$8 Million Nexus Mutual Hacker Lives in Singapore, Says Team
The founder of one of DeFi’s most vital protocols lost $8 million in a sophisticated attack yesterday. The perpetrator has already begun cashing out the stolen funds.
- Following yesterday’s lucrative hack on Nexus Mutual founder Hugh Karp, the attacker has begun cashing out their takings.
- Karp has already offered a $300,000 bounty to the attacker; the investigation is ongoing.
- Nexus Mutual has located a number of Ethereum addresses and possible foot trail leading to an IP address in Singapore.
Share this article
The attacker who stole more than $8 million worth of NXM from Hugh Karp has cashed out a significant portion of his stash. Nexus Mutual has identified many clues pointing to a potential suspect.
Nexus Mutual Hacker Dumping Stolen Funds
The high-level attack involved setting up a fraudulent transaction to imitate the popular browser extension Metamask. It resulted in Karp losing 370,000 NXM, the native token of his cover protocol Nexus Mutual. The transaction can be viewed on Etherscan.
The assailant has since begun moving the funds into other cryptocurrencies.
First, they exchanged a portion of them into ETH, followed by renBTC. There’s now over 137 BTC sitting in two addresses suspected to belong to the hacker. The BTC supply is worth $2,654,000 at the time of writing. Etherscan has a trail of many of their footprints; there’s still almost 200,000 wNXM, for instance, now worth $3,332,671, sitting in the wallet.
Karp offered the attacker a $300,000 bounty for the funds’ safe return yesterday and has since alluded to escalating the case if the situation doesn’t change.
The mempool is a dark forest, but the IPs on the internet are quite transparent.
I'm still happy to honour the bounty if you return the funds (less the bounty) within the next 12 hours. No questions asked.
— Hugh Karp 🐢 (@HughKarp) December 14, 2020
Potential Clues Unearthed
Though the Nexus Mutual protocol was unaffected by the incident, the team has been busy investigating.
On Twitter, a team member confirmed that the attacker was a member of Nexus Mutual.
The protocol requires users to complete a KYC process when they sign up. The team says that they completed the process before switching their membership on Dec. 3.
Nexus Mutual has since identified some possible addresses linked to the hacker. If correct, it appears the attacker may have made several clumsy slip-ups that have helped expose them.
There’s also been some suspicious activity in the official Nexus Mutual Telegram group, involving someone who began asking questions about the hack and blocked Nexus Mutual as a contact when the team reached out to them privately. Additionally, one of the addresses Nexus Mutual has unearthed has recently interacted with the one that stole Karp’s NXM.
The team says it belongs to someone who completed the KYC process and lives in Singapore. They’ve even located an IP address.
With the attacker still at large, the investigation is ongoing.
Disclaimer: At the time of writing, the author of this feature owned wNXM and ETH, among a number of other cryptocurrencies.