More than 2000 SOLs were stolen

lunaray
5 min read · May 5, 2022


0x01

Recently @0x_fxnction had his wallet compromised for $240k (2349 SOL). Shortly after my notifications blew up with people tagging me to investigate.

Here’s the story of where the funds went, how I was able to recover a portion of it, & who’s potentially behind the attack.

Wallet C2ihGhv13M7Apq9iPzsUKmcqo3v6uTQmKCnqe79UC6QP was compromised.

Transaction:

Why was this SOL all in one wallet? This was his first mistake. This was mostly DeGods profit meant to help buy a house and was being withdrawn in the next weeks.

0x02

The 2349 SOL was initially stolen from Fxnction on 4/18/22 at 7:25 UTC and transferred through multiple wallets.

a) C2ih (Fxnction) to HdvF

b) HdvF4 to BFR6

c) BFR6 to Wormhole Bridge

0x03

I then moved to the Wormhole website to see where the funds were withdrawn to.

https://etherscan.io/tx/0x4d70cdb56a5841fc707ee12ea156ac885c8f0b2d4338bae35c4ad0ed1f59262c

The attacker then swapped the SOL for 40 ETH & 102,000 DAI, then deposited it into Tornado.

0x04

Just minutes later an address withdraws the same exact amount of ETH & DAI from Tornado to 0xc7.

https://etherscan.io/address/0xc7bbd917aa82e919822270a8abdcacc051fcafeb

0x05

They begin moving around the funds. The funds are swapped for USDC, then transferred to 0xc7d. The hacker receives ETH from @ChangeNOW_io & transfers $50k to @LocalCoinSwap.
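As an added illustration (not part of the thread), the two tracing heuristics used in 0x02 to 0x04, following the peel chain hop by hop and linking a mixer deposit to a withdrawal of the same amount minutes later, written in Python over constructed transfer records; the wallet names use the thread's short prefixes, while the ETH-side depositor 0xabc, the wallet 0xdead and all timestamps and amounts are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed transfer records shaped like the flow in the thread (not real chain data).
# Wallet labels are the thread's short prefixes; "0xabc", "0xdead", the timestamps and
# the amounts are hypothetical.
TRANSFERS = [
    # (utc time,          src,        dst,        asset, amount)
    ("2022-04-18 07:25", "C2ih",     "HdvF",     "SOL", 2349.0),
    ("2022-04-18 07:40", "HdvF",     "BFR6",     "SOL", 2349.0),
    ("2022-04-18 08:05", "BFR6",     "Wormhole", "SOL", 2349.0),
    ("2022-04-18 09:10", "0xabc",    "Tornado",  "ETH", 40.0),
    ("2022-04-18 09:12", "0xabc",    "Tornado",  "DAI", 102000.0),
    ("2022-04-18 09:30", "Tornado",  "0xc7",     "ETH", 40.0),
    ("2022-04-18 09:33", "Tornado",  "0xc7",     "DAI", 102000.0),
    ("2022-04-19 12:00", "Tornado",  "0xdead",   "ETH", 40.0),  # a day later: not linked
]
SERVICES = {"Wormhole", "Tornado"}  # hops where the trail changes chain or is mixed

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def follow_chain(transfers, start, tolerance=0.01):
    """Walk peel-chain hops from `start`: at each wallet take the earliest later
    outgoing transfer that moves (within tolerance) the amount that just arrived.
    Stops at a bridge/mixer, where the trail must be picked up by other means."""
    path, here, when, amount = [start], start, None, None
    while here not in SERVICES:
        outs = sorted(
            (r for r in transfers if r[1] == here
             and (when is None or _t(r[0]) >= when)
             and (amount is None or abs(r[4] - amount) <= tolerance * amount)),
            key=lambda r: _t(r[0]))
        if not outs:
            break
        when, here, amount = _t(outs[0][0]), outs[0][2], outs[0][4]
        path.append(here)
    return path

def link_mixer(transfers, mixer, window=timedelta(hours=1)):
    """Pair each deposit into `mixer` with withdrawals of the same asset and exact
    amount inside `window` after it: the amount/timing heuristic used in the thread."""
    deposits = [r for r in transfers if r[2] == mixer]
    withdrawals = [r for r in transfers if r[1] == mixer]
    links = []
    for d in deposits:
        for w in withdrawals:
            if w[3] == d[3] and w[4] == d[4] and timedelta(0) <= _t(w[0]) - _t(d[0]) <= window:
                links.append((d[1], w[2], d[3], d[4]))
    return links

if __name__ == "__main__":
    print(follow_chain(TRANSFERS, "C2ih"))   # ['C2ih', 'HdvF', 'BFR6', 'Wormhole']
    print(link_mixer(TRANSFERS, "Tornado"))  # [('0xabc', '0xc7', 'ETH', 40.0), ('0xabc', '0xc7', 'DAI', 102000.0)]
```

Because Tornado pools accept fixed denominations, an exact-amount match on its own is weak evidence; the short time window and the matching of several assets together are what carry the signal.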

0x06

Once alerted of the transactions, I reach out to both teams. At this point it’s too late for ChangeNow, but for LocalCoinSwap the funds are in escrow. I reach out to the most popular vendors on the site and find a match! I immediately send them all of the details of the hack.

0x07

Shortly after, the team works with the vendor to freeze the funds and investigate further internally. Well, at this point, great, we’ve frozen $50k/$220k of the funds, so not a bad start! I then look for connections to other addresses.

0x08

You can see the flow of funds in numerical order here. Strangely enough, the funds are connected to 0x7e via 0xf8 (0.09 ETH & $460k received). Well, who’s the owner of this wallet?

0x09

0x7e is heavily linked to @CryptoNoah_ & his public wallet 0xbd9.

https://opensea.io/CryptoNoah

Well who is he?

0x10

@CryptoNoah is an influencer who made $29,000,000 USD pumping and dumping meme coins. Most notably making 8 figures off of Saitama. He held nearly 3% of the supply and would make bullish tweets while dumping 6 figures worth of tokens a day.

0x11

Noah’s public wallet also sent 400 ETH into Tornado Cash, which coincidentally then gets withdrawn by 0x7e again just hours after. He also sent 0x7e $2.8m worth of Saitama that gets sold for ETH.

https://etherscan.io/address/0x7e46480d8e28c1d6c55be1b782084dd2c902f99f

0x12

Noah now has sent 0x7e $4.1m worth of crypto in total. 0x7e sent 0xf8 (Fxnction hacker) $460k worth of crypto! This means either: a) Noah is the perpetrator himself, or b) Noah knows who the hacker is, since he sent 0xf8 so much $$$.

0x13

After this we gathered his info and reached out to him for a comment. He did not return either of our DMs. @0x_fxnction also called his phone & Noah hung up after Fxnction mentioned the wallet address. This part personally seems suspicious to me.

0x14

I’ve managed to track & recover over $50k/$220k, and we’re now in communication with the @FBI for further investigation. This case has been a wild one from start to finish. It is nice to see we were able to recover any funds at all, as well as potentially identify the perpetrator.

REF:

https://twitter.com/zachxbt/status/1521488829319892993

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.