
Transit Swap hacker sent assets to Tornado Cash
The hacker who breached the decentralised cross‑chain exchange Transit Swap transferred part of the stolen funds to the Tornado Cash mixer and began corresponding with the project team.
#PeckShieldAlert 0x75f2aba…d46 (TransitSwap Exploiter) leaves a message to TransitFinance Funds Receiver 0xD989f7B4…a35E and starts to transfer part of stolen funds to Mixer https://t.co/o2h9suSXFI pic.twitter.com/CrX55l2Mo9
— PeckShieldAlert (@PeckShieldAlert) October 3, 2022
On October 2, an unknown actor withdrew assets worth approximately $21 million from Transit Swap. Later the exchange team said that the hacker had returned 70% of the stolen funds and invited him to get in touch.
On October 3, the attacker returned another 2,612 BNB (~$750,000) to the platform and attached a signed message to the transaction. At the same time, he made 40 transfers of 100 BNB to Tornado Cash.
#PeckShieldAlert 0x75f2aba…d46 (TransitSwap Exploiter) has transferred ~2,612 $BNB (~$750k) to TransitFinance Funds Receiver 0xD989f7B4…a35E pic.twitter.com/6N9h4STegx
— PeckShieldAlert (@PeckShieldAlert) October 3, 2022
He expressed doubts about the Transit Swap developers’ offers and said that he should receive a larger reward, citing the incidents with Nomad and Wintermute. According to him, he hacked only the Ethereum and BNB Chain networks. In the case of attacks on other chains such as Fantom, Tron and Polygon, the bounty could reach $100 million, the hacker asserted.
“It’s hard not to suspect that this is your official backdoor, and you should be glad that I implemented the exploit, not someone else,” he commented on the vulnerability exploited in the code.
The developers refuted his words, assuring that the bug was not deliberate. They noted that the stolen funds belong to users and expressed hope for their return. The Transit Swap team also said it was prepared to increase the reward.
The hacker responded, saying that he spent a lot of time auditing the project’s code and successfully exploited the vulnerability. He also stated his willingness to engage in dialogue on bug-bounty terms.
“We value your response and the restitution, we regard your actions as testing, not an attack. All these funds belong to users, we hope you will continue the restitution and we sincerely invite you to start a friendly dialogue about bug bounties right now, thank you!” the developers wrote.
In May, the Wormhole team paid $10 million to a white-hat hacker who discovered a critical vulnerability in the protocol.