Community

dooooo

April 03, 2026

Community Investigation
Drift Protocol Exploit - Forensic Investigation Report

Drift Protocol Exploit - Forensic Investigation Report
Generated: 2026-04-02 15:07
Date of Incident: April 1, 2026
Report Generated: April 2, 2026
Document Type: Blockchain Forensic Investigation Report
Chains Involved: Solana, Ethereum (Cross-Chain)
Total Estimated Loss: ~$285,000,000 USD
Attribution: DPRK-linked Threat Actor (Lazarus Group) - High Confidence (Elliptic)
Classification: Confidential - Law Enforcement / Compliance Use

1. Executive Summary

Drift Protocol, the largest decentralized perpetual futures exchange on Solana by total value locked, suffered a catastrophic exploit on April 1, 2026, resulting in approximately $285 million USD in stolen assets. This makes it the largest DeFi exploit of 2026 and one of the largest in DeFi history.

The attacker combined three sophisticated vectors: (1) compromise of the Drift Security Council multi-sig administrator key via a durable nonces attack, (2) minting and oracle manipulation of a fictitious "CarbonVote Token" (CVT) used as fraudulent collateral, and (3) systematic draining of all Drift vaults across multiple asset classes.

Following the exploit, stolen assets were rapidly liquidated via the Jupiter DEX aggregator on Solana, bridged cross-chain to Ethereum via Wormhole, deBridge, and Circle's CCTP, and converted to ETH via multiple DEX aggregators (KyberSwap, 0x Protocol, CowSwap, OpenOcean). As of the time of reporting, approximately 19,913+ ETH (~$42.6M+) is held across unlabeled Ethereum wallets with additional USDC awaiting conversion.

Security firm Elliptic has attributed this exploit to DPRK-linked threat actors (Lazarus Group), citing near-identical methodology to the Bybit $1.5B hack of February 2025.

Key findings:
- The attacker wallet HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES was created 8 days prior to the exploit and made test swaps on OKX and Jupiter as pre-staging.
- Circle had a ~6-hour window to freeze USDC via CCTP but failed to act, allowing tens of millions in stolen USDC to be converted to ETH.
- Funds are currently held in multiple Ethereum wallets, and further obfuscation (Tornado Cash, additional bridging) is considered imminent.

2. Attack Timeline

Time (UTC) | Event | Transaction / Address
11:06 UTC | First drain: 41M JLP tokens transferred from Drift Vault | Solana: HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES
11:07-11:15 | Batch draining across all asset classes (USDC, SOL, WETH, WBTC) | Multiple Drift vault contracts on Solana
~11:15-11:40 | Rapid Jupiter DEX swaps - all stolen tokens converted to USDC/SOL | Jupiter Aggregator, Solana
~11:40-13:00 | Funds distributed to 5+ Solana intermediary wallets for layering | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw, mfDuWeQsHeqtFVYZ7LoExgak9dxK7Cy4DfjwjwMGvwA, 7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu, 57zj6DxxCeWZPj9beYKb5XjGZvgG4HqDaLLBiruFBsjM
13:00-17:00 | Cross-chain bridging: Wormhole (x10), deBridge, CCTP | Solana Bridge hub: 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw
13:30 UTC | First USDC arrives on Ethereum at primary receiver | 0xFcC47866Bd2BD3066696662dbd1C89c882105643
~13:30-17:49 | USDC converted to ETH via KyberSwap, 0x Protocol, CowSwap | 0xeF4326f42f2Eb656C58fAbF8b1d3298DC2Ab80c6, 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC
~17:49 UTC | 19,913 ETH ($42.6M) confirmed accumulated across Ethereum holding wallets | 0xbDdAe987FEe930910fCC5aa403D5688fB440561B, 0xAa843eD65C1f061F111B5289169731351c5e57C1
17:00-ongoing | SOL consolidation on Solana into holding wallets | 6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD
Apr 1-Apr 2 | Elliptic issues DPRK attribution, ZachXBT publicly criticizes Circle | Public intelligence

3. Stolen Assets

Token | Approximate Amount Stolen | Estimated USD Value
JLP (Jupiter LP Token) | ~41,000,000 tokens | ~$155,000,000
USDC | ~90,000,000+ | ~$90,000,000
SOL (native/wrapped) | ~980,000 SOL | ~$82,000,000
WETH | ~5,557 WETH | ~$11,800,000
cbBTC | ~164 cbBTC | ~$11,300,000
WBTC | ~282 WBTC | ~$19,500,000
USDT | ~5,600,000 | ~$5,600,000
USDS | ~5,250,000 | ~$5,250,000
Other (misc DeFi tokens) | - | ~$4,550,000
TOTAL | - | ~$285,000,000

4. Fund Flow Analysis

4.1 Solana Primary Drain and Layering

The primary attacker wallet HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES initiated the drain directly from Drift Protocol vaults. A total of 563 transactions were identified across the 5-hop tracing window, involving 63 unique addresses. All stolen assets were immediately liquidated via the Jupiter DEX aggregator into USDC and SOL. Funds were then distributed across at least 5 Solana intermediary wallets to begin layering:

Hop | From Address | To Address | Amount | Role
1 | Drift Vault | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | ~$285M (all assets) | Primary drainer
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | ~$190M+ USDC/SOL | Bridge hub/primary launderer
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | mfDuWeQsHeqtFVYZ7LoExgak9dxK7Cy4DfjwjwMGvwA | ~$25M | Intermediary A
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | 7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu | ~$30M | Intermediary B
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | 57zj6DxxCeWZPj9beYKb5XjGZvgG4HqDaLLBiruFBsjM | ~$22M (WBTC/SOL) | Intermediary C
2 | HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | ENjbZEiaN6Jje2CyvSHN2pRFRQvZyoSzWPxiQfDtB5sk | ~$12M WETH | Intermediary D
3 | 7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu | 6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD | Large SOL | SOL Consolidation
3 | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | Wormhole Bridge | ~$150M USDC | Cross-chain bridge (x10)
3 | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | deBridge | $684,358 USDC | Cross-chain bridge
3 | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | Circle CCTP | ~$40M+ USDC | Cross-chain bridge

4.2 Cross-Chain Bridge - Solana to Ethereum

11 bridge transactions were confirmed from the primary launderer address 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw:

Bridge Protocol | Count | Amount | Destination Chain
Wormhole | 10 | ~$150M USDC | Ethereum
deBridge | 1 | $684,358 USDC | Ethereum
Circle CCTP | Multiple | ~$40M+ USDC | Ethereum

All bridge proceeds were routed to the Ethereum primary receiver: 0xFcC47866Bd2BD3066696662dbd1C89c882105643.

4.3 Ethereum Conversion and Accumulation

A total of 88 transactions were identified across the 5-hop Ethereum tracing window, involving 7 unique addresses.

Hop | From Address | To Address | Amount | Action
1 | Bridge (Wormhole/CCTP) | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | ~$190M+ USDC | Primary ETH receiver
2 | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | Large USDC | USDC to ETH swap wallet
2 | 0xbDdAe987FEe930910fCC5aa403D5688fB440561B | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | ~13,000 ETH | ETH holding wallet B
2 | 0xFcC47866Bd2BD3066696662dbd1C89c882105643 | 0xAa843eD65C1f061F111B5289169731351c5e57C1 | ~19,913 ETH | ETH holding wallet C
3 | 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | 0xeF4326f42f2Eb656C58fAbF8b1d3298DC2Ab80c6 | Large USDC | DEX swap router (KyberSwap/0x/CowSwap)
3 | 0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 | ~$35M+ USDC | USDC aggregation wallet

5. Attack Pattern Analysis

5.1 Attack Technique Classification

Technique | Description
Admin Key Compromise | Drift Security Council multi-sig key obtained via durable nonces attack - pre-signed transactions triggered atomically.
Oracle Manipulation / Flash Collateral Exploit | Fake CarbonVote Token (CVT) minted (750M units), seeded with ~$500 liquidity on Raydium, listed on Drift spot market via compromised admin key to inflate oracle price. Inflated CVT used as collateral to borrow and drain all real vault assets.
Automated Scripted Execution | All 563+ Solana transactions executed within minutes using automated scripts - no human delays between hops.
DEX Liquidation | Jupiter DEX aggregator used to immediately convert all heterogeneous tokens (JLP, WBTC, WETH, cbBTC) into fungible USDC/SOL.
Multi-Wallet Layering | Funds split across 5+ intermediary wallets simultaneously for layering before bridging.
Cross-Chain Obfuscation | 3 bridges used simultaneously (Wormhole, deBridge, CCTP) to move funds to Ethereum and complicate tracing.
Stablecoin-to-Native Swap | All USDC converted to ETH on Ethereum via 4 DEX aggregators - removes stablecoin freeze risk.
Multi-Wallet ETH Accumulation | ETH accumulated across 3+ unlabeled wallets - classic Lazarus holding pattern.

5.2 Obfuscation Strategy Assessment

The laundering chain demonstrates 5-layer obfuscation:
- Layer 1 - Token Diversification: Stolen assets span 8 different tokens across Drift vaults.
- Layer 2 - Rapid DEX Conversion: All tokens immediately converted to USDC/SOL via Jupiter (removes non-fungible value).
- Layer 3 - Address Splitting: Funds distributed to 5+ Solana intermediary wallets in parallel.
- Layer 4 - Cross-Chain Bridge (x3): Three different bridge protocols used to move to Ethereum, complicating chain-of-custody tracing.
- Layer 5 - Stablecoin Elimination: USDC converted to ETH to remove stablecoin freeze risk from Circle/Tether.

This pattern is directly consistent with the Bybit $1.5B Lazarus Group hack of February 2025 and the Ronin Bridge hack of March 2022.

6. Key Addresses Reference Table

Address | Chain | Role | Identified By
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES | Solana | Primary Attacker / Drainer | First tx 8 days pre-attack; direct vault drain
8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw | Solana | Primary Launderer / Bridge Hub | 11 confirmed bridge TXs outbound
mfDuWeQsHeqtFVYZ7LoExgak9dxK7Cy4DfjwjwMGvwA | Solana | Intermediary Wallet A | Received from primary attacker
7z73WkGcFc5XwuHsLHU6McBZhHGeG7VZvUnsvN21ipsu | Solana | Intermediary Wallet B | Received from primary attacker
57zj6DxxCeWZPj9beYKb5XjGZvgG4HqDaLLBiruFBsjM | Solana | Intermediary Wallet C (WBTC/SOL) | Received from primary attacker
ENjbZEiaN6Jje2CyvSHN2pRFRQvZyoSzWPxiQfDtB5sk | Solana | Intermediary Wallet D (WETH) | Received from primary attacker
6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD | Solana | SOL Consolidation Wallet | Downstream of Intermediary B
0xFcC47866Bd2BD3066696662dbd1C89c882105643 | Ethereum | Primary ETH Receiver | Wormhole/CCTP bridge destination
0xfE837a3530dD566401d35BEFcd55582af7c4dFFC | Ethereum | USDC-ETH Swap Wallet | Downstream of ETH primary receiver
0xeF4326f42f2Eb656C58fAbF8b1d3298DC2Ab80c6 | Ethereum | DEX Swap Router (KyberSwap/0x/CowSwap) | USDC-ETH conversion contract router
0xbDdAe987FEe930910fCC5aa403D5688fB440561B | Ethereum | ETH Holding Wallet B (~13K ETH) | Downstream of ETH primary receiver
0xAa843eD65C1f061F111B5289169731351c5e57C1 | Ethereum | ETH Holding Wallet C (~19.9K ETH) | Downstream of ETH primary receiver
0x81d40f21f12a8f0e3252bccb954d722d4c464b64 | Ethereum | USDC Aggregation Wallet (~$35M+) | Downstream of USDC-ETH swap wallet

7. Exchange Deposit Analysis

As of the time of this report, no labeled exchange deposit addresses have been confirmed in the traced fund flow. Funds appear to be held in unlabeled Ethereum wallets pending further laundering steps.

Status | Assessment
Exchange deposits identified | None confirmed as of Apr 2, 2026.
Likely next steps | Tornado Cash / privacy protocol usage; further cross-chain movement (TRON, Monero); P2P OTC off-ramp.
Stablecoin freeze window | CRITICAL: ~$35M USDC in 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 - freeze request to Circle required immediately.
ETH freeze feasibility | Low - ETH is not freezable by issuer; requires exchange cooperation when deposited.
KYC feasibility | Possible if attacker deposits to a KYC exchange; continuous monitoring required.

Critical note on Circle CCTP failure: ZachXBT publicly documented that Circle had approximately a 6-hour window during which stolen USDC was actively being bridged via CCTP from Solana to Ethereum. Circle failed to freeze the funds during this window, allowing the conversion of tens of millions in USDC to ETH, placing those funds beyond the reach of stablecoin issuers. Immediate remediation of Circle's incident response protocols is recommended.

8. Recommendations

Immediate Actions (0-24 hours)

Priority | Action | Target Entity | Target Address
CRITICAL | Freeze remaining USDC - Contact Circle immediately | Circle | 0x81d40f21f12a8f0e3252bccb954d722d4c464b64
CRITICAL | Monitor ETH holding wallets - Flag all outbound TXs | On-chain monitoring | 0xAa843eD65C1f061F111B5289169731351c5e57C1, 0xbDdAe987FEe930910fCC5aa403D5688fB440561B
CRITICAL | Exchange pre-alert - Notify all major CEXs (Binance, Coinbase, Kraken, OKX) of attacker addresses | All major exchanges | All Ethereum holding wallets
CRITICAL | OFAC/FBI referral - Submit DPRK attribution evidence for sanctions designation | US Government agencies | All identified attacker addresses
HIGH | Tether freeze request - USDT held in Solana intermediary wallets | Tether | Solana intermediary wallets
HIGH | Bridge KYC request - Wormhole, deBridge records for bridge hub address | Wormhole Foundation, deBridge | 8ubo4HbWJHKyFJYJc2Gh74dxCP7bN7Fu2Pi13KZ9rGxw

Ongoing Investigation Actions

Priority | Action | Details
HIGH | Continue tracing 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 | ~$35M+ USDC - trace downstream hops to find exchange deposit.
HIGH | 6fhfn98cRC786cSfSraLNb61GDGs7dvEVgVmwCSw1ggD - large SOL consolidation unresolved | Trace Solana SOL wallets.
MEDIUM | Lazarus Group known to bridge to Tron for final off-ramp | Monitor Tron/XRP chains.
MEDIUM | Tornado Cash monitoring | Set up monitoring for ETH holding wallets depositing to Tornado Cash contracts.
MEDIUM | Pre-attack address OSINT | Full OSINT on HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES; test swaps on OKX may reveal KYC-linked accounts.

9. Conclusion

The Drift Protocol exploit represents a highly sophisticated, well-planned state-sponsored attack consistent with North Korea's Lazarus Group. The attacker demonstrated advanced knowledge of Drift's internal architecture, Solana's durable nonce mechanism, and DeFi bridging infrastructure. The attack was executed with near-perfect operational security: pre-staged wallets, automated transaction scripting, multi-bridge simultaneous execution, and immediate stablecoin-to-native conversion.

Fund recovery feasibility assessment:
- ~$35M USDC in 0x81d40f21f12a8f0e3252bccb954d722d4c464b64 is recoverable if Circle acts immediately.
- ~32,913+ ETH (~$70M+) in Ethereum holding wallets is partially recoverable if CEX deposits are detected before further laundering.
- Solana SOL holdings are partially recoverable via exchange cooperation.
- Converted ETH is at risk of imminent Tornado Cash deposit or further cross-chain movement.

Overall recovery window: CRITICAL (24-72 hours). Immediate multi-stakeholder coordination between Drift Protocol, Circle, Tether, Wormhole Foundation, major CEXs, FBI, and OFAC is essential to maximize recovery probability.

Crime type determination: Organized cybercrime / state-sponsored theft - DPRK Lazarus Group (High Confidence, per Elliptic).

This report was generated by SentinelTX Blockchain Forensic Intelligence Platform. All findings are based on publicly available on-chain data and open-source intelligence. This report is intended for law enforcement, compliance, and legal proceedings use.

Appendix: Fund Flow Diagram
(Diagram reference included in the original report structure)

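The report above describes a "5-hop tracing window" and tables of hop-by-hop flows that stop at bridges and exchange deposits. The following is an added example (written for this page, not code from the report or from the SentinelTX platform it cites) of how such a hop-limited trace is computed: a breadth-first walk over outgoing transfers from an origin address that records each address's hop distance, counts only value that arrived over traced edges, and stops expanding at labelled terminal addresses (bridges, exchange deposit addresses), because beyond those points the trail continues only in the bridge's or exchange's own records. The ledger, the address names and the label set are constructed placeholders, not real chain data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    token: str
    amount: float   # USD-equivalent value, already normalised
    ts: int         # unix seconds


# Constructed sample ledger; the address names are placeholders, not real chain data.
SAMPLE_TRANSFERS = [
    Transfer("drainer", "hub", "USDC", 60.0, 10),
    Transfer("drainer", "inter_a", "USDC", 25.0, 11),
    Transfer("drainer", "inter_b", "SOL", 15.0, 12),
    Transfer("unrelated", "hub", "USDC", 5.0, 50),       # inflow not from the drainer: must not be counted
    Transfer("hub", "bridge_wormhole", "USDC", 50.0, 100),
    Transfer("hub", "bridge_cctp", "USDC", 10.0, 101),
    Transfer("inter_a", "cex_deposit_1", "USDC", 25.0, 150),
    Transfer("inter_b", "consolidation", "SOL", 15.0, 160),
    Transfer("consolidation", "cex_deposit_2", "SOL", 15.0, 400),
    Transfer("cex_deposit_2", "cex_hot_wallet", "SOL", 15.0, 500),  # custodial sweep: outside the on-chain window
]

# Constructed attribution labels (in practice these come from an address-labelling dataset).
LABELS = {
    "bridge_wormhole": "bridge",
    "bridge_cctp": "bridge",
    "cex_deposit_1": "exchange_deposit",
    "cex_deposit_2": "exchange_deposit",
}
# Tracing stops at these: funds leave the chain (bridge) or enter custody (exchange deposit),
# so the next step is a records request to that operator rather than another hop.
TERMINAL_LABELS = {"bridge", "exchange_deposit"}


def trace(transfers, origin, max_hops, labels=LABELS):
    """Breadth-first trace of outflows from `origin`, at most `max_hops` hops deep."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    hop_of = {origin: 0}          # address -> shortest hop distance from the origin
    inflow = defaultdict(float)   # address -> value received over traced edges only
    traced = []                   # transfers that fall inside the tracing window
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        hop = hop_of[addr]
        if hop >= max_hops or labels.get(addr) in TERMINAL_LABELS:
            continue              # window exhausted, or funds left the chain / entered custody
        for t in by_src[addr]:
            traced.append(t)
            inflow[t.dst] += t.amount
            if t.dst not in hop_of:
                hop_of[t.dst] = hop + 1
                queue.append(t.dst)
    # Value that reached each class of terminal: the figures a freeze or records request is built on.
    terminal_totals = defaultdict(float)
    for addr, value in inflow.items():
        if labels.get(addr) in TERMINAL_LABELS:
            terminal_totals[labels[addr]] += value
    return {
        "tx_count": len(traced),
        "unique_addresses": len(hop_of),
        "hop_of": dict(hop_of),
        "inflow": {a: round(v, 6) for a, v in inflow.items()},
        "terminal_totals": {k: round(v, 6) for k, v in terminal_totals.items()},
    }


if __name__ == "__main__":
    result = trace(SAMPLE_TRANSFERS, "drainer", max_hops=5)
    for addr, hop in sorted(result["hop_of"].items(), key=lambda kv: kv[1]):
        label = LABELS.get(addr, "-")
        print(f"hop {hop}: {addr:16} label={label:17} inflow={result['inflow'].get(addr, 0.0)}")
    print("traced transfers:", result["tx_count"], "unique addresses:", result["unique_addresses"])
    print("value at terminals:", result["terminal_totals"])
```

Two details matter in practice: the inflow from `unrelated` into `hub` is excluded, so the hub's traced inflow is 60 rather than 65 (mixing unrelated deposits into a stolen-funds total overstates the case), and the exchange's internal sweep from the deposit address to its hot wallet is deliberately not followed, since from that point attribution depends on the exchange's KYC records rather than on more hops.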
dooooo

January 30, 2026

Community Investigation
Unmasking a Sophisticated Solana Scam Network: A $SUBY Forensic Investigation

How automated bots and shared infrastructure revealed a 10-month-old organized crime syndicate.

The blockchain never forgets, but it can be incredibly complex to navigate. Recently, ChainBounty conducted a deep-dive forensic investigation into a significant asset theft involving $SUBY and other Solana-based tokens. What began as a single incident report evolved into the discovery of a professional, long-standing scam infrastructure that has now led to an active criminal investigation by the Cyber Crime Investigation Division in Seoul, South Korea.

1. The Incident: Precision and Automation

On May 30, 2025, a victim’s wallet was drained of approximately 8.2 million $SUBY tokens, along with $SSE and $DAW. The speed of the transfer was alarming.

Our forensic analysis revealed that this wasn’t a manual operation. The assets were moved to an intermediary wallet (46S5bgHq...) and immediately processed through automated scripts. These bots executed swaps into stablecoins and distributed funds across multiple "hop" wallets with 0-second latency, ensuring the trail became as fragmented as possible within minutes.

2. Identifying the “Cash Out” Infrastructure

By tracing the flow of stolen assets, we identified two primary exit points: Bitget Exchange and FixedFloat (a mixing service). While some deposits to these platforms occurred shortly before or after the specific $SUBY theft, our “Infrastructure Analysis” proved a definitive link. We discovered a massive, interconnected network:
- 27 Common Fee Payers: A cluster of wallets consistently funded the gas fees for the attack wallets.
- 63 Shared Addresses: These wallets acted as a central hub for multiple thefts over a 10-month period.

[Image] The Forensic Anomaly: Why tracking the criminal organization is more effective than tracking the tokens alone

This confirms that the attackers are not “lone wolves” but an organized syndicate operating a “Scam-as-a-Service” model on the Solana network.

3. The Evidence: The Smoking Gun

The most compelling evidence of organized crime was the Machine-like Transfer Patterns. Our timeline analysis showed batch processing intervals of exactly 15 to 28 seconds. This level of synchronization is only possible through a dedicated command-and-control (C2) botnet designed for money laundering.

Through our investigation, we identified over $142,430 USDT funneled through the Bitget deposit addresses associated with this specific group.

[Image] Inhuman execution: Batch processing and mechanical intervals confirm the use of laundering bots.

4. Active Investigation and Next Steps

ChainBounty has officially submitted this forensic package to the Seoul Metropolitan Police Agency. The investigation is currently focused on:
- KYC De-anonymization: Working with Bitget to identify the account holders behind the identified deposit addresses.
- Cross-Chain Tracking: Tracing funds that exited via FixedFloat into Ethereum and Bitcoin.
- Asset Freezing: Coordinating with exchanges to blacklist and freeze the identified criminal infrastructure.

Conclusion: Vigilance in the Web3 Era

This case is a stark reminder that in the world of DeFi, your digital footprint — and that of the hackers — is permanent. At ChainBounty, we are committed to turning the tide against these scam networks.

We urge the community to stay vigilant. Do not click on suspicious partnership links or authorize “blind signings” in your wallet. The scammers are professional, but so is our pursuit of justice.

Join the Fight. Follow our investigation and report suspicious activities at our community: 🔗 https://community.chainbounty.io 📧 For inquiries: [email protected]

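The post above rests on two timing observations: batch transfers spaced at mechanically regular intervals (15 to 28 seconds), and hop wallets that forward inflows with "0-second latency". The following is an added example, not ChainBounty's code and not taken from the post, showing how an analyst would turn both observations into a repeatable check over a wallet's transaction timestamps. The timestamps, the wallet names and the thresholds (`min_gaps`, `max_gap`, `max_cv`, `max_seconds`) are constructed assumptions for illustration; real thresholds are tuned against a baseline of ordinary wallets on the chain in question.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    ts: int        # unix seconds
    src: str
    dst: str
    amount: float


# Constructed sample: an outbound batch from a suspected laundering wallet, with gaps of
# 20, 22, 15, 28, 20 and 23 seconds (placeholder data, not real chain activity).
BOT_BATCH_TS = [1_700_000_000 + d for d in (0, 20, 42, 57, 85, 105, 128)]
# Constructed sample: an ordinary user's sporadic activity spread over a few hours.
HUMAN_TS = [1_700_000_000 + d for d in (0, 400, 5200, 5230, 19000, 20100)]


def intervals(timestamps):
    """Gaps in seconds between consecutive transactions."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def interval_stats(timestamps):
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    spread = statistics.pstdev(gaps)
    return {
        "n": len(gaps),
        "min": min(gaps),
        "max": max(gaps),
        "mean": mean,
        # Coefficient of variation: how regular the cadence is, independent of its scale.
        "cv": spread / mean if mean else float("inf"),
    }


def looks_automated(timestamps, min_gaps=5, max_gap=60, max_cv=0.35):
    """Flag a burst of many short, evenly spaced transactions (thresholds are assumptions)."""
    s = interval_stats(timestamps)
    return bool(s and s["n"] >= min_gaps and s["max"] <= max_gap and s["cv"] <= max_cv)


# Constructed sample: a hop wallet that forwards each inflow almost immediately.
HOP_WALLET_TXS = [
    Tx(1_700_001_000, "intermediary", "hop1", 500.0),
    Tx(1_700_001_000, "hop1", "exchange_deposit", 499.5),   # same second as the inflow
    Tx(1_700_002_000, "intermediary", "hop1", 300.0),
    Tx(1_700_002_003, "hop1", "exchange_deposit", 300.0),
]


def forward_latencies(txs, wallet):
    """Seconds from each inflow into `wallet` to the next outflow at or after it (None if never forwarded)."""
    ordered = sorted(txs, key=lambda t: t.ts)
    latencies = []
    for t in ordered:
        if t.dst != wallet:
            continue
        nxt = next((o for o in ordered if o.src == wallet and o.ts >= t.ts), None)
        latencies.append(None if nxt is None else nxt.ts - t.ts)
    return latencies


def automated_forwarding(latencies, max_seconds=5):
    """True when every inflow was forwarded within `max_seconds` (threshold is an assumption)."""
    return bool(latencies) and all(l is not None and l <= max_seconds for l in latencies)


if __name__ == "__main__":
    for name, ts in (("bot batch", BOT_BATCH_TS), ("human", HUMAN_TS)):
        s = interval_stats(ts)
        print(f"{name}: gaps {s['min']}..{s['max']}s, cv={s['cv']:.2f}, automated={looks_automated(ts)}")
    lat = forward_latencies(HOP_WALLET_TXS, "hop1")
    print("hop1 forwarding latencies:", lat, "automated:", automated_forwarding(lat))
```

The cadence test deliberately uses the coefficient of variation rather than the raw spread, so a bot firing every 20 seconds and one firing every 5 minutes are both caught as regular; the `max_gap` bound then separates batch execution from, say, a scheduled daily payment. Forwarding latency is computed per inflow so that a wallet which sometimes sits on funds is not flagged on the strength of one quick hop.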
Yungkai

January 20, 2026

Community Investigation
Gm

dooooo

January 19, 2026

Community Investigation
MemeCore (M) Digital Asset Theft Incident: On-Chain Forensics & OSINT Analysis Report

Introduction

This report details a real-world case submitted by an applicant to ChainBounty's Victim Relief Program. The victim approached us after suffering a significant loss due to a targeted social engineering attack. ChainBounty is actively assisting the victim by providing comprehensive on-chain forensics and intelligence analysis to trace the stolen assets and identify the perpetrators for law enforcement purposes.

MemeCore (M) Digital Asset Theft Incident: On-Chain Forensics & OSINT Analysis Report

1. Executive Summary

This report synthesizes the results of on-chain forensic analysis and Open Source Intelligence (OSINT) investigation regarding the digital asset theft incident that occurred between December 7 and 8, 2025.

The incident appears to have originated from a social engineering attack targeting an active user of Memex, a major dApp in the MemeCore (M) ecosystem. The attacker impersonated community administrators and creators to lure the victim into a fake Telegram group, then induced them to connect their wallet to a fraudulent bot service using "high-yield staking rewards" as bait.

The victim created a new wallet and transferred assets as instructed, but the flow was designed to funnel funds into the attacker's scam network.

On-chain analysis reveals that the stolen funds did not end with a simple transfer. A multi-stage laundering flow was observed, involving MRC-20 token swaps within the MemeCore network, repetitive transactions based on the WM contract, cross-chain bridging via Meson Finance, inflows into Centralized Exchanges (CEX), and dispersed withdrawals across multiple exchanges.

Notably, a "direct-to-exchange" flow is clearly visible in the early stages. M tokens were directly transferred from the victim's wallet to Suspect Bitget Deposit 1 (0x7a5d...), and this fund was collected into the exchange's hot wallet (0x1ab4...) within a short period. This suggests the attacker operated a direct route to the exchange alongside other methods to accelerate cash-out early on.

The damage is calculated based on two criteria:
- Total M Token Outflow (Direct): 2,151.11 M, approx. $2,881.39 (Combined sum of direct transfers to exchange + EOA/Gathering Wallet).
- Total M Token Outflow (Including Bridge): 8,280.11 M, approx. $11,150.17 (Direct outflow + Meson bridge outflow included).

Furthermore, clues suggesting a connection to specific social accounts and developer community profiles were identified in Gathering Wallet 2 (0x1c00...5f), which was confirmed as a key hub for money laundering. Based on this, grounds to narrow down suspect candidates have been partially secured. However, this is a circumstantial judgment based on the correlation between public information (OSINT) and on-chain data, and is not a legally confirmed conclusion.

1.1 Summary Statistics

The key flows are summarized as follows:

1.2 Summary of Key Flows (4 Core Paths)

Path 1: Victim → Direct Outflow to Bitget (Attempt at Immediate Cash-out)
- A total of 2,140.72 M (approx. $2,867) was directly transferred from the Victim Wallet (0xdc54...) to Suspect Bitget Deposit 1 (0x7a5d...).
- The deposit was collected into the Bitget exchange hot wallet (Bitget 6, 0x1ab4...) within minutes (approx. 3-5 mins).
- This flow represents the attacker sending "M tokens that are easy to cash out immediately" straight to the exchange.

Path 2: Victim → Gathering Wallet 1 → Meson Bridge → Gathering Wallet 2 (Mainstream of Indirect Laundering)
- After WM contract processing, 5 types of MRC-20 tokens were received by the Victim Wallet and then drained to Gathering Wallet 1 (0x8325...e6).
- In Gathering Wallet 1, MRC-20s were swapped back to M, and 6,129 M was bridged via Meson Finance (0x25ab...48d3).
- 6,122.87 M arrived at Gathering Wallet 2 (0x1c00...5f) on the BNB Chain.

Path 3: Gathering Wallets 1, 2 → Reconsolidation at Bitget Deposit 2 (Possible Mixing with Other Victims' Funds)
- 900.65 M from Gathering Wallet 1 and 5,007.02 M from Gathering Wallet 2 flowed into Suspect Bitget Deposit 2 (0xb408...).
- The combined total is 5,907.67 M. As there is a "possibility of other victims' funds being mixed," this needs to be interpreted separately from the victim's sole damage amount.
- Subsequent collection into Bitget 6 (0x1ab4...) was confirmed.

Path 4: Multi-chain Dispersed Withdrawal from Gathering Wallet 2 (Evasion/Smurfing)
- From Gathering Wallet 2, after swapping M → BNB, there is a record of 37.51 BNB being dispersed and withdrawn in 48 transactions to 5 exchanges: Bybit, Bitget, MEXC, Binance, and Remitano.
- Activity of the same address was confirmed on Arbitrum and Base as well as BNB, reinforcing the cross-chain laundering pattern.

2. Incident Mechanism and Psychological Analysis

This incident appears to have started from a social engineering scenario targeting human trust rather than technical flaws such as system vulnerabilities. It seems to be a variation of the typical "Pig Butchering (Sha Zhu Pan)" tactic adapted to the MemeCore ecosystem context. There are indications that the attacker analyzed the community atmosphere and the victim's activity patterns beforehand to approach with a tailored script.

2.1 Manipulating the Environment to Build Trust: "The Illusion of the Fake Room"

The attack seems to have begun with an approach from an account mimicking an acquaintance active on Memex. In anonymous messenger environments like Telegram, profile pictures and Display Names can be configured similarly, and Usernames (Handles) are hard to distinguish with just a one-character difference. The attacker was judged to have secured trust by exploiting these characteristics. The Telegram room the victim was invited to contained multiple accounts impersonating Admins and Creators. They staged the room to look like an "Official Community" by continuing conversations or sharing profit verification screenshots even before the victim joined. In such an environment, it was easy to mistake the room for an extension of the official Memex community, which became the basis for the fraud.

2.2 Technical Deception: Fake Bot and Inducing Wallet Connection

Once a certain level of trust was established, the attacker guided the victim, saying, "You can receive staking rewards if you connect your wallet via the Telegram bot". The method is close to a typical Phishing or Drainer type. The wallet (0xDC54...69b) the victim newly created and connected was a "clean wallet" with almost no transaction history. The moment the victim trusted the instructions and moved assets, it is likely the attacker secured control through one (or a combination) of the following methods:
- Possibility that the transaction signed via the bot was actually an Unlimited Token Approval, not staking.
- Possibility that it was designed to execute an asset Transfer transaction during the signing or connection process.
- Possibility that keys or permissions were exposed to the attacker during the wallet creation/connection process.

The key point is that "Wallet Connection" may have turned into an act of handing over actual asset authority, rather than simple login or authentication.

3. Technical Characteristics of MemeCore Ecosystem and Asset Structure

To interpret the fund flow, it is necessary to first understand the background of the MemeCore chain where the victim's assets existed and the asset structure. This explains why the attacker performed repetitive swaps and why the laundering path developed into a specific pattern.

3.1 MemeCore and Proof of Meme (PoM)

MemeCore is a Layer 1 chain aimed at connecting the cultural value of Memes with an economic reward structure. It promotes Proof of Meme (PoM) as its consensus structure, which includes elements like community contribution and viral activities in the reward system alongside simple staking. The base asset of this chain is the M token. M is used for core functions such as gas fees, governance, and validator staking, and has relatively high liquidity, which is why the attacker ultimately pooled funds into M for laundering.

3.2 MRC-20 Token Standard and Cash-out Constraints

Tokens such as NinjaMEX, walxop, LIFT, Bubger, and Abudium identified in the swap path of this incident follow the MemeCore-specific token standard (MRC-20). These appear to be "transit tokens" temporarily passed through during the process of the attacker exchanging stolen assets on the internal DEX, rather than assets originally held by the victim. Technically similar to ERC-20, they are structured for the creation and circulation of meme tokens within MemeCore. The issue is external compatibility. Since it is rare for external chains, centralized exchanges, or bridges to directly support MRC-20, it is difficult for the attacker to move them out externally and cash them out in the MRC-20 state. Eventually, to proceed to the actual cash-out stage, they must go through the flow of: converting back to M on the internal DEX -> moving to an external chain (BNB Chain, etc.) via a bridge -> attempting cash-out via swap/dispersed withdrawal on the external chain. The massive internal swap transactions observed in the report are interpreted as reflecting the constraint of having to convert back to M for external export, along with the possibility of transit swaps intended to confuse tracking in some sections.

4. Incident Timeline and Detailed Forensic Reconstruction

This incident is clearly divided into Reconnaissance & Testing on December 7 and the Main Exploit on December 8. The attacker checked the validity of the path the day before, and then stole all available assets and proceeded with rapid laundering the next day.

4.1 Phase 1: Reconnaissance and Initial Infiltration (Dec 7) – Traces Left by Destination Choice

Immediately after securing access rights, the attacker showed a pattern of verifying two things with small (or relatively small) transfers first, rather than moving the full amount immediately:
- Whether the wallet is actually usable by the attacker.
- Whether the exchange deposit is processed normally (no risk of detection/blocking).

At 10:18 UTC, 388.717 M was transferred to Bitget Deposit 1 (0x7a5d...), and at 14:08 UTC, an additional 752 M was transferred via the same path. This flow aligns with the typical pattern of a small test followed by additional transfers. The notable point is that the receiving address 0x7a5d...337 is estimated to be a User-Assigned Deposit Address of a Centralized Exchange (Bitget), not a personal wallet. Funds flowing into this address were observed being collected into the Bitget hot wallet (0x1ab4...f23) within minutes. If cooperation with the exchange is established, there is a possibility that tracking can continue on an account basis (KYC-based).

4.2 Phase 2: Full-Scale Asset Theft and Laundering (Dec 8) – Forced Conversion to M and Exfiltration

The full-scale theft proceeded rapidly on December 8. In this phase, it is observed that repetitive processing of the WM contract and mass liquidation (swap) of MRC-20 tokens were carried out in parallel with simple transfers.

4.2.1 WM Repetitive Processing Pattern

Between 06:45 and 06:49 UTC, 8 repetitive transactions occurred against the WM contract, confirming processing (Deposit/Withdraw) of approximately 8,000 M. This repetitive wrapping/unwrapping can be interpreted as (1) a staging to confuse tracking, or (2) a preparatory step to match the asset form required for subsequent swaps/bridging.

4.2.2 Organized Outflow of 5 MRC-20 Tokens and Immediate Cash-out

Around 1:24 PM, continuous M→MRC-20 swap transactions via the internal DEX occurred in the victim's wallet, which appear to have been performed by the attacker. Subsequently, these 5 MRC-20 tokens were transferred to Gathering Wallet 1 (0x8325...eae6), where a process of converting them back to M via the Swap Router was observed. This choice is pragmatic from the attacker's perspective. The longer low-liquidity meme tokens are held, the greater the price fluctuation and tracking traces may become. It seems the attacker chose to quickly convert MRC-20 to M to increase mobility and cash-out potential.

4.3 Phase 3: Cross-Chain Bridging and Final Concealment – Attempt to Evade Tracking via Chain Hopping

The secured M tokens did not stay in the MemeCore chain for long and were observed moving to the BNB Chain via the Meson Finance (0x25ab...48d3) cross-chain bridge.
- Meson Bridge: 6,129 M Deposited.
- BNB Chain Arrival: 6,122.87 M received at Gathering Wallet 2 (0x1c00...5f) (Approx. 3 mins to arrive).

Gathering Wallet 2 subsequently acts as a hub to send funds to exchanges or disperse them to other chains (Base, Arbitrum). It has a strong character of an "Operational Wallet" used repeatedly rather than a simple transit point.

5. Fund Flow Structure Analysis

Funds drained from the victim's wallet moved largely in two directions:
- Direct Outflow straight to the exchange (Priority: Speed).
- Indirect Laundering via gathering wallets and bridges (Priority: Evasion).

5.1 Key Deposit (Receiving) Addresses
- Suspect Bitget Deposit 1: 0x7a5d...337 / Received: 2,140.72 M (~$2,867.47) / Note: Exchange Transfer.
- Gathering Wallet 1 (MemeCore): 0x8325...eae6 / Received: 5 MRC-20s + 10.39 M / Note: MRC-20 → M Swap.
- Gathering Wallet 2 (Multi-chain Same Address): 0x1c00...285f / Received: 6,122.87 M & Multi-chain activity (BNB/Arbitrum/Base).
- Suspect Bitget Deposit 2: 0xb408...dd5c / Received: 5,907.67 M (~$7,969) / Note: From Gathering Wallets 1, 2 → Exchange. Caution: Possibility of mixing with other victims' funds.

5.2 Characteristics and Implications in Fund Flow

First, the laundering strategy is split into two. Part of it prioritized speed by sending it quickly to the exchange (Path 1), while the rest tried to make tracking difficult through bridging and multi-chain dispersion (Paths 2, 4). Second, Bitget appears repeatedly. Both the direct outflow path (0x7a5d...) and the path from the gathering wallet (0xb408...) converge to Bitget deposit addresses. In particular, 0xb408... is a common point receiving funds from both Gathering Wallet 1 and Gathering Wallet 2, making it a candidate for a key cash-out window. However, as other victims' funds may be mixed in this section, definitive conclusions should be avoided. Third, Gathering Wallet 2 (0x1c00...5f) functions as a central node that receives bridged funds and then performs exchange transfers or dispersion to other chains.

5.3 Multi-Exchange Dispersed Withdrawal (Smurfing) Statistics (BNB Only)

From Gathering Wallet 2 (BNB Chain) → Exchange Withdrawal Statistics:
- Bybit: 23.44 BNB / 16 txs
- Bitget: 7.15 BNB / 2 txs
- MEXC Global: 5.06 BNB / 22 txs
- Remitano: 1.30 BNB / 4 txs
- Binance: 0.56 BNB / 4 txs
- Total Exchange Withdrawals: 37.51 BNB / 48 txs / 5 Exchanges

Note: After swapping M → BNB at Gathering Wallet 2, dispersed withdrawals were made to multiple exchanges. Activity of the same address was confirmed on Arbitrum and Base, reinforcing the cross-chain laundering pattern. Reference: Remitano is known as a platform widely used for P2P trading in Southeast Asia, which can serve as a reference clue for geographic profiling (Note: Do not conclude).

6. Relevant Actor Intelligence Analysis

In this investigation, by cross-examining on-chain flows and off-chain public activity traces, we secured clues to narrow down the relevant Actor (Actor A) and associated account/profile candidates. The central address of the analysis is Gathering Wallet 2 (0x1c00...5f), and OSINT information was organized around this address.

6.1 Circumstances Connecting On-Chain Activity and Digital Identity

In this case, some clues were observed where 0x1c00...5f, identified as a key gathering address, could be connected to external public activities. If the same address is repeatedly mentioned or exposed in specific social accounts or community profiles, it can serve as important evidence connecting on-chain addresses with off-chain activities. There are circumstances where a specific social account marked as (Redacted) posted the 0x1c00...5f address multiple times in posts related to past airdrops, whitelist registrations, faucet participation, etc. This raises the possibility that the address is associated with the account's activity to a certain level.

6.2 Detailed Identity Profile (Circumstantial)

In the OSINT investigation, circumstances were confirmed where the social account/handle marked as (Redacted) is connected to a specific bounty/task platform (e.g., Superteam Earn) account/profile. The following additional information is derived from this:
- Real Name/Legal Identity: (Redacted)
- Country/Region of Residence: (Redacted; Partially consistent with Remitano usage patterns, etc.)
- Professional Identity: (Redacted; Based on self-introduction)
- Tech Stack Claims: (Redacted)
- Activity Character: (Redacted)

Additional Explanation: Meaning of "Partially Consistent with Remitano Usage Patterns"

Here, "Partially consistent with Remitano usage patterns" does not mean concluding residence in a specific country/region (e.g., Vietnam) solely because Remitano appeared. It is intended to be referred to as a supplementary clue that increases probability from the perspective of Geo-profiling. Specifically:
- Regional Character of Remitano: Remitano is known to be relatively widely used for P2P On/Off-ramp (cash-out/settlement) purposes in Southeast Asia (especially Vietnam) rather than being used equally worldwide like global major exchanges. Therefore, if Remitano is naturally included and repeatedly observed in the multi-exchange withdrawal flow, the possibility that the actor's living sphere/settlement environment touches the Southeast Asian region (including Vietnam) relatively increases.
- Hints from "Exchange Combination": In this case, regional P2P channels like Remitano appear alongside general-purpose exchanges like Bybit, Binance, and MEXC. This combination can be interpreted as a form often observed in dispersed withdrawals considering the final cash-out route, rather than simple investor propensity.

Therefore, Remitano traces are worth referencing as a "Geographic Clue Candidate".
However, it is a "Supplementary Clue," not definitive evidence. Final confirmation must be made through cooperation/investigation data such as exchange KYC, login/access logs (IP/Device), and withdrawal methods (Bank/Payment info).7. Conclusion & Our CommitmentComprehensive Conclusion This incident, occurring on December 7-8, 2025, was a social engineering-based asset theft. Funds were laundered through two parallel paths:A direct path flowing straight into the Bitget exchange (Speed).An indirect path exfiltrated to external chains via the Meson bridge after internal swaps on MemeCore (Stealth).Additionally, circumstantial evidence links "Gathering Wallet 2" (0x1c00...5f) to specific social accounts and developer profiles, providing strong identification clues for law enforcement.Response Strategy ChainBounty has advised a phased response:Phase 1: Immediate reporting to law enforcement with key TxIDs and requesting asset freezing at Bitget.Phase 2: International cooperation review for cross-border tracking.Phase 3: Continuous monitoring of suspect addresses and community education on risk factors.Need help tracking stolen funds? Recovering stolen assets starts with professional tracking. If you have been targeted by a similar exploit, do not hesitate to reach out. ChainBounty's Victim Relief Program provides the forensic evidence needed for law enforcement reporting and exchange cooperation.👉 Apply for Victim Relief Program: https://chainbounty.io/en/event/campaign-victim-support/(Disclaimer: This report is based on on-chain data and public OSINT. Identity-related content is circumstantial estimation. Final legal judgments must be confirmed through lawful procedures by law enforcement agencies.)

MemeCore (M) Digital Asset Theft Incident: On-Chain Forensics & OSINT Analysis Report
BountyXBT

December 28, 2025

Community Investigation
Trust Wallet Breach Report: Damage Assessment, Fund Flows, VASP Inflows, and Response Strategies

Disclaimer: This report was prepared on the basis of on-chain data and public information as of December 26, 2025. New facts may be confirmed as the investigation progresses and additional data is obtained, and whether a specific wallet address is involved in a crime is subject to the final judgment of the judicial authorities. If you need additional datasets or raw data, please contact [email protected].

1. Executive Summary
1.1 Incident Overview
This report is the result of a forensic analysis that organizes, around verifiable facts and evidence, the compromise of the Trust Wallet browser extension (v2.68) that occurred between December 24 and 26, 2025. It is reasonable to view this incident not as a vulnerability in the blockchain protocol itself but as a supply chain attack in which the wallet extension's distribution/update path was contaminated.
The attacker concealed and injected malicious JavaScript (4482.js) inside the extension, designed to steal the mnemonic recovery phrase (seed phrase) at the moment the user actually uses the wallet (unlocking, seed entry, etc.). From the moment the mnemonic is leaked, the attacker can control the entire wallet regardless of any further approval by the user, so damage can spread rapidly within a short time.

1.2 Scale of Damage
The confirmed damage, at spot value at the time of the incident, is as follows.
- Total loss: USD 7,239,223.79 (about 7.24 million dollars)
- Victim wallets: 1,311 (EVM 1,171 + Bitcoin 140)
- Related transactions: 1,906
- Average loss per wallet: USD 5,521.91
Damage was confirmed on a total of 8 blockchain networks including Ethereum, Bitcoin, and Polygon, and about 92% of the total loss is concentrated in Ethereum and Bitcoin.

1.3 Key Findings
(1) Attack Vector
Indications were confirmed that the malicious JavaScript (4482.js) included in extension v2.68 collected users' mnemonics and transmitted them to api.metrics-trustwallet.com. This communication was disguised to look like normal telemetry or error reporting, and is interpreted as having been designed so that anomalies would not readily show up in simple monitoring.
(2) Money Laundering and Chain Hopping
The attacker used chain hopping, converting BTC to ETH via SOL using a Relay.link-based cross-chain bridge. The more the funds move between chains, the sharper the increase in the difficulty of tracing and recovery, and this functions as an obfuscation strategy to evade single-chain detection and blocking.
(3) Final Destinations (Service Providers/VASPs)
About 57.4% (about USD 4.15M) of the stolen funds were confirmed to have flowed into centralized exchanges and instant exchange services, with ChangeNOW, KuCoin, and HTX identified as the main destinations. This segment is the most realistic point of contact for future freeze requests, investigative cooperation, and fund recovery procedures.

1.4 Basis of Analysis and Calculation Criteria
This analysis reached its conclusions by cross-validating on-chain transaction data against indications of communication with attacker infrastructure (C2). The loss was calculated using a price snapshot at the time of the incident; tokens judged to be illiquid or spam-like and extremely small dusting transactions were excluded, and victim wallet addresses were de-duplicated on a unique-address basis.

2. Incident Reconstruction and Technical Analysis
2.1 Attack Timeline and Execution Stages
This attack is assessed as an organized intrusion prepared over at least three weeks rather than a one-off incident. The attacker deliberately executed the stages of (1) infrastructure construction, (2) malware development and verification, (3) distribution through the supply chain, and (4) asset theft and laundering.

2.1.1 Infrastructure Preparation Stage (2025-12-08)
On December 8, about two weeks before the incident, the attacker registered the metrics-trustwallet.com domain, laying the foundation for the attack [1]. The domain name appears designed to be mistaken for Trust Wallet's performance-monitoring or telemetry server, a typical disguise strategy that invites confusion with a legitimate service. The registrar was confirmed as 'NICENIC INTERNATIONAL', and at this stage the attacker appears to have first completed a structure in which the stolen information could be stably collected and stored, by configuring a C2 (Command & Control) server and a data-collection API endpoint (api.metrics-trustwallet.com).

2.1.2 Supply Chain Contamination and Distribution (2025-12-21 to 12-24)
From December 21, initial connection queries toward the C2 server were observed, presumed to be the point at which the attacker checked whether the malicious code's behavior (collection, transmission, concealment) worked as intended in a real environment. Then on December 24, just before the Christmas holidays, Trust Wallet browser extension v2.68 containing the malicious code was uploaded to the Google Chrome Web Store. This timing is also consistent with the 'Holiday Attack' pattern, which targets the weakening of monitoring and response capacity during holiday periods.

2.1.3 Analysis of the Malicious Payload 4482.js
The analysis confirms that the core malicious behavior was performed by the 4482.js file hidden inside the extension [3]. The attacker appears to have applied a combination of techniques aimed at both evading detection and delaying analysis.
(1) Impersonation of a legitimate library
The malicious code was disguised in the form of posthog-js, an open-source user behavior analytics library. Indications were confirmed that the code structure, naming (variable and function names), and call patterns were made to resemble a normal analytics tool in order to bypass automated scans or simple code review.
(2) Event-driven trigger
The malicious logic was not designed to run constantly; it was designed to activate only on specific events in which sensitive information is actually generated or exposed, such as when the user enters a password to unlock the wallet or enters the seed phrase. For example, it was implemented to operate only when conditions such as a GET_SEED_PHRASE call were met, so that no anomaly would show under normal circumstances.
(3) Data hiding
The stolen mnemonic data was not transmitted in plaintext; it is analyzed to have been hidden in encrypted form in unstructured fields of the HTTP request, such as errorMessage, and sent to the C2 server. This method lowers the likelihood of detection by making the communication look like simple error reporting or log transmission to network security devices (IDS/IPS) or during traffic analysis.

2.1.4 Theft of Funds and Response (2025-12-25 to 12-26)
On December 25 (Christmas Day), mnemonics were leaked the moment users who had updated to v2.68 actually used their wallets (unlocking, seed entry, etc.), and the attacker rapidly stole the victims' assets through an automated sweeping bot. Subsequently, warnings from on-chain investigators ZachXBT and 0xakinator triggered the spread of the incident within the community, and Trust Wallet officially acknowledged the breach on December 26 and distributed patched version v2.69.

3. Detailed Damage Status and Forensic Analysis
Damage Analysis Summary
Loss valuation criteria
The loss was calculated by strictly applying the same valuation rules based on a price snapshot at the time of the incident date, December 24, 2025 (BTC $87,000, ETH $2,930, MATIC $0.10, etc.). This is a conservative approach intended to prevent over- or under-estimation of the loss due to price movements after the incident.

3.1 Victim Counting Method
The victim-count statistics in this report are calculated on the basis of 'Unique Wallet Addresses'.
- The same wallet address is counted as one victim.
- Even if multiple transactions are confirmed from the same address, it is counted as one if the wallet address is the same.
- Dusting transactions were excluded.
- Fake Token transactions were excluded.
Note: limits on the number of actual individual victims
The calculated victim count of 1,311 is a 'number of wallet addresses'. Since it is common in blockchain usage for one person to operate several wallets (asset distribution, separation of purpose, privacy, etc.), the actual number of affected individuals may be lower. Allowing for the usual likelihood of overlapping ownership, the actual number of individual victims could be estimated at roughly 437 to 655 (about one-third to one-half of the wallet count).

3.2 Confirmed Scale of Damage
The final confirmed figures (verification result) are as follows.
- Unique victim wallets (addresses): 1,311
- Number of transactions: 1,906
- Total loss (USD): 7,239,223.79

3.3 Losses by Chain
Chain-level damage was confirmed on both EVM-compatible chains and the Bitcoin network, and by total value the Ethereum network accounts for the largest share.
- Ethereum: 909 victim wallets, 1,186 TX, loss $4,439,296.10
- Bitcoin: 140 victim wallets, 141 TX, loss $2,233,362.26
- Polygon: 151 victim wallets, 195 TX, loss $566,565.43
- Arbitrum: 173 victim wallets, 203 TX, loss $70,208.29
- Base: 116 victim wallets, 175 TX, loss $41,498.09
- Others (Nova, Linea, zkSync, etc.): 56 victim wallets, 6 TX, loss $1,540.98
Note: Since the per-chain 'victim wallet count' is aggregated per chain, the same user who suffered losses on several chains may be counted more than once. In addition, depending on how the bridge/swap segments are labelled and classified, some items may be classified separately or reflected more than once, so simply summing the per-chain figures may differ slightly from the overall total.

3.4 Top Stolen Assets & Concentration
A total of 239 asset types were confirmed stolen, but the monetary loss is strongly concentrated in a few core assets.
- Concentration of the top 3 assets (ETH, BTC, MATIC): 84.4% of the total loss
- ETH: $3,312,855.48 (about 1,130 ETH)
- BTC: $2,233,362.26
- MATIC: $566,565.43 (about 5.66M MATIC, at $0.10 at the time)
Note: stablecoin losses
- USDT: $539,643.99 (about 7.5% of the total)

3.5 Deep Insights
(1) The particularity of Bitcoin losses: 'few victims, but large amounts'
The Bitcoin network accounts for 140 victim wallets, about 10.7% of the total, but its loss of $2,233,362.26 is about 30.9% of the total. The average loss per wallet is also high, at about $15,953.
Interpretation: Some users holding Bitcoin in Trust Wallet may have used the wallet for long-term storage (as a substitute for cold storage) rather than for trading, which appears to have produced a pattern in which 'large losses are concentrated in a few wallets'.
(2) Loss concentration and the 'whale' effect: the key variable distorting the distribution
The losses show a typical long-tail structure. Many small-loss wallets exist, while at the same time a few large-loss wallets drive up the total loss substantially. For example, the loss of Top Victim #1 (0x062a31bd836cecb1b6bc82bb107c8940a0e6a01d) is about $2,566,742.43, accounting for about 35.5% of the total loss ($7,239,223.79). Excluding this single wallet, the average loss of the remaining 1,310 wallets falls to about $3,566.78 (a meaningful decrease compared with the overall average of $5,521.91).
Implication: the scope of infection was wide, but the 'final total loss' is greatly expanded by the presence of a few large-loss wallets. Therefore, the response is also most efficient when run in parallel on (1) a fast freeze/recovery track centered on the top victims and (2) a standardized blocking/reporting/guidance track for the many ordinary victims.

4. Fund Flow and Laundering Mechanism
Rather than the traditional mixer approach of 'blending everything at once', the attacker combined chain hopping, repeatedly moving across different blockchain networks, with deposit dispersion, spreading funds across many deposit addresses at centralized exchanges and instant swap services.

4.1 Step 1: Aggregation and Consolidation of Funds
Immediately after the theft, the attacker gathered the funds from about 1,300 victim wallets into a small number of manageable intermediate aggregator wallets. This is the starting point of a 'concentrate-then-disperse' tactic that serves (1) gas-fee optimization, (2) automation of subsequent laundering work, and (3) making investigation and analysis harder.
A) EVM aggregation hub
- Address: 0x463452C356322D463B84891eBDa33DAED274cB40
- Summary: received a total of about $4.35 million from about 169 victims
- Significance: more than 60% of the EVM-side stolen funds are confirmed to have passed through this point, making it the most important primary tracing target from an investigative standpoint.
B) Bitcoin aggregation hub
- Address: bc1q3ykewj0xu0wrwxd2dy4g47yp75gxxm565kaw6m
- Summary: received 16.34 BTC (about $1.6 million) from 32 victims
- Significance: functions as the 'starting point' from which the cross-chain laundering loop begins.

4.2 Step 2: Cross-Chain Laundering (BTC → SOL → ETH Loop)
The technically most important finding of this analysis is that the attacker built a three-stage laundering loop passing through Solana and Ethereum to sever Bitcoin tracing. It is designed so that tracing breaks off if one only looks at a single-chain explorer, and Relay.link served as the connecting link.
(1) Bitcoin exit (BTC Exit)
- Origin: Bitcoin aggregation wallet bc1q3yk…
- Action: transferred about 4.75 BTC (about $465,500 at the time) to Relay.link
- Intent: to break the UTXO-based tracing flow of Bitcoin and 'move' the funds inside the bridge to weaken the link to the source
(2) Solana transit
- Arrival: 7DWfnYqLzAjsKsPcNmZU24p8mbPSNyrQhGJBMn7A7LW9
- Received: about 3,391.88 SOL
- Action: after moving to Solana and a brief stay, prepared to move again to Ethereum via Relay.link
- Significance: Solana's fast processing and low fees are advantageous for an attacker who wants to blur the origin by repeatedly swapping, splitting, and re-moving within a short time.
(3) Ethereum re-entry and cash-out
- Arrival: 0x91b05D18A916e4834E48378B3A4f1391C489bC4c
- Received: about 124.37 ETH (worth about $364,404)
- Follow-up: immediately after receipt, transferred to ChangeNOW deposit address 0xe2d7adc202f7aeb2ede69b52a53ef340b5933795
Analysis conclusion
This loop is an evasive maneuver meant to neutralize investigation and tracing methods that 'follow to the end within one chain'. In particular, by exploiting the fact that Relay.link operates in a non-custodial structure with limited KYC touchpoints, the attacker appears to have succeeded in loosening the tracing links.

4.3 Inflows to Service Providers (VASPs) and Attribution
In the final stage, funds flow into centralized exchanges (CEX) or instant exchange services. The analysis identifies a total inflow of about $4.15 million, corresponding to about 57.4% of the total loss. This represents the 'maximum visible range' within which investigative agencies can review actual recovery possibilities through warrant execution, KYC/log acquisition, and freezing measures.
4.3.1 Summary of Major (Top) Destinations
- ChangeNOW: inflow $2,345,903 (56.5% of identified inflows). Characteristics: used intensively on both the EVM side (about $1.74M) and the BTC side (about $0.6M); strong indications that it was effectively used as a 'mixer substitute'.
- FixedFloat: inflow $852,341 (20.5%). Characteristics: BTC-centered inflows; a structuring pattern of splitting deposits into 10 ETH units was observed.
- KuCoin: inflow $367,236 (8.8%). Characteristics: mainly BTC; as a KYC-based exchange, the likelihood of obtaining real-name account information is relatively high.
- HTX (Huobi): inflow $293,938 (7.1%). Characteristics: inflow of EVM funds (USDC, etc.) confirmed.
- Others: additional small destinations exist; on the other hand, a considerable amount appears to remain untraced or to remain in personal wallets.
Example of cryptocurrency fund movement and dispersion paths (diagram)
This diagram shows the laundering flow in which funds from numerous victim wallets are aggregated at the 'Origin' wallet (0x463452) and then, to hinder tracing, pass through several intermediate wallets before being finally dispersed to various exchanges and services (deposit accounts) such as ChangeNOW, KuCoin, HTX, and FixedFloat. Source: CATV
Investigative point: ChangeNOW's share
The fact that ChangeNOW handled more than half (56.5%) of the identified funds is decisive from the standpoint of resolving the case. Even a service that claims 'exchange without sign-up' may, under its internal risk policy, hold transactions, require additional verification (KYC), or freeze funds when large or high-risk inflows are detected. In other words, engagement with ChangeNOW is directly tied to the likelihood of recovery.

5. Regulatory and Legal Response Strategy
The addresses, transactions, and destination-service information obtained through forensic analysis must be connected to immediately enforceable measures. The key is 'time'. Because funds are quickly swapped, dispersed, and moved again after deposit, the intensity of the response within the first 24 to 72 hours determines the outcome.
5.1 Response Strategy by Target
5.1.1 ChangeNOW and FixedFloat (instant exchange services)
These services are close to non-custodial, but they hold the transaction logs and operational metadata of the moment the swap occurs. The following measures are therefore required.
A) Emergency asset freeze (Freeze Request)
An immediate freeze request is needed for funds that flowed into the ChangeNOW deposit address (e.g. 0xe2d7adc…) and the FixedFloat deposit addresses. Even if the funds have already been withdrawn, the outbound address is likely a wallet controlled by the attacker and becomes a key lead for second-stage tracing.
B) Preservation and production of digital evidence
The access IP at the time of the transaction, User-Agent, device/browser fingerprint (where available), session timeline, and so on directly help in estimating the attacker's location and the devices used. The desirable flow is to first send a 'Preservation Request' to prevent log destruction, and then demand production through legal procedures.
5.1.2 KuCoin and HTX (centralized exchanges)
These exchanges have AML/KYC frameworks, so the likelihood of accessing identity information at the account level is relatively high.
A) KYC information request
For example, for accounts that received inflows at KuCoin deposit addresses (0x0d986…, etc.), the real name, address, copies of passport/ID, selfie verification, account activity logs, and so on should be pursued.
B) Account freeze and return procedure
If the funds can be substantiated as criminal proceeds, this can lead to freezing the account balance and to procedures for returning it to victims (or holding it with the investigative agency). In practice, each exchange's required format (case number, official letter from the competent authority, list of addresses and TX hashes, victim statements, etc.) must be satisfied.

5.2 Cross-Chain Bridge (Relay.link) and the Regulatory Gap
The Relay.link path currently sits in a regulatory blind spot. However, digging further into its structure may yield leads. The key questions to confirm are:
- Does Relay.link process swaps with its own liquidity pools, or does it call the liquidity of external partners (major exchanges/liquidity providers) via API?
- If external liquidity (e.g. integration with a major exchange) is confirmed, can legal demands (warrants, cooperation requests) be extended to that 'upstream liquidity provider'?
The more the structure is clarified, the more likely it is that links that seemed to break inside the bridge will reconnect to a 'regulable point of contact'.

6. Conclusion and Recommendations
This Trust Wallet breach, with a confirmed loss of about $7.24 million, clearly shows how fatal the consequences of software supply chain weaknesses can be for user assets. The attacker displayed a high degree of preparation and technical capability, executing step by step the prior construction of infrastructure, distribution abusing the official update channel, and laundering based on cross-chain hopping.
However, even an attacker aiming for the 'perfect crime' finds it difficult to hide every flow permanently because of the transparency of on-chain data. The main route BTC → SOL → ETH → ChangeNOW has already been identified, and the fact that more than 57% of the total loss flowed into investigable services (exchanges/exchange services) leaves open the possibility of asset freezing and recovery.
The key now is rapid execution.
- Investigative agencies: immediately initiate international cooperative investigation based on the key deposit addresses and fund-flow diagram specified in the report, and prioritize enforcement of freeze and evidence-preservation procedures.
- Victims: pursue relief through official procedures (investigative cooperation, civil and criminal action, exchange freeze requests), while remaining wary of secondary scam attempts.
- Wallet service providers: strengthening of code-signing verification, an audit system for third-party libraries, and the introduction of real-time detection and alerting for abnormal transaction patterns are urgent.
Final recommendation: warning about secondary scams (Recovery Scams)
Secondary scams that approach victims claiming they will 'recover the hacked funds' are frequent. Do not trust anything other than procedures through official investigative agencies and Trust Wallet's official channels.

BountyXBT

December 27, 2025

Community Investigation
Trust Wallet Breach Report: Damage Assessment, Fund Flows, VASP Inflows, and Response Strategies

Disclaimer: This report is based on on-chain data and publicly available information as of December 26, 2025. As investigations progress and additional data becomes available, new facts may emerge. Any determination of whether a specific wallet address is linked to criminal activity is ultimately up to the competent judicial and law-enforcement authorities. If you need an additional dataset or the underlying raw data, please contact [email protected].

1. Executive Summary
1.1 Incident overview
This report presents a fact-based forensic analysis of the Trust Wallet browser extension (v2.68) compromise observed between December 24 and 26, 2025. The evidence strongly suggests this was not a vulnerability in any blockchain protocol itself, but a supply chain compromise in the wallet extension's distribution/update path.
The attacker injected a malicious JavaScript payload (4482.js) into the extension. The payload was designed to steal users' mnemonic seed phrases at the exact moment the wallet is actively used (for example, unlocking the wallet or entering a seed phrase). Once a seed phrase is exposed, the attacker can take full control of the wallet without any additional user approval. This is why losses can spread quickly and at scale in a short time.

1.2 Confirmed damage
Based on spot value at the time of the incident, the confirmed losses are:
- Total losses: USD 7,239,223.79 (about USD 7.24M)
- Victim wallets: 1,311 (EVM 1,171 + Bitcoin 140)
- Related transactions: 1,906
- Average loss per wallet: USD 5,521.91
Losses were observed across eight blockchain networks including Ethereum, Bitcoin, and Polygon. Roughly 92% of total losses are concentrated in Ethereum and Bitcoin.

1.3 Key findings
(1) Attack vector
Indicators suggest the malicious JavaScript (4482.js) embedded in extension v2.68 collected mnemonic seed phrases and transmitted them to api.metrics-trustwallet.com. The traffic appears intentionally disguised as normal telemetry or error reporting, making it less likely to stand out in basic monitoring.
(2) Laundering via chain hopping
The attacker used a Relay.link-based cross-chain route to move value from BTC through SOL and into ETH. Repeated cross-chain moves sharply increase tracing and recovery complexity and help evade single-chain monitoring and controls.
(3) Final destinations (service providers / VASPs)
Approximately 57.4% of the stolen funds (about USD 4.15M) are confirmed to have flowed into centralized exchanges and instant swap services. Major identified destinations include ChangeNOW, KuCoin, and HTX. This layer is the most realistic point for freeze requests, investigative cooperation, and recovery workflows.

1.4 Methodology snapshot
We derived conclusions by cross-validating on-chain transaction data against attacker infrastructure and suspected C2 communication patterns. Loss valuation uses a price snapshot from the incident window. Illiquid tokens, spam-like assets, and tiny dusting transfers were excluded. Victim counting is based on unique wallet addresses with duplicates removed.

2. Incident Reconstruction and Technical Analysis
2.1 Attack timeline and execution stages
This incident appears to be a coordinated operation with at least three weeks of preparation, not a one-off event. The attacker executed a staged plan: (1) infrastructure setup, (2) payload development and testing, (3) supply-chain distribution, and (4) theft and laundering.
2.1.1 Infrastructure preparation (2025-12-08)
About two weeks before the main theft window, the attacker registered the domain metrics-trustwallet.com. The naming is likely intentional, designed to resemble a legitimate Trust Wallet monitoring or telemetry endpoint and create confusion. The registrar is identified as "NICENIC INTERNATIONAL." At this stage, the attacker appears to have prepared C2 infrastructure and an API endpoint (api.metrics-trustwallet.com) to reliably collect and store stolen data.
2.1.2 Supply-chain contamination and distribution (2025-12-21 to 12-24)
Initial queries toward the C2 infrastructure were observed starting December 21, consistent with pre-deployment testing (data collection, exfiltration, and stealth). On December 24, right before the Christmas holiday period, Trust Wallet extension v2.68 containing the malicious code was uploaded to the Chrome Web Store. This timing aligns with a "holiday attack" pattern, where attackers exploit reduced monitoring and slower response during holidays.
2.1.3 Malicious payload analysis: 4482.js
Our analysis indicates the core malicious behavior resides in the hidden 4482.js file. The attacker used multiple techniques aimed at both evasion and delaying analysis:
(1) Impersonation of legitimate libraries
The payload masqueraded as posthog-js, a widely used open-source user analytics library. Naming, structure, and call patterns were made to look "normal," likely to evade quick code reviews and automated scanning.
(2) Event-driven activation
The malicious logic did not run constantly. It was designed to trigger only during sensitive events when secrets are exposed (for example, password entry for unlocking, seed phrase handling, or specific calls such as GET_SEED_PHRASE). This reduces suspicious behavior during routine browsing and makes detection harder.
(3) Data hiding in outbound traffic
Seed phrase data was not sent in plain text. Instead, it appears to have been hidden in non-standard HTTP fields such as errorMessage in encrypted or encoded form, making the traffic look like ordinary error reporting and reducing the chance of being flagged by IDS/IPS or basic traffic review.
2.1.4 Theft and response (2025-12-25 to 12-26)
On December 25, users who had updated to v2.68 exposed their mnemonic seeds at the moment they used the wallet (unlocking, seed entry, etc.). The attacker then used an automated sweeping bot to rapidly drain funds. Public warnings from on-chain investigators such as ZachXBT and 0xakinator amplified awareness in the community, and Trust Wallet officially acknowledged the incident on December 26 and released the patched v2.69 version.

3. Detailed Victimology and Loss Assessment
Summary
Loss valuation method
Losses were calculated using a strict price snapshot at the incident date (December 24, 2025), for example BTC $87,000, ETH $2,930, and MATIC $0.10. This conservative approach reduces distortion from post-incident price swings.
3.1 Victim counting method
Victim counts are based on unique wallet addresses:
- One wallet address is counted as one victim, even if multiple transactions exist
- Dusting transfers are excluded
- Fake token activity is excluded
Important limitation: address count is not the same as "number of people." Many users operate multiple wallets. With typical duplication assumptions, 1,311 wallet addresses may correspond to roughly 437 to 655 individuals (about one-third to one-half of the address count).
3.2 Final confirmed totals (verified)
- Unique victim wallets (addresses): 1,311
- Transaction count: 1,906
- Total losses (USD): 7,239,223.79
3.3 Losses by chain
Losses were confirmed across both EVM-compatible networks and Bitcoin, with Ethereum representing the largest share by value:
- Ethereum: 909 wallets, 1,186 tx, $4,439,296.10
- Bitcoin: 140 wallets, 141 tx, $2,233,362.26
- Polygon: 151 wallets, 195 tx, $566,565.43
- Arbitrum: 173 wallets, 203 tx, $70,208.29
- Base: 116 wallets, 175 tx, $41,498.09
- Others (Nova, Linea, zkSync, etc.): 56 wallets, 6 tx, $1,540.98
Note: "victim wallet count by chain" is measured per chain. If the same user is affected on multiple chains, they can be counted multiple times at the chain level. Also, bridge/swap labeling can introduce minor overlaps, so chain-level figures may not sum perfectly to the global total.
3.4 Top stolen assets and concentration
A total of 239 asset types were stolen, but losses are heavily concentrated in a few major assets:
- Top 3 assets (ETH, BTC, MATIC): 84.4% of total losses
- ETH: $3,312,855.48 (about 1,130 ETH)
- BTC: $2,233,362.26
- MATIC: $566,565.43 (about 5.66M MATIC at $0.10)
Stablecoin note:
- USDT: $539,643.99 (about 7.5% of total)
3.5 Deep insights
(1) Bitcoin losses: fewer victims, larger amounts
Bitcoin represents only 140 victim wallets (about 10.7% of all victims) but accounts for $2,233,362.26 (about 30.9% of total losses). The average loss per Bitcoin wallet is about $15,953.
Interpretation: some users likely used Trust Wallet to hold BTC for longer-term storage rather than frequent trading, resulting in larger balances and heavier losses concentrated in fewer wallets.
(2) Concentration and "whale effect"
Losses follow a classic long-tail pattern: many small losses, plus a few very large wallets that meaningfully inflate the total. For example, Top Victim #1 (0x062a31bd836cecb1b6bc82bb107c8940a0e6a01d) lost about $2,566,742.43, roughly 35.5% of the total $7,239,223.79. If you exclude this one wallet, the average loss across the remaining 1,310 wallets drops to about $3,566.78 (down from the overall average of $5,521.91).
Practical takeaway: response is most effective when run on two tracks at once: (1) an accelerated freeze/recovery track focused on the highest-loss wallets, and (2) a standardized reporting/support track for the broader victim population.

4. Fund Flow and Laundering Mechanics
Instead of relying mainly on traditional mixers, the attacker combined (1) repeated cross-chain moves (chain hopping) and (2) broad distribution across many deposit addresses at centralized exchanges and instant swap services.
4.1 Step 1: Aggregation (funneling and consolidation)
Immediately after theft, the attacker consolidated funds from about 1,300 victim wallets into a small set of intermediate aggregator wallets. This improves operational efficiency (gas optimization and automation) and sets up the "concentrate then disperse" pattern that complicates investigation.
A) EVM aggregation hub
- Address: 0x463452C356322D463B84891eBDa33DAED274cB40
- Summary: received about $4.35M from roughly 169 victims
- Why it matters: more than 60% of EVM-side stolen value appears to have passed through this wallet, making it a primary investigative target.
B) Bitcoin aggregation hub
- Address: bc1q3ykewj0xu0wrwxd2dy4g47yp75gxxm565kaw6m
- Summary: received 16.34 BTC (about $1.6M) from 32 victims
- Why it matters: it functions as a launch point for the cross-chain laundering loop.
4.2 Step 2: Cross-chain laundering loop (BTC → SOL → ETH)
The most technically important finding is that the attacker built a deliberate three-stage laundering loop through Solana and Ethereum to break Bitcoin trace continuity. This design can cause tracing to "appear to stop" if investigators only follow one chain or a single explorer. Relay.link served as the connective infrastructure.
(1) BTC exit
- From: Bitcoin aggregation wallet (bc1q3yk…)
- Action: about 4.75 BTC (about $465,500 at the time) sent to Relay.link
- Intent: weaken the UTXO-based trace line by moving funds into a bridging context
(2) Solana transit
- To: 7DWfnYqLzAjsKsPcNmZU24p8mbPSNyrQhGJBMn7A7LW9
- Received: about 3,391.88 SOL
- Behavior: short holding period, then prepared to move again to Ethereum via Relay.link
- Why Solana: fast finality and low fees make rapid splitting, swapping, and re-bridging easier.
(3) Ethereum re-entry and cash-out path
- To: 0x91b05D18A916e4834E48378B3A4f1391C489bC4c
- Received: about 124.37 ETH (about $364,404)
- Next: quickly forwarded to a ChangeNOW deposit address 0xe2d7adc202f7aeb2ede69b52a53ef340b5933795
Conclusion
This loop is engineered to defeat linear, single-chain tracing. Relay.link's non-custodial model and limited KYC touchpoints appear to have been used to loosen attribution links.
4.3 Inflows to service providers (VASP attribution)
At the final stage, funds moved into centralized exchanges (CEX) or instant swap services. The confirmed, identified inflow total is about $4.15M, roughly 57.4% of total losses. This represents the most actionable window for warrants, KYC/log requests, and freezing actions.
Top identified destinations
- ChangeNOW: $2,345,903 (56.5% of identified inflows). Notes: heavily used across both EVM (about $1.74M) and BTC (about $0.6M). Behavior suggests it was used as a practical "mixer substitute."
- FixedFloat: $852,341 (20.5%). Notes: BTC-heavy inflows. A structuring pattern was observed (for example, depositing in chunks such as 10 ETH units).
- KuCoin: $367,236 (8.8%). Notes: mostly BTC. As a KYC-based exchange, the chance of obtaining identity information is relatively higher.
- HTX (Huobi): $293,938 (7.1%). Notes: EVM inflows confirmed, including stablecoin routes.
- Others: additional small destinations exist; some funds remain untraced or appear to remain in attacker-controlled wallets.
EVM inflow example (diagram)
This diagram maps the movement of funds from multiple "Victim" wallets to a central "Origin" address (0x463452). From there, the assets are distributed through various intermediate wallets before landing in deposit accounts at exchanges like ChangeNOW, KuCoin, HTX, and FixedFloat. Source: CATV
Investigative focus: ChangeNOW
ChangeNOW processing more than half of identified inflows is critical. Even "no-signup" swap services often apply internal risk controls for high-volume, high-risk flows, including transaction holds, enhanced verification, and potential freezes. In practice, ChangeNOW engagement is directly tied to recovery potential.

5. Regulatory and Legal Response Strategy
Forensic findings must translate into immediate actions. Speed is the deciding factor: funds are quickly swapped, split, and moved again after deposit. The first 24 to 72 hours typically determine outcomes.
5.1 Target-specific actions
5.1.1 ChangeNOW and FixedFloat (instant swap services)
Although these services may operate closer to non-custodial models, they still retain operational logs and metadata at the moment swaps occur. Recommended actions:
A) Emergency freeze requests
Send urgent freeze requests tied to identified deposit addresses (for example, 0xe2d7adc… and other linked addresses). Even if funds already moved out, the outbound wallet addresses become high-value leads for second-stage tracing.
B) Evidence preservation and production requests
Request preservation of logs to prevent routine deletion, then pursue formal legal processes for production. Key artifacts can include access IPs, user-agent strings, device/browser fingerprints (where available), and session timelines, all of which can help infer attacker location and tooling.
5.1.2 KuCoin and HTX (centralized exchanges)
These exchanges typically maintain AML/KYC frameworks, making identity-level attribution more feasible.
A) KYC information requests
For accounts receiving deposits (for example, KuCoin deposit addresses such as 0x0d986… and others), pursue account holder identification, ID documents, selfie verification, and activity logs.
B) Account freezes and restitution workflows
If criminal proceeds can be substantiated, exchange balances may be frozen and routed into restitution or law-enforcement custody workflows. Operationally, each exchange has required formats (case number, authority letter, address and TX list, victim statements, etc.), which must be prepared precisely.
5.2 Relay.link and the regulatory gap
Relay.link currently sits in a regulatory gray area. However, deeper structure analysis may reveal actionable touchpoints. Key questions include:
- Does Relay.link execute swaps using its own liquidity pools, or does it route via external partners (such as major exchanges or liquidity providers) through APIs?
- If external liquidity is involved, can legal requests be extended to the upstream liquidity provider that sits behind the bridge flow?
As the internal routing becomes clearer, links that initially look "broken" may reconnect to entities that are within regulatory reach.

6. Conclusion and Recommendations
This Trust Wallet extension compromise resulted in confirmed losses of about $7.24M, clearly demonstrating how supply chain weaknesses in widely distributed client software can translate into immediate, severe user losses. The attacker showed a high level of preparation and technical capability, executing a full lifecycle: infrastructure setup, distribution through an official update channel, and multi-chain laundering via chain hopping.
Even when attackers aim for "perfect concealment," on-chain transparency makes it difficult to hide everything indefinitely. The cross-chain route (BTC → SOL → ETH → ChangeNOW) has already been identified, and the fact that more than 57% of total losses flowed into service providers (exchanges and swap services) keeps open a real window for freezes and recovery.
What matters now is fast execution:
- For investigators: immediately initiate cross-border cooperation using the report's deposit addresses and flow mappings, prioritizing freezes and evidence preservation.
- For victims: pursue relief through official procedures (working with investigators, civil/criminal actions, and formal freeze requests), while staying alert for secondary scams.
- For wallet providers: urgently strengthen code-signing verification, third-party library auditing, and real-time detection/alerting for suspicious transaction patterns.
Final warning: recovery scams
Secondary scams are common after incidents like this. Anyone claiming they can "recover your funds" directly should be treated as suspicious. Only follow official processes through recognized law-enforcement channels and Trust Wallet's official communications.

Trust Wallet Breach Report: Damage Assessment, Fund Flows, VASP Inflows, and Response Strategies
1 like, 203 reads
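As an added example (not part of the report above, nor Trust Wallet's or CATV's tooling) of the VASP-attribution and structuring checks described in section 4.3 of that post, the following Python aggregates transfer records by known service deposit address, computes each service's share of identified inflows, and flags destinations receiving repeated equal-size deposits within a short window. All addresses, amounts and timestamps are constructed placeholders, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mapping of deposit addresses to services (placeholders, not real addresses).
VASP_DEPOSITS = {
    "0xaaa1": "ChangeNOW",
    "0xbbb2": "FixedFloat",
    "0xccc3": "KuCoin",
}

# Constructed transfers: (timestamp, to_address, asset, amount, usd_value).
TRANSFERS = [
    ("2025-12-26T10:00:00", "0xaaa1", "ETH", 100.0, 330000.0),
    ("2025-12-26T10:05:00", "0xbbb2", "ETH", 10.0, 33000.0),
    ("2025-12-26T10:09:00", "0xbbb2", "ETH", 10.0, 33000.0),
    ("2025-12-26T10:14:00", "0xbbb2", "ETH", 10.0, 33000.0),
    ("2025-12-26T10:20:00", "0xccc3", "ETH", 20.0, 66000.0),
    ("2025-12-26T11:00:00", "0xddd4", "ETH", 5.0, 16500.0),  # unlabeled, stays untraced
]

def attribute_inflows(transfers, deposits=VASP_DEPOSITS):
    """Sum USD value per identified service; unlabeled destinations are not counted."""
    totals = defaultdict(float)
    for _ts, to_addr, _asset, _amt, usd in transfers:
        if to_addr in deposits:
            totals[deposits[to_addr]] += usd
    return dict(totals)

def inflow_shares(totals):
    """Each service's share of identified inflows, in percent rounded to 0.1."""
    identified = sum(totals.values())
    return {svc: round(100 * usd / identified, 1) for svc, usd in totals.items()}

def detect_structuring(transfers, min_count=3, window=timedelta(minutes=30), tolerance=0.01):
    """Flag (address, asset) pairs receiving min_count near-equal deposits inside window."""
    by_dest = defaultdict(list)
    for ts, to_addr, asset, amt, _usd in transfers:
        by_dest[(to_addr, asset)].append((datetime.fromisoformat(ts), amt))
    flagged = []
    for (to_addr, asset), deps in by_dest.items():
        deps.sort()
        for start_ts, start_amt in deps:
            run = [d for d in deps if timedelta(0) <= d[0] - start_ts <= window
                   and abs(d[1] - start_amt) <= tolerance * start_amt]
            if len(run) >= min_count:
                flagged.append((to_addr, asset, len(run), start_amt))
                break
    return flagged
```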
jxsh3907

December 27, 2025

General Discussion
Why can't I exchange it?

Please fix it ㅠ

1 like, 43 reads
jxsh3907

December 23, 2025

General Discussion
After the update, ChainBounty exchange no longer works

Please release a fix quickly

1 like, 39 reads