Mixin Hack: Something Fishy

On September 25, Web3 transaction network Mixin Network reported a loss of about $200M from a hack that happened "in the early morning of September 23, 2023 Hong Kong time." The platform said that the database of its cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet. The company stopped deposit and withdrawal services in light of the hack, then contacted Google and blockchain security company SlowMist to assist with the investigation.

‍

On the same day of the Mixin announcement, founder Xiaodong Feng said that most of the assets stolen from the hack were in $BTC. He added that Mixin plans to compensate up to 50% of users' losses due to the hack, with the remainder of the compensation to be given through “tokenized liability claims” that Mixin plans to repurchase in the future.

‍

In its independent investigation, the 0xScope team uncovered the historical background of the addresses involved in the hack, as well as some additional details that paint a more complicated picture of the attack on Mixin.

‍

Highlights

‍

Based on the sequence of events that happened during the hack (for more details, see the Timeline section below), we have observed the following:

‍

1. It took Mixin two days after the hack to announce it to the public. By comparison, a Mixin user took just one hour to take out its funds from the platform, presumably after sensing that a hack is taking place. This two-day wait is puzzling, and perhaps a sign of a severe lack of security measures in the platform.

‍

2. Mixin, a supposedly decentralized platform, attributed the hack to an attack on the database of its cloud service provider.

‍

3. Two days after its announcement, Mixin claimed that "the losses are not as significant as estimated," but did not give a specific number. This statement, combined with the CEO's controversial decision to process refunds only up to 50% of users' lost funds and the on-chain message to the hacker about the "BUG Bunty," has considerably eroded trust in Mixin, perhaps even more than the hack itself.

‍

4. Instead of giving full disclosures on the nature of the hack, the Mixin team has given seemingly suspicious statements, resulting in some community members accusing Mixin of executing an inside job to steal users' funds. The web of connections between Mixin wallets and the hackers' wallets, with some connections being established a year or two ago, raise more questions than answers regarding the nature of the Mixin hack.

We at 0xScope will keep you posted.

‍

Timeline

‍

For a detailed overview of what happened during the hack, check our team's reconstruction below.

‍

One year before the hack:

‍

June 18, 2022: 0x1795, an address connected to the hack, received 5 $ETH from Mixin (0xB0Cf). This address transferred 51 $ETH to address 0xd07A on August 6, 2021 and deposited 5.9 $ETH on Binance (0x4b83) on July 5, 2022.

‍

October 20, 2022: ETH miner 0xab3B sent 118 $ETH to 0xfc73, a user of Gate.io and OKX.

‍

November 9, 2022: Mixin address(0xB0Cf) sent 10,000 $ETH to 0x5D5a.

‍

September 16, 2023: 0x5D5a sent 100 $ETH in gas to 0x4701.

‍

During the hack:

‍

September 22, 2023: 0xfc73 sent 0.5 $ETH in gas to 0x52e8, a wallet connected to the Mixin hack. This wallet holds $94M worth of $ETH.

‍

September 22, 2023: 0xd07A sent 50 $ETH as gas to 0xb5d6, another hack-related wallet holding $71,000 in $ETH, moments before the attack. This transfer was done so that the hacker could disperse tokens from Mixin's addresses through 0x52E8 for the attack.

‍

September 22, 2023: 0xb5d6 (hacker wallet) sent 0.3 $ETH as gas to 0x3b5f, an address that swapped USDT into DAI to avoid being frozen out of stolen funds.

‍

September 23, 2023: Disperse.app address 0xD152 sent 0.0025 $ETH in gas to Mixin wallet 0x68EF. It is likely that the hacker used Disperse.app to distribute tokens.

‍

‍

‍

After the hack:

‍

September 23, 2023: One hour after the hack, Mixin user 0x6e05 retrieved 30 $ETH from the platform, perhaps sensing that a hack was taking place.

‍

September 25, 2023: Mixin announced the stoppage of deposits and withdrawals, two days after it got hacked for $200M.

‍

September 25, 2023: Mixin wallets sent 988 $UNI to a hacker-related address (0xCD65) that now holds $8M in crypto assets.

‍

September 25-26, 2023: Mixin wallets sent $9M worth of crypto funds, including $HMT, $UNI, $ETH, and $USDC, to 0x4701.

‍

September 26, 2023: 0x68EF, a Mixin wallet that received gas from the hacker (0xD152), transferred $USDC and $HMT to 0x4701. It is likely that 0x4701 is an address controlled by Mixin to secure their remaining tokens, although Mixin has yet to confirm this.

‍

‍

September 27, 2023: 0x548A, an address that previously received gas from crossle.eth (presumably the ENS name of a wallet owned by Mixin CTO Crossle Song), sent the following address to hacker address 0x52E8:

‍

"IDM: Most of our platform assets were users’, and we hope you can refund them. You can keep $20M of the assets as a BUG Bunty (sic) Reward for the BUG. Contact us via bug@mixin.one for the reward details."

‍