On the evening of April 16, on-chain detective ZachXBT posted on X that the hacker attacking the Prisma Finance protocol was Vietnamese.
A Vietnamese person is suspected of being behind the Prisma Finance hack
Specifically, on-chain data analyst ZachXBT discovered that a user with Twitter handle 0x77 was involved in the Prisma Finance hack at the end of March 2024, causing more than 11 million USD in damage.
1/ An investigation into the meaningful $11.1M @PrismaFi exploiter 0x77 (Chinese) and the multiple other exploits they are connected to. pic.twitter.com/QU1Oy7Txbb
— ZachXBT (@zachxbt) April 16, 2024
Prisma Finance is a decentralized lending protocol with a total TVL of over 222 million USD, according to DefiLlama.
On March 28, 2024, the project observed a series of transactions on the MigrateTroveZap contract that siphoned a total of 3,257 ETH, equivalent to $11.1 million. The on-chain security alert system Cyvers Alerts was the first to discover this suspicious transaction chain and said that after the first exploit, the attacker began swapping the stolen funds to ETH.
In collaboration with @PrismaRisk and @wavey0x, we are publishing a comprehensive post-mortem report on yesterday's event. https://t.co/DljZSs3ssK
We are fully mobilized to retrieve users' funds and we will keep you updated on next steps.
The most important action users can… pic.twitter.com/MUr1yqqBKX
— Prisma Finance (@PrismaFi) March 29, 2024
According to ZachXBT's post, although the hacker initially claimed to be a "white hat", he reversed course that same day, when all the money was transferred to the cryptocurrency mixer Tornado Cash. The hacker then began making sky-high demands of the Prisma team, asking for a "white hat" reward of up to 3.8 million USD (34% of the hacked amount). This is significantly higher than the standard 10% bounty for white hats. If the project agrees to the hacker's demands, it will not have enough liquidity to refund users.
A "white hat" is a well-intentioned hacker who helps a project detect vulnerabilities or other security problems in its system.
Using on-chain investigation, ZachXBT analyzed the transaction execution times as well as the source addresses of transactions on the Arbitrum network. The on-chain detective then analyzed the timing of the hacker's withdrawals on Bybit connected to the TRON network and narrowed the search down to the two most suspicious wallet addresses.
Of these two wallet addresses, the one starting with the letters "TGviNZ" has a history of involvement in an attack on Arcade.xyz, a DeFi platform for non-fungible tokens, in March 2023. At that time, the hacker also requested additional bounties from the protocol.
6/ I found TGviNZ funded by the Arcade_xyz exploit from March 2023 where the exploiter requested additional funds from the protocol.
Arcade exploiter
0x807350917efa87fb15ed7eb0952635cdf1c13366
Further investigation revealed the team had been in contact with the exploiter who… pic.twitter.com/nDXr5T1dmH
— ZachXBT (@zachxbt) April 16, 2024
Investigating further, ZachXBT discovered that Arcade had been in contact with the hacker, who uses a Telegram account named '0x77' that is still active. The on-chain detective also noticed unusual connections between the hacker and the Pine Protocol attack from February 2024.
ZachXBT quickly discovered that the hacker's address was related to the developer who deployed the decentralized platform Modulus Protocol. Twitter user '0x77' is one of the project's few followers and regularly interacts with each of the platform's posts.
Conducting further analysis, ZachXBT quickly found and collated information on the hacker from the suspect's phone number, email and other details. ZachXBT urged the attacker to voluntarily return the money to Prisma Finance if he did not want the incident to escalate further.
9/ Further analysis was conducted with the phone number, emails, and other details of the purported exploiter.
From their posts on X it is clear they have a strong technical background.
As of now all personal details have been compiled and the Prisma team is pursuing every… pic.twitter.com/GvQIbXbxdG
— ZachXBT (@zachxbt) April 16, 2024
As of now, all personal information has been compiled and the Prisma team is collecting evidence to sue the suspect under Vietnamese and Australian laws. Coin68 will continue to monitor and report further developments of the Prisma Finance hack as soon as possible.
Recent cryptocurrency hacks further highlight the importance of building a regulatory framework for the industry. According to blockchain security company Immunefi, more than $336 million has been lost to hacks and rug pulls from the beginning of 2024 to date, across a total of 32 incidents.
Compiled by Coin68