You are a hacker who has just exploited a DeFi protocol and stolen 2930 ETH. To cover your tracks, you decide to use Tornado Cash to mix the funds. You search for "Tornado Cash" and click on a link that appears to be the official website.
Warning: This is an educational phishing simulation. Do not use these techniques in real-world scenarios.
TornadoEth.cash
Deposit amounts: 0.1 ETH, 1 ETH, 10 ETH, 100 ETH
Address where funds will be sent
Statistics 100 ETH
Anonymity set 3
38644 equal user deposits
Latest deposits
Your Challenge
Examine the Tornado Cash interface above carefully. Can you identify the phishing indicators that reveal this is not the legitimate Tornado Cash website?
Hint: Look for subtle differences in the domain name (TornadoEth.cash vs Tornado.cash), recipient address, and other details that might indicate this is a phishing attempt.
Explanation
This simulation is based on a real incident from April 2025, in which an exploiter of zkLend tried to use Tornado Cash to mix stolen funds, interacted with a known Tornado Cash phishing website, tornadoeth[.]cash, and thereby lost the funds to another party.
The phishing indicators were:
Domain name: The real Tornado Cash domain is tornado.cash, but this phishing site uses "tornadoeth.cash" - a subtle difference that might be overlooked.
Pre-filled recipient address: The phishing site pre-fills a recipient address controlled by the attacker, hoping users won't notice and will send their funds directly to the attacker.
Contract address: The deposit contract address is different from the official Tornado Cash contract, indicating this is a malicious clone.
UI differences: While the interface looks similar, there are subtle differences in styling and behavior compared to the official Tornado Cash website.
Always verify the domain name, contract addresses, and recipient addresses when using DeFi applications. A single mistake can result in irreversible loss of funds.
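The domain and recipient checks listed above can be automated before a wallet signs anything. The JavaScript below is an added example, not code from the original page: it classifies a hostname against an allowlist holding the domain the page names as legitimate, and compares the recipient shown in the interface with the one the user intended. The function names, the edit-distance threshold of 2 and the two-label registrable-domain shortcut are assumptions.

```javascript
// Added example (not from the original page). The allowlist holds the domain
// the page names as legitimate; addresses are supplied by the caller.
const ALLOWLIST = ["tornado.cash"];

// Levenshtein distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

// Returns "trusted", "lookalike", "unknown" or "invalid" for a URL or bare host.
function classifyHost(input) {
  let host;
  try {
    host = new URL(input.includes("://") ? input : "https://" + input).hostname;
  } catch {
    return "invalid";
  }
  host = host.replace(/\.$/, ""); // drop a trailing root dot
  if (ALLOWLIST.some((good) => host === good || host.endsWith("." + good))) return "trusted";
  const labels = host.split(".");
  // Assumption: the last two labels are the registrable domain (no public-suffix list).
  const registrable = labels.slice(-2).join(".");
  for (const good of ALLOWLIST) {
    const brand = good.split(".")[0];
    if (labels.some((l) => l.includes(brand))) return "lookalike"; // brand embedded in a label
    if (editDistance(registrable, good) <= 2) return "lookalike";  // near-miss typo
  }
  return "unknown";
}

// Pre-send gate: the host must be trusted and the recipient the page shows must
// equal the address the user intended (hex compared case-insensitively).
function safeToSend(url, shownRecipient, intendedRecipient) {
  const isAddr = (a) => /^0x[0-9a-fA-F]{40}$/.test(a);
  return classifyHost(url) === "trusted" && isAddr(shownRecipient) &&
    isAddr(intendedRecipient) && shownRecipient.toLowerCase() === intendedRecipient.toLowerCase();
}
```

A "lookalike" or "unknown" verdict should block the transaction; the same pattern extends to comparing a deposit contract address against a value obtained out of band.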