Badger DAO

🔴 High Risk

The Badger DAO frontend phishing incident of December 2021 shows how a DeFi protocol's off-chain attack surface turns into an AML and regulatory problem. An unauthorized Cloudflare API key for app.badger.com let the attacker inject scripts that prompted users to sign malicious ERC-20 approve() transactions, enabling the theft of roughly $120-130 million in WBTC and ETH. The proceeds were swapped to renBTC and bridged to native BTC through Badger's own bridge, a layering sequence that passed through none of the Bank Secrecy Act controls a registered money services business would apply. The case also drew CFTC scrutiny of Badger's DIGG token over alleged manipulation of its fragmented redemption flows, which, if established, would place Badger's operations within the Commodity Exchange Act's rules on unlicensed futures commission merchants (FCMs). No politically exposed persons were identified, but the incident has direct implications for retail investor protection and for FinCEN enforcement gaps.

In December 2021, Badger DAO, a U.S.-exposed DeFi protocol offering Bitcoin yield vaults, suffered a frontend phishing attack built on a compromised Cloudflare API key for app.badger.com. The attacker used the key to serve a malicious script from the legitimate domain; the script prompted high-value users, many of them U.S. retail investors, to sign ERC-20 approve() transactions that named the attacker's address as spender. Nearly 200 users signed, and the attacker then pulled the approved balances with transferFrom, draining approximately $120-130 million, including about 2,100 WBTC (~$100M) and 151 ETH. The attacker (wallet 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107) quickly swapped the stolen WBTC to renBTC, bridged it to native BTC via Badger's own BTC bridge, and dispersed the funds across multiple addresses likely headed for mixers: classic layering that defeated AML traceability and passed through no intermediary subject to Bank Secrecy Act reporting. The incident also sharpened CFTC scrutiny of Badger's DIGG token, an elastic-supply asset pegged to BTC, over allegations that governance schemes manipulated its fragmented redemption flows in breach of Commodity Exchange Act prohibitions on unlicensed FCM operations. No PEPs were involved, but the case exposed DeFi's frontend risks and the absence of BSA controls over its flows, prompting Chainalysis and TRM Labs tracing, reports to law enforcement, and calls for stricter U.S. oversight; it closed without formal charges, leaving Badger as a high-risk AML reference case.
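As an added example (not code from Badger DAO or from this write-up), the check below is the wallet-side guard that would have caught the approvals described above: it decodes a pending eth_sendTransaction request, recognises the standard ERC-20/ERC-721 approval selectors, and flags an approval whose spender is not one of the dapp's known contracts or whose allowance is unlimited. The constructed sample uses the attacker address cited in this case as the spender and the WBTC token contract as the call target; the vault address is hypothetical, and the 2^128 "effectively unlimited" threshold is an assumption.

```javascript
// Added example: wallet-side approval guard for the Badger-style phishing
// pattern. Not Badger DAO code; the vault address and sample transactions
// are constructed for the demo.

// Standard 4-byte selectors (first four bytes of keccak256 of the signature)
// for the calls an injected frontend script asks a victim to sign.
const APPROVAL_SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0x39509351': 'increaseAllowance(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
};

const UINT256_MAX = (1n << 256n) - 1n;
// Assumption: no real token needs an allowance above 2^128 base units, so a
// larger value is treated as "effectively unlimited" even if not uint256 max.
const EFFECTIVELY_UNLIMITED = 1n << 128n;

// Return the i-th 32-byte ABI word following the selector, as 64 hex chars.
function abiWord(data, i) {
  const start = 10 + i * 64; // '0x' (2 chars) + selector (8 chars)
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error('truncated calldata');
  return w;
}

// Decode approve / increaseAllowance / setApprovalForAll calldata.
// Returns null when the call is not an approval at all.
function decodeApproval(data) {
  const d = String(data).toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(d) || d.length < 10) return null;
  const sig = APPROVAL_SELECTORS[d.slice(0, 10)];
  if (!sig) return null;
  const spender = '0x' + abiWord(d, 0).slice(24); // address is right-aligned in its word
  const value = BigInt('0x' + abiWord(d, 1));
  const unlimited = sig.startsWith('setApprovalForAll')
    ? value === 1n // approved == true covers every token id the user owns
    : value === UINT256_MAX || value >= EFFECTIVELY_UNLIMITED;
  return { sig, spender, value, unlimited };
}

// Assess a pending eth_sendTransaction request against the set of contract
// addresses the dapp legitimately asks users to approve. The verdict is what
// a wallet or a frontend integrity check would show before signing.
function assessTransaction(tx, knownSpenders) {
  let approval;
  try {
    approval = decodeApproval(tx.data || '0x');
  } catch (e) {
    return { risk: 'high', approval: null, reasons: [e.message] };
  }
  if (!approval) return { risk: 'none', approval: null, reasons: [] };
  const allow = new Set(knownSpenders.map((a) => a.toLowerCase()));
  const reasons = [];
  if (!allow.has(approval.spender)) {
    reasons.push(`spender ${approval.spender} is not a known protocol contract`);
  }
  if (approval.unlimited) {
    reasons.push(`${approval.sig} grants an unlimited allowance`);
  }
  const risk = reasons.length === 2 ? 'high' : reasons.length === 1 ? 'medium' : 'low';
  return { risk, approval, reasons };
}

// Build calldata for the constructed samples below.
function encodeApprovalCall(selector, spender, value) {
  const s = spender.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  const v = BigInt(value).toString(16).padStart(64, '0');
  return selector + s + v;
}

const WBTC = '0x2260fac5e5542a773aa44fbcfedf7c193bc2c599'; // WBTC token contract (mainnet)
const ATTACKER = '0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107'; // address cited in this case
const VAULT = '0x' + '42'.repeat(20); // hypothetical legitimate Badger vault address

// Constructed sample 1: what the injected script asked victims to sign.
const phishingTx = { to: WBTC, data: encodeApprovalCall('0x095ea7b3', ATTACKER, UINT256_MAX) };
// Constructed sample 2: a normal deposit flow, finite allowance to the vault (5 WBTC).
const legitTx = { to: WBTC, data: encodeApprovalCall('0x095ea7b3', VAULT, 5n * 10n ** 8n) };

function demo() {
  return [phishingTx, legitTx].map((tx) => assessTransaction(tx, [VAULT]));
}

for (const v of demo()) console.log(v.risk, v.reasons.join('; '));
```

The guard keys on two signals at once: a spender outside the protocol's deployed contracts (an EOA such as the attacker's wallet here) and an unlimited allowance. Either alone is worth a warning; together they are the exact shape of the Badger prompts, and a frontend served from the legitimate domain gives the user nothing else to distinguish them by.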

Countries Involved:

United States (primary jurisdiction claimed on the basis of CFTC oversight, the user base, and enforcement interest in DeFi manipulation schemes).

Date of Incident:

December 2, 2021 (bulk of the phishing drains; the malicious frontend injection is reported to have begun on November 10, 2021).

Cryptocurrency Involved:

WBTC, renBTC, ETH, native BTC

Type of Crime:

Frontend phishing that induced unauthorized ERC-20 token approvals, classified as theft with suspected downstream money laundering through obfuscation techniques that passed through no U.S. Bank Secrecy Act (BSA) controls.

Entities Involved:

Badger DAO (U.S.-facing DeFi protocol); attacker address 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107; Cloudflare (provider whose API key was abused to inject the script).

PEP Involvement:

No

Laundering Method:

Stolen WBTC swapped to renBTC, then bridged to native BTC via the Badger BTC bridge; funds parked across multiple BTC addresses pending mixing, with TRM Labs noting likely mixer routing. The flow defeated U.S. AML traceability: FinCEN rules require money services businesses (MSBs) to register and file reports, and none of these steps touched a registered MSB.

Volume (USD est.):

$120-130 million USD equivalent.

Modus Operandi:

Injected frontend script prompted ~200 high-value users to sign approve() calls naming the attacker as spender; the attacker then pulled 2,100 WBTC (~$100M) and 151 ETH through the granted allowances, converted them in real time to renBTC, bridged to BTC and dispersed the proceeds. The fragmented flows resemble the DIGG redemption patterns cited in the CFTC's manipulation inquiry.

Law Enforcement / Regulatory Action:

CFTC investigated alleged DIGG token manipulation tied to fragmented redemption layers; Badger reported the breach to U.S. law enforcement; Chainalysis and TRM Labs traced funds to support potential DOJ/FBI recovery. No laundering charges were filed, which this case cites as a U.S. DeFi enforcement gap under the Commodity Exchange Act.

Badger DAO
Case Title / Operation Name:
Badger DAO
Country(s) Involved:
United States
Platform / Exchange Used:
Badger DAO DeFi protocol, Badger BTC bridge
Cryptocurrency Involved:

WBTC, renBTC, ETH, native BTC

Volume Laundered (USD est.):
$120-130 million USD
Wallet Addresses / TxIDs :
Hacker: 0x1fcdb04d0c5364fbd92c73ca8af9baa72c269107 (WBTC/ETH drains)
Method of Laundering:

Post-theft WBTC swapped to renBTC, then bridged to native BTC via the Badger BTC bridge; funds dispersed across multiple addresses, likely for mixers/tumblers, evading U.S. AML traceability and the reporting controls BSA/FinCEN rules impose on registered intermediaries

Source of Funds:

Frontend phishing theft from ~200 high-value user vaults (2,100 WBTC, 151 ETH); the case ties the flows to alleged DIGG manipulation schemes distorting its elastic-supply BTC peg

Associated Shell Companies:

N/A

PEPs or Individuals Involved:

No PEP involvement confirmed

Law Enforcement / Regulatory Action:
CFTC investigation into DIGG token manipulation; Chainalysis/TRM Labs tracing; reported to U.S. law enforcement; no formal laundering charges
Year of Occurrence:
2021
Ongoing Case:
Closed