Bitcoin Forum
Topic: FixedFloat has been hacked (26M $)
OmegaStarScream (OP)
February 19, 2024, 07:26:15 PM
Merited by LoyceV (4), hugeblack (4), Rikafip (1)
 #1

So I'm pretty sure lots of you here have already heard of this instant exchange. It got hacked a few hours ago[1][2].

The team did confirm the hack and denied that it was an inside job. They're currently in maintenance mode.

[1] https://decrypt.co/218077/fixedfloat-hack-26-million-bitcoin-ethereum
[2] https://twitter.com/PeckShieldAlert/status/1759399281201733917

Rikafip
February 19, 2024, 08:18:16 PM
 #2

It got hacked a few hours ago.
As far as I know, they got hacked yesterday. Can't say that I ever heard of them, let alone use them.  


Huh, in that article they say that eXch is Ethereum mixer :P


dkbit98
February 19, 2024, 09:53:32 PM
 #3

The team did confirm the hack and denied that it was an inside job. They're currently in maintenance mode.
I don't think they are coming back any time soon, like they say on their website.
Even if they come back they are probably going to change to full KYC, and they will have a hard time recovering from these losses.
But I would love to hear what they have to say; the last time they logged in and posted was at the end of January:
https://bitcointalk.org/index.php?topic=5482815.msg63576532#msg63576532

As far as I know, they got hacked yesterday. Can't say that I ever heard of them, let alone use them.  
They are all over the forum, and they have had a registered account here since 2018:
https://bitcointalk.org/index.php?action=profile;u=2387384

tabas
February 19, 2024, 11:43:00 PM
 #4

I see that's the reason why the website says they're on technical maintenance currently.

It got hacked a few hours ago.
As far as I know, they got hacked yesterday. Can't say that I ever heard of them, let alone use them. 

Huh, in that article they say that eXch is Ethereum mixer :P
The article author doesn't realize that it's a competitor to their business.

I don't understand if there are funds from their customers telling that they're safe. Are they talking about the recent transactions that were sent to them? Because no one can hold funds there; as the transaction gets confirmed, the conversion is sent afterwards quickly. CMIIW.

hugeblack
February 20, 2024, 07:10:57 AM
Last edit: February 20, 2024, 08:07:44 AM by hugeblack
 #5

I've used them about 4 times since the beginning of this year, everything was fast and good, it's unfortunate to see them stop working. :)
I think it is a small exchange with about $10 million, but $26 million is not an easy matter to compensate, and most likely the government agencies that will deal with them will demand more stringency regarding customer data.

So I think it will be the last time I will use them (if they come back), even though my experience with them was good.

LoyceV
February 20, 2024, 08:41:02 AM
 #6

Does anyone have a recent snapshot of their "Reserves" on BestChange? I can only find a snapshot from almost 4 years ago, when their reserves were only $38,489.
How did they go from that to 26 million in a hot wallet?

Synchronice
February 20, 2024, 09:38:38 AM
 #7

How did they go from that to 26 million in a hot wallet?
Are you seriously asking? It's super simple. You create an exchange, start small, then implement KYC, ask depositors to submit KYC documents on your website, there is a chance that they will refuse it and might give up on their money. Then, over time, you come up with another better solution, that means, you partner with blockchain analysis companies and you confiscate the money of high depositors. At first you confiscate $2000, then $5000, then $8000 and so on. Over time, you go from 38K to 26 Million by keeping deposits in your wallet instead of sending to the receiver.

Potato Chips
February 20, 2024, 10:57:45 AM
Merited by examplens (1)
 #8

Nice article. I'm used to news outlets mistakenly referring to CEXes with little to no KYC measures as decentralized exchanges, so seeing eXch as an Ethereum mixer is new lol

and yet another, let's shift the blame for the lack of KYC:

Quote from: decrypt
FixedFloat, which advertises itself as an "instant, fully automatic cryptocurrency exchange with Lightning Network," prioritizes privacy over safety, operating without requiring account registration or identity verification. This lack of KYC measures is appealing to privacy-conscious users, but it poses significant risks for both the platform and its users in the event of a hack, as investigators have limited information to work with.

I'm sure the hackers would've given fixedfloat their real name and home address /s

No mention what sort of attack was used so who knows if they even have to trade for this.

Does anyone have a recent snapshot of their "Reserves" on BestChange?

I've looked into snaps from a couple months ago and their reserves were constantly increasing. The final amount at Feb 13th was at $45M, see: https://web.archive.org/web/20240213024353if_/https://www.bestchange.com/list.html

LoyceV
February 20, 2024, 04:16:56 PM
 #9

Thanks, I didn't find it at archive.org.
This means they had more than 50% in their hot wallet. Needless to say: that's incredibly dumb.

LTU_btc
February 20, 2024, 08:26:58 PM
 #10

Another day - another exchange got hacked. I think I've never heard their name before and it's nothing surprising as it's a relatively small exchange. Seems that they didn't put their heads into the sand and are trying to communicate, that's at least some positive sign. Will be interesting to follow how things will develop further.

I've used them about 4 times since the beginning of this year, everything was fast and good, it's unfortunate to see them stop working. :)
I think it is a small exchange with about $10 million, but $26 million is not an easy matter to compensate, and most likely the government agencies that will deal with them will demand more stringency regarding customer data.

So I think it will be the last time I will use them (if they come back), even though my experience with them was good.
Yeah, it's a small exchange, but still, $26 million is huge money, no idea how they're going to compensate it. And for scammers it's more than enough money to retire, but probably they're not going to do it.

Yamane_Keto
February 21, 2024, 02:37:20 AM
 #11

This means they had more than 50% in their hot wallet. Needless to say: that's incredibly dumb.

Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage, as I see in the explosion that the 1,700 Ethereum were transferred from one address. If they were in the hot wallet, there would have been a large number of addresses.

Quote
“The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said. “This allowed the attackers to gain access to some of the functions of our service.”



yhiaali3
February 21, 2024, 04:58:50 AM
 #12

Quote
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. "FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later," the platform tweeted.
Is this true, does FixedFloat really “do not store user funds”? As far as I know, all centralized exchanges use user funds and do not isolate exchange assets from user assets, especially those that are not subject to regulatory laws.

FixedFloat said that it will fulfill all payment obligations as soon as it resumes its operations, but of course they did not specify a time for that, and until that time, user funds will remain stuck. I hope that the exchange’s words are true and that user funds have not been affected.

LoyceV
February 21, 2024, 07:38:08 AM
 #13

Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage
That is by definition impossible. If hackers can access it without physically breaking into the building, it wasn't cold storage.
Unless it was in cold storage and an employee manually approved a withdrawal from cold storage that was made without a deposit. That would be a new level of stupidity.

Is this true, does FixedFloat really “do not store user funds”? As far as I know, all centralized exchanges use user funds and do not isolate exchange assets from user assets, especially those that are not subject to regulatory laws.
In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.

FinneysTrueVision
February 21, 2024, 09:22:58 AM
 #14

Quote
In a subsequent statement, FixedFloat assured customers their funds were safe, clarifying that the financial losses impacted only the service itself and not user-held assets. "FixedFloat does not perform the functions of a custodial service—that is, it does not store user funds. We will provide more information later," the platform tweeted.
Is this true, does FixedFloat really “do not store user funds”? As far as I know, all centralized exchanges use user funds and do not isolate exchange assets from user assets, especially those that are not subject to regulatory laws.

FixedFloat said that it will fulfill all payment obligations as soon as it resumes its operations, but of course they did not specify a time for that, and until that time, user funds will remain stuck. I hope that the exchange’s words are true and that user funds have not been affected.

FixedFloat is an instant exchange like exch.cx. You can use it without creating an account. The only users who would have lost money would be those who were in the process of swapping or receiving a refund.

I’ve used them several times since they are one of the few exchanges with lightning support but the recent controversy they had with a user on the forum, where they were asking invasive questions about the source of their funds, made me skeptical about using them again.

un_rank
February 21, 2024, 10:45:17 AM
 #15

I’ve used them several times since they are one of the few exchanges with lightning support but the recent controversy they had with a user on the forum, where they were asking invasive questions about the source of their funds, made me skeptical about using them again.
They have had several such complaints off the forum before now, which leads me to think that this was always coming with the kind of service they offered. Some users who tried to trade on an 'instant' exchange 2 days before the hack still had funds stored in it till it closed withdrawals.

Requests for private info for no apparent reason also increased recently before the hack.

- Jay -

dkbit98
February 21, 2024, 06:28:32 PM
 #16

Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage, as I see in the explosion that the 1,700 Ethereum were transferred from one address. If they were in the hot wallet, there would have been a large number of addresses.
There is no real difference between using cold and hot wallet addresses.
Only difference for cold wallets is that keys/phrases are stored offline, everything else is the same looking from outside.
Cold storage access can only happen with a leak from the inside.

In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.
That would operate at snail speed, especially for larger transactions, and someone for sure owned $26 million worth of Bitcoin and Ethereum that was hacked.





arabspaceship123
February 21, 2024, 09:08:21 PM
 #17

Have ppl heard of instant exchanges getting hacked? It's the first time I've seen this. Hackers must've been given inside info. They've lost $26M from instant exchange last month so why'd they delay their announcement?

So I'm pretty sure lots of you here have already heard of this instant exchange. It got hacked a few hours ago[1][2].

The team did confirm the hack and denied that it was an inside job. They're currently in maintenance mode.

[1] https://decrypt.co/218077/fixedfloat-hack-26-million-bitcoin-ethereum
[2] https://twitter.com/PeckShieldAlert/status/1759399281201733917

stompix
February 22, 2024, 07:56:50 AM
 #18

Quote
"it was an external attack caused by vulnerabilities in our security structure.”
“The problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” the company said.

Is this the first one in a while that comes out with a clear statement like this: we had flaws, our infrastructure security was rubbish, we know we screwed up, it's a miracle it lasted that long? Anyhow, at $26M and with bad publicity I can't see them making a real comeback; even if there will be no customer losses, people will be wary of it, such a loss might trigger some extra fleecing on clients to recoup some of that!

In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.

I don't get it. If I send Bitcoins and want monero, the moment I sent a coin it's not mine anymore, it's the property of the exchange and they release my monero coins, why would there be a limit on how long they can hold that?

LoyceV
February 22, 2024, 04:41:27 PM
Merited by stompix (2)
 #19

In an ideal scenario, an instant exchange only holds the user's funds until it has enough confirmations to complete the transaction and send back the other coin.
I don't get it. If I send Bitcoins and want monero, the moment I sent a coin it's not mine anymore, it's the property of the exchange and they release my monero coins, why would there be a limit on how long they can hold that?
The question was if they really don't store user funds. My answer was related to the short time between depositing and receiving your exchanged coins. It could be up to about an hour to get enough confirmations. What they do with the coins after that is indeed not your concern.

Potato Chips
February 22, 2024, 08:31:26 PM
 #20

Have ppl heard of instant exchanges getting hacked? It's the first time I've seen this. Hackers must've been given inside info. They've lost $26M from instant exchange last month so why'd they delay their announcement?

Did you mean 'this' month?

But I'm not that surprised since instant exchanges like fixedfloat are pretty much a simplified version of the custodial and centralized exchanges we're used to -- e.g. kucoin, binance etc.-- created for quick trades. We may not leave our coins there for long but they do have the attack prone hot wallets for daily transactions.

DaveF
February 23, 2024, 12:19:15 PM
Merited by LoyceV (4)
 #21

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....

-Dave

shield132
February 23, 2024, 09:13:47 PM
 #22

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....

-Dave
You might not believe it, but a local bank in my country was offering a crypto exchange service via a child company, and the child company was really using an API of other exchanges to make the trades. They fixed it once they became popular.
Btw when I visit fixedfloat.com it redirects to ff.io <-- I bet that they want to make this accident look like they didn't experience any hack at all and all of this happens because they purchased a new domain and want to move the whole database to a new one.

arabspaceship123
February 23, 2024, 10:59:44 PM
 #23

They aren't supposed to hold funds after they're exchanging. They should've sent swapped funds to destination addresses so how's $26M stolen?

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....

-Dave

LoyceV
February 24, 2024, 08:01:59 AM
 #24

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate.
But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades.
It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.

Synchronice
February 24, 2024, 10:07:29 AM
 #25

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate.
But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades.
It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.
Many exchanges have fixed and dynamic fees, I think this gives them the possibility to charge you more percentage during trade while protecting you from slight volatility that god knows whether happens or not.
By the way, if it's possible to create an exchange via API, then how do they deal with high risk deposits?
Let's say that:
A is an instant exchange
B is a big exchange that gives API to A

How does B deal with high risk deposits that come from someone sending dirty coins to A instant exchange? Does B send a request to A to tell its user to submit KYC documents? Or how does it happen?


Seems, fixedfloat is live but some browsers warn me that fixedfloat is dangerous to visit:
Quote
Attackers on the site you're trying to visit might trick you into installing software or revealing things like your password, phone, or credit card number. Chrome strongly recommends going back to safety.
Karma exists!

LoyceV
Legendary
Activity: 3304
Merit: 16620
February 24, 2024, 10:25:30 AM
Last edit: February 24, 2024, 12:57:02 PM by LoyceV
Merited by Synchronice (1)
 #26

if it's possible to create an exchange via API, then how do they deal with high risk deposits?
Let's say that:
A is an instant exchange
B is a big exchange that gives API to A

How does B deal with high risk deposits that come from someone sending dirty coins to A instant exchange? Does B send a request to A to tell its user to submit KYC documents? Or how does it happen?
I've seen topics about it: Basically, A claims B froze their funds based on arbitrary conditions (despite A claiming in their terms they use their own funds), and A makes up arbitrary terms for the user to get back their funds. It doesn't make much sense. The whole "freezing" and "dirty" is BS anyway, exchanges would gladly send those funds to other users again:
The funds remain frozen at our addresses, and when the frozen funds are seized by the authorities, they are also sent from our addresses.
That's not true. You say the funds "remain frozen", but that can't be since you've mixed them already.
The first transaction was mixed in this transaction and that same output was used to send to another address. The second transaction was mixed in this transaction and also sent to another address. None of the funds were frozen in your wallet, you're normally using them to pay other people.
To summarize: if those funds came from criminal activity as you claim, you've now sent it to other innocent users who now own those "tainted" Bitcoins.
It sounds very much like you only care about "taint" when it's convenient for you.

DaveF
Legendary
Activity: 3472
Merit: 6267
February 26, 2024, 09:02:07 PM
 #27

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.
Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate.
But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades.
It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.

Once again as an assumption, I had in my mind that the lack of withdraw fees was covered by the rates that were not that good.
I *know* that is how a couple of other places worked.

The rate you saw was what you would get if you went to a full regular exchange minus the withdraw fee minus their cut.

I know that when I was moving some forked BCH that I had with them last year I followed the coins to some other exchange. The BTC I got back was from a small wallet, no idea whose it was.

-Dave

Yamane_Keto
Sr. Member
Activity: 476
Merit: 486
February 27, 2024, 01:08:14 AM
 #28

https://fixedfloat.com service is partially back, trading pairs such as Bitcoin, Ethereum, and Monero are still temporarily suspended, only a few tokens besides LTC are allowed.


February 27, 2024

Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage
--
--

I did not find an official statement from them. I read some articles that talked about the reason and it seemed, as I mentioned, a complete failure of the system, as one of the articles mentioned that private key exploit.

On-chain details show that the attack lasted for more than two hours. The hackers emptied their ETH balance first, and then after an hour, the same thing was repeated for Bitcoin, for more than half an hour. In both cases, the damage could have been mitigated, as the Bitcoin wallets were emptied after more than an hour from the suspicious movement of ETH wallets.

FixedFloat Exploit

dkbit98
Legendary
Activity: 2226
Merit: 7141
February 27, 2024, 09:58:21 PM
 #29

https://fixedfloat.com service is partially back, trading pairs such as Bitcoin, Ethereum, and Monero are still temporarily suspended, only a few tokens besides LTC are allowed.
They came back faster than I expected, and after reading their latest blog posts I can say they had very poor protection, and slow reaction to initial hack.
According to their twitter account they are now making a planned transition to new short domain ff.io:
https://twitter.com/FixedFloat/status/1761267221051977842

FinneysTrueVision
Sr. Member
Activity: 1652
Merit: 365
April 01, 2024, 11:10:34 PM
Last edit: April 01, 2024, 11:50:59 PM by FinneysTrueVision
Merited by LoyceV (2)
 #30

It seems like they were probably hacked again. Their website went offline some hours ago. Millions in ETH, stablecoins, and BNB have been transferred from their hot wallets and some of it has been swapped using eXch.



The ETH wallet 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F was the same one that was hacked in February.

stompix
Legendary
Activity: 2884
Merit: 6310
April 02, 2024, 01:47:12 PM
Merited by LoyceV (2)
 #31

The ETH wallet 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F was the same one that was hacked in February.

Waaaaiiit a minute!

Let's assume they were not hacked this time until confirmation but! they are still using the same hot wallet the same address that was hacked last time? They didn't even change that and they were up and running like nothing happened? They didn't even mention what went wrong the first time, the services were not fully back but they kept using the same system and the same addresses? Come on, this is unbelievable!

 

LoyceV
Legendary
Activity: 3304
Merit: 16620
April 02, 2024, 01:59:01 PM
 #32

Let's assume they were not hacked this time until confirmation but! they are still using the same hot wallet the same address that was hacked last time?
My speculation: maybe the wallet wasn't compromised, but the rest of the system. Like: someone made it look as if they made a transaction without making a deposit, after which the payment was sent.

dkbit98
Legendary
Activity: 2226
Merit: 7141
April 02, 2024, 07:18:05 PM
Merited by LoyceV (2), RickDeckard (2)
 #33

It seems like they were probably hacked again. Their website went offline some hours ago. Millions in ETH, stablecoins, and BNB have been transferred from their hot wallets and some of it has been swapped using eXch.
This hack is now officially confirmed on FixedFloat twitter account.
I can't believe this is actually happening in the same way like last time, and something seriously stinks here.
It sounds to me like there is some information leak from inside this exchange.

Quote
On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again. Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.

However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use. Although such third-party attacks are beyond our control, we take all necessary measures to strengthen the security of our service and will work to prevent similar incidents in the future.

We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected. We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.

We are currently in the process of an active investigation. Details of the incident cannot yet be disclosed due to the ongoing investigation.
https://twitter.com/FixedFloat/status/1775172224216875223

stompix
Legendary
Activity: 2884
Merit: 6310
April 03, 2024, 01:53:40 PM
Merited by dkbit98 (1)
 #34

My speculation: maybe the wallet wasn't compromised, but the rest of the system. Like: someone made it look as if they made a transaction without making a deposit, after which the payment was sent.

Let's assume that would be true, now which one of the old crypto users who has been around for years and knows about security would just say, we know what the bug is, the rest is safe, let's keep the same wallet that was drained because changing one line is way too complicated
They got lazy at least to say, that, if the second hack is a hack at all.

This hack is now officially confirmed on FixedFloat twitter account.
I can't believe this is actually happening in the same way like last time, and something seriously stinks here.

Stinks is underestimating this, I read that twice and I still can't understand a few things:

Quote
Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.
However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use

This seems like successfully repelling all the attacks on all fronts while losing all your army and retreating 200 miles.
Then:

Quote
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.

So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!

DaveF
Legendary
Activity: 3472
Merit: 6267
April 03, 2024, 07:45:56 PM
 #35

Yeah, something is not right.
Or, and this is just a guess, the original hack was worse than they thought it was and they had more access to the systems than FF thought so they just had to wait for wallets to be refilled and do it again.

Shrug, whatever, so long as no user funds were lost then it's an internal issue. If you don't take security seriously then that's on you.

Should have been down for weeks while every line of code was checked.


If it really was a 3rd party that was at fault, then why would ANY 3rd party have access to your hot wallets....

-Dave

arabspaceship123
Full Member
Activity: 868
Merit: 190
April 07, 2024, 11:59:41 PM
 #36

They've lost $26M in hot wallets so we've got to know if they're being targeted by outside hackers or inside info helping inside hackers. They haven't told ppl because they're investigating. FixedFloat weren't well known before their hacks now ppl are talking about them for the wrong reasons.

dkbit98
Legendary
Activity: 2226
Merit: 7141
April 08, 2024, 04:51:08 PM
 #37

This seems like successfully repelling all the attacks on all fronts while losing all your army and retreating 200 miles.
Whatever they did to ''improve'' their service now made them look like a bunch of amateurs.
This sounds like a classic backdoor access to me, building taller walls won't help to protect you from this.

So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!
Maybe, but whenever I hear the story about evil hackers I have doubts if they really exist or if they exist who hired them.

Should have been down for weeks while every line of code was checked.
Exactly.
If first hack happened and I was the owner of FF, I would never continue to work and get back so quickly like they did.

examplens
Legendary
Activity: 3276
Merit: 3169
April 09, 2024, 10:06:39 AM
 #38

Should have been down for weeks while every line of code was checked.
Exactly.
If first hack happened and I was the owner of FF, I would never continue to work and get back so quickly like they did.


They needed to be robbed twice to accept the seriousness of the situation, now they have been in maintenance for 8 days. I wouldn't bother checking the old code, it's probably safer for them to start everything from scratch.

Did they announce somewhere what the amount is in this second incident?

RickDeckard
Legendary
Activity: 1008
Merit: 3007
April 09, 2024, 10:33:49 AM
 #39

Did they announce somewhere what the amount is in this second incident?
A security research firm told Coindesk[1] that there were suspicious transfers of around ~ 3 million ETH. I have just checked the website and it continues in maintenance mode so I guess that they haven't solved the problem. According to a recent tweet of theirs[2] they were once again attacked by the same group:
Quote
On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again. Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.

However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use. Although such third-party attacks are beyond our control, we take all necessary measures to strengthen the security of our service and will work to prevent similar incidents in the future.

We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected. We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.

We are currently in the process of an active investigation. Details of the incident cannot yet be disclosed due to the ongoing investigation.

[1] https://www.coindesk.com/markets/2024/04/02/bitcoin-lightning-exchange-fixedfloat-sees-suspicious-transfers-of-3m-to-ethereum-tron/
[2] https://twitter.com/FixedFloat/status/1775172224216875223

logfiles
Copper Member
Legendary
Activity: 1974
Merit: 1653
April 09, 2024, 10:55:53 PM
 #40

We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.

So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!
I had a laugh when I also read that part. Like if the $26M+ is not customer's money nor company's money. Then whose money is it?
Did someone just stash it in the address that just happens to be fixedfloat's and then hackers came in and stole it?

I think it's just a matter of time before we get an announcement that they are shutting down, or they will probably stay in maintenance mode indefinitely.

LoyceV
Legendary
Activity: 3304
Merit: 16620
April 10, 2024, 07:06:26 AM
 #41

Quote
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!
This sounds like an inside job: first drain the company, then drain the next guy involved.

DaveF
Legendary
Activity: 3472
Merit: 6267
April 10, 2024, 02:58:02 PM
 #42

Quote
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!
This sounds like an inside job: first drain the company, then drain the next guy involved.

Sounds like they are being vague on purpose.

Had they said this:

No customer funds were lost.
The funds we have to run the company on a day to day basis (hosting, payroll, etc) were not lost.
The only funds lost were those that were in hot wallets that were needed to run the service on a day to day basis.

Is much more clear. But at that point they have no wiggle room.

The generic ambiguous statement that they put out can mean just about anything.

Also, English may not be their native language, they may not know what they said outside of Google Translate....

-Dave
