$160M Wintermute Security Exploit Could Have Been an Insider Job: Report

The leading crypto market maker, Wintermute, suffered a $160 million breach in its decentralized finance operations last week. On-chain data revealed tens of millions of dollars worth of Dai, USDC, Tether, Wrapped ETH, and other assets transferred from the company to a wallet address flagged as “Wintermute Exploiter.”

While the UK-based company has not revealed if law enforcement was notified, it went on to offer a 10% bounty to the hacker on the ill-gotten funds and treat the breach as a “white hat” event.

However, a new report suggests that this could be an insider job.

Insider Job

Analyst James Edwards, aka Librehash, also known as the editor of ZeroNoncense, argued that the hacker couldn’t have been a random, external entity that “simply recovered the private key to an unsafe externally owned address that the team failed to revoke admin permissions for.” Edwards stated that the hack appears to have been carried out by an internal party after observing the platform’s smart contracts interactions.

“In other words, the relevant transactions initiated by the EOA make it clear that the hacker was likely an internal member of the Wintermute team.”

Edwards questioned the transparency of the project while pointing out the lack of uploaded, verified code for the Wintermute smart contract in question, making it impossible for the community to confirm that the hacker was not internal. Typically, any smart contract responsible for the management of user/customer funds deployed onto a blockchain is up for public verification.


Upon deeper inspection and sifting through the decompiled bytecode, the analyst allegedly found that the code did not match with what was supposedly compromised.

Edwards also took a jibe at Wintermute’s CEO and founder, Evgeny Gaevoy, and called the exec’s explanation to be “rushed, hasty, and sloppily published,” giving the impression that the team was “relieved” for managing to potentially pull off a million dollar heist with “little to no scrutiny.”

Transfer to Compromised Wallet

The transfer of 13.48 million USDT from the Wintermute smart contract address to the smart contract supposedly created and controlled by the Wintermute hacker is contentious in nature, according to Edwards.

He alleged that the transaction history showed the movement of millions in USDT from the hot wallets of two different exchanges – Binance and Kraken – to the compromised smart contract, which could have been initiated from team-controlled exchange accounts.


Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).

PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.

You Might Also Like: