When the Penpie protocol lost $27 million to a reentrancy attack on September 3, 2024, the stolen funds began moving almost immediately. Within 24 hours, $7 million in assets flowed through Tornado Cash, the Ethereum mixer that has become the preferred laundering tool for crypto thieves. For security researchers, investigators, and advanced users, understanding how to trace stolen funds through mixers and across chains is an essential skill. This tutorial provides a technical walkthrough of on-chain fund tracking techniques using publicly available tools.
The Objective
This guide teaches you how to trace cryptocurrency transactions from the point of theft through obfuscation layers, using the Penpie hack as our primary case study. By the end, you will understand the tools, techniques, and limitations of on-chain forensic analysis. This knowledge is valuable for security professionals, DeFi developers who need to monitor for exploit-related fund movements, and advanced users who want to understand the transparency (and limitations) of blockchain transactions.
We will trace the Penpie attacker’s fund movements across Ethereum, analyze their use of Tornado Cash, and examine the techniques investigators use to de-anonymize mixed funds.
Prerequisites
Before proceeding, you should have:
- Familiarity with Ethereum transaction structure: Understanding of from/to addresses, gas fees, input data, and internal transactions
- Etherscan proficiency: Ability to navigate Etherscan’s transaction details, internal transactions tab, and token transfers
- Basic understanding of DeFi protocols: How token approvals, swaps, and liquidity pools function
- Accounts on analytical platforms: MetaSleuth (free tier available), Nansen, or Arkham Intelligence for advanced heuristics
- Command-line comfort: We will use some basic curl commands against blockchain APIs
Tools required: Etherscan (free), MetaSleuth by MetaDock (free tier), BlockSec’s Phalcon Explorer (free), and optionally a funded Alchemy or Infura API key for programmatic access.
Step-by-Step Walkthrough
Step 1: Identify the attack transaction.
The Penpie exploit began with a helper contract deployment at transaction 0xfda0dde38fa4c5b0e13c506782527a039d3a87f93f9208c104ee569a642172d2. Navigate to this transaction on Etherscan. Examine the “Internal Txns” tab to see how the attacker deployed a malicious SY contract — the foundation of the reentrancy attack.
The primary attack transaction at 0x7e7f9548f301d3dd863eac94e6190cb742ab6aa9d7730549ff743bf84cbd21d1 shows the actual fund extraction. Key data points: the attacker used flash loans from Balancer in wstETH, sUSDe, egETH, and rswETH to inflate their position in a fake Pendle market, then exploited the reentrancy in batchHarvestMarketRewards() to drain rewards disproportionately.
Step 2: Map the attacker’s wallet.
The primary attacker address is 0x7a2f4d625fb21f5e51562ce8dc2e722e12a61d1b. Enter this address into Etherscan to see all associated transactions. Note the following patterns:
- Initial funding source: Where did the gas money come from? Track backwards through the funding chain
- Post-exploit transfers: The attacker moved 11,109.62 ETH to a secondary address 0x389820c3dddaa7391c277efe489b81e8681fde1b
- Batch splitting: Funds were subsequently divided into 1,000 ETH chunks across multiple addresses
Use this command to retrieve the attacker’s recent ETH transfers programmatically:
curl -s "https://api.etherscan.io/api?module=account&action=txlist&address=0x7a2f4d625fb21f5e51562ce8dc2e722e12a61d1b&startblock=20700000&sort=asc&apikey=YOUR_KEY" | python3 -m json.tool
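As an added example (not code from the original article), this Python script parses a txlist response of the shape the curl command above returns and pulls out the Step 2 patterns: inbound funding sources, the first large outbound transfer, and exact 1,000 ETH chunk recipients. The JSON is constructed for illustration; only the field names follow Etherscan's txlist schema, and the small hex addresses are placeholders.

```python
import json
from decimal import Decimal

ATTACKER = "0x7a2f4d625fb21f5e51562ce8dc2e722e12a61d1b"
WEI = Decimal(10) ** 18

# CONSTRUCTED response: field names follow Etherscan's txlist schema
# (string values, wei, unix seconds); hashes/amounts are illustrative only.
SAMPLE_TXLIST = json.dumps({"status": "1", "message": "OK", "result": [
    {"hash": "0xaa", "from": "0x1111", "to": ATTACKER, "value": "500000000000000000",
     "timeStamp": "1725300000", "gasPrice": "3000000000", "isError": "0"},
    {"hash": "0xbb", "from": ATTACKER, "to": "0x389820c3dddaa7391c277efe489b81e8681fde1b",
     "value": "11109620000000000000000", "timeStamp": "1725320000",
     "gasPrice": "3000000000", "isError": "0"},
    {"hash": "0xcc", "from": ATTACKER, "to": "0x2222", "value": "1000000000000000000000",
     "timeStamp": "1725330000", "gasPrice": "3100000000", "isError": "0"},
    {"hash": "0xdd", "from": ATTACKER, "to": "0x3333", "value": "1000000000000000000000",
     "timeStamp": "1725330060", "gasPrice": "3100000000", "isError": "0"},
    {"hash": "0xee", "from": ATTACKER, "to": "0x4444", "value": "7000000000000000000",
     "timeStamp": "1725340000", "gasPrice": "3000000000", "isError": "1"},
]})

def parse_txlist(raw, address):
    """Successful transactions touching `address`, with wei converted to ETH."""
    data = json.loads(raw)
    if data.get("status") != "1":        # "0" signals an API error or empty result
        raise ValueError(f"etherscan error: {data.get('message')}")
    addr = address.lower()
    txs = []
    for tx in data["result"]:
        if tx.get("isError") == "1":     # reverted: no value actually moved
            continue
        txs.append({"hash": tx["hash"], "from": tx["from"].lower(),
                    "to": (tx["to"] or "").lower(),    # empty for contract creation
                    "eth": Decimal(tx["value"]) / WEI, "ts": int(tx["timeStamp"]),
                    "gwei": Decimal(tx["gasPrice"]) / Decimal(10) ** 9})
    return [t for t in txs if addr in (t["from"], t["to"])]

def funding_sources(txs, address):
    """Addresses that sent ETH in: the start of the backwards funding-chain trace."""
    return sorted({t["from"] for t in txs if t["to"] == address.lower() and t["eth"] > 0})

def outgoing(txs, address):
    return [t for t in txs if t["from"] == address.lower() and t["eth"] > 0]

def batch_split_recipients(txs, address, chunk=Decimal(1000)):
    """Recipients of exact round-denomination chunks (the 1,000 ETH splitting pattern)."""
    return [t["to"] for t in outgoing(txs, address) if t["eth"] == chunk]
```

Because the request uses sort=asc, the first outgoing entry is the earliest post-exploit transfer; a rate-limit response comes back with status "0" and is surfaced as an error rather than silently parsed as an empty list.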
Step 3: Trace through Tornado Cash.
The attacker deposited approximately $7 million in assets into Tornado Cash within 24 hours of the hack. Tornado Cash uses fixed-denomination pools (0.1 ETH, 1 ETH, 10 ETH, 100 ETH) that mix deposits from multiple users. Each deposit generates a cryptographic note that the depositor uses later to withdraw to a different address.
To trace through Tornado Cash:
- Open MetaSleuth (metasleuth.io) and input the attacker’s address
- The tool automatically visualizes fund flows, including deposits to known Tornado Cash pools
- Look for withdrawal addresses that receive funds from Tornado Cash pools shortly after the attacker’s deposits — timing correlation is one of the primary heuristic techniques
- Examine whether withdrawal addresses have any prior transaction history — newly created addresses receiving Tornado Cash withdrawals around the time of a hack are strong candidates for the attacker’s exit wallets
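The timing, denomination and fresh-address heuristics from the list above, as an added example that is not part of the original article. The pool events and prior transaction counts are constructed; in practice they would be exported from the pool contract's logs via Etherscan or MetaSleuth. The score also reports the anonymity set (how many deposits of any origin entered the pool between the attacker's deposit and the withdrawal), because a large set is the main reason a timing match alone is not proof.

```python
from dataclasses import dataclass

ATTACKER = "0x7a2f4d625fb21f5e51562ce8dc2e722e12a61d1b"

@dataclass(frozen=True)
class PoolEvent:
    kind: str          # "deposit" or "withdraw"
    pool_eth: int      # fixed denomination of the pool (0.1/1/10/100 ETH)
    ts: int            # unix seconds
    address: str       # depositor, or withdrawal recipient

# CONSTRUCTED log of the 100 ETH pool around the hack; small hex names are placeholders
EVENTS = [
    PoolEvent("deposit", 100, 1725300000, ATTACKER),
    PoolEvent("deposit", 100, 1725301000, ATTACKER),
    PoolEvent("deposit", 100, 1725302000, "0xother1"),    # unrelated depositor
    PoolEvent("withdraw", 100, 1725305000, "0xfresh1"),    # brand-new address, ~1.4 h later
    PoolEvent("withdraw", 100, 1725306000, "0xveteran"),   # long-lived address
    PoolEvent("withdraw", 100, 1725900000, "0xfresh2"),    # brand-new, but ~7 days later
]
# CONSTRUCTED: transaction count of each recipient before its withdrawal (0 = fresh)
PRIOR_TX_COUNT = {"0xfresh1": 0, "0xveteran": 412, "0xfresh2": 0}

def candidate_exits(events, attacker, prior_tx, window_s=48 * 3600):
    """Rank withdrawals as candidate exit wallets: (address, score, anonymity_set)."""
    deposits = [e for e in events if e.kind == "deposit" and e.address == attacker]
    scored = []
    for w in (e for e in events if e.kind == "withdraw"):
        # timing correlation: withdrawal must follow an attacker deposit of the
        # same denomination within the window
        matches = [d for d in deposits
                   if d.pool_eth == w.pool_eth and 0 < w.ts - d.ts <= window_s]
        if not matches:
            continue
        # anonymity set: every deposit into this pool between the earliest matched
        # attacker deposit and the withdrawal; the bigger it is, the weaker the link
        earliest = min(d.ts for d in matches)
        anon = sum(1 for e in events if e.kind == "deposit"
                   and e.pool_eth == w.pool_eth and earliest <= e.ts < w.ts)
        score = 1.0 / anon
        if prior_tx.get(w.address, 1) == 0:   # no history before the withdrawal
            score += 1.0
        scored.append((w.address, round(score, 3), anon))
    return sorted(scored, key=lambda x: -x[1])
```

Withdrawals outside the window (0xfresh2) drop out entirely, and a fresh recipient inside the window outranks an established one even when both share the same anonymity set.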
Step 4: Cross-reference with on-chain behavior.
Advanced analysis goes beyond transaction tracing to examine behavioral patterns:
- Gas price patterns: Compare gas prices used by the attacker across all transactions. Consistent gas pricing strategies can link addresses
- Interaction fingerprints: If the withdrawal addresses interact with specific DeFi protocols or NFT platforms, these can sometimes be traced to known identities
- Timing analysis: Transaction timestamps, especially when correlated with timezone-appropriate working hours, can narrow the geographic origin of the attacker
- Funding chain analysis: The initial ETH used to deploy contracts and pay gas often originates from exchanges or other services with KYC requirements
Penpie partnered with Hypernative to track the hacker’s movements and established a “SEAL 911” war room for real-time coordination — demonstrating that professional investigators use these exact techniques.
Step 5: Analyze on-chain communication.
Both the Penpie team and the Euler Finance hacker (responsible for a $195 million theft in 2023) sent on-chain messages to the attacker. On-chain messages are transactions with data payloads sent to the attacker’s address. View these by checking the “Internal Txns” or input data of transactions sent to the attacker’s address. The Euler hacker’s message praised the Penpie attacker for keeping the funds — a fascinating glimpse into the social dynamics of crypto crime.
Troubleshooting
Chain hopping: If funds move to other blockchains via bridges, you need to repeat the analysis on each chain. Use cross-chain explorers like Blockscout or chain-specific tools. The Penpie attacker moved funds across both Ethereum and Arbitrum.
Privacy coins: If funds are converted to Monero or other privacy-focused cryptocurrencies, on-chain tracing becomes significantly more difficult. This is why investigators focus on pre-mixer and pre-conversion movements.
Cluster analysis limitations: Automated tools sometimes incorrectly cluster addresses. Always verify automated findings with manual transaction analysis before drawing conclusions.
Rate limiting: Free-tier API access is often rate-limited. For extensive analysis, consider paid blockchain data services or running your own node with an indexer.
Mastering the Skill
On-chain forensic analysis is a continuously evolving discipline. To deepen your expertise, practice with historical hacks — the Ronin Bridge ($625M), Wormhole ($320M), and Nomad ($190M) exploits all have well-documented fund flows that serve as excellent training cases. Follow security firms like Chainalysis, Elliptic, and TRM Labs for their published research. Consider certifications in blockchain forensics if you plan to use these skills professionally.
The transparency of public blockchains means that every transaction is permanently recorded and auditable. While mixers and privacy tools make tracing more difficult, they rarely make it impossible — especially as analytical tools and heuristics continue to improve. The $27 million Penpie theft remains an active investigation, and the on-chain evidence collected through these techniques will be critical if law enforcement ever identifies the perpetrator.
Disclaimer: This article is for educational purposes only. The techniques described should be used for legitimate security research and investigation only. Always comply with applicable laws and regulations when conducting blockchain analysis.
$27M reentrancy exploit on Penpie and the forensics trail is still visible on chain. Tornado helps but fixed denominations are a fingerprint. good tutorial, bookmarking for our team
Tornado Cash being open source means anyone can study the mixing patterns. the irony is that transparency is what makes on-chain tracing possible even through mixers
Penpie attacker moved 7M through Tornado in 24 hours. either incredibly bold or incredibly dumb. the faster you move stolen funds the more obvious the deposit pattern becomes
Luka T moving $7M through Tornado in 24 hours was sloppy. fast exits create obvious deposit patterns. the Penpie attacker should have batched over weeks
tracing 7M through Tornado Cash in 24 hours after the Penpie exploit. on-chain forensics is a cat and mouse game but the transparency of blockchains gives investigators a real edge
the tutorial format here is actually useful. most coverage just says funds moved to Tornado Cash without explaining how you even track that
the step-by-step breakdown of how funds move through Tornado Cash is exactly what most articles skip. the deposit pattern analysis alone is worth bookmarking
deposit pattern analysis is the key insight. fixed denomination deposits create a traceable fingerprint even through mixers. the anonymity set is smaller than people think
fixed denomination deposits are the fingerprint. 10 ETH into Tornado, 10 ETH out. switch to variable amounts and the anonymity set grows but mixing efficiency drops
publicly available tools for tracing stolen funds across chains. this is the kind of content that actually helps the ecosystem mature
public tools level the playing field here. you don't need to be Chainalysis to follow basic deposit patterns through Tornado Cash. most exploits leave clear traces
Chainalysis has tools civilians don't. but honestly chainhopper and eigenphi get you 80% of the way for free. the gap between pro and amateur tracing tools is shrinking