- FixedFloat confirmed on February 18 that it was hacked.
- Around $26 million worth of Bitcoin (BTC) and Ethereum (ETH) were reportedly missing following the attack.
- The decentralized cryptocurrency exchange is popular due to its lack of KYC (Know Your Customer) requirements.
The FixedFloat Hacking Incident
On Saturday, February 17th, some users bombarded the X account of FixedFloat with complaints about frozen transactions and missing funds. The decentralized crypto exchange initially responded that the numerous outflows were due to “some minor technical problems” they were encountering with the system. The issue resulted in the admin switching the platform’s service to “maintenance mode.”
The next day, FixedFloat confirmed the attack but didn’t immediately provide specific details about it.
“We confirm that there was indeed a hack and theft of funds,” said the exchange on social media. “We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon.”
However, an investigation of on-chain data showed that around 400 BTC worth over $41 million and more than 1,700 ETH amounting to nearly $5 million were siphoned off in the cyberattack.
Other Statements Related to the Hack
To get more information, we delved into the complaints as well as the official answers of FixedFloat to some of its users on X. The replies were a mix of assurance and some contradiction to earlier statements made by the exchange.
Although the company instructed users to direct their complaints through email, a lot of them engaged the exchange via X anyway. First off, the exchange clarified that no user funds were affected by the exploit because they do not offer custodial service.
“Financial losses affected only our service, user funds were not affected,” it explained. “We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.”
Some users, though, found another of the exchange's tweets contradictory to its claim that it is not a custodial service provider.
“We never freeze user funds for no reason, if the user has provided all the evidence that he is not involved in the crime – we unfreeze the funds and conduct an exchange or refund the funds,” it posted. “We value our reputation and do not want to be complicit in crimes, which, if ignored, may block the operation of our service.”
Others urged FixedFloat to provide more transparency on the matter, to which the exchange responded, “We cannot give more information yet, as an investigation is currently underway. We promise that we will provide more information later.”
Meanwhile, one user complained that he emailed FixedFloat only to get a response asking for his identity information, which he deemed irrelevant to his problem. The exchange refused to directly address his query and referred him to their security service instead.
For an exchange that does not require KYC registration, it does not really make sense that they are suddenly asking for the user's personal details. Just how can they verify transactions when they have nothing in their database to cross-check them against?
As of this writing at 3:30 AM UTC, the website of FixedFloat is still down. There’s also a warning from Etherscan that the address related to the exchange has been used in a phishing scam, thanks to a report from the famous crypto sleuth on X, zachxbt.