TesseraDAO: Someone Printed 99 Million Tokens and Walked Away With $2.5 Million

On BNB Chain, someone with admin key access minted 99 million TSR tokens from nothing, sold all of them, bridged $2.5 million to Ethereum, and laundered 1,285 ETH through Tornado Cash. TesseraDAO has not said a word.

TesseraDAO on BNB Chain lost $2.5 million on June 1, 2026 after an attacker used admin key access to mint 99 million TSR tokens, sell them all, bridge the proceeds to Ethereum, and launder 1,285 ETH through Tornado Cash

On June 1, 2026, at 11:38 AM UTC, someone who had control of TesseraDAO's smart contract did something very simple. They printed 99 million TSR tokens. Then they sold all of them.

That is the whole exploit. No clever math. No zero-knowledge proof vulnerability. No bridge manipulation. Whoever did this had the keys. The keys let them mint. So they minted.

To understand why this worked, you need to understand how tokens are created on a blockchain. When a project launches a token, they write a smart contract that defines the rules: total supply, who can mint new coins, under what conditions. Most legitimate projects lock or renounce the minting function after launch. They do this precisely to prevent what happened to TesseraDAO. Somebody either forgot to lock it, or somebody with admin access decided not to give it up.

The attacker minted 99 million TSR from nothing. Then sold every single one into the existing liquidity pool. That pool had real money in it. People who had bought TSR legitimately had put real dollars in there. The 99 million new tokens hit the market like a wave hitting a pond. The price dropped 99%. In hours, TSR was essentially worthless.

The attacker had $2.5 million in USDT from the sale. They needed to move it.

They bridged the proceeds from BNB Chain to Ethereum. Then they sent 1,285.5 ETH into Tornado Cash, the OFAC-sanctioned mixing service that remains the preferred laundry facility for BNB Chain exploits. It is still running. People are still using it. The funds are now gone.

PeckShield and on-chain analyst Specter caught the attack approximately 19 hours after it happened. TesseraDAO issued no official statement. No acknowledgment. No compensation promise. No roadmap for recovery. The community was left with worthless tokens and a wall of silence.

The community's own reaction was telling. Multiple holders said publicly they were not convinced this was an external attack at all. When only insiders hold the admin keys, and the admin keys mint and sell 99 million tokens, the question of whether this was a hack or a self-inflicted rug becomes genuinely hard to answer. The technical mechanism is identical. The outcome is identical. The difference is intent, and intent requires information the project has chosen not to share.

This is not a new pattern. It is the same mechanism that hit StakeDAO in May 2026, when a compromised key let an attacker mint 5.4 trillion vsdCRV tokens on Arbitrum. It is the same pattern that hit UXLINK in September 2025, where billions of tokens were minted and $44 million taken. Specter noted while reporting TesseraDAO that the UXLINK exploiter was simultaneously depositing $7.1 million in stolen proceeds into Tornado Cash.

The assembly line is running. Mint. Dump. Bridge. Launder. Next project.

Manuel Araoz, the founder of blockchain security firm OpenZeppelin, said recently that he considers all of DeFi unsafe, arguing that coding agents are now better at finding vulnerabilities than human defenders are at patching them. The TesseraDAO attack does not require that level of sophistication. No AI needed. No advanced cryptography. Just a key and a mint function that nobody revoked.

As of publication, TesseraDAO has made no public statement. The $2.5 million is gone. The 1,285.5 ETH is in a mixer. Nobody has been identified. Nobody has been charged.