could be created, voted on, and executed within a single transaction, leaving no time for review, discussion, or opposition.
Using the 664 ETH withdrawn from Tornado Cash, the attacker purchased enough TOP tokens to secure majority voting power.
The attacker then:
- Acquired a controlling stake in TOP governance;
- Passed a proposal to mint new TOP tokens to an address they controlled;
- Immediately sold the newly issued tokens through a decentralized exchange, generating approximately $1.6 million in profit.
In practice, the attacker did not exploit a software vulnerability. Instead, they used the governance system exactly as it was designed.
The problem was that governance power became concentrated in a single participant’s hands, allowing the rules of the protocol to be used for personal gain. The lack of a timelock enabled the entire operation to unfold almost instantly, giving other stakeholders no opportunity to respond.
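The two conditions described above (a freshly bought majority stake and a proposal executed with no review window) can be checked on decoded governance events. The following is an added example, not code from the original article, TOP, or Aragon; the event fields, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical decoded event: actor is the recipient (transfer), voter or caller;
# amount is tokens received or voting weight cast; action is the decoded call.
Event = namedtuple("Event", "block tx kind actor proposal amount action",
                   defaults=(0, 0, ""))

TOTAL_SUPPLY = 16_384  # TOP supply stated in the article
MIN_DELAY = 7_200      # assumed policy: blocks of review before execution
FRESH = 7_200          # assumed: stake bought this recently counts as fresh

def review(events):
    """Return {proposal_id: [findings]} for every executed proposal."""
    created = {e.proposal: e for e in events if e.kind == "proposal_created"}
    executed = {e.proposal: e for e in events if e.kind == "executed"}
    votes = [e for e in events if e.kind == "vote"]
    buys = [e for e in events if e.kind == "transfer"]
    report = {}
    for pid, ex in executed.items():
        c, findings = created[pid], []
        if ex.tx == c.tx:  # the no-timelock case the article describes
            findings.append("created-and-executed-in-one-tx")
        elif ex.block - c.block < MIN_DELAY:
            findings.append("review-window-too-short")
        for v in (v for v in votes if v.proposal == pid):
            if v.amount > TOTAL_SUPPLY / 2:
                findings.append("single-voter-majority")
                fresh = sum(t.amount for t in buys if t.actor == v.actor
                            and 0 <= v.block - t.block <= FRESH)
                if fresh > TOTAL_SUPPLY / 2:
                    findings.append("majority-acquired-recently")
        if c.action == "mint":
            findings.append("supply-changing-action")
        report[pid] = findings
    return report

# Constructed sample events, not real chain data.
SAMPLE = [
    Event(100, "0xaa", "transfer", "buyer", amount=9000),
    Event(105, "0xbb", "proposal_created", "buyer", 1, action="mint"),
    Event(105, "0xbb", "vote", "buyer", 1, 9000),
    Event(105, "0xbb", "executed", "buyer", 1),
    Event(200, "0xc1", "proposal_created", "holder_a", 2, action="set_fee"),
    Event(300, "0xc2", "vote", "holder_a", 2, 3000),
    Event(301, "0xc3", "vote", "holder_b", 2, 3000),
    Event(8200, "0xc4", "executed", "holder_a", 2),
]
```

On the sample, proposal 1 collects all four findings while proposal 2, which waited out the assumed review window and had no majority voter, collects none.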
Why Mixers Do Not Make Funds Invisible
One reason Tornado Cash remains popular among criminals is the belief that once funds pass through a mixer, their origin becomes impossible to trace. In reality, that is not always the case.
Blockchain investigators employ a variety of techniques, including:
- timing analysis;
- behavioral pattern analysis;
- anonymity set examination;
- tracking off-ramp points into traditional financial systems.
These methods often allow analysts to continue following the movement of funds even after they have passed through a mixing service.
As a result, assets that have interacted with mixers may continue to carry elevated risk indicators and remain subject to scrutiny regardless of whether the mixer itself is currently sanctioned.
Such investigative techniques have already played a key role in several major cases, including the $190 million Nomad bridge hack and the Nirvana Finance exploit, which resulted in the first criminal conviction tied to a smart contract attack.