More than 2000 SOLs were stolen

5 min readMay 5, 2022


Recently @0x_fxnction had his wallet compromised for $240k (2349 SOL). Shortly after my notifications blew up with people tagging me to investigate.

Here’s the story of where the funds went, how I was able to recover a portion of it, & who’s potentially behind the attack

wallet C2ihGhv13M7Apq9iPzsUKmcqo3v6uTQmKCnqe79UC6QP was compromised.


Why was this SOL all in one wallet? This was his first mistake. This was mostly DeGods profit meant to help buy a house and was being withdrawn in the next weeks.


The 2349 SOL was initially stolen from Fxnction on 4/18/22 at 7:25 UTC and transferred through multiple wallets.

a) C2ih (Fxnction) to HdvF

b) HdvF4 to BFR6

c) BFR6 to Wormhole Bridge


I then moved to the Wormhole website to see where the funds were withdrawn to.

The attacker then swapped the SOL for 40 ETH & 102,000 DAI then deposited it into Tornado.


Just minutes later an address withdraws the same exact amount of ETH & DAI from Tornado to 0xc7.


They begin moving around the funds. The funds are swapped for USDC then transferred to 0xc7d. The hacker receives ETH from @ChangeNOW_io & transfers $50k to @LocalCoinSwap


Once alerted of the transactions I reach out to both teams. At this point it’s too late for ChangeNow but for LocalCoinSwap the funds are in escrow I reach out to the most popular vendors on the site and find a match! I immediately send them all of the details of the hack.


Shortly after the team works with the vendor to freeze the funds and investigate internal further. Well at this point great we’ve frozen $50k/$220k of the funds so not a bad start! I then look for connections to other addresses.


You can see the flow of funds in numerical order here. Strangely enough the funds are connected to 0x7e via 0xf8 (0.09 ETH & $460k received). Well who’s the owner of this wallet?


0x7e is heavily linked to @CryptoNoah_& his public wallet 0xbd9

Well who is he?


@CryptoNoah is an influencer who made $29,000,000 USD pumping and dumping meme coins. Most notably making 8 figures off of Saitama. He held nearly 3% of the supply and would make bullish tweets while dumping 6 figures worth of tokens a day.


Noah’s public wallet also sent 400 ETH into Tornado cash which coincidentally then gets withdrawn by 0x7e again just hours after. He also sent 0x7e $2.8m worth of Saitama that gets sold for ETH.


Noah now has sent 0x7e $4.1m worth of crypto in total. 0x7e sent 0xf8 (Fxnction hacker) $460k worth of crypto! This means either: a) Noah is the perpetrator himself b) Noah knows who the hacker is since he sent 0xf8 so much $$$


After this we gathered his info and reached out to him for a comment. He did not return either of our DMs. @0x_fxnction also called his phone & Noah hung up after Fxnction mentioned the wallet address. This part personally seems suspicious to me.


I’ve managed track & recover over $50k/$220k and we’re now in communication with the @FBI for further investigation This case has been a wild one from start to finish. It is nice to see we were able to recover any funds at all as well as potentially identify the perpetrator





Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.