According to Laura Shin, a reporter who delved into the scandal for her new book, the hack was apparently executed by Toby Hoenisch.
Shin reached out to Hoenisch to present the evidence she had collected, and received a reply that said:
"Your statement and conclusion is factually inaccurate."
However, she went on to claim that he failed to answer her follow-up questions, or provide detailed rebuttals to the allegations. He later deleted his entire Twitter history.
Shin and her sources say they were able to connect the dots and get answers by using a blockchain analytics tool developed by Chainalysis. This allows transactions to be monitored closely, and on occasion, the flow of funds can later be linked to those who may have achieved anonymity at first. (Similar techniques led to the arrests of Ilya "Dutch" Lichtenstein and Heather Morgan for their alleged connection to the Bitfinex hack in 2016.)
Unable to get answers from Hoenisch, Laura Shin has put forward a potential motive. The programmer had identified a slew of vulnerabilities in The DAO's code, but it appears that his warnings were not taken seriously by the project's founders. She wrote:
"This is also a tale of the big brains and big egos that drive the crypto world — and of a hacker who may have justified his actions by telling himself he simply did what the faulty code baked into The DAO allowed him to do."
In terms of how all this could have been achieved, Shin points to a vulnerability in the smart contract that meant the funds involved in a withdrawal would be sent first, with the balance updated only afterwards. By preventing that update from taking place, the attacker was effectively able to withdraw the same crypto over and over again:
"It was as if the attacker had $101 in their bank account, withdrew $100 at a bank, then kept the bank teller from updating the balance to $1, and again requested and received another $100."
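The ordering flaw described above, shown as an added Python model that is not code from The DAO or from Shin's reporting: a toy ledger either pays out before recording the withdrawal or records it first, and the recipient's code runs during the payout. The `Vault` class, the account names and the `others` deposit of 400 are assumptions made for illustration; the 101 and 100 figures follow the bank-teller analogy.

```python
class Vault:
    """Toy ledger (hypothetical, not The DAO's contract code)."""

    def __init__(self, balances, effects_first):
        self.balances = dict(balances)
        self.reserve = sum(balances.values())  # funds actually held
        self.effects_first = effects_first     # True: record withdrawal before paying

    def withdraw(self, account, amount, on_receive):
        before = self.balances[account]
        if before < amount or self.reserve < amount:
            return False                       # check: refuse if balance too low
        if self.effects_first:
            self.balances[account] = before - amount  # effect first (corrected order)
        self.reserve -= amount                 # interaction: funds leave the vault...
        on_receive(self)                       # ...and the recipient's code runs
        if not self.effects_first:
            self.balances[account] = before - amount  # effect last (flawed order)
        return True


def run(effects_first, reentries=3):
    """Return (total paid out, recorded balance, funds left in the vault)."""
    # Constructed sample data: 101 and 100 follow the analogy; "others" is assumed.
    vault = Vault({"alice": 101, "others": 400}, effects_first)
    paid = []

    def on_receive(v):
        paid.append(100)
        if len(paid) <= reentries:             # ask again before the call returns
            v.withdraw("alice", 100, on_receive)

    vault.withdraw("alice", 100, on_receive)
    return sum(paid), vault.balances["alice"], vault.reserve


if __name__ == "__main__":
    print("send then update:", run(effects_first=False))
    print("update then send:", run(effects_first=True))
```

With the flawed order the ledger ends up recording a balance of 1 although 400 has left the vault; with the corrected order the second request fails the balance check and only 100 is paid.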
It's unclear what — if any — actions may arise from these new allegations.