Has The DAO Hacker That Almost Killed Ethereum Been Identified?

Key Takeaways

  • Crypto journalist Laura Shin says she has identified the person responsible for The DAO hack from 2016.
  • She points to Toby Hoenisch, a 36-year-old Austrian programmer and co-founder and CEO of TenX.
  • Hoenisch reportedly used Wasabi Wallet’s CoinJoin mixing service to obfuscate the source of the funds. Chainalysis confirmed that it was able to “de-mix” the funds and trace them to four exchanges.

Share this article

Laura Shin has pinpointed the Austrian engineer and TenX co-founder Toby Hoenisch as the likely perpetrator behind one of the biggest incidents in Ethereum’s history, The DAO hack. Hoenisch has reportedly denied the claims.

The DAO Hacker Allegedly Identified After Six Years

Newly published research claims to have identified the hacker responsible for The DAO attack on Ethereum in 2016.

Crypto journalist Laura Shin published a Forbes article today presenting what she believes is evidence of the true identity behind the infamous The DAO hack from 2016. 

Her investigation points to Toby Hoenisch, a 36-year-old Austrian programmer and co-founder and CEO of TenX, a failed crypto debit card company that raised approximately $80 million in a 2017 initial coin offering.

After being presented with evidence identifying him as The DAO hacker, Hoenisch reportedly denied Shin’s claims. “Your statement and conclusion is factually inaccurate,” he reportedly told Forbes in an email. He also offered to provide counter-evidence disputing the claims but allegedly never followed up on the promise.


The DAO was an early example of a decentralized autonomous organization on Ethereum. It intended to operate as a decentralized investor-directed venture capital fund. It launched in April 2016 by raising money through a token sale that became one of the largest crowdfunding campaigns in history. 

By May 2016, The DAO had attracted nearly 14% of all Ethereum coins in circulation to that point. A month later, the project’s smart contracts were compromised, with the attacker taking off with approximately one third of the organization’s funds. They stole about 3.6 million Ethereum, worth around $9.3 billion at current prices. In the fallout from the incident, the Ethereum Foundation, backed by the majority of the Ethereum community, decided to roll back the chain and restore virtually all of the stolen funds. This resulted in a hardfork that split the Ethereum blockchain into two chains, where the original continued as Ethereum Classic under a new ETC ticker. The hardfork was a pivotal moment in Ethereum’s history that polarized its community and endangered its future.

Shin now believes that she has identified the perpetrator that almost destroyed Ethereum as Hoenisch, who usea the @tobyai handle across almost all of his social media profiles. After confronting him with the evidence, Hoenisch denied the claims and deleted his entire Twitter feed, leaving only one cryptic post from Oct. 9, 2021, stating that he was “Moving to Mastodon.” The tweet was likely a reference to the open-source, decentralized social network of the same name. 

Chanalysis Confirms It Broke Wasabi’s CoinJoin Mixer

To support her findings, Shin pointed to several pieces of circumstantial evidence in the article, including on-chain data that showed the attacker transferring 50 Bitcoin to a non-custodial privacy wallet Wasabi and then mixing them with its native CoinJoin mixing feature to hide their tracks. 

Using a previously undisclosed capability, blockchain analytics firm Chainalysis was able to “de-mix” the Wasabi transactions and track the mixed outputs back to four exchanges. An employee at one of the exchanges then confirmed that the tainted funds were swapped for privacy coin Grin and withdrawn to a non-custodial Grin node self-named “grin.toby.ai.” That node’s IP address also hosted Bitcoin Lightning nodes “ln.toby.ai” and “lnd.ln.toby.ai,” and another node at the same address was called “TenX.”

Crypto mixers or tumblers are services used to obfuscate the history of blockchain transactions. Generally, they work by splitting the inputs of the transactions, breaking them down into many smaller outputs, and mixing many users’ funds until the outputs cannot be traced back to their original owners. On public and transparent blockchain systems like Bitcoin, mixers like Wasabi’s CoinJoin are the only and main ways users can preserve their on-chain privacy.

Without sharing any technical details, Chainalysis has now confirmed that it was able to “de-mix” or de-anonymize Bitcoin transactions that have been mixed with Wasabi’s service. The team tweeted: “This is yet another example of evidence preserved on the blockchain forever. Confirming we helped trace funds despite the attacker’s attempts to cover his tracks w/ mixers.”

In another tweet, nopara73, the pseudonymous creator of the Wasabi mixer tagged Chanalysis to ask “What’s the exact technical claim and how can we verify it?.” Chanalysis hasn’t replied or shared any further details, and Wasabi hasn’t made any official comments concerning the potential compromise of its CoinJoin mixing service.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies.

Share this article