cases / TC-2025-001
TARGET: tornado.cash | OPENED: 2025-12-09
tornado.cash receives 7.5K+ monthly organic searches worth $17.2K in traffic value. Attackers obtained this domain to intercept users searching for legitimate Tornado Cash services and redirect them to a phishing site that steals funds.
WHY THIS MATTERS: High organic traffic means thousands of users are visiting the tornado.cash domain directly. Each visitor is a potential phishing victim.
```
# ATTACK TIMELINE SUMMARY
# Mar 21, 2025 - US Treasury lifts Tornado Cash sanctions
# Mar 25, 2025 - Attacker registers tornado.cash (4 days later!)
# May 13, 2025 - Phishing site content created

# December 9, 2025 - Initial Investigation
$ dig tornado.cash +short
101.99.75.124
$ whois 101.99.75.124 | grep -i "netname\|country\|org"
netname: SHINJIRU-MY
country: MY
org: ORG-STSB2-AP

# December 12, 2025 - After exposure in crypto community
$ dig tornado.cash +short
213.123.60.195

# December 16, 2025 - Site now offline
$ curl -I https://tornado.cash/
curl: (28) Failed to connect: Connection timed out
# ERR_CONNECTION_TIMED_OUT
$ # VERDICT: Attacker took site offline after exposure
$ # Investigation successful - phishing operation disrupted
```

| Property | tornado.cash | tornadocash.eth.limo |
|---|---|---|
| Initial IP | 101.99.75.124 | |
| Current IP | 213.123.60.195 | |
| Hosting | BT UK (London) | |
| Wayback Code | DETECTED | |
| Verdict | PHISHING | |