Unleash Protocol: The $3.9M Heist by Hacker Hijackers

Decentralized Intellectual Property Platform Unleash Protocol Loses $3.9M in Cryptocurrency

An unauthorized contract upgrade has resulted in a loss of approximately $3.9 million in cryptocurrency for the decentralized intellectual property platform Unleash Protocol. The breach allowed for unauthorized withdrawals of assets.

The team behind the blockchain project disclosed that the attacker was able to gain enough signing power to act as an administrator of Unleash’s multisig governance system.

The company stated in a public announcement, “Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade.”

The unauthorized contract upgrade enabled asset withdrawals that were not approved by the Unleash team, deviating from their intended governance and operational procedures.

Unleash Protocol functions as an operating system for managing intellectual property by converting it into on-chain assets (tokens) that can be utilized as collateral within the DeFi ecosystem. The platform provides a monetization layer through smart contracts and automatically distributes licensing and royalty revenue to predefined stakeholders based on on-chain rules.

By executing the unauthorized smart contract upgrade, the attacker gained the ability to perform withdrawals, allowing them to steal assets such as WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP).

PeckShieldAlert, a blockchain security firm, reported that the unauthorized drain resulted in losses of approximately $3.9 million. Following the withdrawals, the assets were transferred to external addresses via third-party infrastructure to minimize traceability.

The attacker reportedly deposited the stolen amounts into the Tornado Cash cryptocurrency mixing service in the form of 1,337 ETH, as per PeckShieldAlert.

Tornado Cash, a service that was sanctioned by the U.S. in 2022 and delisted in 2025 due to its involvement in laundering funds for North Korean hacking groups, allows users to obfuscate cryptocurrency transactions before transferring them to new, unlinkable wallets.

Although designed to enhance transaction privacy on public blockchains, Tornado Cash has been misused by cybercriminals to evade law enforcement tracking and asset-freezing efforts.

Following the incident, Unleash Protocol has halted all operations and initiated an investigation with the assistance of external security experts to identify the root cause of the exploit. They are also assessing remediation and recovery strategies.

Users are advised not to engage with Unleash Protocol contracts until the company issues a public announcement on its official channels confirming the safety of doing so.

Broken IAM isn’t just an IT problem – the impact ripples across your whole business.

This comprehensive guide explores why traditional IAM practices are inadequate for modern demands, showcases examples of effective IAM strategies, and offers a simple checklist for developing a scalable IAM strategy.

Get the guide