FixedFloat – a cryptocurrency exchange that operates without “Know Your Customer” (KYC) anti-money laundering (AML) measures – was hacked earlier this month, resulting in the loss of more than 400 Bitcoin and 1,700 Ethereum, to the tune of $26 million.
A blockchain security firm has identified the Bitcoin address used in the theft, and on-chain data from a linked Ethereum address has revealed several high-value transactions to different addresses.
According to fellow blockchain analytics firm PeckShield, the stolen funds were moved through the Ethereum mixer eXch shortly after the hack, complicating the process of tracking the stolen assets. A small part of the money was transferred to HitBTC and CoinSpot. PeckShield labeled the wallet address “FixedFloat drainer”.
FixedFloat told Decrypt that the hack was not carried out by one of its employees and was an “external attack caused by vulnerabilities in our security architecture.”
“The problem was in our infrastructure, which was compromised due to defects and lack of adequate protection,” the company said. “This allowed the attackers to gain access to some functionality of our service.”
After the hack, FixedFloat initially cited “minor technical issues” and moved its systems into “maintenance mode.” This was before the full extent of the hack was revealed, causing confusion and anxiety among users.
“We did not report the hack immediately as we were aware of the incident early and immediately put our service into maintenance mode to ensure security and minimize losses,” the exchange told Decrypt. “At that time, our main focus was on quickly eliminating vulnerabilities and strengthening overall security, which prevented us from making a public statement about what happened.”
In a subsequent statement, FixedFloat clarified that the financial loss affected the service itself rather than assets owned by users, assuring customers that their funds are safe. “FixedFloat does not perform escrow services – that is, it does not store users' money. We will provide more information later,” the platform said on Twitter.
However, after reports of the hack started circulating on social media, the platform confirmed the incident and publicly acknowledged the attack.
The official FixedFloat Twitter account responded: “We can confirm that there was indeed a hacking and theft of funds. We are not ready to comment publicly on this issue as we are working to eliminate all potential vulnerabilities, improve safety and inspection.”
“Our service will be available again soon,” the account continued.
hello,
We have indeed confirmed that there was embezzlement and theft. We are not yet ready to comment publicly on this issue as we are working to remove, improve security, and investigate all vulnerabilities. Our service will be available again soon.
we will do…
— FixedFloat⚡️ (@FixedFloat) February 18, 2024
The exchange later confirmed that users' funds were safe and that the stolen funds only affected the company's internal operations. If so, the stolen funds were likely drawn from one of the exchange's own operational wallets.
The official FixedFloat site remains active at the time of writing.
FixedFloat advertises itself as a “fast and fully automated cryptocurrency exchange with the Lightning Network” and prioritizes privacy over security, working without the need for account registration or identity verification. This lack of KYC measures appeals to privacy-conscious users, but poses a significant risk to both the platform and its users, as investigators have limited data to work with.
Such incidents are less costly than they used to be. Blockchain forensics firm Chainalysis recently revealed that the amount of money stolen from cryptocurrency platforms dropped significantly in 2023. Despite a slight increase in the number of individual hacking incidents, the total value of stolen funds fell by an estimated 54.3% to $1.7 billion, mostly due to a sharp decline in DeFi hacks.
FixedFloat reports that it is working with law enforcement agencies, blockchain forensics companies and cryptocurrency exchanges to track down the hackers, who have not yet been identified. The company says it will honor all payment obligations once it is up and running and can ensure the exchange is safe to use again.
Edited by Ryan Ozawa.