The cryptocurrency exchange FixedFloat has confirmed a significant security breach that resulted in the loss of approximately $26 million worth of Bitcoin and Ethereum on February 16, 2024. The attack, which unfolded over less than an hour, marks one of the most substantial exchange hacks of early 2024 and raises renewed questions about the security posture of non-KYC trading platforms operating in the decentralized finance ecosystem.
FixedFloat, known for its automated, non-custodial crypto-to-crypto exchange services, detected unusual blockchain activity on both the Ethereum and Bitcoin networks during the evening hours of February 16. The platform subsequently confirmed that an external attacker had exploited a suspected private key vulnerability to drain funds from its hot wallets.
The Exploit Mechanics
According to on-chain analysis, the attack began at 9:05 PM UTC on the Ethereum blockchain, with the attacker executing a small test transaction of 0.007 ETH to verify access to the compromised wallet. Over the next 34 minutes, the attacker drained a total of 1,728 ETH, valued at approximately $4.85 million at the time, from the FixedFloat contract address. The stolen Ethereum was distributed across multiple externally owned accounts before being routed through eXch, a centralized mixer designed to obscure transaction trails.
On the Bitcoin network, the attack commenced at 10:25 PM UTC and concluded within 20 minutes. The attacker moved 409 BTC, worth approximately $21.17 million, in a series of carefully structured transactions. Initial test transfers of 3.1 BTC each were followed by two large withdrawals of 200 BTC apiece, valued at roughly $10.5 million each at Bitcoin prices of $52,160. The stolen Bitcoin was distributed to three separate addresses holding 170.85 BTC, 38.45 BTC, and 200 BTC respectively.
Affected Systems
The primary victim address on Ethereum (0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F) and the corresponding Bitcoin address were both identified as FixedFloat operational wallets. The speed and precision of the attack suggest the attacker had gained direct access to private keys rather than exploiting a smart contract vulnerability. The attack pattern—beginning with a small test transaction followed by rapid large-scale withdrawals—is consistent with a private key compromise scenario.
FixedFloat took its website offline shortly after detecting the breach, displaying a maintenance page while the investigation was underway. The platform confirmed that no user data beyond transaction records was exposed, as the exchange does not collect personal identification information under its non-KYC operating model.
The Mitigation Strategy
In the immediate aftermath, FixedFloat security team initiated a comprehensive investigation in coordination with blockchain analytics firms. The attacker use of the eXch mixer for Ethereum funds and the distribution of Bitcoin across multiple wallets indicates a sophisticated laundering strategy designed to complicate recovery efforts.
The broader crypto security community quickly mobilized to trace the stolen funds. On-chain analysts established that the attack exhibited hallmarks of a well-planned operation, with pre-positioned wallet addresses and an established laundering pipeline ready to receive the stolen assets within minutes of the initial breach.
Lessons Learned
The FixedFloat exploit highlights several persistent vulnerabilities in the cryptocurrency exchange ecosystem. First, even platforms that position themselves as decentralized or non-custodial often retain operational hot wallets that present attractive targets for attackers. Second, private key management remains a fundamental weakness across the industry, with the $26 million loss underscoring the devastating impact of a single compromised key.
The incident also demonstrates the growing sophistication of crypto crime operations. The attacker use of mixing services and rapid cross-chain movement reflects an evolution in laundering techniques that challenges even advanced blockchain analytics tools. As Bitcoin trades above $52,000 and Ethereum nears $2,800, the incentive for such attacks continues to grow proportionally.
User Action Required
Users who had pending transactions on FixedFloat at the time of the breach should monitor the platform official communication channels for updates on the investigation. All crypto users, regardless of platform, should consider the following security measures: storing the majority of holdings in cold wallets rather than exchange hot wallets, enabling multi-signature authentication where available, and regularly reviewing withdrawal whitelist settings. The FixedFloat breach serves as a reminder that no exchange is immune to sophisticated attacks, and personal custody of private keys remains the most secure approach for long-term cryptocurrency storage.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
34 minutes and 1728 ETH gone. non-KYC doesn’t mean non-risk, people need to stop equating the two
exactly. the non-custodial label gave everyone false confidence. if they hold your keys during swap, its custodial by another name
34 minutes is an eternity in exploit time. most drains happen in under 5 minutes. the slow methodical approach actually makes this scarier
test tx of 0.007 ETH before the full drain is classic. these attackers are so methodical its scary
the 0.007 ETH test tx is such a tell. exchanges should have real-time monitoring that flags test transactions from unknown addresses