Verify a decision

{"actor":"system:backfill","investigation_id":"a62827db-d820-4e40-8d32-f25bf58e43f6","kind":"publish","page_slug":"garden-finance","published_at":"2026-05-19T00:20:40.477Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Garden Finance","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.","timeline":[{"date":"2017-01-01","event":"Jaz Gulati, Susruth Nadimpalli, Taiyang Zhang, and Loong Wang co-found Republic Protocol (later rebranded Ren Protocol) in Australia, raising approximately $67 million.","source":"","source_url":"https://www.theregister.com/2025/10/31/attackers_dig_up_11m_in/"},{"date":"2021-01-01","event":"Alameda Research acquires Ren Protocol.","source":"","source_url":"https://finance.yahoo.com/news/25-garden-finance-funds-linked-175501426.html"},{"date":"2022-11-01","event":"FTX and Alameda Research collapse; Ren Protocol shuts down, stranding approximately $12 million in user Bitcoin.","source":"","source_url":"https://finance.yahoo.com/news/25-garden-finance-funds-linked-175501426.html"},{"date":"2023-01-01","event":"Jaz Gulati and Susruth Nadimpalli launch Garden Finance as a decentralized HTLC-based Bitcoin bridge, positioning it as a successor to Ren Protocol.","source":"","source_url":"https://renproject.io/"},{"date":"2025-02-21","event":"Bybit exchange is hacked by North Korea's Lazarus Group via multi-signature authentication exploitation; approximately 401,347 ETH (~$1.4 billion) is stolen.","source":"","source_url":"https://www.cryptotimes.io/2025/06/21/zachxbt-claims-garden-finances-illicit-role-in-laundering-1-4b-bybit-hack-funds/"},{"date":"2025-06-21","event":"ZachXBT publishes on-chain investigation alleging that over 80% of Garden Finance's recent fee revenue was derived from laundering Bybit hack proceeds linked to Lazarus Group, and that 16 wallets connected to the hack executed synchronized transactions through the protocol.","source":"","source_url":"https://www.cryptotimes.io/2025/06/21/zachxbt-claims-garden-finances-illicit-role-in-laundering-1-4b-bybit-hack-funds/"},{"date":"2025-06-21","event":"Garden Finance co-founder Jaz Gulati publicly disputes ZachXBT's laundering allegations, claiming 30 BTC in fees were collected prior to the Bybit hack and citing integration of screening tools.","source":"","source_url":"https://www.bitdegree.org/crypto/news/zachxbt-claims-80-of-garden-finance-fees-tied-to-stolen-bitcoin"},{"date":"2025-10-30","event":"Garden Finance's largest independent solver operator is compromised via a private key leak. SSH logs show suspicious access from IP addresses located in Japan and China. The attacker begins draining solver assets across Ethereum, Solana, Arbitrum, and BNB Chain.","source":"","source_url":"https://decrypt.co/356301/garden-finance-shares-forensic-findings-security-breach-limited-to-solver-layer"},{"date":"2025-10-31","event":"Garden Finance publicly acknowledges the breach, offers a 10% white-hat bounty to the attacker for return of funds and exploit disclosure. Protocol goes offline. ZachXBT notes that the on-chain message to the attacker originated from a Garden team deployer address.","source":"","source_url":"https://www.theregister.com/2025/10/31/attackers_dig_up_11m_in/"},{"date":"2025-10-31","event":"Total losses estimated at approximately $5.5 million in initial reports; later revised upward to approximately $10.8–$11.4 million across multiple chains. Stolen tokens include wETH, WBTC, cbBTC, LBTC, and SEED.","source":"","source_url":"https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-october-2025"},{"date":"2025-11-01","event":"Security firm CertiK reports that the exploiter transferred approximately $6.65 million (501 BNB and 1,910 ETH) to Tornado Cash. Approximately $1.8 million in SOL and $500K in EVM funds remain in attacker-controlled addresses.","source":"","source_url":"https://ambcrypto.com/garden-finance-exploiter-moves-6-65m-to-tornado-cash-after-10-8m-hack/"},{"date":"2025-11-01","event":"zeroShadow security analysts assess that on-chain laundering patterns from the exploit are consistent with North Korea-affiliated threat actor DangerousPassword (CryptoCore / Sapphire Sleet / UNC1069). Ernst & Young forensic report confirms private key leak as root cause.","source":"","source_url":"https://decrypt.co/356301/garden-finance-shares-forensic-findings-security-breach-limited-to-solver-layer"}]},"v":1}