Looks like The DAO hacker used Grin... 🤔

Source: Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether


Real hax0rs use Grin


In a final, crucial step, an employee at one of the exchanges confirmed to one of my sources that the funds were swapped for privacy coin Grin and withdrawn to a Grin node called grin.toby.ai. (Due to exchange privacy policies, normally this sort of customer information would not be disclosed.)

Interesting how they did withdraw Grin to grin.toby.ai ?

I did read the article multiple times and also some interesting part:

The IP address for that node also hosted Bitcoin Lightning nodes: ln.toby.ai, lnd.ln.toby.ai, etc., and was consistent for over a year; it was not a VPN.

“that node” is referring to the previous paragraph, which mentions grin.toby.ai , seems like more people are monitoring GRIN network than I had imagined?


And the email address used on that account at the exchange was [name of exchange]@toby.ai.

_$ host toby.ai
toby.ai mail is handled by 1 aspmx.l.google.com.
toby.ai mail is handled by 10 alt3.aspmx.l.google.com.
toby.ai mail is handled by 10 alt4.aspmx.l.google.com.
toby.ai mail is handled by 5 alt1.aspmx.l.google.com.
toby.ai mail is handled by 5 alt2.aspmx.l.google.com.

depends on endpoint encryption if this is not the achilles heel

1 Like

He should have used slatepacks to protonmail over tor or tor directly, amature.

1 Like

Since I have a history with ETC and the article identifies the DAO hacker as a person being on ETC and liking Grin, I’ll start off by saying I’m not that guy nor have I heard about him before reading the article.

Now to the article itself. I find the article odd at best. The whole thing looks more like an ad for Chainalysis and their ability to “demix coinjoin” from Wasabi wallet as well as marketing for her book. On top of that, it tries to picture a privacy coin (Grin) as the bad guy. Why would the hacker buy huge amounts of Grin given the inflation rate? It just doesn’t make much sense to me when you have Monero and ZCash if you want to unlink your outputs while also retaining the value much better (at this time).

This whole thing goes against the “Don’t trust, verify” mentality. The article says “we traced X is guilty” without revealing any trace… They should either show what they found or not write such accusations at all. Imagine if that guy is not the hacker and they just publicly accused him of being. This could bounce back hard.


Indeed an odd article, quite sensationalized, no hard proof.
Wasabi wallet CoinJoins, like any CoinJoins can be traced using a Sudoku implementation, which is not revolutionizing and very simple to implement. I wrote one which in its basis is 5 lines of Python code and it does the job well. Note, for newer equal value CoinJoins Sudoku cannot be used since you trace by trying all kind of output combinations to find a combination that matches the input value.

Also note that Grin transactions are not traced. The guy uses an account that also did lightning node transactions of which the IP can be traced, hence they knew the IP.
He might have bought grin and send it to either a node which did not use tor, which would be rather stupid, so more likely ChainAnlysis simply looked for Grin nodes and saw one with the same IP as the Lightning node of which they knew the IP. So there is no actual tracing or breaking anonymity of Grin transactions. They just got his IP by normal tracing and noticed a Grin node running with the same IP. Actually it is not even clear if he used Grin for his transactions, or just run a Grin node.


Any publicity is good publicity to me. It is known and true that minimal mimblewimble has it’s privacy hurdles with interactive transactions.

Isn’t it true that older transaction methods meant that withdrawing from exchanges has at times involved entering an IP address of your wallet/node? So in that case he could have entered the DNS name directly, or he entered the IP and someone otherwise gained the knowledge that the record on his domain points to that IP. No complex network monitoring necessary, unless I’m misunderstanding older transaction mechanisms that were in use.

As Julian Hosp was mentioned int the article here is his statement as of today (80min ago):

I will post this link and let you speculate

Yes it did. Although I find it hard to believe anyone who wants to launder money would do that. My guesd is they got the IP from lightning transactions and then noticed that that IP also was in the list of IP’s running a Grin node.

I think he must have thought he was in the clear after the Wasabi transactions, considered it already laundered.

The author states that an employee at the exchange confirmed that they were withdrawn to that node (technically should probably say wallet). It is completely plausable that they would have that detail in their records so I see no reason why it would be made up. Occam’s razor.

Something inside of me tells me that many things are true. Because there is a demonstrable coin transfer from stock market to him name. Also, deleting this person’s tweets supports the situation. A righteous person would not do such an act.

The interesting thing is that this person revealed himself using privacy coin. Also losing money by converting his money to Grin… He was probably hopeful of Grin in the long term but it seems that he will not see the long term. It’s just funny.

We also see how choices make a person. After doing the hack, if he would say that I did this hack and i want a reward, then he would make money properly. However, he seems to have chosen the wrong way, as he thought he would not be able to make as much money with the prize as the money he stole.
So, he succumbed to his greed and lost everything.


Is there any hint for when these transactions took place? The article is jumping in the timeline between multiple dates and it is not clear to me, when the Grin transaction happened.

The cash-out transactions occurred mainly from 8 A.M. until 11 P.M. Singapore time.

Time of day, but no date.

coinswap @scilio coinswap will help hax0rs

Who Hacked The DAO? This Crypto CEO Likely Stole $11 Billion Of Ether In The 2016 Hack | Forbes - YouTube go at 3:19