Crypto detective ZachXBT has identified the alleged PrismaFi hacker, exposing their involvement in the $11.1 million theft and subsequent demands.
Blockchain sleuth ZachXBT uncovered an alleged attacker behind the PrismaFi hack, which left the protocol without $11.1 million worth of crypto. In a series of X posts, ZachXBT revealed that the exploiter, known as 0x77 (or Trung) might be linked to multiple other exploits.
1/ An investigation into the alleged $11.1M @PrismaFi exploiter 0x77 (Trung) and the multiple other exploits they are connected to. pic.twitter.com/QU1Oy7Txbb
— ZachXBT (@zachxbt) April 16, 2024
The Prisma team detected a series of transactions on the MigrateTroveZap contract earlier in March, which eventually resulted in a loss of 3,257 ETH (equivalent to $11.1 million at the time). Initially, the attacker communicated with the Prisma deployer, claiming the attack was just a whitehat initiative. However, all the funds were later deposited to Tornado Cash, a sanctioned crypto mixer.
You might also like: Prisma Finance hacker demands live conference, apology after $11m breach
The exploiter proceeded to make audacious demands, including a $3.8 million (34%) whitehat bounty, significantly higher than the industry standard of 10%, ZachXBT noted, adding that the demand was “essentially extorting the team as the treasury does not have sufficient assets to reimburse users.”
3/ At first the attacker communicated with the Prisma deployer the attack was whitehat.
— ZachXBT (@zachxbt) April 16, 2024
Later that day all of the funds were deposited to Tornado Cash contradicting that statement.
The exploiter began making outrageous demands and asked for a $3.8M (34%) whitehat bounty
This… pic.twitter.com/vFdJCJM5mz
Further investigation revealed that the exploiter’s address received funds via FixedFloat and was subsequently located on Arbitrum, a layer-2 solution on Ethereum. By analyzing timing, ZachXBT found that the exploiter’s address was connected to withdrawals on TRON, including those from the Bybit crypto exchange.
The investigation also uncovered connections to previous exploits, such as the Arcade_xyz exploit from March 2023 and the Pine Protocol exploit from February this year. The exploiter, using the alias 0x77 on Telegram, remained active, with ties to the deployer of @modulusprotocol, further solidifying the link between each incident.
The investigator also disclosed conducting an analysis of the exploiter’s personal information, gathering phone numbers and emails, which suggested a proficient technical background. Currently, all gathered personal data has been forwarded to the Prisma team, who are pursuing legal action against the hacker in Vietnam and Australia, ZachXBT added.
Read more: FixedFloat reportedly suffers another exploit, losing $2.8m