Hack or Exit Scam: What Happened at BitForex

Since February 23, crypto exchange BitForex stopped processing withdrawals, without any announcement on their website or social media channels. On the same day, about $56.5M worth of crypto tokens flowed out from the exchange's hot wallets. This development has been covered in our recent X (Twitter) post and another post by known crypto sleuth ZackXBT.

BitForex, established in 2017, features 1,166 trading pairs as of February 2024, although only 12.6% of those pairs have trading volumes above $10M, according to data from CoinMarketCap and CoinGecko. The latest major news about this exchange is the departure of its CEO Jason Luo, also a co-founder of Red Rock Capital, on January 31 after leading the company since November 2020.

As of today (February 26), BitForex's website is currently inaccessible, while its X account made its last post on February 21.

ZackXBT noted that BitForex holds 18% of the Tellor ($TRB) supply and 7% of the ECOMI ($OMI) supply. Interestingly, $54.2M of the tokens taken out of the exchange were in $TRB.

In this article, the 0xScope team provides an overview of the recent events at BitForex and investigates the likely causes and effects.

Suspicious BitForex Outflows

The recent outflows from BitForex can be seen across the Ethereum, Tron, and Bitcoin networks. There are three addresses of interest in these transactions:

Ethereum

Aside from getting $54.2M worth of $TRB tokens from 0x50Cb, address 0xdcac also received $USDT, $ETH, $BNB, $USDC, and $MATIC from BitForex hot wallet address 0x3A72, but there's still $4M of other tokens in BitForex. 0x50Cb currently holds 14 other tokens worth $284K.

Tron

The address TQcnqaU4NDTR86eA4FZneeKfJMiQi7i76o received $657K in $USDT and $44K worth of $TRX from BitForex, whose hot wallet address TLAiQcyKs5tuyztiy1syh7ykA6ked56Lkp still holds $174K worth of other tokens.

Bitcoin

3DbbF7yxCR7ni94ANrRkfV12rJoxrmo1o2 received 5.7 $BTC from multiple BitForex addresses. As of today, BitForex only holds 0.238 $BTC.

Our Analysis

Based on the information we gathered from this investigation, the 0xScope team thinks that the recent suspicious transactions on BitForex are unlikely to be caused by a hacking attack.

We observed that the address 0xdcac received 0.01 $ETH on Feb 21. However, the next transaction is made about 58 hours later, as seen below:

0xdcac tested its first $USDT transaction with $10 and waited 3 hours before the actual, bigger transactions took place. Typically, a CEX is capable of detecting unauthorized transactions in a few minutes. However, in this instance, BitForex was either unable to detect the test transaction or, worse, chose to do nothing.

The 0.01 $ETH transaction also offers a clue to the nature of 0xdcac's actions. Usually, hackers would promptly transfer all the $ETH out of an exchange after a successful test transaction. In this instance, no action was taken for the next 58 hours, either from the exchange or 0xdcac.

Further investigation is needed to come to a certain conclusion about what happened to BitForex. But based on our investigation, what's close to certain is that the Bitforex outflows did not result from a typical crypto hack. Furthermore, given that BitForex did not act on the suspicious outflows, other angles might be at play, including a possible inside job.

We encourage the crypto community to join us in finding out the truth, especially given that BitForex has not made any statement since the suspicious transactions took place.

‍