FixedFloat—a cryptocurrency exchange that operates without “know your customer” (KYC) anti-money laundering (AML) measures—was hacked earlier this month, resulting in the loss of more than 400 Bitcoin and over 1,700 Ethereum, worth about $26 million.
Blockchain security firm BlockFence identified the Bitcoin address used in the theft, and on-chain data from a linked Ethereum address revealed multiple high-value transactions to various addresses.
According to fellow blockchain analytics firm PeckShield, the stolen funds were moved through the Ethereum mixer eXch shortly after the hack, complicating the traceability of the stolen assets. A small part of the funds were moved to HitBTC and CoinSpot, PeckShield said, labeling the wallet address “FixedFloat drainer.”
FixedFloat told Decrypt that the hack was not carried out by one of its employees and that “it was an external attack caused by vulnerabilities in our security structure.”
“The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said. “This allowed the attackers to gain access to some of the functions of our service.”
Following the hack, FixedFloat initially cited "minor technical problems" and moved its systems into “maintenance mode.” This was before the full extent of the hack was disclosed, which led to confusion and concern among users.
“We did not immediately report the hack, as we were already aware of the incident and immediately began putting our service into maintenance mode to ensure security and minimize losses,” the exchange told Decrypt. “At that time, our main focus was on quickly eliminating weaknesses and strengthening overall security, which prevented us from making public statements about what happened.”
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. "FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later," the platform tweeted.
However, once reports of the hack started to spread through social media, the platform confirmed the incident and opened up about the attack.
"We confirm that there was indeed a hack and theft of funds,” the official FixedFloat Twitter account wrote in a reply to a tweet. ”We are not ready to make public comments about this matter as we are working to eliminate all possible vulnerabilities, improve security, and investigate.
“Our service will be available again soon," it continued.
Hello,
We confirm that there was indeed a hack and theft of funds. We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon.
The exchange later assured that users’ funds remained safe and the funds stolen affected only the company’s internal operations. If so, it’s likely that the hack was from one of the exchange’s hot wallets.
FixedFloat, which advertises itself as an "instant, fully automatic cryptocurrency exchange with Lightning Network," prioritizes privacy over safety, operating without requiring account registration or identity verification. This lack of KYC measures is appealing to privacy-conscious users, but it poses significant risks for both the platform and its users in the event of a hack, as investigators have limited information to work with.
Incidents like this are less common than they were. A recent report from blockchain forensics firm Chainalysis highlighted a significant decrease in funds stolen from cryptocurrency platforms in 2023. Despite a slight increase in individual hacking incidents, the total value of stolen funds dropped by approximately 54.3% to $1.7 billion, attributed largely to a sharp decline in DeFi hacks.
FixedFloat reported that they are working with law enforcement agencies, blockchain forensics firms, and cryptocurrency exchanges to track down the hackers, who have not yet contacted the exchange. The company said it will honor all its payment obligations as soon as it resumes operations and can be certain that the exchange is once again safe to use.
