//Dashboard

LAST_SCAN: 2m ago

[EXIT]

LOADING_MODULE...

//Dashboard

LAST_SCAN: 2m ago

[EXIT]

MODULE_03 // COUNTER-FORENSICS

Investigation Dashboard

Active Case: Tornado.cash Phishing // Counter-Forensics

ACTIVE THREATEvidence destruction observed

CRITICAL

Active Domains

Phishing mirrors detected

WARNING

~142

Victim Volume

Estimated affected wallets

CRITICAL

$450k+

Stolen Assets

Cumulative value drained

INFO

99.8%

Intel Accuracy

False positive rate < 0.2%

Critical Evidence: Deleted Online Identities

SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

deleted_accounts_evidence.txtREAD-ONLY

SCAN_ID: 8842-ALPHA
TARGET: dev-tornado-profile
STATUS: 404_NOT_FOUND

[LOG_START]
> Initiating archival retrieval...
> Wayback Machine: HIT (2 snapshots)
> Google Cache: MISS
> Yandex Cache: HIT

[ANALYSIS]
User profile contained references to "official update" repositories which hosted malware-laden UI bundles.
Profile creation date matches domain registration of phishing gateway.

[RECOVERED_BIO]
"Building the future of privacy. Official updates here."

[DELETION_TIMESTAMP]
2024-05-21 14:32:00 UTC (approx 2h post-exposure)

Acquisition Method

Sherlock OSINT

Current Status

404 NOT FOUND

Analysis

Deletion occurred after investigation began. Strong indicator of active counter-forensics.

COURT-READY EVIDENCE

Account Status

PLATFORM	STATUS
GitHub github.com/dev-tornado...	DELETED
Twitter/X x.com/tornado_update...	DELETED
Telegram t.me/tornado_support...	ACTIVE
Discord discord.gg/tornado...	DELETED

Attacker Reaction Timeline

INVESTIGATOR ACTION2024-05-15

Initial Detection

Suspicious domain registration flagged by heuristic scanners.

ATTACKER ACTION2024-05-18

Obfuscation Layer Added

Cloudflare protection enabled on main phishing gateway.

INVESTIGATOR ACTION2024-05-20

Public Disclosure

Community alert issued regarding look-alike domain.

ATTACKER ACTION2024-05-21

Identity Scrubbing

Deletion of associated GitHub and social media accounts.

Note: Attacker is actively monitoring this investigation and responding to exposure in real-time.

Infrastructure Timeline

2023-11-10

Domain Registered

tornado-cash.org registered via Namecheap

2023-12-05

SSL Certificate Issued

Let's Encrypt certificate generated

2024-01-15

Frontend Clone Deployed

Static copy of legitimate UI hosted

Risk Assessment

The domain was registered mere days after sanctions were lifted. This timing, combined with the lack of official repository linkage, confirms this is not associated with the original Tornado Cash developer team.

HIGH CONFIDENCE: INDEPENDENT ACTOR

Torn Guard Defence Suite

MODULE_03 // COUNTER-FORENSICS

Investigation Dashboard

Active Case: Tornado.cash Phishing // Counter-Forensics

ACTIVE THREATEvidence destruction observed

CRITICAL

Active Domains

Phishing mirrors detected

WARNING

~142

Victim Volume

Estimated affected wallets

CRITICAL

$450k+

Stolen Assets

Cumulative value drained

INFO

99.8%

Intel Accuracy

False positive rate < 0.2%

Critical Evidence: Deleted Online Identities

SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

deleted_accounts_evidence.txtREAD-ONLY

SCAN_ID: 8842-ALPHA
TARGET: dev-tornado-profile
STATUS: 404_NOT_FOUND

[LOG_START]
> Initiating archival retrieval...
> Wayback Machine: HIT (2 snapshots)
> Google Cache: MISS
> Yandex Cache: HIT

[ANALYSIS]
User profile contained references to "official update" repositories which hosted malware-laden UI bundles.
Profile creation date matches domain registration of phishing gateway.

[RECOVERED_BIO]
"Building the future of privacy. Official updates here."

[DELETION_TIMESTAMP]
2024-05-21 14:32:00 UTC (approx 2h post-exposure)

Acquisition Method

Sherlock OSINT

Current Status

404 NOT FOUND

Analysis

Deletion occurred after investigation began. Strong indicator of active counter-forensics.

COURT-READY EVIDENCE

Account Status

PLATFORM	STATUS
GitHub github.com/dev-tornado...	DELETED
Twitter/X x.com/tornado_update...	DELETED
Telegram t.me/tornado_support...	ACTIVE
Discord discord.gg/tornado...	DELETED

Attacker Reaction Timeline

INVESTIGATOR ACTION2024-05-15

Initial Detection

Suspicious domain registration flagged by heuristic scanners.

ATTACKER ACTION2024-05-18

Obfuscation Layer Added

Cloudflare protection enabled on main phishing gateway.

INVESTIGATOR ACTION2024-05-20

Public Disclosure

Community alert issued regarding look-alike domain.

ATTACKER ACTION2024-05-21

Identity Scrubbing

Deletion of associated GitHub and social media accounts.

Note: Attacker is actively monitoring this investigation and responding to exposure in real-time.

Infrastructure Timeline

2023-11-10

Domain Registered

tornado-cash.org registered via Namecheap

2023-12-05

SSL Certificate Issued

Let's Encrypt certificate generated

2024-01-15

Frontend Clone Deployed

Static copy of legitimate UI hosted

Risk Assessment

HIGH CONFIDENCE: INDEPENDENT ACTOR

Torn Guard Defence Suite

Torn Guard - Privacy Defence Suite