Jimbos Protocol’s attacker launders $7.5 million with Tornado Cash

The attacker remains at large, although an $800,000 reward has been offered and a legal case has been initiated with the Department of Homeland Security's New York division.

A washing machine washing money
Jimbos Protocol lost its funds on May 28

Yesterday, blockchain analytics firm PeckShield reported that all $7.5 million stolen from Jimbos Protocol on May 28 was washed via popular cryptocurrency mixer Tornado Cash.

At first, the team behind Jimbos Protocol hoped to cooperate with the hacker and offered them a large white hat bounty of 10% of the total loot which was worth around $800,000 at the time of the event.

"The door remains open for the hacker to return the funds until they are arrested, at which point the offer will be rescinded," the team claimed on its X account (formerly Twitter), adding that then, the protocol "will be getting 100% of the funds back and they [the attacker] will go to prison."

Read also: Jimbos Protocol hacker ignores $800,000 bounty

However, the hacker decided to forgo the opportunity to receive the reward and evade responsibility for the attack legally, while law enforcement agencies, including the Department of Homeland Security's NY division, where Jimbos Protocol opened a legal case, were unable to support the team. Furthermore, when it became apparent that the attacker was unwilling to cooperate, the protocol offered a bounty to anyone who could assist in the investigation.

"In order to speed up the investigation and return of funds, we are offering the 10% bounty ($800,000) to the general public. Anyone who provides information that leads to: 1) catching the exploiter, or 2) all funds being returned, is eligible for the reward," the team promised.

Unfortunately, capturing the malicious actor proved to be more complicated, and despite all efforts, the hacker eventually managed to launder the entire loot.

Previously, PeckShield explained that the hacker exploited "the lack of slippage control of the liquidity-shifting operation so that the protocol-owned liquidity is invested into a skewed/imbalanced price range, which is exploited in a reverse swap for profit."

Jimbos Protocol was described on its website as "a proof of concept designed to test the limits of on-chain liquidity and price floors."

On June 7, the Protocol's team published the JIMBO V2 Exploit post-mortem on Medium, stating that it "plans to continue building and experimenting with the Jimbo mechanics, making changes to the liquidity structure, taxes, and borrowing." The team also mentioned the protocol’s future re-launch promising that it "will include a repayment structure for all affected parties, as well as dedicating a portion of all fees to an open security review within the community in perpetuity."

Meanwhile, the protocol's X account has been renamed into Baseline Protocol, "a permissionless algorithmic market-making system." The new name for Jimbo's Protocol has already been used, most likely by a separate initiative launched in 2020, which serves as a standard for state synchronization across different record-keeping systems.