In 2016, an unidentified attacker stole 3.6 million ETH from the decentralized fund known as The DAO, representing one of the largest cryptocurrency heists in history. Nearly a decade later, investigative findings suggest the individual behind the attack may finally have been identified.
The attack exploited a vulnerability in The DAO’s code, allowing the hacker to slowly drain funds into newly created “child DAOs.” This resulted in the loss of approximately 31% of all ETH held in The DAO—equivalent to 5% of the entire ETH supply at the time.
In response, Ethereum developers executed a hard fork to prevent the attacker from accessing the bulk of the stolen capital. As a result, the stolen assets were converted into Ethereum Classic (ETC), which currently holds significantly lower value compared to ETH.
The Breakthrough Investigation
Crypto journalist Laura Shin, in her recently published book, claims to have identified Toby Hoenisch—co-founder and CFO of euro-pegged stablecoin project Mimo Capital—as the individual behind The DAO attack. Shin’s investigation draws upon transaction trails, blockchain forensic analysis, and Hoenisch’s own documented comments regarding security flaws in The DAO prior to the incident.
Hoenisch has publicly denied these allegations, stating that Shin’s “assertions and conclusions are factually incorrect.” Despite repeated requests for comment, he has not provided detailed counter-evidence.
Supporting Shin’s findings are early Ethereum developer Alex van de Sande and blockchain analytics firm Chainalysis, which utilized newly developed tools to trace transactions originating from the attack.
How The DAO Attack Unfolded
The DAO was designed as a decentralized venture fund, allowing token holders to vote on proposals for funding projects through a smart contract system. Created by Slock.it, it quickly became one of the most successful crowdfunding initiatives of its time, raising the equivalent of $139 million in ETH.
On June 17, 2016, an attacker began systematically draining ETH from The DAO into a separate entity later dubbed “DarkDAO.” The exploit leveraged a recursive call vulnerability—a flaw that allowed the attacker to repeatedly withdraw the same ETH balance before the contract updated its internal accounting.
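The recursive-call flaw described above can be shown with a small model. This is an added illustration, not The DAO's Solidity code or anything from the investigation; the Vault class, account names and amounts are all constructed. It compares the flawed ordering (pay out, then update the balance) with the hardened ordering (update the balance, then pay out).

```python
# Simplified model of a recursive-call (reentrancy) flaw; not The DAO's code.
# All names and amounts below are constructed for illustration.

class Vault:
    """Toy fund: tracks each depositor's credit and the pooled balance."""

    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.credit = {}   # per-account internal accounting
        self.pool = 0      # funds actually held by the contract

    def deposit(self, who, amount):
        self.credit[who] = self.credit.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, receive):
        amount = self.credit.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.update_before_send:
            self.credit[who] = 0       # effect first (hardened ordering)
        self.pool -= amount
        receive(amount)                # external call: recipient code runs here
        if not self.update_before_send:
            self.credit[who] = 0       # effect last (flawed ordering)


def simulate(update_before_send):
    """Return (amount paid to the re-entering account, funds left in pool)."""
    vault = Vault(update_before_send)
    vault.deposit("others", 90)
    vault.deposit("caller", 10)
    received = 0

    def on_receive(amount):
        # Recipient callback that calls withdraw() again before returning.
        nonlocal received
        received += amount
        vault.withdraw("caller", on_receive)

    vault.withdraw("caller", on_receive)
    return received, vault.pool


if __name__ == "__main__":
    print("flawed ordering  :", simulate(False))
    print("hardened ordering:", simulate(True))
```

With the flawed ordering, the account credited with 10 is paid the whole pool of 100 because its credit is still unchanged on every nested call. With the hardened ordering, the nested call sees a zero credit and the payout stops at 10.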
The incident caused ETH’s price to drop by 33% in a single day and triggered a crisis of confidence within the Ethereum community.
The Aftermath: Ethereum Hard Fork
To mitigate further damage, a group of white-hat hackers used the same exploit to secure the remaining funds in The DAO. Meanwhile, Ethereum’s core developers and community debated how to respond to the theft.
The solution was a hard fork—a fundamental change to Ethereum’s protocol that effectively reversed the theft and created two separate blockchains: Ethereum (ETH) and Ethereum Classic (ETC). The attacker’s stolen funds stayed on the ETC chain, where they are worth significantly less.
Tracing the Attacker
Years after the attack, new forensic techniques allowed researchers to revisit the transaction history associated with the stolen funds. The attacker had attempted to launder portions of the ETC through mixing services like Wasabi Wallet and ShapeShift.
Chainalysis developed a tool capable of de-anonymizing mixed transactions, ultimately tracing some of the funds to exchange accounts allegedly linked to Hoenisch. One exchange employee confirmed that funds were converted into privacy coin Grin and withdrawn to a node named grin.toby.ai.
Further evidence emerged when investigators identified that the same IP address hosted Bitcoin Lightning Network nodes under the name “TenX”—a company co-founded by Hoenisch.
Timeline and Circumstantial Evidence
Key findings pointing to Hoenisch’s involvement include:
- May 2016: Hoenisch emails Slock.it detailing vulnerabilities in The DAO’s code.
- Medium Articles: He publishes technical critiques highlighting security flaws.
- Social Media Activity: He publicly opposes the Ethereum hard fork after the attack.
- Geographic and Temporal Patterns: Cash-out attempts align with Singapore business hours.
- Grin Node and TenX association: Funds were withdrawn to a node linked to his online alias.
Hoenisch’s background in AI, IT security, and cryptography also aligns with the technical sophistication required to execute the attack.
Frequently Asked Questions
What was The DAO?
The DAO was a decentralized autonomous organization designed as an investor-directed venture capital fund. It raised over $139 million in ETH during its crowdfunding phase in 2016.
How did the attacker steal the funds?
The attacker used a recursive call vulnerability in The DAO’s smart contract code to repeatedly withdraw ETH without updating their internal balance, effectively draining 3.6 million ETH over several hours.
What is the difference between ETH and ETC?
Ethereum (ETH) is the result of the hard fork that followed The DAO attack, which reversed the theft. Ethereum Classic (ETC) is the original unforked blockchain where the stolen funds remain.
Why did Ethereum perform a hard fork?
The hard fork was executed to revert the stolen funds to their original owners and restore confidence in the Ethereum ecosystem. It was a controversial but widely supported decision at the time.
How was the attacker traced?
Advanced blockchain forensic tools developed by Chainalysis were used to de-mix transactions from privacy tools like Wasabi Wallet. This allowed investigators to follow the funds to specific exchange accounts.
What has been Toby Hoenisch’s response?
Hoenisch has denied all allegations, calling them “factually incorrect,” but has not provided detailed evidence to counter the claims.
Conclusion
The DAO attack remains a defining event in cryptocurrency history, illustrating both the risks of smart contract vulnerabilities and the evolving power of blockchain forensics. While the identity of the attacker may never be legally confirmed, the accumulated evidence presents a compelling case that has reignited discussion about accountability, ethics, and security in decentralized systems.
As blockchain technology continues to mature, this case underscores an evolving reality: privacy on public blockchains is increasingly difficult to maintain, and early assumptions about anonymity are being challenged by advances in tracing technology.