Case TC-2025-001 (status: CRITICAL, ACTIVE)
tornado.cash Domain Theft Investigation
Target: tornado.cash | Opened: 2025-12-09

CRITICAL THREAT DETECTED
Domain Hijack: High-Traffic Target
tornado.cash receives 7.5K+ monthly organic searches worth $17.2K in traffic value. Attackers obtained this domain to intercept users searching for legitimate Tornado Cash services and redirect them to a phishing site that steals funds.
Domain Analytics: tornado.cash (traffic analysis, subdomains included)

- Organic Traffic: 7,538
- Traffic Value: $17,280
- Organic Keywords: 164
- Paid Traffic: 0
Top countries by traffic

- United States: 2,268
- United Kingdom: 471
- France: 394
- Indonesia: 385
- Russia: 241
Top ranking keywords

| Keyword | Position | Volume |
|---|---|---|
| tornado cash | #1 | 3,850 |
| tornadocash | #1 | 640 |
| tornado cash crypto | #1 | 165 |
| tornado.cash | #1 | 48 |
| tornado crypto | #1 | 115 |
Traffic history (2024-08 to 2024-12): ↑241% change

WHY THIS MATTERS: High organic traffic means thousands of users are visiting the tornado.cash domain directly. Each visitor is a potential phishing victim.
DNS_INVESTIGATION

- Initial IP (Dec 9): 101.99.75.124
- Current IP (Dec 12): 213.123.60.195
- Server: Apache
- SSL Issuer: Let's Encrypt R12
- Status: SUSPICIOUS
WHOIS_ANALYSIS

- Registrar: Google Inc.
- Created: 2019-07-17
- Initial Hosting: Shinjiru Technology Sdn Bhd (Bulletproof)
- Current Hosting: BT UK (London)
- IP Migration: 101.99.75.124 → 213.123.60.195
recon_output.log

```
# ATTACK TIMELINE SUMMARY
# Mar 21, 2025 - US Treasury lifts Tornado Cash sanctions
# Mar 25, 2025 - Attacker registers tornado.cash (4 days later!)
# May 13, 2025 - Phishing site content created
# December 9, 2025 - Initial Investigation
$ dig tornado.cash +short
101.99.75.124
$ whois 101.99.75.124 | grep -i "netname\|country\|org"
netname: SHINJIRU-MY
country: MY
org: ORG-STSB2-AP
# December 12, 2025 - After exposure in crypto community
$ dig tornado.cash +short
213.123.60.195
# December 16, 2025 - Site now offline
$ curl -I https://tornado.cash/
curl: (28) Failed to connect: Connection timed out
# ERR_CONNECTION_TIMED_OUT
$ # VERDICT: Attacker took site offline after exposure
$ # Investigation successful - phishing operation disrupted
```
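The log above is a manual dig/whois/curl check repeated over three dates. The script below is an added example, not part of the case page or its tooling: it parses snapshots of that shape, uses the first one as a baseline, and reports A-record drift, a hosting (netname) change, and resolves-but-unreachable states. The snapshot data is constructed from the IPs and dates on this page; the Dec 12 whois text is a placeholder because the page does not show that output.

```python
import re

def parse_whois(text):
    """Pull netname/country/org from `whois <ip>` output (the fields the
    investigation grepped for); the first occurrence of each field wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(netname|country|org)\s*:\s*(\S.*)", line, re.I)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2).strip())
    return fields

def assess_snapshot(snapshot, baseline):
    """Compare one dig/whois/curl snapshot against the recorded baseline.
    snapshot: {"date", "ips" (dig +short lines), "whois" (raw text), "http_ok"}
    baseline: {"ips": set of expected A records, "netnames": allowed netnames}
    Returns a list of findings; an empty list means no drift."""
    findings, d = [], snapshot["date"]
    ips = set(snapshot["ips"])
    if not ips:
        findings.append(f"{d}: domain no longer resolves")
    elif ips - baseline["ips"]:
        findings.append(f"{d}: A record moved to {sorted(ips - baseline['ips'])}")
    info = parse_whois(snapshot.get("whois", ""))
    netname = info.get("netname")
    if netname and netname not in baseline["netnames"]:
        findings.append(f"{d}: hosting now {netname} ({info.get('country', '?')})")
    if ips and not snapshot.get("http_ok", True):
        findings.append(f"{d}: resolves but HTTPS unreachable (taken down or blocking)")
    return findings

# Constructed snapshots using the dates/IPs from the case log. The Dec 12
# whois text is a placeholder; the page shows no whois output for that IP.
SNAPSHOTS = [
    {"date": "2025-12-09", "ips": ["101.99.75.124"],
     "whois": "netname: SHINJIRU-MY\ncountry: MY\norg: ORG-STSB2-AP", "http_ok": True},
    {"date": "2025-12-12", "ips": ["213.123.60.195"],
     "whois": "netname: PLACEHOLDER-UK-NET\ncountry: GB", "http_ok": True},
    {"date": "2025-12-16", "ips": ["213.123.60.195"], "whois": "", "http_ok": False},
]

def run_case():
    """Treat the first snapshot as baseline and report drift in later ones."""
    first = SNAPSHOTS[0]
    baseline = {"ips": set(first["ips"]),
                "netnames": {parse_whois(first["whois"]).get("netname")}}
    return {s["date"]: assess_snapshot(s, baseline) for s in SNAPSHOTS}

if __name__ == "__main__":
    for date, findings in run_case().items():
        print(date, findings or ["no change"])
```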
INFRASTRUCTURE_COMPARISON
| Property | tornado.cash | tornadocash.eth.limo |
|---|---|---|
| Initial IP | 101.99.75.124 | |
| Current IP | 213.123.60.195 | |
| Hosting | BT UK (London) | |
| Wayback Code | DETECTED | |
| Verdict | PHISHING | |