Evidence
root@defense:~/evidence$ cat findings.json

Gathered Evidence

// Structured findings from tornado.cash domain investigation

Total Findings: 24
Confirmed: 16
Suspicious: 6
Suspect Accounts: 21
Active/404: 1/20

DNS_RESOLUTION

CONFIRMED
Domain: tornado.cash
Initial IP (Dec 9): 101.99.75.124 (Shinjiru, Malaysia)
Current IP (Dec 12): 213.123.60.195 (BT UK, London)
Server Type: Apache
Expected IP: 3.135.72.151 (AWS)

WHOIS_ANALYSIS

CONFIRMED
Registrar: Google Inc.
Created Date: 2019-07-17
Domain Status: clientHold (Seized/Suspended)
Initial Hosting (Dec 9): Shinjiru (Bulletproof, Malaysia)
Current Hosting (Dec 12): BT UK (London)
IP Migration: 101.99.75.124 → 213.123.60.195
Migration Trigger: Moved after investigation exposure

SSL_CERTIFICATE

SUSPICIOUS
Issuer: Let's Encrypt R12
Valid From: December 5, 2025
Certificate Type: Domain Validation (DV)
Issue: Recent issuance after domain seizure

SOURCE_CODE_ANALYSIS

COMPROMISED
Wayback Machine Code: DETECTED - WB$wombat artifacts
Source Origin: Homepage scraped from archive.org
Attack Method: Links redirect to malicious app clone
App Clone: Identical UI redirects to attacker-controlled app