Mixin Network Security Breach—Sep 23, 2023—Detailed Analysis

by ImmuneBytes

Mixin Network, a blockchain-based peer-to-peer network for digital assets, experienced a significant security breach on September 23, 2023.

The hack resulted in a loss of approximately $200 million, with stolen assets including $95.3 million in Ether (ETH), $23.7 million in Bitcoin (BTC), and $23.6 million in Tether (USDT).

The breach occurred due to a compromise in the cloud service provider’s database, leading to unauthorized access to Mixin’s hot wallets.

About Mixin Network

Founded in 2017, the Mixin Network is a Hong Kong-based platform that operates a peer-to-peer transactional network for digital assets.

The Mixin Network, recognized for its extensive reach in the blockchain domain, facilitates transactions across an impressive array of 48 public blockchains. Its widespread adoption is evident from its robust user base of one million users.

Back in July 2023, the network’s infrastructure boasted 26 full nodes, indicating a strong and decentralized network. The top 100 assets on the platform were not just digital tokens but represented a significant market value, totaling $1.1 billion, showcasing Mixin’s substantial financial footprint in the digital asset space.

Notably, the platform’s prowess is further accentuated by its advanced cross-chain transfer protocol, a feature that has not only streamlined asset transfers across different blockchains but also positioned Mixin Network as a key player in the crypto arena, attracting considerable attention and acclaim before the unfortunate security breach.

Root Cause of the Hack

The primary cause of the Mixin Network hack was a breach in the database of their cloud service provider. This compromise led to unauthorized access to the network’s hot wallets. The centralized nature of the database used by Mixin Network was a critical vulnerability exploited in this attack.

Detailed Analysis

Initial Breach and Network Compromise

The Mixin Network hack began with a sophisticated breach by suspected North Korean hacker group Lazarus, who have a notorious reputation for targeting cryptocurrency platforms.

This group has been implicated in various high-profile crypto heists throughout the year, including attacks on Atomic Wallet, Alphapo, Stake.com, and CoinsPaid.

The initial attack on Mixin Network involved compromising the network’s mainnet, leading to unauthorized access and control over a significant portion of the network’s digital assets.

Method of Asset Extraction

The hackers managed to drain substantial assets from Mixin’s mainnet. The theft primarily involved large sums of the network’s Bitcoin (BTC), Ether (ETH), and Tether (USDT) holdings.

The detailed methodology used by the attackers to extract these funds remains unclear, but the scale and precision of the operation suggest a high level of expertise and planning.

Some of the addresses associated with the exploiter:

  • 0x52E86988bd07447C596e9B0C7765F8500113104c (ETH): Received 60,000 ETH (approximately $94 million).
  • 0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e (ETH): Handled USDT, later swapped to DAI (around $23.5 million).
  • 0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa (ETH): Involved in dispersing ETH.
  • bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes (BTC): Received 891 BTC (approximately $23 million).
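
An exchange or custodian can screen its own transfer records against the addresses listed above. The following is an added example, not code from ImmuneBytes or Mixin; the record layout (`id`, `from`, `to`), the function names and the sample transfers are assumptions made for illustration.

```python
import string

# Exploiter addresses as listed on this page; labels paraphrase the page.
WATCHLIST = {
    "0x52E86988bd07447C596e9B0C7765F8500113104c": "received 60,000 ETH",
    "0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e": "handled USDT, swapped to DAI",
    "0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa": "dispersed ETH",
    "bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes": "received 891 BTC",
}

def normalize(addr):
    """Return a canonical comparison key for an address string."""
    a = addr.strip()
    low = a.lower()
    if low.startswith("0x"):
        body = low[2:]
        if len(body) != 40 or any(c not in string.hexdigits for c in body):
            raise ValueError(f"malformed hex address: {addr!r}")
        return "0x" + body   # mixed case in a hex address is only a checksum
    if low.startswith("bc1"):
        return low           # bech32 addresses are case-insensitive
    return a                 # base58 (legacy BTC) addresses are case-sensitive

_INDEX = {normalize(a): label for a, label in WATCHLIST.items()}

def screen(transfers):
    """Return (tx_id, side, address, reason) for each transfer needing review."""
    hits = []
    for tx in transfers:
        for side in ("from", "to"):
            try:
                key = normalize(tx[side])
            except ValueError:
                hits.append((tx["id"], side, tx[side], "malformed address"))
                continue
            if key in _INDEX:
                hits.append((tx["id"], side, key, _INDEX[key]))
    return hits

# Constructed sample records (not real transactions); counterparties are fake.
SAMPLE = [
    {"id": "t1", "from": "0x" + "11" * 20, "to": "0x52e86988bd07447c596e9b0c7765f8500113104c"},
    {"id": "t2", "from": "BC1QQ7UEFMZ6NNG5C4DZS9MWRXXYH9SXG5CJG85HES", "to": "1ConstructedLegacyExample"},
    {"id": "t3", "from": "0x" + "33" * 20, "to": "0x" + "44" * 20},
    {"id": "t4", "from": "0x" + "55" * 20, "to": "0x1234"},
]

if __name__ == "__main__":
    for hit in screen(SAMPLE):
        print(hit)
```

Comparing raw strings would miss `t1` and `t2`, because the same address can be written with different casing; normalizing both the watchlist and the input closes that gap.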

Stolen Fund Details

Composition of Stolen Funds

Data on exploiter addresses indicated that the Mixin Network hack led to significant financial losses, with the stolen funds amounting to $95.3 million in Ethereum (ETH), $23.7 million in Bitcoin (BTC), and $23.6 million in Tether (USDT).

Notably, this theft represented a considerable portion of Mixin’s cryptocurrency reserves: 9% of its total Bitcoin holdings, a substantial 71% of its Ethereum, and an overwhelming 93% of its Tether reserves.

Laundering Techniques

The stolen funds were primarily converted to Dai using decentralized exchanges, a strategy often employed by cybercriminals to evade tracking and freeze orders.

This conversion to Dai, a stablecoin that cannot be frozen like USDT, demonstrates the hackers’ familiarity with decentralized finance (DeFi) tools and their exploitation to launder stolen assets.

Hack Aftermath

Response and Recovery Efforts

Mixin Network’s response to the hack was multifaceted. In collaboration with Google, the platform appointed a blockchain investigation firm to aid in the investigation and recovery efforts.

A compensation plan was announced for affected users, involving a 50% refund of their lost assets and the issuance of bond tokens for the remainder. These tokens are to be repurchased using future profits of the network.

Service Suspensions and Security Measures

In the wake of the attack, Mixin Network suspended all deposit and withdrawal services. The platform stated that these services would only be reopened after thoroughly verifying and rectifying the vulnerabilities that led to the hack.

During this period, the network ensured that regular transfers were not affected, maintaining basic operational functionality.

Investigative Findings

A thorough investigation into the background of the Mixin Network hack unearthed some fascinating historical connections between the hacker and the network itself.

Notably, in 2022, a transaction involving the transfer of 5 ETH from Mixin to an address (0x1795) was identified. The same address, intriguingly linked to the hacker, later engaged in several transactions with the prominent cryptocurrency exchange Binance.

This sequence of transactions hints at a possible pre-existing awareness or relationship between the attacker and the Mixin Network, adding a layer of complexity to the hacker’s profile and familiarity with the network’s operations.

Such connections raise questions about the depth of the attacker’s knowledge and their potential previous interactions with the network.

Lessons Learnt

The Mixin Network hack underscores the importance of robust security measures, particularly for hot wallets and centralized databases. Regular audits, enhanced encryption, and the use of cold storage can be effective in preventing similar incidents.


The security breach experienced by Mixin Network serves as a crucial wake-up call for the DeFi industry, highlighting the persistent risks and the imperative for ongoing enhancements in security practices. This incident underscores the importance of implementing robust and comprehensive security measures.

It’s essential for blockchain networks to proactively engage in stringent security protocols, including but not limited to regular and thorough audits by specialized firms such as ImmuneBytes. Such proactive steps are vital in ensuring the protection of digital assets, especially given the dynamic and rapidly advancing nature of blockchain technology.

The lessons learned from this hack emphasize not just the need for strong security frameworks but also the importance of adaptability and vigilance in the face of evolving cyber threats within the blockchain ecosystem.
