Over the years, crypto hacks have become more elaborate and more common. In 2024, the community saw hundreds of millions of people wiped out by exploits and scams, leaving investors empty-handed.
Sometimes exploiters return funds and report vulnerabilities in a project, helping to prevent future incidents. However, it is more common to see hackers recover the stolen funds and flee the scene.
Crypto investigator ZachXBT has exposed a string of exploits apparently linked to the so-called Whitehat hacker responsible for the Prisma Finance exploit that cost $12 million last month.
Stained Whitehat Hacker
On March 28, Prisma Finance, the decentralized lending protocol based on Ethereum, suffered a hack that stole 3,479.24 ETH. After being alerted and observing the suspicious activity, the Prisma team alerted the community.
At the time, the hacker contacted the Prisma team via a chain message, posing as a “Whitehat” looking for the users. During their conversation, the exploiter claimed to want to “raise awareness of serious contractual audits” and the use of DeFi.
The next day, the loan protocol published a detailed autopsy of the incident. This message apparently ruffled the feathers of the hacker, who demanded that the team change all “accusing terms” like “exploit” and “hacker.”
The messages raised alarms over whether the funds would be returned. Apparently dissatisfied with the Prisma team’s willingness to modify the autopsy, the exploiter demanded a bounty of $3.8 million, or 34% of the total funds.
1/ An investigation into the alleged $11.1 million @PrismaFi exploiter 0x77 (Trung) and the multiple other exploits they are connected to. pic.twitter.com/QU1Oy7Txbb
-ZachXBT (@zachxbt) April 16, 2024
The amount requested was triple the industry standard of 10%. According to the crypto detective, the exploiter was “essentially extorting the team” because the Treasury did not have enough funds to reimburse the victims.
Despite Whitehat’s claims and his apparent discomfort with language indicating otherwise, the hacker contradicted himself by sending the funds to Tornado Cash. Further investigation by the crypto detective revealed that this Whitehat had several stains.
Prisma exploiter connected to multiple crypto hacks
ZachXBT’s in-depth analysis of the timeline of related transactions resulted in the discovery of “related activity on Tron.” One address, TGviNZ, was linked to many exploits.
According to the investigation, TGviNZ was finance by the Arcade_xyz exploit from March 2023. During this incident, the exploiter requested additional funds from the project via Telegram.
Likewise, the address was linked to the Pine Protocol exploit from February 2024. This time, the hacker demanded 50% of the funds and allegedly made “additional unreasonable requests via email.”
Chain of adresses connecting the Modulus Protocol deployer and the Prisma exploiter. Source: ZachXBT on X
The crypto sleuth then discovered that TGviNZ is linked to protocol deployer Modulus, a “decentralized, non-custodial platform.” Further investigation revealed that user X, “0x77,” was among the few followers of the protocol.
This proved crucial in piecing together the puzzle, as the Arcade exploiter used the alias “0x77” on Telegram. A closer look at the phone number, email addresses used and other details brought out the same suspicious behind these exploits.
Details of the alleged exploiter are now in the hands of the Prisma team, who are investigating whether to take legal action against the individual in Vietnam and Australia.
Crypto Total Market Cap sitting at $2.207 trillion in the weekly chart. Source: TOTAL on TradingView
Featured image from Unsplash.com, chart from TradingView.com
