TesseraDAO, a project built on the BNB Chain, suffered a major security breach. A hacker created 99 million TSR tokens illegally and quickly sold them for around $2.4 million, causing the token’s value to plummet by 99% in just a few hours.
On-chain analyst Specter (@SpecterAnalyst) was the first to notice the exploit, pinpointing the attacker’s digital address. They also confirmed the stolen funds were then sent to Tornado Cash, a privacy tool that has been sanctioned by the U.S. government.
The On-Chain Evidence
On June 1, 2026, at 11:38:25 AM UTC, a transaction occurred where an attacker minted 99,000,000 TSR tokens. Data from BscScan shows the attacker’s address (0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8) created these tokens directly from the zero address and sent them to the wallet 0x6f2b45B950d1739EF67C76F4106df6d6E84904cB. The transaction hash is 0x25093e573c116562c8839dc67a15ac21761271006a8dfe50b18fa475564bfcd1.
The creation of tokens from the special address ‘0x000…000’ is the key technical indicator of this exploit. Unlike simply sending tokens from one account to another, creating tokens from this address means entirely new tokens are being generated. This suggests the attacker either gained unauthorized access to the contract’s ability to create tokens—perhaps by compromising an administrator’s key—or found a flaw in how the project was designed to create new tokens.
The price of TSR crashed dramatically over a few hours on the PancakeSwap exchange. Its market value plummeted from around $4 million to almost nothing. Currently, TSR is valued at approximately $213,720 – a 99% decrease from its value before the incident. The price of TSR itself also dropped by 99%.
Funds Routed Through Tornado Cash
Specter verified that the hacker sent the stolen funds to Tornado Cash, a privacy tool sanctioned by the U.S. Treasury in August 2022 for helping launder over $7 billion in illegal cryptocurrency. Even with these sanctions, Tornado Cash continues to be the main method used to clean money stolen from attacks on the BNB Chain.
Security researcher Specter has discovered that the hacker who stole $44 million worth of UXLINK tokens in September 2025 is currently using Tornado Cash to hide the stolen funds. Approximately $7.1 million in UXLINK tokens from the hack have recently been deposited into the privacy mixer.
From what I’ve been able to gather, TesseraDAO hasn’t officially addressed the recent exploit. However, within the community, there’s a growing concern that this wasn’t a typical external hack. Many are suggesting it might be a ‘rug pull,’ meaning someone within the project potentially compromised the deployer or admin keys. This raises serious questions about whether the incident was an inside job rather than an external attack.
A Clear 2026 Pattern
The recent TesseraDAO hack is part of a growing trend in 2026 of attackers exploiting minting functions in contracts. They create fake tokens without proper backing and quickly sell them on decentralized exchanges, leaving token holders with losses.
All four incidents share a common problem: someone created tokens that weren’t authorized by the project’s planned release schedule. It doesn’t matter if this happened because a security key was stolen, a hidden flaw existed in the code, the minting process lacked proper checks, or someone intentionally caused it – the result is the same. Unapproved tokens are created, quickly sold on decentralized exchanges, and the money earned is then hidden using Tornado Cash to cover up the source of the funds.
Why It Keeps Happening
Many token contracts include a ‘mint’ function – normally used for legitimate purposes like rewarding users, distributing tokens, or creating initial supplies. However, a weakness in how these functions are built can allow unauthorized users to create new tokens if they have the correct access or find a flaw in the code.
As a crypto investor, one of the biggest risks I see is when a project puts all the power to create new tokens (or ‘minting’) in the hands of just one person or a small group. It basically means the entire project’s security relies on keeping *their* accounts safe. We saw a perfect example of this with the Alephium exploit recently. The tech itself – the way it verified transactions – was actually working fine. The problem was hackers got control of enough of the ‘guardian’ accounts – three out of four, to be exact – and were able to approve fake transactions that looked totally legitimate. It really highlighted how crucial it is for projects to distribute control and avoid single points of failure.
Smaller projects, like TesseraDAO, are often even more vulnerable to attacks. Many projects launching on BNB Chain use standard token creation tools that haven’t been properly secured, checked for weaknesses, or moved to more secure wallet setups with multiple approvals. Security experts at Hacken have found that most BNB Chain hacks in recent years haven’t been caused by complex coding errors, but by simple failures to control who has access to project funds.
Currently, those holding TSR tokens are stuck with an asset that has lost almost all of its value, with no clear way to regain those losses. Furthermore, the funds have been obscured using Tornado Cash, making it nearly impossible to track them through standard blockchain analysis.
Read More
- USD CNY PREDICTION
- Silver Rate Forecast
- Gold Rate Forecast
- EUR HKD PREDICTION
- USD THB PREDICTION
- USD AUD PREDICTION
- CNY JPY PREDICTION
- USD RUB PREDICTION
- GBP EUR PREDICTION
- EUR HUF PREDICTION
2026-06-02 14:13