Despite delayed alerts to its users, FixedFloat ensures customer assets remain secure after a significant cyber breach.
FixedFloat, a crypto exchange renowned for its privacy-focused, non-custodial operations that forego traditional "know your customer" (KYC) protocols, was hit by a cyberattack this month. The breach led to the theft of assets exceeding $26 million, including more than 400 Bitcoin and 1,700 Ethereum.
The intrusion was pinpointed by BlockFence, a blockchain security company, which identified the Bitcoin wallet implicated in the theft. Further scrutiny by PeckShield, another analytics firm, tracked the siphoned Ethereum through various transactions, noting that the stolen funds were laundered through the eXch Ethereum mixer soon after the hack, making recovery efforts more challenging. PeckShield also discovered attempts to transfer a portion of the pilfered funds to exchanges HitBTC and CoinSpot.
In discussions with Decrypt, FixedFloat clarified that the breach was the result of external actors exploiting vulnerabilities in their security framework, rather than an inside job. "The problem was in our infrastructure, which was compromised due to flaws and insufficient protection," the exchange commented, indicating that the breach allowed unauthorized access to certain service functions.
Initially, FixedFloat attributed the service disruption to "minor technical problems" and shifted to maintenance mode, delaying the disclosure of the hack's extent. This decision led to user uncertainty and worry. "We did not immediately report the hack, as we were already aware of the incident and immediately began putting our service into maintenance mode to ensure security and minimize losses," FixedFloat explained their delayed communication.
Despite the turmoil, FixedFloat has reassured its customers that their funds are not at risk, emphasizing that the loss affects only the company's operational funds since FixedFloat does not store customer assets. This message was conveyed through their Twitter account amidst growing social media speculation regarding the breach.
Acknowledging the incident publicly, FixedFloat's Twitter response to inquiries stated, "We confirm that there was indeed a hack and theft of funds. We are not ready to make public comments about this matter as we are working to eliminate all possible vulnerabilities, improve security, and investigate."
The breach underscores the inherent risks associated with crypto exchanges, particularly those operating without KYC measures, which complicates tracking and prevention efforts. Despite this setback, the trend of significant hacks has been on the decline, with Chainalysis reporting a 54.3% decrease in stolen funds in 2023, totaling $1.7 billion, thanks in part to fewer DeFi-related incidents.
FixedFloat is currently collaborating with law enforcement, blockchain analysis firms, and other exchanges to locate the perpetrators and has committed to fulfilling its financial obligations to users upon resuming secure operations.