Another day, another cryptocurrency exchange falls victim to a massive data breach. This time, it’s FixedFloat, a non-KYC Bitcoin and Ethereum crypto exchange targeted in a wallet-drainer attack.
FixedFloat, a decentralized crypto exchange, has been hacked for at least $26 million worth of Bitcoin and Ethereum. The attack, initially attributed to minor technical issues, has led to frozen transactions and missing funds.
For your information, FixedFloat is an automated crypto exchange with 26% of its web traffic coming from the US. It integrates with Lightning Network for Bitcoin transactions.
As seen by Hackread.com, users reported frozen transactions and missing funds on the X exchange since February 17, with 409 Bitcoin (approximately $21 million) and 1,728 Ether tokens (approximately $4.7 million) drained on February 18.
The exchange is investigating the security incident. FixedFloat’s website is also displaying an error message on all pages, stating “ERROR – Technical work is underway, we will be back soon! If you need to contact us, you can do this via chat.”
The stolen funds were sent to the Ethereum exchange. A threat researcher going by the X (formerly Twitter) handle “Officer’s Notes” revealed that the hacker first transferred ETH to different ETH addresses and finally moved them to the eXch exchange. They then sent funds to two HitBTC addresses, which received their initial ETH deposits in 2021. This seems to be an attempt to create a false trail.
.@FixedFloat hacked, resulting in ~1,728 ETH (worth ~$4.85m) and 409 BTC (worth ~$21m) stolen. The drainer already transferred most of the stolen ETH to eXch on Ethereum. 26M$ loss in total!
Drainer on Ethereum (1700 ETH stolen): 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085… https://t.co/imeXB1h7Jv
— Officer's Notes (@officer_cia) February 19, 2024
“I don’t see any addresses (other than the hacker’s address) that link these 2 HitBTC deposit addresses…Most likely, the hacker created only a false trail,” the researcher explained on X (Twitter). This was confirmed by the Web3 security platform Cyvers on X as well.
The cryptocurrency exchange confirmed it was an external attack, rubbishing rumours of insider involvement. Users and analysts initially claimed FixedFloat developers were behind the hacking, but the exchange denied any internal involvement.
Although the company is yet to reveal the core information on how it happened, cybersecurity researchers are positive that the hack was caused by vulnerabilities and insufficient security measures, allowing the attacker to bypass defences and access core service functions.
Wallet Drainer Attack?
As to what type of vulnerabilities, researchers believe that it was a wallet drainer attack. A wallet drainer attack is a malicious technique employed by cybercriminals to steal cryptocurrency from unsuspecting victims’ wallets. It typically involves exploiting vulnerabilities in smart contracts or tricking users into granting unauthorized access to their funds.
FixedFloat stated that no user funds were affected, but the hack affected 30 outstanding orders, which the exchange will pay as soon as its services resume.
FixedFloat faced criticism for not reporting the hack immediately, while the company maintains it was focusing on minimizing loss and eliminating vulnerabilities. The platform expects full operations to resume soon and plans to release a detailed report after the investigation is complete.
Surge in Drainer Attacks
Nevertheless, it is concerning that cryptocurrency exchanges have become a prominent target of scammers lately. Last month, Group-IB Global Pvt. Ltd. disclosed details of a phishing operation dubbed Inferno Drainer targeting cryptocurrency wallet providers. The scammers targeted over 100 brands and used 16,000 malicious domains, stealing over $80 million in digital assets from November 2022 to November 2023. The team reaped $87 million in illicit profits and scammed over 137,000 victims.
In June 2023, Pink Drainer, a notorious hacker group, successfully executed a series of high-profile Discord and Twitter hacks targeting projects like Evmos, Pika Protocol, OpenAI CTO, and Orbiter Finance. Online scam detector ScamSniffer confirmed Pink Drainer stole around $3 million from nearly 1,932 victims.