NoOnes P2P Marketplace Drained of $7.9 Million in Multi-Chain Hot Wallet Breach

The peer-to-peer cryptocurrency marketplace NoOnes began the new year with a devastating security breach that saw $7.9 million siphoned from its hot wallets across four blockchains. The attack, which commenced on January 1, 2025, targeted Ethereum, Tron, Solana, and Binance Smart Chain wallets in a coordinated operation that exploited a vulnerability in the platform’s Solana bridge infrastructure.

The Exploit Mechanics

The attackers initiated the breach by funding their Ethereum operations through Tornado Cash, a well-known cryptocurrency mixer frequently used to obscure the origin of funds. Once positioned on Ethereum, the hackers launched parallel attacks across multiple chains. The initial Ethereum exploit was then used to fund subsequent attacks on Binance Smart Chain and Tron, creating a cascading drain across NoOnes’ infrastructure.

What made this attack particularly stealthy was the laundering technique known as smurfing. Rather than executing a few large transactions that would immediately trigger alerts, the attackers processed hundreds of transactions, each kept deliberately under $7,000. This amount was carefully chosen to mimic normal trading activity on the peer-to-peer platform, where individual trades typically fall within this range. The stolen funds were distributed across three major wallet clusters, each containing more than twenty different addresses, making tracking significantly more difficult for investigators.

Affected Systems

The breach impacted NoOnes’ hot wallets across four distinct blockchain networks. The Solana bridge served as the initial entry point, with the vulnerability in its smart contract code allowing the attackers to bypass standard security checks. From there, the exploit spread to Ethereum, where the largest portion of funds was drained, followed by Tron and Binance Smart Chain. Notably, the Solana assets were sent directly to Tornado Cash rather than through the intermediate clustering used on other chains, suggesting a different operational approach or possibly a separate team handling that portion of the theft.

At the time of the breach, NoOnes maintained approximately $7 million in hot wallet balances, representing roughly a seven-day operational float for the platform. This meant the attackers effectively drained the entirety of the platform’s liquid operational funds in a single coordinated operation.

The Mitigation Strategy

The platform’s initial response raised significant concerns within the cryptocurrency community. Rather than immediately disclosing the breach, NoOnes described the disruptions as routine maintenance, a characterization that drew sharp criticism once the truth emerged. It was not until January 24, when blockchain investigator ZachXBT publicly flagged the suspicious transactions through his Telegram investigations channel, that NoOnes acknowledged the security incident. CEO Ray Youssef confirmed the breach on the same day, stating that the security team had “quickly responded and the situation was immediately contained.”

In a video address published on February 12, Youssef outlined several remedial measures. The most significant change involved slashing hot wallet exposure from $7 million to just $1 million, representing a maximum two-day operational float. The platform also temporarily suspended all Solana support while conducting comprehensive penetration testing. Solana services were eventually restored on February 11, including withdrawals and deposits for the USDT and SOL trading pair. Youssef also announced plans to launch a decentralized exchange where users would maintain control of their private keys.

Lessons Learned

The NoOnes incident highlights several critical vulnerabilities that plague centralized cryptocurrency platforms, particularly those serving emerging markets. The delayed disclosure, spanning nearly three weeks, represents a significant failure in transparency that could have left users unknowingly exposed to additional risk. The heavy reliance on hot wallets for operational liquidity, while necessary for a peer-to-peer platform, creates an attractive target for sophisticated attackers.

From a broader perspective, the attack underscores the risks associated with cross-chain bridge infrastructure. Bridges remain one of the most vulnerable components in the cryptocurrency ecosystem, with billions of dollars lost to bridge exploits in recent years. The use of Tornado Cash to fund and launder the stolen funds also demonstrates the ongoing challenge of tracing cryptocurrency transactions through mixing services.

User Action Required

For NoOnes users, the incident serves as a stark reminder of the risks associated with keeping significant funds on any centralized platform. Users should verify that their accounts and balances have not been affected by reviewing recent transaction history. Moving forward, the general principle articulated by Youssef himself bears repeating: keep only what you intend to trade on centralized exchanges and maintain the bulk of your crypto holdings in self-custody wallets where you control the private keys. Hardware wallets such as Ledger or Trezor remain the gold standard for securing significant crypto holdings, with Bitcoin trading at approximately $94,400 at the time of this incident, the stakes of proper security practices have never been higher.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.