Bounty King: Investigation Series follows a team of skilled investigators as they navigate the dark world of cybercrime, uncovering hidden digital trails and solving complex mysteries with the power of AI and blockchain technology. Each case takes them deeper into the realm of online fraud, crypto hacks, and digital heists, where bounties fuel the relentless pursuit of truth. With every investigation, they piece together the puzzle—tracing lost assets and exposing the individuals behind the screens. It’s a journey of persistence, intelligence, and teamwork, where every clue brings them one step closer to justice in an ever-evolving digital landscape.

Live tracking updated!

The stolen ETH is currently being laundered, and the activity is being monitored in real-time through the Bybit Hack 2025 live dashboard.

Live Tracking Dashboard

Monitoring is free—anyone can sign in with a Google account to view the data.

1. Overview of the Incident

On February 21, 2025, Bybit, a leading cryptocurrency exchange, suffered a major security breach, resulting in the theft of approximately $1.4 billion in digital assets. The attackers compromised one of Bybit’s Ethereum cold wallets, which are typically offline and considered more secure than hot wallets.

Due to the urgency of the situation, our immediate priority is tracking the stolen funds. Below are the hacker’s main consolidated addresses.

The primary address, which distributed 401,347 ETH, is:
0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 (Referred to as Hacker 1)

The secondary address, which distributed 98,048.8948 ETH, is:
0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e (Referred to as Hacker 2)

2. Breakdown of the Stolen Assets

The following amounts have been confirmed as stolen:
- 401,347 ETH (~$1.12 billion)
- 90,376 stETH (~$253.16 million)
- 15,000 cmETH (~$44.13 million)
- 8,000 mETH (~$23 million)

3. Transaction Analysis of Hacker Address: 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2

Total distributed: 400,001 ETH

Transaction breakdown:
- 40 transactions of 10,000 ETH each
- 1 transaction of 1 ETH
- Total of 41 transactions

Timeframe of initial movements:
- Earliest transaction: 2025-02-21 14:29:47 (UTC)
- Latest transaction: 2025-02-21 15:54:23 (UTC)
- Total duration: approximately 1 hour and 30 minutes

Among these transactions, 1 ETH was transferred to Hacker 2.

For Hacker 2, a total of 98,048.75 ETH was first transferred to the address 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Following this, the funds were redistributed in 10,000 ETH increments through multiple transactions.

The transactions were concentrated within the timeframe of 16:04:23 to 16:05:11 (UTC).

It appears that the activity in Hacker 2's wallet began after the transactions from Hacker 1 were completed.

Given the current fund movement pattern, it is highly likely that the stolen assets will be deposited into Tornado Cash for obfuscation.

We will continue our investigation.

We are excited to announce the addition of a new General Discussion category to our community platform. This space is designed to foster open and engaging conversations that may not fit within our existing categories of Blockchain Insight and Cyber Security.

To ensure that our community remains focused, respectful, and aligned with ChainBounty's mission, we have established the following guidelines:

- Relevant Content: While the General Discussion category allows for a broader range of topics, we ask that all posts remain pertinent to the overarching themes of our community. Discussions explicitly about token prices, exchange listings, or similar subjects are discouraged. Such posts may be removed to maintain the integrity and focus of our platform.
- Respectful Communication: We encourage open and constructive dialogue. Please engage with fellow members respectfully, avoiding any form of harassment, hate speech, or discriminatory remarks.
- Content Moderation: Our moderation team reserves the right to remove any content that is deemed off-topic, harmful, or inconsistent with the community's values. Repeated violations may result in further action, including temporary or permanent suspension from the platform.

By adhering to these guidelines, we can create a welcoming and informative environment for all members. We appreciate your cooperation and look forward to the enriching discussions that will emerge in the General Discussion category.

Thank you for being a valued part of the ChainBounty community.

Sincerely,
The ChainBounty Team

The Ionic Hack: $8.8M Heist on the Mode Network

On February 5, 2025, the Ionic platform, operating on the Mode network, suffered a security breach, leading to an estimated loss of $8.8 million. According to security firm QuillAudits, attackers exploited the platform by using unofficial fake LBTC (Lombard BTC) as collateral to secure loans.

X Post: QuillAudits' Analysis

Ionic stated that they are still investigating the incident.

X Post: Ionic’s Update

Analysis of the Hacked Wallet and Fund Movements

First, let's organize the details regarding the hacked wallet and the movement of the associated funds.

According to the incident details, the attacker's address is 0x9E34d89C013Da3BF65fc02b59B6F27D710850430, which was used to exploit the smart contract.

Interestingly, before transferring the funds to Tornado Cash, the attacker moved 1,203.651 ETH to 0x15ED470607601274DF6ED71172614B67001901EB, which was then used to funnel the funds into Tornado Cash.

- 100 ETH was sent directly from 0x9E34d89C013Da3BF65fc02b59B6F27D710850430 to Tornado Cash.
- 1,203.651 ETH was first transferred to 0x15ED470607601274DF6ED71172614B67001901EB, which subsequently sent the funds to Tornado Cash.

Notably, this intermediary address (0x15ED470607601274DF6ED71172614B67001901EB) received ETH from multiple sources, not just the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430).

Therefore, the attacker’s wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) and the relay wallet (0x15ED470607601274DF6ED71172614B67001901EB) played key roles in moving the stolen assets to Tornado Cash.

Figure 1: Flow of Stolen ETH to Tornado Cash
Source: ChainBounty Track (to be released)

Among them, we identified an interesting characteristic in the wallet used just before depositing the funds into Tornado Cash.

The wallet that sent 1,203.65 ETH received funds not only from the attacker's primary wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) but also from several other wallets.

Let's examine whether these wallets are also connected to the incident.

Figure 2: Source Flow of Relay Wallet to Tornado Cash
Source: ChainBounty Track (to be released)

The key factor here is timing. If there is a connection, the related wallet must have sent funds before the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) made its transaction.

In this context, the wallet at the top of the list, 0x9ec235ca191e6d434b7ef70730e7fb726bf50430, appears suspicious. Here's why:

According to UTC timestamps, the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) transferred funds to 0x15ED470607601274DF6ED71172614B67001901EB at the following times:

- February 4, 16:21 UTC
- The transfer occurred three times within 16 minutes, with a gap of approximately 16 minutes between transactions.

This timing pattern suggests that 0x9ec235ca191e6d434b7ef70730e7fb726bf50430 warrants closer examination.

Figure 3: Three Transactions from Attacker Address to Relay Wallet
Source: ChainBounty Track (to be released)

In the meantime, at 16:32, 0.0001 ETH was sent.

One might question its significance, but it’s worth examining the possible connection.

Figure 4: Single Transaction from Unknown Address to Attacker
Source: ChainBounty Track (to be released)

Actually, when an incident occurs, the attacker's address often receives these kinds of requests.

Figure 5: Donation Request from Community On-Chain
Source: Etherscan

However, an interesting aspect of 0x9ec235ca191e6d434b7ef70730e7fb726bf50430 is the transaction pattern.

- At 16:21, the first 1 ETH was transferred.
- At 16:30, an additional 100 ETH was sent.
- At 16:32, a small amount of 0.0001 ETH was received.
- Finally, the remaining 1,102.65 ETH was transferred.

The increasing amounts (1 → 100 → 1,102.65 ETH) with time gaps suggest a manual operation.

Now, the question arises—why was a small amount of ETH transferred in between these manual transactions? There’s no accompanying message as mentioned earlier, but the transaction (TX) details can be found below for reference.

Additionally, the gas fee settings appear to be standard (21,000 | 21,000 (100%)), even for transactions made just before entering Tornado Cash. Using standard gas settings alone doesn’t necessarily indicate a direct connection.

However, in most hacking incidents, funds are typically moved along with gas fees to ensure smooth transactions. In this case, the process seems more deliberate and unhurried, which is worth noting.

Figure 6: Transaction Information from Unknown Address to Attacker
Source: Etherscan
Link: https://etherscan.io/tx/0x48e96238a04f4607ec8333c4633d82329708331e351d0dfa558a9503a5ee2781

Tracing Microtransactions: Uncovering Fund Fragmentation

Now, let's trace back the wallet that received the 0.0001 ETH.

Interestingly, there is a record of 0.0002 ETH being received from 0x14cb9b0d268556cc4c056801f88cfc2b1a19ce3d.

0.0002 → 0.0001? It seems like the funds are being fragmented, doesn’t it?

Typically, when such small transactions follow a pattern in terms of amount and timing, it suggests a deliberate intent behind the transfers.

Figure 7: Small Fund Distribution
Source: ChainBounty Track (to be released)

Because both transactions occurred at the same time—16:32 UTC.

- 0x14cb9b → 0x9ec235 (attacker)
- 0x9ec235 (attacker) → 0x15ED47 (Tornado Cash deposit address)

Why did this automated transaction occur right when the attacker was transferring funds to Tornado Cash? What was the intent behind it? This address itself is quite interesting. As you can see, it distributes small amounts of funds to multiple wallets.

Figure 8: Suspicious Wallet Distribution
Source: ChainBounty Track (to be released)

What Could This Address Be?

What exactly is its purpose? It appears similar to a gas fee supplier, but so far, no OSINT (Open-Source Intelligence) labels have been identified for it.

However, one thing is certain: after one hop, the small amounts of ETH end up in an exchange deposit address.

To investigate further, I will ask AI to analyze which exchange these funds were deposited into between January 1, 2025, and February 5, 2025.

Figure 9: Suspicious Wallet Distribution – AI Investigation
Source: ChainBounty Track (to be released)

The AI explains how it is connected to such a wide variety of transactions. For example, it reveals that Upbit’s user account is linked to these transactions.

Figure 10: Suspicious Wallet Distribution – AI Investigation Findings
Source: ChainBounty Track (to be released)

However, there is still something curious—what exactly is the purpose? Upon closer inspection, the answer becomes clear. By analyzing Upbit’s deposit wallet, we can see that large sums are deposited first, followed by smaller amounts sent to addresses with similar prefixes. This is known as address poisoning, a technique where scammers deposit small amounts into specific addresses after a significant transaction.

Suspicious Transactions Identified During Analysis

The goal of this attack is to trick the wallet owner into mistakenly sending funds to a fake address instead of the intended recipient during a future transaction.

Thus, the small amounts received from unidentified addresses confirm that this is part of an address poisoning attack. In this case, at 16:30, after 100 ETH was transferred, the attacker generated a lookalike address (0x9ec235ca191e6d434b7ef70730e7fb726bf50430) within two minutes of the original transaction and then sent a small amount of funds.

Unfortunately, the source of these funds could not be directly linked to the Ionic attacker. However, it has been observed that address poisoning attacks are also targeting stolen funds. A detailed analysis of the identified address poisoning attackers will be provided in a separate series.

Interestingly, most of these attacks are heavily targeting Korean exchange addresses. If attackers are monitoring large ETH movements, it raises the question of why Korean exchange wallets are the primary targets despite the existence of other major exchanges. This trend suggests a deliberate focus on Korean platforms, warranting further investigation.

Additionally, any further findings related to Ionic will be updated accordingly.

Figure 11: Exchange Usage from Arkham Intelligence (Period: 01/02/2025 – 02/01/2025)
Source: Arkham Intelligence

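The address-poisoning pattern described in the Ionic analysis above can be checked mechanically on a wallet's incoming transfers; the following is an added example, not part of the original post or of ChainBounty's tooling. The thresholds, the unrelated sender and the 16:37 time of the last transfer are assumptions; the two 0x9E.../0x9ec... addresses, amounts and the 16:21/16:30/16:32 times come from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    sender: str
    value_eth: Decimal


def _body(addr: str) -> str:
    """Lower-case hex body of an address, without the 0x prefix."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a


def shared_affixes(a: str, b: str) -> tuple[int, int]:
    """Count matching leading and trailing hex characters of two addresses."""
    x, y = _body(a), _body(b)
    prefix = 0
    for c, d in zip(x, y):
        if c != d:
            break
        prefix += 1
    suffix = 0
    for c, d in zip(reversed(x), reversed(y)):
        if c != d:
            break
        suffix += 1
    return prefix, suffix


def find_poisoning(incoming, dust_max=Decimal("0.001"),
                   significant_min=Decimal("1"),
                   window=timedelta(minutes=30),
                   min_prefix=2, min_suffix=4):
    """Flag dust transfers whose sender imitates a recent real counterparty.

    All thresholds are illustrative assumptions, not values from the post.
    """
    recent = {}   # real counterparty -> time of its latest significant transfer
    alerts = []
    for t in sorted(incoming, key=lambda t: t.ts):
        sender = t.sender.lower()
        if t.value_eth >= significant_min:
            recent[sender] = t.ts
            continue
        if t.value_eth > dust_max:
            continue  # small, but not dust: out of scope for this check
        for known, seen in recent.items():
            if known == sender or t.ts - seen > window:
                continue
            prefix, suffix = shared_affixes(known, sender)
            if prefix >= min_prefix and suffix >= min_suffix:
                alerts.append({"dust_sender": sender, "imitates": known,
                               "prefix": prefix, "suffix": suffix,
                               "delay": t.ts - seen})
    return alerts


def _at(hour, minute):
    return datetime(2025, 2, 4, hour, minute, tzinfo=timezone.utc)


ATTACKER = "0x9E34d89C013Da3BF65fc02b59B6F27D710850430"   # from the post
LOOKALIKE = "0x9ec235ca191e6d434b7ef70730e7fb726bf50430"  # from the post
UNRELATED = "0x" + "1a" * 20                              # constructed sender

# Incoming transfers seen by the relay wallet 0x15ED47... (sample data).
SAMPLE_INCOMING = [
    Transfer(_at(16, 21), ATTACKER, Decimal("1")),
    Transfer(_at(16, 30), ATTACKER, Decimal("100")),
    Transfer(_at(16, 32), LOOKALIKE, Decimal("0.0001")),
    Transfer(_at(16, 33), UNRELATED, Decimal("0.0001")),  # constructed
    Transfer(_at(16, 37), ATTACKER, Decimal("1102.65")),  # time is assumed
]

if __name__ == "__main__":
    for alert in find_poisoning(SAMPLE_INCOMING):
        print(alert)
```

Only the lookalike is flagged: it shares the first 2 and last 5 hex characters with the real sender and arrives two minutes after the 100 ETH transfer, while the unrelated dust sender is ignored.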
First, it would be great if we could post in categories like "General" or "Suggestions" on this community page. I have many questions, but there isn’t a proper place to ask them. Therefore, I apologize for posting in an unrelated category.

Also, I’m unable to log in to MetaMask on my mobile phone. When I scan the QR code, it opens the MetaMask mobile app (Android), and after accepting the permissions, it redirects me back to the page, but I’m still not logged in.

How can I log in to MetaMask on mobile?

Singapore, October 11th 2023 — Navigating through the vast Decentralized Finance (DeFi) and Non-Fungible Token (NFT) space requires sharp awareness and a skeptical eye. An example that underscores this imperative is the recent “Lucky Star Rug Pull” incident that took place on the Binance Smart Chain (BSC) Mainnet. This event, reported by news sources like Cointelegraph or projects like CertiKAlert, entails the unauthorized withdrawal of LSC tokens, subsequently exchanged for BUSD and accumulated at a single address, costing the stakeholders an estimated $1 Million.

Our in-house research team at Uppsala Security assessed the case to uncover any noteworthy findings.

Incident Breakdown

The strategy employed by the malicious actor(s) appears rather straightforward yet carefully executed. LSC tokens were illicitly withdrawn, converted to BUSD, and ultimately consolidated into a single address (0x23f8c805306Bf27AB8bf3cEbEce4B778acfFd896).

In brief, here’s how the event unfolded:
- Withdrawal of LSC tokens from the system
- Swap of LSC tokens to BUSD
- Consolidation of BUSD at a single address

The wallet addresses involved in this operation, swapping LSC tokens to BUSD and funneling them into the consolidation address, are as follows:
- 0x9Ef72Ee68a7c841986A0C60e0FDbAE4e27446Deb
- 0x895c414F17Ef676dd9c18D55D3358D411ba79574
- 0xFA24FcAff5A51965F762101c2BD4E46302a2Bd64
- 0x8789DA3886386740DD775C95E18820BEe339a48A

Examining the consolidation address reveals an interesting aspect: it harbors a history of other incoming funds prior to this incident. Could it be a mere coincidence or an intentional confusion tactic? Or does this address serve as a confluence point for funds derived from other criminal activities?

The intersection between multiple streams of incoming funds, presumably from various illicit endeavors, suggests a plausible continuity among them. This intriguing convergence propels an inquiry: is there a common threat actor masterminding multiple cyber-attacks?

Image captured from the Crypto Analysis Transaction Visualization (CATV) Dashboard.

On December 18th 2023, it was observed through CATV that funds were laundered to known entity MEXC Global Exchange. The Lucky Star incident serves as a grim reminder for stakeholders, developers, and investigators within the cryptocurrency ecosystem to forge ahead with elevated diligence and skepticism. Deploying advanced security protocols, conducting rigorous smart contract audits, and fostering a culture of security awareness among users are paramount.

About the Crypto Analysis Transaction Visualization (CATV) Tool

The Crypto Analysis Transaction Visualization (CATV), developed exclusively by Uppsala Security’s expert team, serves as a sophisticated yet seamless forensic tool that offers in-depth insights into cryptocurrency transaction flows. This tool is designed to trace both inbound and outbound transactions linked to a specific wallet. CATV empowers users to effectively track, analyze, monitor, and graphically visualize cryptocurrency transactions, highlighting the flow of tokens and their interactions with various entities like exchanges and smart contracts.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.

Singapore, November 1st 2023 — In the ever-evolving landscape of cryptocurrencies, security remains a paramount concern. On October 17th, Cointelegraph released an article mentioning an incident involving one of the Fantom Foundation’s hot wallets, which led to the loss of $550,000 worth of cryptocurrency through a vulnerability in the official Fantom wallet. This serves as a stark reminder of the vulnerabilities that can be exploited in the digital realm. In this article, however, we will delve into the details of this cybersecurity breach, examining the trajectory of the stolen tokens/the perpetrators’ actions after the incident.

The Fantom Foundation Hot Wallet Hack

The incident, which unfolded a couple of weeks ago, sent shockwaves through the crypto community as it came to light. A few wallets belonging to the Fantom Foundation, a prominent player in the blockchain space, were drained of their assets. The stolen tokens encompassed a wide array of assets, including ETH, USDC, USDT, Frax Share, DAI, OriginToken, Republic, OMG, Livepeer, Shiba Inu, The Graph, LoopringCoin, ChainLink, Quant, WAVES, Aave, Convex Token, Immutable X, SingularityNET, Compound, Request, Curve DAO and more.

The affected tokens found their way to two primary addresses: 0x2F4F1D2C5944Dba74E107d1e8E90e7C1475f4001 and 0x1d93c73d575b81a59ff55958afc38a2344e4f878.

The perpetrators skillfully executed a series of swaps, converting the stolen tokens into ETH. The consolidated ETH was subsequently transferred to another address, 0x0b1F29DF74A19C44745862ab018D925501FE9596, in an attempt to conceal their trail.

Our investigatory team at Uppsala Security swung into action and initiated an investigation using the Crypto Asset Monitoring Service (CAMS), tracing the origin and movement of the stolen assets. This included 68 origin hashes, 9 origin wallets and 36 initial tokens involved, some of them already being mentioned above.

Image captured from the Crypto Asset Monitoring Service (CAMS) Dashboard.

Further details can be found in the CAMS Dashboard as well as the Portal Case.

CAMS, or Crypto Asset Monitoring Service, built by Uppsala Security, stands at the forefront of real-time monitoring solutions, providing advanced capabilities for overseeing cases related to digital assets. A standout feature is its automated fund monitoring system, reducing the need for manual oversight. CAMS maintains continuous surveillance over financial transactions, instantly identifying any fund movements and promptly alerting relevant parties. This not only boosts operational efficiency but also guarantees swift responses to potential security and compliance issues, establishing it as an essential asset in the realm of digital asset management.

The hot wallet hack that affected the Fantom Foundation, like any hack that negatively impacts original asset owners, serves as a clear reminder of the significance of cybersecurity within the cryptocurrency realm. As the crypto industry continues to evolve, it becomes increasingly crucial for both projects and individuals to maintain vigilance and take proactive measures to protect their digital assets. While hackers may have briefly gained an advantage, the unwavering dedication of security experts and community assures that justice will ultimately prevail in the digital world.

If you have any details about the Fantom Foundation case or if you would like to cooperate with our team on this investigation, please reach out by filling in this contact form.

Disclaimer: This article is meant for informational purposes only and does not constitute financial or legal advice. Always conduct your own research and consult professionals directly.

A couple of weeks ago, the cryptocurrency community witnessed a peculiar and complex exploit within the Raft Protocol, a decentralized finance (DeFi) platform operating on the Ethereum network. This incident, now widely referred to as the “Raft Protocol Exploit,” stands out not just for its technical intricacy but also for its unusual outcome: the hacker suffering a net loss.

The Exploit Details

The breach centered around the Interest Rate Posman (IRPM) contract (0x9AB6b21cDF116f611110b048987E58894786C244). An unidentified bad actor manipulated this contract to illegitimately mint 6.7 Million R stablecoin tokens. These tokens were swiftly swapped for 1577 Wrapped Ethereum (WETH), as detailed in the transaction with ID 0xfeedbf51b4e2338e38171f6e19501327294ab1907ab44cfd2d7e7336c975ace7.

However, the hacker overlooked a crucial aspect of another smart contract, pivotal for converting these coins into Ethereum (ETH) and transferring them to their address. This contract employed ‘delegatecall,’ a function that utilizes the storage of the parent contract. Notably, the hacker’s wallet address was not initialized in this contract’s storage. Consequently, a staggering 1570 out of the 1577.57 ETH were inadvertently sent to a null address, effectively burning the majority of the stolen funds.

The remaining 7.57 ETH was transferred to the exploiter’s address (0xc1f2b71A502B551a65Eee9C96318aFdD5fd439fA). These funds, along with the hacker’s initial funds, were later detected entering the TornadoCash mixer, a platform used for obfuscating the origins of cryptocurrency transactions (transaction ID: 0x6fbc085e6b1ddce157a8b06978623b4b60db176e101f7f85215190bb28a21e3d).

Image captured from the Crypto Asset Monitoring Service (CAMS) Dashboard.

Analysis and Community Reaction

This case has been extensively analyzed by cybersecurity experts and the cryptocurrency community. Sources such as FrankResearcher’s Twitter account and details from Neptune Mutual’s blog provided insights into the technical aspects of the exploit. Moreover, our research team at Uppsala Security created a CAMS (Crypto Asset Monitoring Service) case report, the case’s dashboard offering a comprehensive overview of the incident.

The uniqueness of this exploit lies not only in its technical execution but in its financial outcome. Typically, hackers execute these attacks for financial gain, but in this case, the exploiter ended up with a net loss of approximately 4 ETH. This unexpected turn of events has sparked discussions and analyses in various online forums and social media platforms, with many speculating about the hacker’s motives and potential miscalculations.

The Raft Protocol Exploit serves as a reminder of the complexities and risks inherent in DeFi platforms and smart contracts. It also underscores the need for robust security measures and continuous vigilance in the cryptocurrency space. While the financial loss to the hacker might be a deterrent to similar future attacks, it also highlights the unpredictable nature of such exploits and the need for ongoing research and development in blockchain security.

References

- Twitter post by FrankResearcher: https://twitter.com/FrankResearcher/status/1723099971824582713
- Neptune Mutual’s blog post on the Raft Protocol Exploit: https://neptunemutual.com/blog/how-was-raft-protocol-exploited
- Uppsala Security’s CAMS dashboard and case report: https://portal.sentinelprotocol.io/cams-dashboard/7dbe6568-c57a-49ee-ba1a-73820777bbd7

If you have any details about the Raft Protocol case or if you would like to cooperate with our team on this investigation, please reach out by filling in this contact form.

About Uppsala Security

Uppsala Security is headquartered in Singapore, and has branch offices in Seoul, South Korea and Tokyo, Japan. You can follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.

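The delegatecall storage behaviour described in the Raft post above, as a simplified Python model (an added example, not code from the original post, from Raft, or from the contracts involved). The two-contract layout, the slot number and the function names are assumptions; only the exploiter address and the 1570 ETH figure come from the post.

```python
from decimal import Decimal

ZERO_ADDRESS = "0x" + "00" * 20
EXPLOITER = "0xc1f2b71A502B551a65Eee9C96318aFdD5fd439fA"  # from the post
RECIPIENT_SLOT = 0  # hypothetical storage slot holding the payout address


class Contract:
    def __init__(self, name, code=None, balance="0"):
        self.name = name
        self.code = code or {}          # function name -> Python callable
        self.storage = {}               # slot -> value
        self.balance = Decimal(balance)


def sload_address(storage, slot):
    """Unset storage slots read as zero on the EVM, i.e. the null address."""
    return storage.get(slot, ZERO_ADDRESS)


def set_recipient(ctx, ledger, addr):
    ctx.storage[RECIPIENT_SLOT] = addr


def sweep(ctx, ledger):
    """Vulnerable form: pays out to whatever the executing storage holds."""
    to = sload_address(ctx.storage, RECIPIENT_SLOT)
    ledger[to] = ledger.get(to, Decimal(0)) + ctx.balance
    ctx.balance = Decimal(0)
    return to


def sweep_checked(ctx, ledger):
    """Hardened form: refuse to pay out when the slot was never initialised."""
    if sload_address(ctx.storage, RECIPIENT_SLOT) == ZERO_ADDRESS:
        raise ValueError("recipient not initialised in executing storage")
    return sweep(ctx, ledger)


HELPER_CODE = {"set_recipient": set_recipient, "sweep": sweep,
               "sweep_checked": sweep_checked}


def call(target, fn, ledger, *args):
    """Regular call: target's code runs on target's own storage and balance."""
    return target.code[fn](target, ledger, *args)


def delegatecall(caller, impl, fn, ledger, *args):
    """delegatecall: impl's code runs on the caller's storage and balance."""
    return impl.code[fn](caller, ledger, *args)


def run_scenario(init_via, sweep_fn):
    """Return (ledger, ETH left in holder, error text or None)."""
    ledger = {}
    helper = Contract("helper", code=HELPER_CODE)
    holder = Contract("holder", balance="1570")
    if init_via == "call":
        # The address lands in helper.storage, which sweep will never read.
        call(helper, "set_recipient", ledger, EXPLOITER)
    else:
        # The address lands in holder.storage, the context sweep executes in.
        delegatecall(holder, helper, "set_recipient", ledger, EXPLOITER)
    try:
        delegatecall(holder, helper, sweep_fn, ledger)
    except ValueError as exc:
        return ledger, holder.balance, str(exc)
    return ledger, holder.balance, None


if __name__ == "__main__":
    print(run_scenario("call", "sweep"))
    print(run_scenario("call", "sweep_checked"))
    print(run_scenario("delegatecall", "sweep"))
```

In the first scenario the whole balance is credited to the null address, matching the outcome the post describes; the checked variant fails before moving any funds.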
Source: https://x.com/FixedFloat/status/1775172224216875223
CAMS link: https://portal.sentinelprotocol.io/cams-dashboard/57dfd5d2-942b-44ac-9600-7adcf6578a08

On February 16th, 2024, the crypto exchange FixedFloat experienced a significant security breach, resulting in a loss of $26 million. Just weeks later, on April 1st, 2024, a second breach was detected. This incident involved the unauthorized transfer of various digital assets, including ETH, USDT, WETH, DAI, and USDC, leading to an additional loss of $2.80 million.

Our in-house research team at Uppsala Security examined the second part of the incident, which took place in the first half of April, using in-house built tools such as the Crypto Asset Monitoring Service (CAMS) and the Crypto Analysis Transaction Visualization (CATV). These tools provided more insights and helped break down the malicious actors’ activities and funds movement.

Part 1: Incident Description and Overview

On April 1st, 2024, FixedFloat suffered another hack. The hack was purportedly carried out by the same group of hackers who attacked the decentralized exchange on February 16th, 2024. The hacker’s wallet has been identified as 0xFA0200A7b73F2B36D14815336483039ecC6dea8b, which has received many outgoing transactions from the FixedFloat wallet.

The graph below was generated by our Crypto Asset Monitoring Service (CAMS) tool. This tool visualizes the flow of transactions from FixedFloat to the hacker’s wallet (0xFA0200A7b73F2B36D14815336483039ecC6dea8b) and eventually to eXch/Automatic Cryptocurrency Exchange, a decentralized exchange.

Image 1: Transaction Flow of the FixedFloat April Hack, generated with Uppsala Security’s Crypto Asset Monitoring Service (CAMS) tool

Part 2: Transaction Flow from FixedFloat to Hacker Wallet

The list of withdrawal transactions made by the hacker on the FixedFloat account are as follows (TXID, Amount, Token):

A Google Spreadsheet containing the above TXIDs can be accessed here.

As a result of the list of transactions above, 0xFA0200A7b73F2B36D14815336483039ecC6dea8b obtained a total of 155.7879878 ETH, 1,387,508.56 USDT, 402,254.39 USDC, 70.8044058 WETH and 238,941.23 DAI.

Part 3: Swapping of ERC20 tokens to ETH

The following ERC20 tokens were swapped to ETH via multiple transactions on Uniswap (TXID, Amount Swapped In, Amount Swapped Out):

A Google Spreadsheet containing the above TXIDs can be accessed here.

This brings the total ETH balance of the hacker wallet to 716.8598936 ETH (155.7879878 + 28.9858 + 58.0048 + 257.6408 + 87.5903 + 58.0458 + 70.8044058).

This also leaves 100,000 USDC and 239,275.83 DAI, which were not swapped.

Part 4: Flow of funds to eXch / Automatic cryptocurrency exchange

100,000 USDC and all 238,941.23 DAI were sent to 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55, then to eXch / Automatic cryptocurrency exchange, a decentralized exchange through the following TXIDs:

DAI Flow (238,941.23 DAI):
- TXID 1: 0x11188714ae80f63797f2a2a4d40f6ab112cd1249f9bfb28bcba72b59ca3fff48
  From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55
- TXID 2: 0xebf30d73f3f8f1d58e4b51797d3cace70028bc0617a59dae9e14005558873da9
  From 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

USDC Flow (100,000 USDC):
- TXID 1: 0xc7698a5e27fd29486aa6ea50e6b1854ff7a430d6417bebd4cdcb68cf21cc3d88
  From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xBd856Af6661748E76Ea6b4824874551F09CA1068
- TXID 2: 0x7054f76d39efa7e890776019b253b1e973acdc7bf972ba67b890ff1eed90988a
  From 0xBd856Af6661748E76Ea6b4824874551F09CA1068 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

The hacker also transfers the ETH to two separate wallets before finally sending them to eXch / Automatic cryptocurrency exchange. The flow of transactions is documented below.

ETH Flow 1:
- TXID 1: 0x677e71f053d1aa13e197a0f7f732a12d11aaa9c81a34bfdb9d7f3713ebed52c9
  From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xaeECB06C70EF1949693E1936Bd626cdf348c294b
- TXID 2: 0x7c6aefb7f1f1ad4cf0426440720389456cdf1813e82e62362b04b61765ceef01
  From 0xaeECB06C70EF1949693E1936Bd626cdf348c294b to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

ETH Flow 2:
- TXID 1: 0xbfce45ef5d0790fedcfc973a2f1e5decf82a476f3ae7e8dbd489e8fa43869ca4
  From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6
- TXID 2: 0x5b59a221949f213cddd2ab93ac3c5fc2b5e2ca75e1c92d4c84dcac3dd6cdd2bb
  From 0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

To stay updated with the latest details about the FixedFloat incident and other significant events affecting the Web3 ecosystem, please subscribe to our Medium and follow us on Twitter. If you’re eager to put your investigatory skills to work, check out Chainkeeper, our newest AI powered release currently in Beta. Our team is here to support your investigations and can be reached anytime at [email protected]

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers both end-users and organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.

Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea. Follow Uppsala Security on LinkedIn, Twitter, Facebook and Medium.