Re: Mixin hack! CEO Begs Hackers To Return Funds and Take $20m Reward

[Josefjix]

Mixin has been in touch with the hacker, directly on the blockchain! They sent a message through the Blockchain and it reads;

“Hey, most of the assets you took are our users’s money, so how about giving them back and buy a coffee for yourself for finding a bug on our "Decentralized system'?”

They are offering a $20m bounty to the Lazarus group out of the $200m scammed. No assets has been frozen till now, is the $20m enough to let go $180m?

Well update from the Mixin CEO

After several days, we have completed most of the asset tally work, and the situation is much more optimistic than expected. The losses are not as significant as estimated. Again, we remind everyone to avoid making transactions, market making, etc., on Mixin Network, for now, to prevent unnecessary losses.

[1714273569]

1714273569

[1714273569]

1714273569

[1714273569]

1714273569

[1714273569]

1714273569

[1714273569]

1714273569

[1714273569]

1714273569

[LoyceV]

They are offering a $20m bounty to the Lazarus group out of the $200m scammed.

Do you have a source for this statement? It's not in your screenshot, and I haven't found any evidence that the Lazarus Group is behind this.
A $20M bug bounty might work for a hacker who's in over his head, and $20M is enough to lead a very luxurious life without having to launder $200M and being on the lookout for the rest of your life. But if it's North Korean state hackers, none of this applies. They're lucky if they get food tonight.

[Rikafip]

Do you have a source for this statement? It's not in your screenshot, and I haven't found any evidence that the Lazarus Group is behind this.

Same here, couldn't find any info whatsover and @zachxbt is the guy who usually mentioned Lazarus Group and even he is quiet regarding that so I guess this is only OP's assumation since those guys are the main suspects for the last few hacks (Stake, Atomic etc)


@OP we already have Mixin Safe hack thread (https://bitcointalk.org/index.php?topic=5467994.0)so why not share this there instead spreading conversation across several threads.

[Josefjix]

They are offering a $20m bounty to the Lazarus group out of the $200m scammed.

Do you have a source for this statement? It's not in your screenshot, and I haven't found any evidence that the Lazarus Group is behind this.
A $20M bug bounty might work for a hacker who's in over his head, and $20M is enough to lead a very luxurious life without having to launder $200M and being on the lookout for the rest of your life. But if it's North Korean state hackers, none of this applies. They're lucky if they get food tonight.

The Lazarus group are the number one suspect as of now although investigation is still ongoing.

@OP we already have Mixin Safe hack thread ([url]https://bitcointalk.org/index.php?topic=5467994.0)so[/url] why not share this there instead spreading conversation across several threads.

I didn't realise it until now because I was just reading the discussion on the project's main ANN and didn't think it was proper to discuss it there because the OP could easily lock the thread now that the service is down. However, my updates are more appropriate for this board.

More updates!

Could it be an inside job?


One year before the hack:

June 18, 2022: 0x1795, an address connected to the hack, received 5 $ETH from Mixin (0xB0Cf). This address transferred 51 $ETH to address 0xd07A on August 6, 2021 and deposited 5.9 $ETH on Binance (0x4b83) on July 5, 2022.

October 20, 2022: ETH miner 0xab3B sent 118 $ETH to 0xfc73, a user of Gate.io and OKX.

November 9, 2022: Mixin address(0xB0Cf) sent 10,000 $ETH to 0x5D5a.

September 16, 2023: 0x5D5a sent 100 $ETH in gas to 0x4701.

During the hack:

September 22, 2023: 0xfc73 sent 0.5 $ETH in gas to 0x52e8, a wallet connected to the Mixin hack. This wallet holds $94M worth of $ETH.

September 22, 2023: 0xd07A sent 50 $ETH as gas to 0xb5d6, another hack-related wallet holding $71,000 in $ETH, moments before the attack. This transfer was done so that the hacker could disperse tokens from Mixin's addresses through 0x52E8 for the attack.

September 22, 2023: 0xb5d6 (hacker wallet) sent 0.3 $ETH as gas to 0x3b5f, an address that swapped USDT into DAI to avoid being frozen out of stolen funds.

September 23, 2023: Disperse.app address 0xD152 sent 0.0025 $ETH in gas to Mixin wallet 0x68EF. It is likely that the hacker used Disperse.app to distribute tokens.

After the hack:

September 23, 2023: One hour after the hack, Mixin user 0x6e05 retrieved 30 $ETH from the platform, perhaps sensing that a hack was taking place.

September 25, 2023: Mixin announced the stoppage of deposits and withdrawals, two days after it got hacked for $200M.

September 25, 2023: Mixin wallets sent 988 $UNI to a hacker-related address (0xCD65) that now holds $8M in crypto assets.

September 25-26, 2023: Mixin wallets sent $9M worth of crypto funds, including $HMT, $UNI, $ETH, and $USDC, to 0x4701.

September 26, 2023: 0x68EF, a Mixin wallet that received gas from the hacker (0xD152), transferred $USDC and $HMT to 0x4701. It is likely that 0x4701 is an address controlled by Mixin to secure their remaining tokens, although Mixin has yet to confirm this.

More can be found Here for the Blockchain specialists.

[just4kicks]

most of "big hacks" are an inside job tbh...
hard to believe something this advanced gets mysteriously "hacked" lol

a must watch documentary - Trust No One: The Hunt for the Crypto King - NETFLIX

[serveria.com]

They are offering a $20m bounty to the Lazarus group out of the $200m scammed.

Do you have a source for this statement? It's not in your screenshot, and I haven't found any evidence that the Lazarus Group is behind this.
A $20M bug bounty might work for a hacker who's in over his head, and $20M is enough to lead a very luxurious life without having to launder $200M and being on the lookout for the rest of your life. But if it's North Korean state hackers, none of this applies. They're lucky if they get food tonight.

The Lazarus group are the number one suspect as of now although investigation is still ongoing.

@OP we already have Mixin Safe hack thread ([url]https://bitcointalk.org/index.php?topic=5467994.0)so[/url] why not share this there instead spreading conversation across several threads.

I didn't realise it until now because I was just reading the discussion on the project's main ANN and didn't think it was proper to discuss it there because the OP could easily lock the thread now that the service is down. However, my updates are more appropriate for this board.

More updates!

Could it be an inside job?


One year before the hack:

June 18, 2022: 0x1795, an address connected to the hack, received 5 $ETH from Mixin (0xB0Cf). This address transferred 51 $ETH to address 0xd07A on August 6, 2021 and deposited 5.9 $ETH on Binance (0x4b83) on July 5, 2022.

October 20, 2022: ETH miner 0xab3B sent 118 $ETH to 0xfc73, a user of Gate.io and OKX.

November 9, 2022: Mixin address(0xB0Cf) sent 10,000 $ETH to 0x5D5a.

September 16, 2023: 0x5D5a sent 100 $ETH in gas to 0x4701.

During the hack:

September 22, 2023: 0xfc73 sent 0.5 $ETH in gas to 0x52e8, a wallet connected to the Mixin hack. This wallet holds $94M worth of $ETH.

September 22, 2023: 0xd07A sent 50 $ETH as gas to 0xb5d6, another hack-related wallet holding $71,000 in $ETH, moments before the attack. This transfer was done so that the hacker could disperse tokens from Mixin's addresses through 0x52E8 for the attack.

September 22, 2023: 0xb5d6 (hacker wallet) sent 0.3 $ETH as gas to 0x3b5f, an address that swapped USDT into DAI to avoid being frozen out of stolen funds.

September 23, 2023: Disperse.app address 0xD152 sent 0.0025 $ETH in gas to Mixin wallet 0x68EF. It is likely that the hacker used Disperse.app to distribute tokens.

After the hack:

September 23, 2023: One hour after the hack, Mixin user 0x6e05 retrieved 30 $ETH from the platform, perhaps sensing that a hack was taking place.

September 25, 2023: Mixin announced the stoppage of deposits and withdrawals, two days after it got hacked for $200M.

September 25, 2023: Mixin wallets sent 988 $UNI to a hacker-related address (0xCD65) that now holds $8M in crypto assets.

September 25-26, 2023: Mixin wallets sent $9M worth of crypto funds, including $HMT, $UNI, $ETH, and $USDC, to 0x4701.

September 26, 2023: 0x68EF, a Mixin wallet that received gas from the hacker (0xD152), transferred $USDC and $HMT to 0x4701. It is likely that 0x4701 is an address controlled by Mixin to secure their remaining tokens, although Mixin has yet to confirm this.

More can be found Here for the Blockchain specialists.

Yeah, this does look suspicious. Also not clear why they did only announce the hack two days after it actually happened? At this point there are more questions than answers...

As to the bug bounty, it could actually work (only if it's not an inside job  ) as the criminals won't need to launder that money and risk being caught.

[dkbit98]

$20M Bug bounty reward?!  
I don't know if this is true statement or not, but it sounds like a desperate move from Mixin CEO...
I said many times that using cloud for anything serious is worst thing you can do, that is just computer from someone else.
In last few days I saw several users claiming on social media how they lost coins in this hack, but I didn't see any proof for their claims.
Strange thing in this situation is that all Mixin websites work as usual for me, and there are no information about this hack.

[ScamViruS]

What you have posted is actually in the news already  https://news.bitcoin.com/mixins-20-million-plea-platform-transmits-onchain-bid-to-reclaim-stolen-assets/. The most important thing to think about is how these hack incidents happen so easily, because they have millions of dollars of customers, they are responsible for providing security for that money, but currently it seems that hack incidents are happening very easily. Insiders are most likely behind these hacks. Because these hack incidents are not so easy to happen without insiders, but they cannot be exposed because we do not have evidence.

[serveria.com]

$20M Bug bounty reward?!  
I don't know if this is true statement or not, but it sounds like a desperate move from Mixin CEO...
I said many times that using cloud for anything serious is worst thing you can do, that is just computer from someone else.
In last few days I saw several users claiming on social media how they lost coins in this hack, but I didn't see any proof for their claims.
Strange thing in this situation is that all Mixin websites work as usual for me, and there are no information about this hack.

Furthermore, it's not even clear what was the origin of the funds and why Mixin were keeping it (apparently in a hot wallet). Were those users' funds? Then why nobody is complaining? Which service of Mixin stored so many coins? Wallet? Messenger? 

[Josefjix]

$20M Bug bounty reward?!  
I don't know if this is true statement or not, but it sounds like a desperate move from Mixin CEO...
I said many times that using cloud for anything serious is worst thing you can do, that is just computer from someone else.
In last few days I saw several users claiming on social media how they lost coins in this hack, but I didn't see any proof for their claims.
Strange thing in this situation is that all Mixin websites work as usual for me, and there are no information about this hack.

Furthermore, it's not even clear what was the origin of the funds and why Mixin were keeping it (apparently in a hot wallet). Were those users' funds? Then why nobody is complaining? Which service of Mixin stored so many coins? Wallet? Messenger? 

Could be private investigators who rather keep their loses private than coming on social media to look like an idiot for keep such funds online in the first place. It was the Mixin safe I guess.

[serveria.com]

$20M Bug bounty reward?!  
I don't know if this is true statement or not, but it sounds like a desperate move from Mixin CEO...
I said many times that using cloud for anything serious is worst thing you can do, that is just computer from someone else.
In last few days I saw several users claiming on social media how they lost coins in this hack, but I didn't see any proof for their claims.
Strange thing in this situation is that all Mixin websites work as usual for me, and there are no information about this hack.

Furthermore, it's not even clear what was the origin of the funds and why Mixin were keeping it (apparently in a hot wallet). Were those users' funds? Then why nobody is complaining? Which service of Mixin stored so many coins? Wallet? Messenger? 

Could be private investigators who rather keep their loses private than coming on social media to look like an idiot for keep such funds online in the first place. It was the Mixin safe I guess.

Well, I don't work for Mixin Safe but I guess Mixin Safe is still in beta and the number of users is still very low. And surely this service can't hold $200m in funds it simply doesn't have some many users. Mixin's most popular product/service is a messaging software but I'm not sure how it's monetized or how can it keep users' funds.

[coupable]

$20M Bug bounty reward?!  
I don't know if this is true statement or not, but it sounds like a desperate move from Mixin CEO...
I said many times that using cloud for anything serious is worst thing you can do, that is just computer from someone else.
In last few days I saw several users claiming on social media how they lost coins in this hack, but I didn't see any proof for their claims.
Strange thing in this situation is that all Mixin websites work as usual for me, and there are no information about this hack.

Furthermore, it's not even clear what was the origin of the funds and why Mixin were keeping it (apparently in a hot wallet). Were those users' funds? Then why nobody is complaining? Which service of Mixin stored so many coins? Wallet? Messenger? 

Could be private investigators who rather keep their loses private than coming on social media to look like an idiot for keep such funds online in the first place. It was the Mixin safe I guess.

I also don't think that a project like Mixin in the beta stage is capable of raising hundreds of millions of dollars from enthusiastic investors, considering that the missing $200 million is only a small portion of the assets it has. This can be inferred from the review campaign that was launched about two months ago, which included 100 expert members of the forum, who agreed in most of their reviews (if not all) on the complexities of use and the danger of the service on the cloud. I am almost certain that none of them continued to use the service after the review campaign. The unprofessionalism of the project was confirmed after the success of the hack, and was further confirmed by this desperate message they sent to the hackers.

[Josefjix]

Well, I don't work for Mixin Safe but I guess Mixin Safe is still in beta and the number of users is still very low. And surely this service can't hold $200m in funds it simply doesn't have some many users. Mixin's most popular product/service is a messaging software but I'm not sure how it's monetized or how can it keep users' funds.

Only the main network was hacked, I still have my remaining $4 in USDT on the Mixin messager wallet but can't withdraw.

$200m is the highest hacked this year - have no idea where they got such funds in the first place.

[BitcoinsGreat]

$20M Bug bounty reward?!  
I don't know if this is true statement or not, but it sounds like a desperate move from Mixin CEO...
I said many times that using cloud for anything serious is worst thing you can do, that is just computer from someone else.
In last few days I saw several users claiming on social media how they lost coins in this hack, but I didn't see any proof for their claims.
Strange thing in this situation is that all Mixin websites work as usual for me, and there are no information about this hack.

Say that a thief stole $200M worth of money and he will be so kind enough to return that money and get only $20M.

Someone, please tell the Mixin CEO that the hacker was not a bug bounty hunter but a hacker

Because these hack incidents are not so easy to happen without insiders, but they cannot be exposed because we do not have evidence.

If this is an inside job, then i think that this deal will be done, Mixin team gets $20M for free and the reputation restored, Business continues, nice move !!

[Rikafip]

Say that a thief stole $200M worth of money and he will be so kind enough to return that money and get only $20M.

These kind of things are rare but happen sometimes. Back in 2021 Poly Network was hacked for $600M, which hacker eventually returned. In the end they offered him a reward and position of chief secrity advisor. Having said that, I doubt that its gonna happen in this case, but I guess it doesn't hurt to try,

Source: https://www.theverge.com/2021/8/11/22619272/poly-network-attack-600-million-cryptocurrency-theft-doge-ethereum-binance-return-defi

[ZeeshanTrade]

It could be an inside scam attempt or it can be poor security but why we are still promoting the service  Mixin Safe Signature Campaign

[serveria.com]

Say that a thief stole $200M worth of money and he will be so kind enough to return that money and get only $20M.

These kind of things are rare but happen sometimes. Back in 2021 Poly Network was hacked for $600M, which hacker eventually returned. In the end they offered him a reward and position of chief secrity advisor. Having said that, I doubt that its gonna happen in this case, but I guess it doesn't hurt to try,

Source: https://www.theverge.com/2021/8/11/22619272/poly-network-attack-600-million-cryptocurrency-theft-doge-ethereum-binance-return-defi

I hope the position was remote as I can't imagine this hacker guy coming to the office of the company he hacked, shaking hands with top managers of the company whose money he had stolen. That would be kinda weird!

[ScamViruS]

Because these hack incidents are not so easy to happen without insiders, but they cannot be exposed because we do not have evidence.

If this is an inside job, then i think that this deal will be done, Mixin team gets $20M for free and the reputation restored, Business continues, nice move !!

It was indeed a good move. If this hack is really done by hackers, then offering $20 million reward to hackers is a good effort. Now if the hackers return these funds then it will be good for this platform to return the funds to their customers.

But if this incident is done on purpose and to get free marketing, then it will be a dirty game, the users of this platform should think about using this platform for the second time, why they are going to use this platform even after this incident.

[Stalker22]

Because these hack incidents are not so easy to happen without insiders, but they cannot be exposed because we do not have evidence.

If this is an inside job, then i think that this deal will be done, Mixin team gets $20M for free and the reputation restored, Business continues, nice move !!

It was indeed a good move. If this hack is really done by hackers, then offering $20 million reward to hackers is a good effort. Now if the hackers return these funds then it will be good for this platform to return the funds to their customers.

But if this incident is done on purpose and to get free marketing, then it will be a dirty game, the users of this platform should think about using this platform for the second time, why they are going to use this platform even after this incident.

I'm not entirely sure they would willingly shoot themselves in the foot like that. This incident will surely damage their reputation, and if they genuinely had a million users, I can assume that they will lose a significant portion of them as a result. It is hard to see them benefiting from the media attention they have received.

Their best-case scenario now is to provide financial compensation to all their users and hope that this incident eventually fades away, unless a similar situation arises in the future.

[Rikafip]

If this is an inside job, then i think that this deal will be done, Mixin team gets $20M for free and the reputation restored, Business continues, nice move !!

How exactly would Mixin team get $20M free if this was an inside job? I would like to hear the logic behind this.

What's more important, if this was indeed an inside job they woulnd't offer reward to their own employee piublically to give back the money because they would know who actually did it.