FixedFloat—a cryptocurrency exchange that operates without “know your customer” (KYC) anti-money laundering (AML) measures—was hacked earlier this month, resulting in the loss of more than 400 Bitcoin and over 1,700 Ethereum, worth about $26 million.
Blockchain security firm BlockFence identified the Bitcoin address used in the theft, and on-chain data from a linked Ethereum address revealed multiple high-value transactions to various addresses.
According to fellow blockchain analytics firm PeckShield, the stolen funds were moved through the Ethereum mixer eXch shortly after the hack, complicating the traceability of the stolen assets. A small part of the funds was moved to HitBTC and CoinSpot, PeckShield said, labeling the wallet address “FixedFloat drainer.”
FixedFloat told Decrypt that the hack was not carried out by one of its employees and that “it was an external attack caused by vulnerabilities in our security structure.”
“The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said. “This allowed the attackers to gain access to some of the functions of our service.”
Following the hack, FixedFloat initially cited “minor technical problems” and moved its systems into “maintenance mode.” This was before the full extent of the hack was disclosed, which led to confusion and concern among users.
“We did not immediately report the hack, as we were already aware of the incident and immediately began putting our service into maintenance mode to ensure security and minimize losses,” the exchange told Decrypt. “At that time, our main focus was on quickly eliminating weaknesses and strengthening overall security, which prevented us from making public statements about what happened.”
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. “FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later,” the platform tweeted.
However, once reports of the hack started to spread through social media, the platform confirmed the incident and opened up about the attack.
“We confirm that there was indeed a hack and theft of funds,” the official FixedFloat Twitter account wrote in a reply to a tweet. “We are not ready to make public comments about this matter as we are working to eliminate all possible vulnerabilities, improve security, and investigate.
“Our service will be available again soon,” it continued.
The exchange later assured users that their funds remained safe and that the theft affected only the company’s internal operations. If so, it’s likely that the funds were taken from one of the exchange’s hot wallets.
FixedFloat, which advertises itself as an “instant, fully automatic cryptocurrency exchange with Lightning Network,” prioritizes privacy over safety, operating without requiring account registration or identity verification. This lack of KYC measures is appealing to privacy-conscious users, but it poses significant risks for both the platform and its users in the event of a hack, as investigators have limited information to work with.
Incidents like this are less common than they were. A recent report from blockchain forensics firm Chainalysis highlighted a significant decrease in funds stolen from cryptocurrency platforms in 2023. Despite a slight increase in individual hacking incidents, the total value of stolen funds dropped by approximately 54.3% to $1.7 billion, attributed largely to a sharp decline in DeFi hacks.
FixedFloat reported that they are working with law enforcement agencies, blockchain forensics firms, and cryptocurrency exchanges to track down the hackers, who have not yet contacted the exchange. The company said it will honor all its payment obligations as soon as it resumes operations and can be certain that the exchange is once again safe to use.