FixedFloat—a cryptocurrency exchange that operates without “know your customer” (KYC) anti-money laundering (AML) measures—was hacked earlier this month, resulting in the loss of more than 400 Bitcoin and over 1,700 Ethereum, worth about $26 million.
Blockchain security firm BlockFence identified the Bitcoin address used in the theft, and on-chain data from a linked Ethereum address revealed multiple high-value transactions to various addresses.
According to fellow blockchain analytics firm PeckShield, the stolen funds were moved through the Ethereum mixer eXch shortly after the hack, complicating the traceability of the stolen assets. A small portion of the funds was moved to HitBTC and CoinSpot, PeckShield said, labeling the wallet address “FixedFloat drainer.”
FixedFloat told Decrypt that the hack was not carried out by one of its employees and that “it was an external attack caused by vulnerabilities in our security structure.”
“The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said. “This allowed the attackers to gain access to some of the functions of our service.”
Following the hack, FixedFloat initially cited "minor technical problems" and moved its systems into “maintenance mode.” This was before the full extent of the hack was disclosed, which led to confusion and concern among users.
“We did not immediately report the hack, as we were already aware of the incident and immediately began putting our service into maintenance mode to ensure security and minimize losses,” the exchange told Decrypt. “At that time, our main focus was on quickly eliminating weaknesses and strengthening overall security, which prevented us from making public statements about what happened.”
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. "FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later," the platform tweeted.
However, once reports of the hack started to spread through social media, the platform confirmed the incident and opened up about the attack.
“We confirm that there was indeed a hack and theft of funds,” the official FixedFloat Twitter account wrote in a reply to a tweet. “We are not ready to make public comments about this matter as we are working to eliminate all possible vulnerabilities, improve security, and investigate.
“Our service will be available again soon,” it continued.
The exchange later said that users’ funds remained safe and that the theft affected only the company’s internal operations. If so, it’s likely that the funds were taken from one of the exchange’s hot wallets.
FixedFloat, which advertises itself as an "instant, fully automatic cryptocurrency exchange with Lightning Network," prioritizes privacy over safety, operating without requiring account registration or identity verification. This lack of KYC measures is appealing to privacy-conscious users, but it poses significant risks for both the platform and its users in the event of a hack, as investigators have limited information to work with.
Incidents like this are less common than they were. A recent report from blockchain forensics firm Chainalysis highlighted a significant decrease in funds stolen from cryptocurrency platforms in 2023. Despite a slight increase in individual hacking incidents, the total value of stolen funds dropped by approximately 54.3% to $1.7 billion, attributed largely to a sharp decline in DeFi hacks.
FixedFloat reported that they are working with law enforcement agencies, blockchain forensics firms, and cryptocurrency exchanges to track down the hackers, who have not yet contacted the exchange. The company said it will honor all its payment obligations as soon as it resumes operations and can be certain that the exchange is once again safe to use.