Community

Share insights and tips to strengthen the community.

All 212
dooooo

June 15, 2026

Community Investigation
Anatomy of the Ambient Finance Exploit: How a Stealth Attacker Drained $110K in 12 Seconds

The DeFi space is no stranger to sophisticated attacks, but the recent exploit of Ambient Finance (formerly CrocSwap) stands out for its meticulous preparation and invisible execution. On June 7, 2026, an attacker exploited a surplus collateral accounting vulnerability in Ambient Finance's CrocSwapDex contract on the Ethereum mainnet. Within a mere 12 seconds, across consecutive blocks 25266404 and 25266405, approximately $110,600 was drained from the protocol. This was not a typical smash-and-grab flash loan attack, however: the orchestrator deployed advanced evasion tactics, which makes the case a useful study for Web3 security professionals.

🛠️ The Exploit Mechanism: Zero-Cost Amplification

The core of the exploit targeted a flaw in the surplus collateral accounting logic of the single-contract DEX architecture. By strategically cycling calls through the HotProxy, WarmPath, and ColdPath execution layers, the attacker manipulated internal surplus balances to withdraw ETH without locking up the corresponding real collateral.

To fund the exploit, the attacker used a classic DeFi weapon: Balancer V2's zero-fee flash loans. In the more damaging of the two sequential attacks (block 25266405), they borrowed 50 ETH and 1 USDC at zero cost, executed the accounting manipulation, and extracted 83.72 ETH and 55,913 USDC. The flash loan was repaid within the same transaction, securing a risk-free profit.

| Phase | From (Entity) | To (Entity) | Amount / Action | Block / Date |
|---|---|---|---|---|
| Preparation | Initial Funder (0xb180...cc8a) | Orchestrator EOA (0x0003...02af) | 0.4 ETH (seed funding) | May 19, 2026 |
| Exploit #1 (USDT) | Balancer V2 (0xba12...f2c8) | Exploit Contract #1 (0x0461...e4f) | 3 ETH + 1 USDT (flash loan) | 25266404 |
| Exploit #1 (USDT) | Exploit Contract #1 | Ambient CrocSwapDex (0xaaaa...f688) | Surplus accounting exploit | 25266404 |
| Exploit #1 (USDT) | Ambient CrocSwapDex | Exploit Contract #1 | 4.32 ETH (withdrawal) | 25266404 |
| Exploit #2 (USDC) | Balancer V2 | Exploit Contract #2 (0xaac1...c1b) | 50 ETH + 1 USDC (flash loan) | 25266405 |
| Exploit #2 (USDC) | Exploit Contract #2 | Ambient CrocSwapDex | Surplus accounting exploit | 25266405 |
| Exploit #2 (USDC) | Ambient CrocSwapDex | Exploit Contract #2 | 83.72 ETH (withdrawal) | 25266405 |
| Laundering & Bribe | Exploit Contracts (#1, #2) | Uniswap V4 Pools | USDC/USDT → ETH swap | Internal txs |
| Laundering & Bribe | Profit Router (0x0003...dd0f) | Titan Builder (0x4838...5f97) | ~35.24 ETH (MEV bribe) | 25266404-25266405 |
| Laundering & Bribe | Profit Router | Attacker Profit Wallet (0x0008...394a) | ~35.24 ETH (net profit) | 25266404-25266405 |
| Aftermath | Attacker Profit Wallet | Unknown / bridges / private bundles | Full drain (current balance: 0) | Post-exploit |

🥷 The Ultimate Stealth Play: A 50% MEV Bribe

What makes this exploit remarkable is how the attacker avoided public mempool detection. Large transactions broadcast to the public mempool can be front-run or blocked by MEV (Maximal Extractable Value) bots or by defensive monitoring systems.

To guarantee atomic on-chain execution, the attacker bypassed the public mempool entirely and submitted the exploit transactions as a private MEV bundle directly to Titan Builder, a dominant Ethereum block builder.

The cost of this invisibility was a staggering 50% of the total profit. The attacker routed 55,913 USDC through Uniswap V4 to swap it into ETH, then paid approximately 35.24 ETH (worth around $59,300 at the time) as a direct coinbase bribe to Titan Builder. By sacrificing half the loot for a 50/50 split, the attacker ensured the transactions were included in consecutive blocks without any chance of defensive intervention. Note that a private bundle hides a transaction only until it is mined; once the block lands, the calls and their internal traces are fully visible, which is how the table above could be reconstructed.

🕵️‍♂️ A Pre-Planned, Highly Coordinated Operation

Forensic analysis shows this was not an opportunistic, spur-of-the-moment hack. The attacker seeded their infrastructure about 20 days before the attack (around May 19, 2026) with an initial 0.4 ETH.

They deployed at least six "vanity address" smart contracts (all starting with 0x000...), generated deliberately to obfuscate fund flows and create visual clustering on-chain.

As of the latest intelligence, the primary profit wallet (which received the remaining ~35.24 ETH) has been fully drained, likely via private bundle transfers or cross-chain bridges. The attacker's orchestrator EOA remains operationally active, however, holding residual balances across Ethereum ($725), BNB Chain ($54), Arbitrum ($41), and Base ($20).

🔍 What's Next?

The Ambient Finance exploit is a stark reminder that DeFi attackers are prioritizing execution certainty and stealth over profit maximization. Security communities must look beyond standard re-entrancy bugs and closely audit intra-contract state consistency, in particular internal balance accounting that is reachable through several execution paths.

For investigators and law enforcement, the trail has not gone completely cold. The focus now shifts to deeper multi-chain tracing of the active orchestrator EOA, and potentially a formal cooperation request to Titan Builder to unmask the private bundle submitter's identity.

Stay safe, stay vigilant, and always audit the smart contracts.

Appendix: Trace graph

REPORT

June 15, 2026

Blockchain Insights
A forensic breakdown of the June 2026 Raydium AMM V3 exploit — and where the money went

On June 10, 2026, a single attacker quietly drained $1.34 million from a Solana-based decentralized exchange using a smart contract that the protocol had officially retired five years earlier. No alarm was triggered in real time. No user interface exposed the vulnerable pools. The attacker simply knew something most people had forgotten: dead code, if left callable on-chain with real assets still inside it, never truly dies.

This is a forensic reconstruction of the Raydium legacy AMM V3 exploit: how it was executed, how the funds were laundered, and what investigators found when they followed the money on-chain.

The Victim: Raydium and Its Forgotten Pools

Raydium is one of Solana's largest decentralized exchanges, with more than $777 million in total value locked (TVL) and $148 million in daily trading volume at the time of the incident. Its current infrastructure, the Concentrated Liquidity Market Maker (CLMM) and AMM V4, is actively maintained, audited, and widely regarded as secure.

The vulnerability had nothing to do with any of that.

The attacker instead targeted the legacy AMM V3 program, a smart contract Raydium had phased out in 2021 when it migrated to a newer, more capital-efficient architecture. The old program was never formally disabled. It remained on-chain, callable by anyone, with five deprecated liquidity pools (Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL) still holding real assets.

Those five pools collectively held approximately:

The Exploit: Forging a Key to an Unlocked Vault

To understand the attack, you need to understand how liquidity pools track ownership. In any standard automated market maker, depositing assets into a pool returns LP (Liquidity Provider) tokens that represent your proportional share of the pool. When you withdraw, you burn your LP tokens and the contract releases your share of the underlying assets, but only after verifying that the LP tokens you burn are the legitimate ones issued by that specific pool.

That verification step, confirming that the LP mint address matches the pool's authorized mint, is a fundamental security check. Raydium's legacy AMM V3 program did not perform it.

The attack sequence was elegant in its simplicity:

1. The attacker created a brand-new SPL token mint: a counterfeit LP token with no connection to any real Raydium pool.
2. The attacker minted a single unit of this counterfeit token.
3. The attacker called the legacy withdraw function, passing the fake mint as if it were the pool's legitimate LP token.
4. The old contract accepted it. Without checking the mint address, the contract treated the attacker as a 100% LP shareholder and released the pool's entire reserve.

The sequence was repeated across all five deprecated pools.

As pseudonymous Raydium contributor 0xInfra confirmed on X, the exploit was "a self-contained logic flaw" in the deprecated program. There was no key compromise, no oracle manipulation, no authority-level breach. Just missing input validation in code that had been sitting dormant on-chain, with real money inside it, for five years.

The On-Chain Forensic Trail

The following analysis is based on on-chain tracing of 1,058 transactions across 372 addresses emanating from the attacker's wallet within 30 days of the incident.

Attacker's primary Solana address: 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk

By the time on-chain investigators began tracing the wallet, the balance was already $0. The attacker had moved fast.

Phase 1 — Asset Aggregation and Swap (Hour 0)

Immediately after draining the five pools, the attacker consolidated the stolen assets. The 5,603 SOL was routed through a Solana DEX aggregator (5m2LUcmZqA26QxzALdrZqiVoFAkrVKji4FFfzzLKn9pa) and converted to USDC, a deliberate move to unify all proceeds into a single stablecoin before the cross-chain transfer. The attacker did not attempt to liquidate through any Solana-native exchange.

Phase 2 — Structuring: The Peel Chain Pattern

Rather than moving the funds in a single large transfer, which would be flagged immediately, the attacker used a textbook structuring / peel-chain technique. The $893,700 USDC was broken into a series of near-identical outbound transfers:

$93,690 × 7 transactions → Intermediary cluster A (D5YqVMoSxnqeZAKAUUE1Dm3bmjtdxQ5DCF356ozqN9cM)
$100,000 × 5 transactions → Intermediary cluster B (FkaLnX17cXZGyeu3kZGdHCNdFMJJzBrPPYVvd18B3MZp)
$319,996 → Intermediary C (8Dz5HLLQKzXtwm8SxgcYzJqMzotinWgQFTiytjW35nwd)
$255,261 → Intermediary D (6gxqegc6C9c2TYbNn8fjsVXvcctjdLahUtV45KrMEnpn)
$191,797 → Intermediary E (997p6CNyaJquJd54ytDnqyr16e5yv4QUnVv2eWCZN62J)
$191,809 → Intermediary F (AaegV4PEhkrvuayWDr8Yv2DxPWqUwjFBHFoMF6z8nwiW)
$191,652 → Intermediary G (ByCFj1x3G9UszbTeFqekG1Zx91uG6GYgZKEn9e8ey13N)
$193,700 → Intermediary H (GJvewfRjqTUPtx6WsBSUnaFbdgXwgXnWfpDyLm65T4YA)
$127,815 → Intermediary I (Hrvy5r62HFT2BdFEF95jW61crTcortQztGxD5zx3NrQw)

Each of these intermediary addresses received funds, held them briefly, then forwarded them onward. This layering pattern, splitting a large sum into multiple similar-sized transfers across numerous addresses, is a recognized money-laundering typology. The objective is to generate noise, making it harder to reconstruct the total fund flow from any single transaction.

Phase 3 — Reconvergence at the Bridge Preparation Hub

After the peel-chain dispersion, the funds did not stay scattered. All nine intermediary clusters funneled their USDC back into a single bridge preparation hub address (2snHHreXbpJ7UwZxPe37gnUNf7Wx7wv6UKDSR2JckKuS).

This reconvergence is a telling pattern. The dispersion was not intended to permanently split the funds; it was a layering maneuver to create forensic noise. Once the layering phase was complete, everything was reunited for the final cross-chain exit. The total time between the exploit and this reconvergence was measured in hours, not days.

Phase 4 — Cross-Chain Bridge: Solana to Ethereum

From the bridge preparation hub, the entire balance was bridged from Solana to Ethereum. The specific bridge protocol has not been confirmed via on-chain corroboration at the time of writing. This hop is reported on the basis of PeckShield's tracking and should be treated as a credible but unverified lead pending direct on-chain confirmation of the Ethereum-side receiving address.

What is confirmed by multiple independent security researchers: the funds arrived on Ethereum shortly after leaving Solana.

Phase 5 — The Final Destination: Tornado Cash

On the Ethereum side, the attacker moved swiftly:

810 ETH deposited into Tornado Cash. This is the primary mixing event, representing approximately $1.26 million of the total stolen amount. Tornado Cash, removed from the U.S. Treasury's sanctions list in March 2025, remains the exit ramp of choice for DeFi exploiters seeking to break the on-chain trail.
7 ETH transferred to FixedFloat. A smaller tranche sent to a non-custodial swap service, likely to convert a portion of the funds into another asset or chain with reduced traceability.

Once funds enter Tornado Cash in sufficient volume, transaction-level tracing, at least by conventional methods, terminates. No funds have been reported frozen or flagged by any centralized exchange.

The Complete Fund Flow

[5 Deprecated AMM V3 Pools on Solana]
        ↓ Fake LP mint exploit — June 10, 2026
[Attacker Wallet: 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk]
 |
 ├─ SOL 5,603 → DEX Swap Hub → converted to USDC
 |
 ├─ USDC → Structuring / Peel Chain (9 intermediary addresses)
 |        $93,690 ×7 | $100,000 ×5 | $319K | $255K | $191K ×3 | $127K
 |
 └─ All USDC → Bridge Prep Hub (2snHHreXbpJ7UwZxPe37gnUNf7Wx7wv6UKDSR2JckKuS)
                |
        Cross-Chain Bridge (Solana → Ethereum)
                |
        ┌───────┴───────┐
     810 ETH          7 ETH
   Tornado Cash     FixedFloat
   [Trail ends]   [Swap / convert]

The Investigation Anchor: KuCoin

Here is the detail that matters most for any law enforcement or compliance action: the attacker's wallet was initially funded through KuCoin.

Before the exploit, the attacker received operating funds, likely for gas and test transactions, from an account on KuCoin, a centralized exchange with mandatory KYC registration. This is the most viable attribution anchor in the entire case. KuCoin holds identity records for the account that funded the attacker's wallet. A formal legal request (court order, MLAT, or voluntary cooperation request from a relevant jurisdiction) to KuCoin could yield the attacker's real-world identity.

This is the single most actionable lead for investigators.

Raydium's Response: Full Reimbursement

Raydium's response was swift and unambiguous. Within hours of the exploit being flagged, the protocol confirmed that:

No active users, current pools, or modern infrastructure were affected.
The deprecated AMM V3 program had not been accessible via the UI since 2021.
All affected liquidity providers would be fully reimbursed from the project treasury.

This is not the first time Raydium has faced this situation. The December 2022 incident, a $4.4 million loss caused by a private key compromise, was similarly handled through a governance-approved reimbursement using buyback fees and vested team tokens. That incident was structurally different (an operational breach, not a code vulnerability), but the compensation commitment reflects an established pattern in how the protocol handles security failures.

At the time of writing, RAY traded near $0.57, down less than 1% on the day of the incident, a remarkably muted market reaction, likely attributable to the credible reimbursement commitment and the fact that no active user positions were touched.

What This Means for DeFi Security

The Raydium June 2026 exploit is not a novel attack. It is, in many ways, a familiar one: a legacy codebase vulnerability, a deprecated program left callable on-chain, real assets left sitting in retired infrastructure. The attack method (fake mint address bypass) belongs to a documented vulnerability class. A March 2026 symbolic-execution study examining 8,714 bytecode-only Solana contracts flagged 467 with potential bugs, citing missing key/mint verification as one of the most common failure modes.

There are three systemic lessons here:

1. Deprecated ≠ Disabled. A contract phased out of the UI is not a contract that has been deactivated. On a permissionless blockchain, if a program is deployed and callable, anyone can call it, regardless of whether the interface still exposes it. Protocol teams must treat deprecated on-chain programs as live attack surfaces until they are formally neutralized. On Solana that means closing the program account through its upgrade authority, or upgrading it to a stub that rejects every instruction, and emptying the pool vaults it controls.

2. Legacy Assets in Legacy Code. The deeper failure here is not just that the old AMM V3 existed on-chain, but that real assets remained inside it. When Raydium migrated to AMM V4 and CLMM in 2021, a full asset migration out of the deprecated pools should have been part of the transition. Five years of dormancy, combined with real liquidity, created the exact conditions the attacker exploited.

3. Laundering Playbooks Are Predictable. The attacker followed a pattern that security researchers have documented extensively: structuring → cross-chain bridge → mixer. The predictability cuts both ways. It makes tracing easier for investigators, but it also demonstrates that mixers and bridges remain the laundering infrastructure of choice for DeFi exploiters. The centralized funding point (KuCoin) is the only meaningful deviation from a fully anonymous operation, and it may prove to be the attacker's critical mistake.

Recovery Prospects

Bluntly: the $1.34 million is unlikely to be recovered in full.

810 ETH inside Tornado Cash is, for practical purposes, currently untraceable at the transaction level. FixedFloat, a non-custodial swap service, offers limited recourse. The bridge destination address on Ethereum was not confirmed with on-chain corroboration at the time of publication.

What investigators do have:

The complete Solana-side fund flow, reconstructed hop by hop
KuCoin as a KYC-linked funding source, the strongest attribution lead
The attacker's primary Solana address (4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk), fully mapped
A documented structuring pattern that constitutes on-chain evidence of deliberate layering

The KuCoin lead is real. Whether it results in an arrest depends on the jurisdiction, the response timeline, and whether KuCoin's cooperation yields actionable identity records before the statute of limitations becomes a concern.

Conclusion

The Raydium June 2026 exploit is a $1.34 million lesson about the hidden risks of deprecated infrastructure. The vulnerability was not exotic. The attack required no zero-days, no insider access, no flash loan engineering. It required only the observation that an old contract with missing input validation still held real money, and the knowledge of how to ask for it.

The attacker executed a professional laundering sequence: structuring, peel chains, cross-chain bridging, and mixing. But they made one mistake that most sophisticated exploiters avoid: funding their operational wallet through a KYC-registered exchange before the attack.

That connection to KuCoin is the thread investigators should pull.

Forensic analysis conducted using on-chain data from the Solana mainnet and OSINT from PeckShield, on-chain investigator Specter, and published security research. All address attributions are based on confirmed on-chain fund flows. The Ethereum-side bridge destination has not been independently confirmed on-chain at the time of publication and is reported on the basis of security researcher findings. This post is for informational and investigative purposes only.
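The structuring and reconvergence steps in Phases 2 and 3 can be turned into detection logic. The script below is an added example, not part of the original post or of any tracing tool it cites. It builds a transfer edge list from the outbound amounts reported above (intermediaries labelled A–I as in the text; the attacker wallet and hub are placeholder labels) and assumes each intermediary forwarded everything it received to the bridge preparation hub, since the post reports the reconvergence but not per-hop amounts. Two heuristics run over that list: clusters of near-identical outbound amounts (structuring) and a common downstream address fed by most of the direct hops (reconvergence).

```python
"""Peel-chain structuring and reconvergence checks over a transfer list.

Added example, not from the original post. Amounts are the post's reported
outbound transfers in USD; the forwarding edges to the hub are assumed.
"""
from collections import defaultdict

ATTACKER, HUB = "attacker_wallet", "bridge_prep_hub"   # placeholder labels

# (intermediary, USD amount) for every outbound transfer from the attacker wallet
PEEL = (
    [("A", 93_690)] * 7 + [("B", 100_000)] * 5
    + [("C", 319_996), ("D", 255_261), ("E", 191_797), ("F", 191_809),
       ("G", 191_652), ("H", 193_700), ("I", 127_815)]
)

TRANSFERS = [(ATTACKER, hop, amt) for hop, amt in PEEL]
for hop in "ABCDEFGHI":
    received = sum(amt for h, amt in PEEL if h == hop)
    TRANSFERS.append((hop, HUB, received))      # assumed: full forward to the hub


def outbound(transfers, addr):
    return [(to, amt) for frm, to, amt in transfers if frm == addr]


def inbound_total(transfers, addr):
    return sum(amt for _, to, amt in transfers if to == addr)


def find_structuring(transfers, source, tolerance=0.02, min_repeat=3):
    """Clusters of outbound amounts lying within `tolerance` of each other.

    Returns [(smallest amount in cluster, count)] for clusters with at least
    `min_repeat` transfers; repeated near-identical amounts are the signal.
    """
    amounts = sorted(amt for _, amt in outbound(transfers, source))
    clusters, i = [], 0
    while i < len(amounts):
        j = i
        while j < len(amounts) and amounts[j] <= amounts[i] * (1 + tolerance):
            j += 1
        if j - i >= min_repeat:
            clusters.append((amounts[i], j - i))
        i = j
    return clusters


def find_reconvergence(transfers, source, min_fan_in=3, min_forward_ratio=0.9):
    """Addresses that receive most of what several of `source`'s direct hops got.

    Returns {hub: number of hops funnelling into it} for hubs fed by at least
    `min_fan_in` hops, the shape of a layering step that reconverges.
    """
    fan_in = defaultdict(set)
    for hop in {to for to, _ in outbound(transfers, source)}:
        received = inbound_total(transfers, hop)
        forwarded = defaultdict(float)
        for dest, amt in outbound(transfers, hop):
            forwarded[dest] += amt
        for dest, amt in forwarded.items():
            if dest != source and amt >= min_forward_ratio * received:
                fan_in[dest].add(hop)
    return {dest: len(hops) for dest, hops in fan_in.items() if len(hops) >= min_fan_in}


if __name__ == "__main__":
    print("structuring clusters:", find_structuring(TRANSFERS, ATTACKER))
    print("reconvergence hubs:", find_reconvergence(TRANSFERS, ATTACKER))
```

On real data the edge list comes from the chain's transfer history and the tolerance should be tuned per asset; the 2% used here groups the $191K–$193K transfers together, which is what an analyst eyeballing the list would do.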

REPORT

June 10, 2026

Community Investigation
AISOTH Presale Exploit: How an Attacker Turned $0 Into $30,000 in a Single Transaction

Most people imagine a crypto hack involving stolen private keys, phishing campaigns, or sophisticated smart contract vulnerabilities. The AISOTH exploit was none of those.

The attacker needed no special permissions, no compromised keys, and no hidden backdoor. Instead, they used only public functions available to every user and extracted over $30,000 in profit from a single atomic transaction.

Even more surprisingly, five days later the funds remain untouched in the attacker's wallet.

This is the story of how a seemingly harmless presale design turned into a risk-free arbitrage opportunity.

Executive Summary

Chain: BNB Smart Chain
Loss: $30,314.76
Attack Type: Presale instant-claim exploit
Capital Required: $0 (flash loan funded)
Transactions Required: 1
Special Permissions: None
Current Status: Funds remain in the attacker's wallet

Unlike most DeFi exploits, the attacker did not break the protocol. The protocol behaved exactly as designed. That design was the problem.

The Critical Mistake

AISOTH operated a standard presale model. Users would:

Buy tokens during the presale
Wait for the claim period
Claim their tokens later

At least, that was the intended flow.

The vulnerability existed because the protocol never actually enforced the waiting period. The contract checked only one thing: "Has this address purchased tokens?" It never checked: "When were those tokens purchased?"

As a result, anyone could Buy → Claim → Sell, all within the same transaction. That single missing condition created a completely risk-free arbitrage opportunity.

Why the Economics Were Broken

The attack was only possible because of a massive price gap. The discount itself was not the issue; presales commonly offer discounted tokens. The issue was allowing those discounted tokens to become immediately liquid. Once that happened, the market effectively offered free money. All an attacker needed was enough temporary capital, and flash loans solved that problem instantly.

The Entire Attack Happened in One Transaction

The exploit was executed atomically. If any step failed, everything would revert. If it succeeded, the attacker walked away with the profit. This eliminated virtually all risk.

Step 1 — Borrow Funds

The attacker borrowed 5,746.57 USDT from a PancakeSwap liquidity pool using a flash loan. No collateral. No upfront capital.

Step 2 — Buy Presale Tokens

The borrowed USDT was sent to the AISOTH presale contract. The attacker received an allocation of 164,187 AIS at the presale price. At this stage, everything looked like normal user behavior.

Step 3 — Trigger the Vulnerability

Immediately after purchasing, the attacker called the claim function. The contract approved the request. No waiting period. No vesting. No claim window. The attacker instantly received all presale tokens. This was the critical failure point.

Step 4 — Accept the Token Tax

AISOTH included transfer-tax mechanics. Several thousand tokens were burned or distributed through protocol fees. After deductions, the attacker held 159,262 AIS. The reduction was insignificant compared to the arbitrage opportunity.

Step 5 — Dump on PancakeSwap

The attacker sold all received AIS tokens into the existing PancakeSwap market. Result: 36,075.73 USDT received. The presale discount had now been converted directly into cash.

Step 6 — Repay Flash Loan

The flash loan was repaid immediately. Repayment: 5,760.97 USDT (a 14.40 USDT fee, which is the borrowed amount divided by 0.9975: PancakeSwap V2's 0.25% swap fee applied to the flash swap). Remaining profit: 30,314.76 USDT. Total attacker capital invested: $0. Execution time: one block.

The Most Interesting Part

Most exploiters begin laundering funds almost immediately. That has not happened here. As of June 10, 2026:

No exchange deposits
No bridge activity
No mixers
No secondary wallets

The funds remain parked in the original attacker-controlled address. This leaves two possibilities.

Scenario 1 — Strategic Delay: the attacker may be waiting for monitoring activity to cool down before moving funds. This is common among experienced exploiters.

Scenario 2 — White Hat Intent: the attacker may have conducted the exploit to demonstrate the vulnerability and could be preparing a disclosure or negotiation with the protocol team.

At the moment, on-chain evidence supports neither theory conclusively.

What Developers Should Learn

This incident highlights a recurring lesson in DeFi security. The biggest risks are not always code bugs. Sometimes they are economic bugs. The AISOTH contracts functioned exactly as written; the vulnerability emerged because the economic assumptions behind the design were never enforced on-chain.

Three principles stand out:

Presale Discounts Must Have Lockups. If discounted tokens can be sold immediately, the discount becomes an arbitrage mechanism.

Assume Infinite Capital. Flash loans mean attackers effectively have unlimited temporary liquidity. Designs that rely on capital constraints are already broken.

Test Economic Behavior, Not Just Code. Unit tests verify technical correctness. They do not verify economic safety. Protocols need adversarial simulations that ask: "What happens if every public function is used in the most profitable way possible?"

Conclusion

The AISOTH exploit did not require hacking. It required reading the rules. The attacker simply followed the protocol's intended execution path and discovered that the path itself created free money.

One transaction. Zero capital. Zero permissions. Over $30,000 in profit.

The most dangerous vulnerabilities are often the ones that execute exactly as designed.
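The six steps above are the kind of adversarial simulation the last principle asks for. The script below is an added example, not the AISOTH contracts or the attacker's code: the class and function names are hypothetical, the presale price (0.035 USDT/AIS), the 3% transfer tax and the 0.25% flash-swap fee are chosen so the buy, claim and repayment figures match the numbers reported above, and the AIS/USDT pool reserves are constructed, so the simulated profit is illustrative rather than the reported $30,314.76. The same buy → claim → sell → repay sequence is run against a presale with no lockup and against one that enforces a claim window; only the first one completes.

```python
"""Presale instant-claim flaw, modelled in Python (added simulation, not AISOTH code)."""
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for an EVM revert: one failing step undoes the whole transaction."""


@dataclass
class Presale:
    price: float                 # USDT per AIS at presale
    lockup_seconds: int          # 0 reproduces the vulnerable design
    transfer_tax: float          # fraction burned / redistributed on claim
    purchases: dict = field(default_factory=dict)   # addr -> (tokens, bought_at)

    def buy(self, addr: str, usdt: float, now: int) -> float:
        tokens = usdt / self.price
        prev, _ = self.purchases.get(addr, (0.0, now))
        self.purchases[addr] = (prev + tokens, now)
        return tokens

    def claim(self, addr: str, now: int) -> float:
        if addr not in self.purchases:               # the only check the flawed design had
            raise Revert("nothing to claim")
        tokens, bought_at = self.purchases.pop(addr)
        if now < bought_at + self.lockup_seconds:    # the missing check: when was it bought?
            raise Revert("claim window not open")
        return tokens * (1 - self.transfer_tax)


@dataclass
class ConstantProductPool:
    reserve_ais: float
    reserve_usdt: float
    fee: float = 0.0025          # 0.25% per swap, PancakeSwap V2 style (assumption)

    def sell_ais(self, amount: float) -> float:
        amount_in = amount * (1 - self.fee)
        usdt_out = self.reserve_usdt * amount_in / (self.reserve_ais + amount_in)
        self.reserve_ais += amount
        self.reserve_usdt -= usdt_out
        return usdt_out


def flash_loan_attack(presale, pool, borrow_usdt, now, flash_fee=0.0025):
    """buy -> claim -> sell -> repay in one atomic call; returns net USDT profit."""
    attacker = "attacker"
    presale.buy(attacker, borrow_usdt, now)
    claimed = presale.claim(attacker, now)        # reverts when a lockup is enforced
    proceeds = pool.sell_ais(claimed)
    owed = borrow_usdt / (1 - flash_fee)          # flash-swap repayment incl. 0.25% fee
    if proceeds < owed:
        raise Revert("cannot repay flash loan")
    return proceeds - owed


def simulate(lockup_seconds: int):
    """Run the attack against a fresh presale and pool; None means the tx reverted."""
    presale = Presale(price=0.035, lockup_seconds=lockup_seconds, transfer_tax=0.03)
    pool = ConstantProductPool(reserve_ais=1_000_000, reserve_usdt=300_000)  # constructed
    try:
        return flash_loan_attack(presale, pool, borrow_usdt=5_746.57, now=1_000)
    except Revert:
        return None


if __name__ == "__main__":
    print("no lockup, profit:", simulate(0))
    print("7-day lockup, profit:", simulate(7 * 86_400))
```

The lockup is the cheapest fix, but it only closes the same-transaction path; a presale whose tokens trade on a public pool before the claim window opens is still an arbitrage against whoever provides that liquidity, so the economic test should also be run with the window already open.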

dooooo

May 26, 2026

Community Investigation
🕵️ FAKE UNISWAP / ANGELFERNO DRAINER CAMPAIGN — FORENSIC TRACE

🕵️ FAKE UNISWAP / ANGELFERNO DRAINER CAMPAIGN — FORENSIC TRACE REPORT

Date of Analysis: May 26, 2026 | Case Ref: CASE-20260526-AFDR

SUMMARY

A live, actively draining phishing campaign is targeting Uniswap users via sponsored Google Ads. The operation deploys the AngelFerno drainer-as-a-service kit, a scam-as-a-service platform previously linked to front-end attacks against OpenEden and Curvance. Two primary collector wallets have aggregated $400,000+ in stolen assets, with the broader campaign responsible for $1.27M+ since March 2026 according to Security Alliance (SEAL).

Attack vector: victims search "Uniswap" on Google → click the sponsored ad → land on a pixel-perfect phishing clone → connect wallet → sign a malicious approval transaction → their tokens are swept instantly by the drainer contract. Note that an ERC-20 approve() does not cover native ETH; drainer kits take ETH with a separate transaction the victim is tricked into signing.

Critical finding: both drainer wallets remain active as of May 25–26, 2026, with the largest movements occurring within the past 48 hours.

ON-CHAIN TRACE

🔴 Drainer Wallet #1: 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb

Primary ETH aggregator, the more active of the two. Activity window: May 12 – May 25, 2026 (34 traced transactions, 109 total analyzed).

| Date | TX Hash | From → To | Amount | Notes |
|---|---|---|---|---|
| May 12 | 0x5b2be8...d232 | Victim 0x18c5...eb7e → Drainer #1 | 0.759 ETH | Drain event |
| May 12 | 0xaec8e69ebd54c5673a983d389f619b85c5a7ddc8ff1f552dbaf797bcdafe85d9 | Drainer #1 → 0xe245...1b3a | 3.845 ETH | Layering hop |
| May 12 | 0x8e178cc8339c6edbd5c384fa7ab15a877904da98c258ac67e19d6a11b42e6ebf | Drainer #1 → Relay.link | 1.201 ETH | Cross-chain bridge (Base → ETH) |
| May 12 | 0x158da6...f81b | Stargate Finance → chain | 5,098 USDT | Stablecoin bridge-out |
| May 12 | 0xaa4607...f68c | Drainer #1 → 0x Protocol | 5,098 USDT | Token swap / laundering |
| May 16 | 0x02faa0...0340 | Feeder 0xc237...35a6 → Drainer #1 | 1.286 ETH | ETH consolidation |
| May 24 | 0x7caf0c...c7bc | Drainer #1 → 0x Protocol | 18,082 USDC | Swap out USDC |
| May 24 | 0x05e274...46d1 | Drainer #1 → 0x02e5...b2a9 | 12.9B Mog | Meme token dump |
| May 25 | 0x589e10...4588 | Drainer #1 → 0x02e5...b2a9 | 4.65 PAXG | Gold-backed token drained from victim |
| May 25 | 0xcb5811...d633 | Relay.link Relayer → Drainer #1 | 4.680 ETH | Inbound bridge receipt |
| May 25 | 0xad3ee71e425192734ade50a40ca26d2140f66cf33cf9d06ad29167a5ccec79cc | Relay.link Relayer → Drainer #1 | 3.127 ETH | Inbound bridge receipt |
| May 25 | 0x9ca97bea5de3f2677a06e45ac61b9ceeceefc81e738ae99345769eb60076715e | Relay.link Relayer → Drainer #1 | 1.830 ETH | Inbound bridge receipt |
| May 25 | 0x96d703...7b0e | Drainer #1 → Relay.link | 0.001 ETH | Test / probe tx |
| May 25 | 0x76bb7ae7360056f16774c58201fc844a4aa75dd1d15dfc28fd96c17e7a00365f | Drainer #1 (Base) → Relay.link | 3.135 ETH | Cross-chain bridge Base → Ethereum, confirmed |
| May 25 | 0x428c0f...c017 | Feeder 0xca7d...4589 → Drainer #1 | 0.892 ETH | Fund consolidation |

Cross-chain bridge confirmed (Relay protocol): TX 0x76bb7ae7360056f16774c58201fc844a4aa75dd1d15dfc28fd96c17e7a00365f (Base) bridges 3.135 ETH to the Ethereum main drainer; destination TX 0xad3ee71e425192734ade50a40ca26d2140f66cf33cf9d06ad29167a5ccec79cc.

NEAR Intents bridge detected: two NEAR Intents inbound deliveries totaling 2.260 ETH (0x39a85b...ef79 + 0xec85c5...2c8b), suggesting funds were laundered through the NEAR protocol ecosystem before being returned to Ethereum.

🔴 Drainer Wallet #2: 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2

High-volume batch collector: 51 inbound transactions in 72 hours. Activity window: May 23 – May 25, 2026 (51 traced transactions; most recent activity May 25, 2026).

This wallet's transaction profile is highly abnormal: the vast majority of inbound txs originate from 0xca11bde05977b3631167028862be2a173976ca11, the canonical Multicall3 contract deployed at the same address across all EVM chains. This is a hallmark of the AngelFerno drainer kit, which batches victim asset sweeps through Multicall3 to maximize throughput per block and reduce per-victim gas costs. Multicall3 itself is a public, permissionless utility used by many legitimate front-ends, so the pattern is a corroborating signal alongside the SEAL/Protos reporting rather than an attribution on its own.

| Date | TX Hash | Amount | Notes |
|---|---|---|---|
| May 24 | 0x3667fa7015f66af98c0b2fe6deefda170665ed54cec10d8424866d970c4869a3 | 17.58 ETH | Largest single Multicall3 sweep |
| May 24 | 0xb08a80b1b9ac26cf55a23e1479601a2cfe568a01e563f9d4e97f8f50a8617bb1 | 11.43 ETH | Multicall3 batch drain |
| May 24 | 0x348886dcf90959a019a1a62a105f52701f533bcf4292b67b0ea3beec8625ed2f | 11.40 ETH | Multicall3 batch drain |
| May 23 | 0x6727ce4b417c3ade48c7a73ec1de7e99a367ffb403f7c630c6fd9331e68bda57 | 617B KISHU tokens | Meme token sweep |
| May 25 | 0xa14c313b684c3eddaec8e1cdc6332a6d8eb2e4f998c9376661c9611a52187039 | 170K ORX tokens | Token sweep |

The 30+ additional inbound transactions from 0xca11 across May 24–25 represent a rolling wave of victim drains occurring in near real time.

🟡 Key Intermediary / Hop Addresses

| Address | Role | Evidence |
|---|---|---|
| 0xe245f57734ef7f2a868cc549ca1003e658781b3a | Layering hop wallet | Received 3.845 ETH from Drainer #1 (TX 0xaec8e69ebd54c5673a983d389f619b85c5a7ddc8ff1f552dbaf797bcdafe85d9); also receives gas from Multicall3 |
| 0x02e5be68d46dac0b524905bff209cf47ee6db2a9 | Token dump aggregator | Receives PAXG, Mog, XEN, PERP, NMT, SPCX, sato; likely sells via OTC or DEX |
| 0xca7ded7e4f4ba8ab3b10009236ae6d1b95094589 | Feeder wallet A | Consolidates ETH to Drainer #1: 0.892 ETH + 0.290 ETH |
| 0xada5bb90d0de0bd1b6f3938708f49295a8d1f7cb | Feeder wallet B | Minor ETH top-up to Drainer #1 (0.035 ETH) |
| 0x4cd00e387622c35bddb9b4c962c136462338bc31 | Relay.link bridge | Confirmed cross-chain movement Base ↔ Ethereum |
| 0x2cff890f0378a11913b6129b2e97417a2c302680 | NEAR Intents bridge | Routed 2.26 ETH through the NEAR protocol ecosystem |

CURRENT STATUS OF FUNDS (as of May 26, 2026)

Drainer #1 (0x37925684BA178821b4436E06e67f5dBD6cfA49Bb), total current portfolio ~$169,268:

| Chain | Asset | Balance | Est. USD |
|---|---|---|---|
| Ethereum | ETH (native) | ~62 ETH equivalent | $162,138 |
| Base | USDC | 6,577.83 USDC | ~$6,578 |
| Base | aBasWETH (Aave) | 0.2599 WETH | ~$544 |
| Base | AERO | 0.0795 | ~$0.08 |
| Ethereum | KISHU Inu | 108.9B | trace |
| Ethereum | ORX | 30,016 | — |
| Polygon | MATIC | ~$4.40 | dust |
| BNB Chain | BNB | ~$3.91 | dust |

⚠️ ACTIVE: ~$6,578 USDC is still parked on Base plus ~$162K of ETH value on Ethereum. No CEX deposit has been detected for these funds; the attacker is holding or continuing to launder.

Drainer #2 (0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2), total current portfolio ~$228 (Polygon MATIC) plus tokens:

| Chain | Asset | Balance | Notes |
|---|---|---|---|
| Polygon | MATIC | ~$227.93 | |
| Ethereum | KISHU Inu | 617B | Meme token, low liquidity |
| Ethereum | ORX | 170,092 | Illiquid |
| Avalanche | AVAX | $0.00 | Swept / emptied |
| Arbitrum | ETH | $0.00 | Swept / emptied |

Finding: Drainer #2 has been nearly fully swept outbound; its ETH was consolidated and moved. The Multicall3 batch operations flooding this address are the actual drain engine; the real ETH value has been passed through and laundered onward. The residual KISHU/ORX tokens are likely to be OTC-sold or simply abandoned.

ANALYSIS & RECOMMENDATIONS

Laundering Architecture — Confirmed Techniques

The AngelFerno campaign employs a four-layer laundering stack:

Layer 1 — Victim Drain (via malicious approval): victims sign an approve() transaction on the phishing site, granting the drainer contract an unlimited allowance. AngelFerno uses the Multicall3 contract (0xca11bde05977b3631167028862be2a173976ca11) to batch-sweep victim assets in a single block: ERC-20 stablecoins, LP tokens and NFTs via the approvals, and native ETH via a separately signed transaction.

Layer 2 — Token Conversion (via DEX aggregators): stolen tokens (USDC, USDT, PAXG, meme tokens) are routed through 0x Protocol (0x0000000000001ff3684f28c67538d4d072c22734) and the Uniswap V2 Router to convert into ETH or USDC, a standard "dirty → clean native" laundering step.

Layer 3 — Cross-Chain Layering (Relay + NEAR Intents): proceeds are bridged across chains to break the on-chain trace:
Relay.link bridge confirmed (Base ↔ Ethereum): TX 0x76bb7ae7360056f16774c58201fc844a4aa75dd1d15dfc28fd96c17e7a00365f
NEAR Intents bridge: 2.26 ETH routed through the NEAR ecosystem and returned to Ethereum
Stargate Finance USDT bridge: 5,098 USDT bridged outbound (May 12)

Layer 4 — Consolidation & Off-ramp (pending): no confirmed CEX deposit detected yet. The current holding pattern (~$169K on Drainer #1) suggests the operator is either waiting for Google to remove the ads and then bulk cashing out, or has a private OTC arrangement. The token dump address 0x02e5be68d46dac0b524905bff209cf47ee6db2a9 receives the illiquid tokens and is the likely OTC/DEX liquidation point.

Phishing Infrastructure Patterns (OSINT-confirmed)

| Technique | Details |
|---|---|
| Punycode / Cyrillic domains | URLs using Cyrillic homoglyph substitution (e.g., uniswаp.org with a Cyrillic 'а'), visually indistinguishable from the real domain |
| Hidden iframes | Malicious approval payload embedded in hidden iframes to evade Google's ad review crawlers |
| Compromised advertiser accounts | Operators buy or steal aged Google Ads accounts with established reputation to pass automated review |
| Cloaking | Serves different content to Google's review bots and to real users (real users get the drainer, bots get a benign Uniswap clone) |
| GraphQL proxy | Proxies Uniswap's own GraphQL endpoint to display the victim's real wallet balance inside the phishing UI; reinforces legitimacy and enables targeted draining of the highest-value positions |
| Scam-as-a-Service | AngelFerno is a commercial kit; operators pay a percentage of stolen funds to the AngelFerno developers |

Risk Score

| Metric | Score |
|---|---|
| Overall Risk Score | 🔴 98/100 — CRITICAL |
| Money Laundering Probability | 97% |
| Cross-chain obfuscation | ✅ Confirmed (Relay + NEAR Intents + Stargate) |
| DEX laundering | ✅ Confirmed (0x Protocol, Uniswap V2) |
| Mixer usage | ❌ Not detected (yet) |
| CEX deposit (KYC exposure) | ⚠️ Not yet confirmed; funds still held |
| Active campaign status | 🔴 LIVE; last drain May 25, 2026 (≤24h ago) |
| Attribution to AngelFerno family | ✅ High confidence (Multicall3 batch pattern, SEAL/Protos confirmation) |

Recommended Actions

Immediate (0–24 hours):

1. Relay.link cooperation request: the Relay bridge confirmed fund movement between Base and Ethereum. Contact the Relay.link security team with TX 0x76bb7ae...365f and 0xad3ee71...79cc to identify any linked KYC data or IP logs.
2. NEAR Intents / NEAR Foundation cooperation: two NEAR Intents bridge deliveries totaling 2.26 ETH. The NEAR-side source address may be traceable and may be linked to a NEAR-registered entity.
3. Google Ads abuse report escalation: file formal abuse reports with Google's Trust & Safety team citing both drainer wallet addresses, the Multicall3 drain pattern, and SEAL's documented campaign tracking. Uniswap Labs and ZachXBT have already applied public pressure; a formal legal hold request from law enforcement would be more effective.
4. Victim alert distribution: broadcast both drainer addresses (0x37925684BA178821b4436E06e67f5dBD6cfA49Bb and 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2) and the hop wallet (0xe245f57734ef7f2a868cc549ca1003e658781b3a) to all major CEXs for pre-emptive freeze requests. If the operator attempts to cash out via Binance, Coinbase, Kraken, OKX, or Bybit, these flags will trigger compliance review.
5. Revoke emergency advisory: victims who interacted with any Uniswap-lookalike site in the past 30 days should immediately check and revoke all token approvals via revoke.cash or [filtered].io/tokenapprovalchecker. Revoking an allowance stops future sweeps but does not recover what was already taken.

Follow-up (24–72 hours):

1. Trace 0x02e5be68d46dac0b524905bff209cf47ee6db2a9: this token dump aggregator receives the illiquid stolen tokens (PAXG, Mog, XEN, PERP, NMT, SPCX). It may interact with a known OTC desk or NFT marketplace that has KYC.
2. Trace 0xe245f57734ef7f2a868cc549ca1003e658781b3a: the 3.845 ETH hop from Drainer #1 is parked here with minimal outbound activity. This wallet may be staged for a future CEX deposit. Monitor urgently.
3. SEAL coordination: Security Alliance is actively tracking this campaign (356+ malicious ads blocked). Share this trace with SEAL radar at radar.securityalliance.org.
4. Base chain follow-up: Drainer #1 holds 6,577 USDC and 0.26 WETH deposited into Aave (aBasWETH) on Base. This Aave position may be unwound in the coming days; monitor the Base chain activity of 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb closely.

Fund Recovery Feasibility: MODERATE-LOW. The ~$169K currently held by Drainer #1 has not yet been deposited to a regulated CEX, so this is the window for a freeze request. If the operator off-ramps via OTC or DEX instead, recovery becomes effectively impossible. Time is critical.

🕵️ FAKE UNISWAP / ANGELFERNO DRAINER CAMPAIGN — FORENSIC TRACE
0 likes · 21 views
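The Layer 1 drain above leaves a specific on-chain trace: an ERC-20 Approval event from the victim to the drainer, usually for the maximum uint256, followed by transferFrom sweeps. The detector below is an added example, not code from the post or from the AngelFerno analysis: it replays Approval logs in chain order and reports allowances that are still open toward spenders outside a trusted list, which is exactly what the "revoke" advisory asks victims to check. The topic hash is the standard ERC-20 one; the log shape follows eth_getLogs; the token, router, drainer and victim addresses and the 2^128 "effectively unlimited" floor are constructed assumptions for the demo.

```python
# Added example (not from the page or the AngelFerno analysis): find open
# ERC-20 allowances granted to untrusted spenders from Approval logs.
# Sample logs and all addresses below are constructed placeholders.

# keccak256("Approval(address,address,uint256)") -- standard ERC-20 topic0
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
# Assumption: any allowance at or above this is treated as "effectively unlimited"
UNLIMITED_FLOOR = 2**128

def pad_address(addr):
    """20-byte address -> 32-byte indexed-topic word."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def word_to_address(word):
    return "0x" + word[-40:].lower()

def make_approval_log(token, owner, spender, value, block, log_index):
    """Build a constructed log entry in the shape eth_getLogs returns."""
    return {
        "address": token.lower(),
        "topics": [APPROVAL_TOPIC, pad_address(owner), pad_address(spender)],
        "data": "0x" + format(value, "064x"),
        "blockNumber": block,
        "logIndex": log_index,
    }

def parse_approval(log):
    """Decode an Approval log; return None for any other event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": word_to_address(topics[1]),
        "spender": word_to_address(topics[2]),
        "value": int(log["data"], 16),
        "block": log["blockNumber"],
        "log_index": log["logIndex"],
    }

def outstanding_approvals(logs, trusted_spenders):
    """Replay Approval logs in (block, logIndex) order and return allowances
    that are still open (latest value > 0) toward spenders outside the trusted
    set. A later Approval(..., 0) for the same (token, owner, spender) is a
    revocation and clears the entry. Unlimited grants sort first."""
    trusted = {s.lower() for s in trusted_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        ev = parse_approval(log)
        if ev is None:
            continue
        latest[(ev["token"], ev["owner"], ev["spender"])] = ev
    findings = []
    for (token, owner, spender), ev in latest.items():
        if ev["value"] == 0 or spender in trusted:
            continue
        findings.append({
            "token": token, "owner": owner, "spender": spender,
            "value": ev["value"],
            "unlimited": ev["value"] >= UNLIMITED_FLOOR,
            "block": ev["block"],
        })
    return sorted(findings, key=lambda f: (not f["unlimited"], f["block"]))

# Constructed addresses (placeholders, not real contracts or victims)
USDC = "0x" + "c0" * 20
ROUTER = "0x" + "11" * 20     # a legitimate, allowlisted spender
DRAINER = "0x" + "de" * 20    # the phishing site's spender contract
VICTIM_1 = "0x" + "a1" * 20
VICTIM_2 = "0x" + "a2" * 20

SAMPLE_LOGS = [
    make_approval_log(USDC, VICTIM_1, DRAINER, UINT256_MAX, 100, 0),    # phishing approve()
    make_approval_log(USDC, VICTIM_1, ROUTER, 1_000 * 10**6, 101, 3),   # normal DEX approval
    make_approval_log(USDC, VICTIM_2, DRAINER, 5_000 * 10**6, 102, 1),  # capped, still untrusted
    make_approval_log(USDC, VICTIM_1, DRAINER, 0, 103, 0),              # victim 1 revokes
]

if __name__ == "__main__":
    for f in outstanding_approvals(SAMPLE_LOGS, [ROUTER]):
        kind = "UNLIMITED" if f["unlimited"] else str(f["value"])
        print(f"{f['owner']} -> {f['spender']} on {f['token']}: {kind} (block {f['block']})")
```

Run against real eth_getLogs output filtered on APPROVAL_TOPIC for a victim address in topics[1]; the revocation case matters because a victim who has already used revoke.cash should drop out of the list rather than stay flagged.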

May 26, 2026

General Discussion
🚨 86 Safe wallets were drained in 2 hours through a module-level execution flaw.

A SquidRouterModule exploit reportedly hit Safe accounts across Ethereum and Base, draining roughly $3.2 million before funds were consolidated into DAI.

WHAT HAPPENED:
Attackers abused missing identity validation in SquidRouterModule and used a Foundry-based exploit contract to call the DelegateBundler route.
The result:
• 86 Safe accounts affected
• USDC, ENA, and USDT drained
• Assets swapped through attacker-seeded Uniswap V3 pools
• Around 3.07 million DAI consolidated after laundering steps

LAUNDERING FLOW:
The attack path shows clear pre-planning:
→ Tornado Cash-funded attacker EOA
→ Exploit execution across Safe wallets
→ Liquidity manipulation through worthless "u" token pools
→ DAI conversion
→ Relay.link and NEAR Intents Bridge movement attempts

Key addresses to monitor:
• Attacker EOA: 0x9bdc730183821b6bb2b51be30b77c964fa645b91
• DAI hub: 0xa447f71782135ab96a71374271a749ff7aa54859
• Unknown 90 ETH wallet: 0xe12e0f117d23a5ccc57f8935cd8c4e80cd91ff01

CHAINBOUNTY ANALYSIS:
This was not a simple wallet drain. It targeted Safe execution infrastructure and abused delegated transaction pathways at scale.
The Tornado Cash funding, attacker-seeded liquidity pools, and rapid DAI consolidation suggest a prepared operation rather than opportunistic theft.
The current priority is a freeze-versus-bridge race. If the 3.07 million DAI hub has not exited to centralized venues, blacklist coordination may still reduce recovery loss.

PROTECT YOURSELF:
• Revoke SquidRouterModule permissions on Safe wallets immediately
• Review delegated module routes connected to treasury execution
• Monitor DAI consolidation wallets before funds move through bridges or swap aggregators

0 likes · 13 views
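"Revoke module permissions" on a Safe means calling disableModule, and that call has a gotcha worth a worked example: Safe's ModuleManager keeps enabled modules in a singly linked list headed by SENTINEL_MODULES (address 0x1), and disableModule(prevModule, module) reverts unless prevModule currently points at module. If two modules you want to remove sit next to each other, the prevModule you computed from the original list is stale after the first removal. The planner below is an added example, not the post's or Safe's own code; it models that list from the public Safe contracts (getModulesPaginated(SENTINEL, n) returns modules in list order, newest enabled first) and uses constructed module addresses. It does not name any real module.

```python
# Added example (not the page's or Safe's code): plan disableModule calls
# against a model of Safe's ModuleManager linked list. Module addresses
# are constructed placeholders.
SENTINEL = "0x0000000000000000000000000000000000000001"   # SENTINEL_MODULES in Safe
ZERO = "0x" + "00" * 20

def naive_plan(modules, untrusted):
    """(prevModule, module) pairs computed once against the initial list.
    Wrong when two targets are adjacent: the first removal changes the
    second target's predecessor."""
    bad = {m.lower() for m in untrusted}
    return [(SENTINEL if i == 0 else modules[i - 1], m)
            for i, m in enumerate(modules) if m.lower() in bad]

def disable_plan(modules, untrusted):
    """Pairs computed against the list as it will look after each earlier
    removal, so every prevModule is valid at execution time.
    `modules` is the list as returned by getModulesPaginated(SENTINEL, n)."""
    bad = {m.lower() for m in untrusted}
    remaining = list(modules)
    plan = []
    for target in [m for m in modules if m.lower() in bad]:
        idx = remaining.index(target)
        prev = SENTINEL if idx == 0 else remaining[idx - 1]
        plan.append((prev, target))
        remaining.pop(idx)
    return plan

def simulate_disable(modules, plan):
    """Apply disableModule semantics to a copy of the list and return the
    modules left enabled. Raises ValueError where the contract would revert
    (invalid module address, or prevModule not linked to module)."""
    linked = [SENTINEL] + list(modules)
    for prev, module in plan:
        if module in (SENTINEL, ZERO):
            raise ValueError("invalid module address")
        i = linked.index(prev) if prev in linked else -1
        if i < 0 or i + 1 >= len(linked) or linked[i + 1] != module:
            raise ValueError(f"prevModule {prev} does not link to {module}")
        linked.pop(i + 1)
    return linked[1:]

def plan_is_valid(modules, plan):
    try:
        simulate_disable(modules, plan)
        return True
    except ValueError:
        return False

# Constructed module list in getModulesPaginated order (newest enabled first)
MODULES = ["0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20]
UNTRUSTED = [MODULES[0], MODULES[1]]   # two adjacent modules to remove

if __name__ == "__main__":
    print("naive plan valid:", plan_is_valid(MODULES, naive_plan(MODULES, UNTRUSTED)))
    plan = disable_plan(MODULES, UNTRUSTED)
    print("safe plan:", plan)
    print("modules left:", simulate_disable(MODULES, plan))
```

In practice, fetch the list with getModulesPaginated right before building the plan, and if the removals are bundled in one multisend, order them exactly as disable_plan emits them; re-read the list after execution to confirm only the expected modules remain.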

May 19, 2026

Community Investigation
Verus Bridge Exploit: How a $10 Transaction Drained $11.4 Million

On May 18, 2026, the Verus-Ethereum Bridge lost approximately $11.4 million in a single exploit transaction. The attacker paid roughly $10 in fees. The bridge released everything.

What makes this incident especially alarming is that the system behaved exactly as designed.

This exploit exposed a deeper structural weakness still present across many cross-chain bridges in DeFi.

What Happened?
The Verus-Ethereum Bridge enables asset transfers between the Verus blockchain and Ethereum.
The protocol relied on a notary system where at least 8 out of 15 notaries had to cryptographically sign a state root before it was accepted as valid.
The bridge successfully verified those signatures.
But it failed to verify whether the underlying assets on the Verus side actually existed.
According to Blockaid, the root cause was:
"Missing source-amount validation in the checkCCEValues process."
In simple terms, the attacker was able to create a cross-chain transfer request with an empty source-side payload. No real assets were locked on the Verus chain.
The notaries signed the state root because the cryptographic structure itself appeared valid. The bridge then accepted that state and released real funds from its Ethereum reserves.
The result: approximately $11.4 million drained from the bridge.

This Isn't a New Type of Attack
The attack category is painfully familiar.
Major bridge exploits caused by source-destination validation failures include:
• Wormhole — $325M lost
• Nomad — $190M lost
Four years later, the same fundamental validation issue is still being exploited.

Pre-Attack Activity
Roughly 14 hours before the exploit, the attacker's execution wallet received 1 ETH from Tornado Cash.
Tornado Cash Funding Address: 0x47ce0c6ed5b0ce3d3a51fdb1c52dc66a7c3c2936
Attacker Execution Wallet: 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777
This type of pre-funding pattern closely resembles operational behavior previously associated with organized threat actors, including Lazarus Group-linked activity seen before the Drift Protocol and KelpDAO exploits in April 2026.
Attribution in the Verus incident remains unconfirmed.

The Exploit Transaction
Exploit Transaction Hash: 0x6990f01720f57fc515d0e976a0c4f8157e0a9529194c4c15d190e98d087eb321
Target Bridge Contract: 0x71518580f36feceffe0721f06ba4703218cd7f63
The stolen assets were moved into the following holding wallet:
Holding Wallet: 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9

Assets Drained
Immediately after the exploit, the attacker swapped the stolen tBTC into ETH using a swap contract.
tBTC Swap Contract: 0x00000011f84b9aa48e5f8aa8b9897600006289be
After consolidation, the attacker controlled approximately:
5,402 ETH (~$11.4M)

Where Did the Money Go?
The stolen funds split into two major routes.

Route A — USDC Flow Into Binance
The USDC funds were routed through a DEX address before reaching a Binance deposit wallet.
Holding Wallet
↓
DEX Routing Address 0xbee3211ab312a8d065c4fef0247448e17a8da000
↓
⚠ Binance Deposit Address 0xb300000b72deaeb607a12d5f54773d1c19c7028d
Additional WETH and USDT inflows were also detected at the Binance deposit address.
This is currently the strongest actionable lead in the investigation.
If Binance compliance responds quickly, investigators may still have an opportunity to:
• Freeze assets
• Identify linked KYC accounts
• Trace additional laundering activity

Route B — ETH Laundering Path
The ETH moved through an intermediate address before disappearing further downstream.
Holding Wallet
↓
Intermediate Address 0x83928b7f2a85bdde9854f27a1e78aac29316f23b
↓
Current Balance: 0 ETH
Final Destination: UNKNOWN
The ETH has already left the intermediate address.
Investigators are now monitoring for:
• Mixer usage
• Additional bridge hops
• Exchange deposits
• OTC cash-out activity

Priority Actions
1. Emergency Binance Freeze Request
Critical address: 0xb300000b72deaeb607a12d5f54773d1c19c7028d
Because the wallet received direct exploit proceeds, there is sufficient basis for an emergency freeze request and KYC disclosure inquiry.
Every hour matters.
2. Continue ETH Route Tracking
Tracking target: 0x83928b7f2a85bdde9854f27a1e78aac29316f23b
All outbound transactions from this address should be mapped and flagged across major exchanges before the attacker reaches a successful cash-out point.

The Bigger Problem With Bridge Security
According to PeckShield, at least eight major bridge exploits occurred between February and mid-May 2026, resulting in combined losses exceeding $328.6 million.
The Verus exploit is simply the latest example.
The economics are staggering:
• Attack cost: ~$10
• Profit: ~$11.4M
• Estimated ROI: ~1,140,000x
What makes this even more frustrating is that the fix appears relatively straightforward.
According to Blockaid, the bridge needed an additional validation step to confirm source-side asset amounts before releasing destination-side funds.
That validation did not exist.
And it is the same class of failure that contributed to the Wormhole and Nomad exploits years earlier.

Final Thoughts
The Verus Bridge exploit was not just a smart contract bug.
It exposed a broader issue still affecting cross-chain infrastructure today:
Many bridges verify cryptographic validity without verifying actual economic reality.
A valid signature does not necessarily mean valid collateral exists.
Until cross-chain security standards enforce both layers of verification, bridges will likely remain one of the most heavily exploited sectors in DeFi.

1 like · 42 views
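The "valid signature does not mean valid collateral" point above is easy to show in code. The toy bridge below is an added example, not Verus code: release_signature_only accepts any export whose state root carries at least 8 of 15 notary signatures, which is the behaviour the post describes, while release_validated additionally requires the source-side payload to lock at least what the destination side claims and rejects an empty source payload. Notary keys, the export format, the reserve balances and the HMAC standing in for real notary signatures are all constructed for illustration; the 5,402 ETH figure in the forged export is the post's own consolidated amount, used here only as sample input.

```python
# Added example (not Verus code): a toy bridge release check showing why
# a notary quorum on the state root is not enough without source-amount
# validation. Keys, exports and reserves below are constructed.
import hashlib, hmac, json

THRESHOLD, NOTARY_COUNT = 8, 15
NOTARY_KEYS = {f"notary-{i}": hashlib.sha256(f"toy-notary-key-{i}".encode()).digest()
               for i in range(NOTARY_COUNT)}

def state_root(export):
    """Canonical hash of the whole export; this is what notaries sign."""
    return hashlib.sha256(json.dumps(export, sort_keys=True).encode()).digest()

def notary_sign(name, root):
    """HMAC stands in for a real signature scheme in this toy model."""
    return hmac.new(NOTARY_KEYS[name], root, hashlib.sha256).hexdigest()

def count_valid_signatures(export, signatures):
    root = state_root(export)
    return sum(1 for name, sig in signatures.items()
               if name in NOTARY_KEYS and hmac.compare_digest(sig, notary_sign(name, root)))

def _pay_out(claims, reserves):
    """Release destination claims from the bridge's reserves (mutates reserves)."""
    paid = {}
    for c in claims:
        if reserves.get(c["asset"], 0) < c["amount"]:
            raise RuntimeError(f"reserve exhausted for {c['asset']}")
        reserves[c["asset"]] -= c["amount"]
        paid[c["recipient"]] = paid.get(c["recipient"], 0) + c["amount"]
    return paid

def release_signature_only(export, signatures, reserves):
    """Vulnerable path: a quorum on the root is the only check."""
    if count_valid_signatures(export, signatures) < THRESHOLD:
        return False, {}
    return True, _pay_out(export["destination_claims"], reserves)

def release_validated(export, signatures, reserves):
    """Hardened path: quorum AND the source side must cover every claim."""
    if count_valid_signatures(export, signatures) < THRESHOLD:
        return False, {}
    locked, claimed = {}, {}
    for t in export["source_transfers"]:
        locked[t["asset"]] = locked.get(t["asset"], 0) + t["amount"]
    for c in export["destination_claims"]:
        claimed[c["asset"]] = claimed.get(c["asset"], 0) + c["amount"]
    # Reject an empty source payload and any asset claimed beyond what was locked
    if not claimed or any(locked.get(a, 0) < amt for a, amt in claimed.items()):
        return False, {}
    return True, _pay_out(export["destination_claims"], reserves)

def forged_export():
    """Structurally valid export with an empty source side: nothing was locked."""
    return {"source_transfers": [],
            "destination_claims": [{"asset": "ETH", "amount": 5402, "recipient": "attacker"}]}

def honest_export():
    return {"source_transfers": [{"asset": "ETH", "amount": 10}],
            "destination_claims": [{"asset": "ETH", "amount": 10, "recipient": "alice"}]}

def sign_with_quorum(export, n=THRESHOLD):
    """Constructed notary set signing the root; in the toy model notaries
    sign anything whose structure hashes cleanly, as the post describes."""
    root = state_root(export)
    return {name: notary_sign(name, root) for name in list(NOTARY_KEYS)[:n]}

if __name__ == "__main__":
    reserves = {"ETH": 6000}
    print("signature-only:", release_signature_only(forged_export(), sign_with_quorum(forged_export()), reserves), reserves)
    reserves = {"ETH": 6000}
    print("validated:     ", release_validated(forged_export(), sign_with_quorum(forged_export()), reserves), reserves)
```

The check that matters is the one on locked versus claimed amounts: it runs after the quorum check, on data the notaries already attested to, so it costs nothing cryptographically and turns the empty-payload case into a hard reject instead of a payout.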
jxsh3907

May 12, 2026

Blockchain Insights
All I see are scam report posts

It's no fun being active here.

1 like · 22 views
terminud

May 05, 2026

Blockchain Insights
airdrop

test

1 like · 14 views
Rich313

April 28, 2026

General Discussion
Multi-Chain Scope: Solana and Ethereum

Blockchain Forensics Investigation Report
Drift Protocol, Solana's leading decentralized perpetual futures exchange by TVL, suffered a critical exploit on April 1, 2026, with losses estimated at $285 million. The scale of the breach positions it as the most significant DeFi exploit of 2026 and among the largest historically.

1 like · 25 views
dooooo

April 03, 2026

Community Investigation
Drift Protocol Exploit - Forensic Investigation Report

Drift Protocol Exploit - Forensic Investigation Report
Generated: 2026-04-02 15:07
Date of Incident: April 1, 2026
Report Generated: April 2, 2026
Document Type: Blockchain Forensic Investigation Report
Chains Involved: Solana, Ethereum (Cross-Chain)
Total Estimated Loss: ~$285,000,000 USD
Attribution: DPRK-linked Threat Actor (Lazarus Group) - High Confidence (Elliptic)
Classification: Confidential - Law Enforcement / Compliance Use

1. Executive Summary
Drift Protocol, the largest decentralized perpetual futures exchange on Solana by total value locked, suffered a catastrophic exploit on April 1, 2026, resulting in approximately $285 million USD in stolen assets. This makes it the largest DeFi exploit of 2026 and one of the largest in DeFi history.
The attacker combined three sophisticated vectors: (1) compromise of the Drift Security Council multi-sig administrator key via a durable nonces attack, (2) minting and oracle manipulation of a fictitious "CarbonVote Token" (CVT) used as fraudulent collateral, and (3) systematic draining of all Drift vaults across multiple asset classes.
Following the exploit, stolen assets were rapidly liquidated via the Jupiter DEX aggregator on Solana, bridged cross-chain to Ethereum via Wormhole, deBridge, and Circle's CCTP, and converted to ETH via multiple DEX aggregators (KyberSwap, 0x Protocol, CowSwap, OpenOcean). As of the time of reporting, approximately 19,913+ ETH (~$42.6M+) is held across unlabeled Ethereum wallets with additional USDC awaiting conversion.
Security firm Elliptic has attributed this exploit to DPRK-linked threat actors (Lazarus Group), citing near-identical methodology to the Bybit $1.5B hack of February 2025.
Key findings:
• The attacker wallet HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES was created 8 days prior to the exploit and made test swaps on OKX and Jupiter as pre-staging.
• Circle had a ~6-hour window to freeze USDC via CCTP but failed to act, allowing tens of millions in stolen USDC to be converted to ETH.
• Funds are currently held in multiple Ethereum wallets, and further obfuscation (Tornado Cash, additional bridging) is considered imminent.

2. Attack Timeline
Time (UTC) | Event | Transaction / Address
11:06 | First drain: 41M JLP tokens transferred from Drift Vault | Solana: HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES
11:07-11:15 | Batch draining across all asset classes (USDC, SOL, WETH, WBTC) | Multiple Drift vault contracts on Solana
~11:15-11:40 | Rapid Jupiter DEX swaps - all stolen tokens converted to USDC/SOL | Jupiter Aggregator, Solana
~11:40-13:00 | Funds distributed to 5+ Solana intermediary wallets for layering | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw, mfDuWeQsHeqtFVYZ7LoExgak9dxK7Cy4DfjwjwMGvwA, 7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu, 57zj6DxxCeWZPj9beYKb5XjGZvgG4HqDaLLBiruFBsjM
13:00-17:00 | Cross-chain bridging: Wormhole (x10), deBridge, CCTP | Solana Bridge hub: 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw
13:30 | First USDC arrives on Ethereum at primary receiver | 0xFcC47866Bd2BD3066696662dbd1C89c882105643
~13:30-17:49 | USDC converted to ETH via KyberSwap, 0x Protocol, CowSwap | 0xeF4326f42f2Eb656C58fAbF8b1d3298DC2Ab80c6, 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC
~17:49 | 19,913 ETH ($42.6M) confirmed accumulated across Ethereum holding wallets | 0xbDdAe987FEe930910fCC5aa403D5688fB440561B, 0xAa843eD65C1f061F111B5289169731351c5e57C1
17:00-ongoing | SOL consolidation on Solana into holding wallets | 6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD
Apr 1-Apr 2 | Elliptic issues DPRK attribution, ZachXBT publicly criticizes Circle | Public intelligence

3. Stolen Assets
Token | Approximate Amount Stolen | Estimated USD Value
JLP (Jupiter LP Token) | ~41,000,000 tokens | ~$155,000,000
USDC | ~90,000,000+ | ~$90,000,000
SOL (native/wrapped) | ~980,000 SOL | ~$82,000,000
WETH | ~5,557 WETH | ~$11,800,000
cbBTC | ~164 cbBTC | ~$11,300,000
WBTC | ~282 WBTC | ~$19,500,000
USDT | ~5,600,000 | ~$5,600,000
USDS | ~5,250,000 | ~$5,250,000
Other (misc DeFi tokens) | - | ~$4,550,000
TOTAL | - | ~$285,000,000

4. Fund Flow Analysis

4.1 Solana Primary Drain and Layering
The primary attacker wallet HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES initiated the drain directly from Drift Protocol vaults. A total of 563 transactions were identified across the 5-hop tracing window, involving 63 unique addresses. All stolen assets were immediately liquidated via the Jupiter DEX aggregator into USDC and SOL. Funds were then distributed across at least 5 Solana intermediary wallets to begin layering:
Hop | From Address | To Address | Amount | Role
1 | Drift Vault | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | ~$285M (all assets) | Primary drainer
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | ~$190M+ USDC/SOL | Bridge hub/primary launderer
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | mfDuWeQsHeqtFVYZ7LoExgak9dxK7Cy4DfjwjwMGvwA | ~$25M | Intermediary A
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | 7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu | ~$30M | Intermediary B
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | 57zj6DxxCeWZPj9beYKb5XjGZvgG4HqDaLLBiruFBsjM | ~$22M (WBTC/SOL) | Intermediary C
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | ENjbZEiaN6Jje2CyvSHN2pRFRQvZyoSzWPxiQfDtB5sk | ~$12M WETH | Intermediary D
3 | 7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu | 6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD | Large SOL | SOL Consolidation
3 | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | Wormhole Bridge | ~$150M USDC | Cross-chain bridge (x10)
3 | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | deBridge | $684,358 USDC | Cross-chain bridge
3 | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | Circle CCTP | ~$40M+ USDC | Cross-chain bridge

4.2 Cross-Chain Bridge - Solana to Ethereum
11 bridge transactions were confirmed from the primary launderer address 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw:
Bridge Protocol | Count | Amount | Destination Chain
Wormhole | 10 | ~$150M USDC | Ethereum
deBridge | 1 | $684,358 USDC | Ethereum
Circle CCTP | Multiple | ~$40M+ USDC | Ethereum
All bridge proceeds were routed to the Ethereum primary receiver: 0xFcC47866Bd2BD3066696662dbd1C89c882105643.

4.3 Ethereum Conversion and Accumulation
A total of 88 transactions were identified across the 5-hop Ethereum tracing window, involving 7 unique addresses.
Hop | From Address | To Address | Amount | Action
1 | Bridge (Wormhole/CCTP) | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | ~$190M+ USDC | Primary ETH receiver
2 | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | Large USDC | USDC to ETH swap wallet
2 | 0xbDdAe987FEe930910fCC5aa403D5688fB440561B | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | ~13,000 ETH | ETH holding wallet B
2 | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | 0xAa843eD65C1f061F111B5289169731351c5e57C1 | ~19,913 ETH | ETH holding wallet C
3 | 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | 0xeF4326f42f2Eb656C58fAbF8b1d3298DC2Ab80c6 | Large USDC | DEX swap router (KyberSwap/0x/CowSwap)
3 | 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 | ~$35M+ USDC | USDC aggregation wallet

5. Attack Pattern Analysis

5.1 Attack Technique Classification
Technique | Description
Admin Key Compromise | Drift Security Council multi-sig key obtained via durable nonces attack - pre-signed transactions triggered atomically.
Oracle Manipulation / Flash Collateral Exploit | Fake CarbonVote Token (CVT) minted (750M units), seeded with ~$500 liquidity on Raydium, listed on Drift spot market via compromised admin key to inflate oracle price. Inflated CVT used as collateral to borrow and drain all real vault assets.
Automated Scripted Execution | All 563+ Solana transactions executed within minutes using automated scripts - no human delays between hops.
DEX Liquidation | Jupiter DEX aggregator used to immediately convert all heterogeneous tokens (JLP, WBTC, WETH, cbBTC) into fungible USDC/SOL.
Multi-Wallet Layering | Funds split across 5+ intermediary wallets simultaneously for layering before bridging.
Cross-Chain Obfuscation | 3 bridges used simultaneously (Wormhole, deBridge, CCTP) to move funds to Ethereum and complicate tracing.
Stablecoin-to-Native Swap | All USDC converted to ETH on Ethereum via 4 DEX aggregators - removes stablecoin freeze risk.
Multi-Wallet ETH Accumulation | ETH accumulated across 3+ unlabeled wallets - classic Lazarus holding pattern.

5.2 Obfuscation Strategy Assessment
The laundering chain demonstrates 5-layer obfuscation:
Layer 1 - Token Diversification: Stolen assets span 8 different tokens across Drift vaults.
Layer 2 - Rapid DEX Conversion: All tokens immediately converted to USDC/SOL via Jupiter (removes non-fungible value).
Layer 3 - Address Splitting: Funds distributed to 5+ Solana intermediary wallets in parallel.
Layer 4 - Cross-Chain Bridge (x3): Three different bridge protocols used to move to Ethereum, complicating chain-of-custody tracing.
Layer 5 - Stablecoin Elimination: USDC converted to ETH to remove stablecoin freeze risk from Circle/Tether.
This pattern is directly consistent with the Bybit $1.5B Lazarus Group hack of February 2025 and the Ronin Bridge hack of March 2022.

6. Key Addresses Reference Table
Address | Chain | Role | Identified By
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | Solana | Primary Attacker / Drainer | First tx 8 days pre-attack; direct vault drain
8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | Solana | Primary Launderer / Bridge Hub | 11 confirmed bridge TXs outbound
mfDuWeQsHeqtFVYZ7LoExgak9dxK7Cy4DfjwjwMGvwA | Solana | Intermediary Wallet A | Received from primary attacker
7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu | Solana | Intermediary Wallet B | Received from primary attacker
57zj6DxxCeWZPj9beYKb5XjGZvgG4HqDaLLBiruFBsjM | Solana | Intermediary Wallet C (WBTC/SOL) | Received from primary attacker
ENjbZEiaN6Jje2CyvSHN2pRFRQvZyoSzWPxiQfDtB5sk | Solana | Intermediary Wallet D (WETH) | Received from primary attacker
6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD | Solana | SOL Consolidation Wallet | Downstream of Intermediary B
0xFcC47866Bd2BD3066696662dbd1C89c882105643 | Ethereum | Primary ETH Receiver | Wormhole/CCTP bridge destination
0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | Ethereum | USDC-ETH Swap Wallet | Downstream of ETH primary receiver
0xeF4326f42f2Eb656C58fAbF8b1d3298DC2Ab80c6 | Ethereum | DEX Swap Router (KyberSwap/0x/CowSwap) | USDC-ETH conversion contract router
0xbDdAe987FEe930910fCC5aa403D5688fB440561B | Ethereum | ETH Holding Wallet B (~13K ETH) | Downstream of ETH primary receiver
0xAa843eD65C1f061F111B5289169731351c5e57C1 | Ethereum | ETH Holding Wallet C (~19.9K ETH) | Downstream of ETH primary receiver
0x81d40f21f12a8f0e3252bccb954d722d4c464b64 | Ethereum | USDC Aggregation Wallet (~$35M+) | Downstream of USDC-ETH swap wallet

7. Exchange Deposit Analysis
As of the time of this report, no labeled exchange deposit addresses have been confirmed in the traced fund flow. Funds appear to be held in unlabeled Ethereum wallets pending further laundering steps.
Status | Assessment
Exchange deposits identified | None confirmed as of Apr 2, 2026.
Likely next steps | Tornado Cash / privacy protocol usage; further cross-chain movement (TRON, Monero); P2P OTC off-ramp.
Stablecoin freeze window | CRITICAL: ~$35M USDC in 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 - freeze request to Circle required immediately.
ETH freeze feasibility | Low - ETH is not freezable by issuer; requires exchange cooperation when deposited.
KYC feasibility | Possible if attacker deposits to a KYC exchange; continuous monitoring required.
Critical note on Circle CCTP failure: ZachXBT publicly documented that Circle had approximately a 6-hour window during which stolen USDC was actively being bridged via CCTP from Solana to Ethereum. Circle failed to freeze the funds during this window, allowing the conversion of tens of millions in USDC to ETH, placing those funds beyond the reach of stablecoin issuers. Immediate remediation of Circle's incident response protocols is recommended.

8. Recommendations

Immediate Actions (0-24 hours)
Priority | Action | Target Entity | Target Address
CRITICAL | Freeze remaining USDC - Contact Circle immediately | Circle | 0x81d40f21f12a8f0e3252bccb954d722d4c464b64
CRITICAL | Monitor ETH holding wallets - Flag all outbound TXs | On-chain monitoring | 0xAa843eD65C1f061F111B5289169731351c5e57C1, 0xbDdAe987FEe930910fCC5aa403D5688fB440561B
CRITICAL | Exchange pre-alert - Notify all major CEXs (Binance, Coinbase, Kraken, OKX) of attacker addresses | All major exchanges | All Ethereum holding wallets
CRITICAL | OFAC/FBI referral - Submit DPRK attribution evidence for sanctions designation | US Government agencies | All identified attacker addresses
HIGH | Tether freeze request - USDT held in Solana intermediary wallets | Tether | Solana intermediary wallets
HIGH | Bridge KYC request - Wormhole, deBridge records for bridge hub address | Wormhole Foundation, deBridge | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw

Ongoing Investigation Actions
Priority | Action | Details
HIGH | Continue tracing 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 | ~$35M+ USDC - trace downstream hops to find exchange deposit.
HIGH | 6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD - large SOL consolidation unresolved | Trace Solana SOL wallets.
MEDIUM | Lazarus Group known to bridge to Tron for final off-ramp | Monitor Tron/XRP chains.
MEDIUM | Tornado Cash monitoring | Set up monitoring for ETH holding wallets depositing to Tornado Cash contracts.
MEDIUM | Pre-attack address OSINT | Full OSINT on HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES; test swaps on OKX may reveal KYC-linked accounts.

9. Conclusion
The Drift Protocol exploit represents a highly sophisticated, well-planned state-sponsored attack consistent with North Korea's Lazarus Group. The attacker demonstrated advanced knowledge of Drift's internal architecture, Solana's durable nonce mechanism, and DeFi bridging infrastructure. The attack was executed with near-perfect operational security: pre-staged wallets, automated transaction scripting, multi-bridge simultaneous execution, and immediate stablecoin-to-native conversion.
Fund recovery feasibility assessment:
• ~$35M USDC in 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 is recoverable if Circle acts immediately.
• ~32,913+ ETH (~$70M+) in Ethereum holding wallets is partially recoverable if CEX deposits are detected before further laundering.
• Solana SOL holdings are partially recoverable via exchange cooperation.
• Converted ETH is at risk of imminent Tornado Cash deposit or further cross-chain movement.
Overall recovery window: CRITICAL (24-72 hours). Immediate multi-stakeholder coordination between Drift Protocol, Circle, Tether, Wormhole Foundation, major CEXs, FBI, and OFAC is essential to maximize recovery probability.
Crime type determination: Organized cybercrime / state-sponsored theft - DPRK Lazarus Group (High Confidence, per Elliptic).
This report was generated by the SentinelTX Blockchain Forensic Intelligence Platform. All findings are based on publicly available on-chain data and open-source intelligence. This report is intended for law enforcement, compliance, and legal proceedings use.

Appendix: Fund Flow Diagram
(Diagram reference included in the original report structure)

0 likes · 87 views
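The report's fund-flow sections are built from a bounded "N-hop tracing window" over transfer edges, with two outputs that drive the recommendations: which labeled entities (bridges, DEXs) tainted value passed through, and which unlabeled wallets still hold an issuer-freezable stablecoin. The tracer below is an added example, not the report's or SentinelTX's code: it walks outgoing transfers breadth-first from an origin up to a hop limit, nets inbound against outbound per asset inside the tainted subgraph, and lists freeze candidates. The edge list, labels and amounts are constructed to resemble the report's shape (vault drain, hub, bridges, swap, holding wallets) and are not real addresses or on-chain data.

```python
# Added example (not from the page or the SentinelTX report): a small
# N-hop taint tracer over a transfer edge list. All addresses, labels and
# amounts below are constructed, not real on-chain data.
from collections import deque

# (from, to, asset, amount) -- constructed transfers in chain order
TRANSFERS = [
    ("VAULT", "ATTACKER", "USDC", 90_000_000),   # the drain itself
    ("ATTACKER", "HUB", "USDC", 60_000_000),     # layering split
    ("ATTACKER", "INT_A", "USDC", 25_000_000),
    ("HUB", "WORMHOLE", "USDC", 50_000_000),     # bridge deposits
    ("HUB", "CCTP", "USDC", 10_000_000),
    ("WORMHOLE", "ETH_RECV", "USDC", 50_000_000),  # deliveries on the other chain
    ("CCTP", "ETH_RECV", "USDC", 10_000_000),
    ("ETH_RECV", "SWAP", "USDC", 40_000_000),    # stablecoin -> native
    ("SWAP", "ETH_RECV", "ETH", 13_000),
    ("ETH_RECV", "HOLD_B", "ETH", 13_000),       # ETH parked in a holding wallet
    ("ETH_RECV", "AGG", "USDC", 20_000_000),     # USDC still unconverted
    ("UNRELATED", "OTHER", "USDC", 5_000),       # noise outside the trace
]
# Constructed entity labels; unlabeled addresses are treated as attacker-controlled
LABELS = {"VAULT": "victim", "WORMHOLE": "bridge", "CCTP": "bridge", "SWAP": "dex"}

def trace_hops(transfers, origin, max_hops):
    """BFS along outgoing transfers. Returns {address: hop} for everything
    reachable within max_hops, hop being the shortest path from origin."""
    out = {}
    for src, dst, _, _ in transfers:
        out.setdefault(src, []).append(dst)
    hops, queue = {origin: 0}, deque([origin])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue                       # window edge: don't expand further
        for nxt in out.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def net_balances(transfers, tainted):
    """Per address and asset: inbound from tainted senders minus outbound.
    Only edges whose sender is tainted count, i.e. the traced subgraph; an
    outbound edge to an address outside the window still debits the sender."""
    net = {}
    def add(addr, asset, delta):
        net.setdefault(addr, {})
        net[addr][asset] = net[addr].get(asset, 0) + delta
    for src, dst, asset, amt in transfers:
        if src not in tainted:
            continue
        add(src, asset, -amt)
        if dst in tainted:
            add(dst, asset, amt)
    return net

def freeze_candidates(transfers, tainted, labels, asset="USDC"):
    """Unlabeled tainted addresses with a positive net balance of `asset`:
    the set an issuer could still freeze before conversion or bridging."""
    net = net_balances(transfers, tainted)
    found = [(addr, bal.get(asset, 0)) for addr, bal in net.items()
             if addr not in labels and bal.get(asset, 0) > 0]
    return sorted(found, key=lambda x: -x[1])

def exits_by_label(transfers, tainted, labels):
    """Tainted volume that reached each labeled entity type (bridge, dex, ...)."""
    totals = {}
    for src, dst, asset, amt in transfers:
        if src in tainted and dst in labels:
            kind = totals.setdefault(labels[dst], {})
            kind[asset] = kind.get(asset, 0) + amt
    return totals

if __name__ == "__main__":
    hops = trace_hops(TRANSFERS, "VAULT", 5)
    tainted = set(hops)
    print("hops:", hops)
    print("exits:", exits_by_label(TRANSFERS, tainted, LABELS))
    print("freeze candidates (USDC):", freeze_candidates(TRANSFERS, tainted, LABELS))
```

Two behaviours are worth noting. Shrinking max_hops drops the far side of a bridge out of the window entirely, which is why a tracer must be re-run with the bridge delivery address as a new origin rather than trusting a single window. And the DEX contract nets positive USDC because it absorbed the stablecoin, so it must be labeled or it will show up as a freeze candidate; the same applies to bridge escrows.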