M2 Exchange - Rekt
As the rest of the world celebrated Halloween, M2 Exchange was dealing with horrors of their own.
In an unusual twist, the UAE-based exchange was first to report their own $13.7 million nightmare - after they'd already recovered the funds.
A ghost story with a suspiciously spooky ending.
The Abu Dhabi platform claimed to have detected and resolved the incident within 16 minutes, wrapping up their security breach faster than most people carve a pumpkin.
ZachXBT's confirmation added another layer to the mystery, revealing the attack had spread across ETH, BTC, and SOL chains like a digital haunting.
When an exchange races to announce their own hack - with funds already recovered - dark shadows whisper: what demons are they trying to keep locked in the vault?
Credit: M2, ZachXBT, Cyvers, Hacken
In the dead of night on October 30th, digital shadows began to stir.
Cyvers' AI sentinels were the first to spot the darkness spreading, as multiple suspicious transactions slithered across ETH, SOL, and BTC chains.
Their warning, lost in LinkedIn's corporate labyrinth, maye have died unread in M2's inbox.
But like a carnival mask, M2's vague explanation barely concealed what lay beneath.
It wasn't until Hacken stepped in that the true nature of the exploit emerged: an access control breach.
Hacken's technical breakdown peeled back layers of digital darkness, revealing the methodical nature of the attack.
As the witching hour struck, funds began flowing like dark water from M2's hot wallet: 0xE26abc37b06B819243B4B104270Cc18f7C835FcE
First to an EOA:
0xb5f798096bd4D969466E2284Bda01F7A51049d3A
Before being moved to another EOA for further distribution:
0x968b6984cba14444f23ee51be90652408155e142
The attacker's haul materialized across three chains, in a trinity of terror.
On Ethereum, approximately $10.1M worth of assets were drained:
97M $SHIBA tokens
$3.7M in $USDT
1,378 $ETH
All swiftly transformed into ETH, like shapeshifters under a full moon.
Over in Bitcoin's realm, 41 BTC ($2.87M) slipped into the shadows.
Additional funds vanished through Solana's gates, though their ghostly traces remain difficult to track.
Attacker Addresses:
ETH: 0x968b6984cba14444f23ee51be90652408155e142
BTC: Bc1qu4kh7wa38xpkrp8frgxl4sak88wx0jug8n3vfj
SOL: EKko14NvgqdvNttUb8JjXkVGuUs6BTikjfN3hqW4LQoL
The stolen spirits now rest in two main crypts.
ETH: ($10.1 million): 0x968b6984cba14444f23ee51be90652408155e142
BTC: ($2.87 million): bc1qu4kh7wa38xpkrp8frgxl4sak88wx0jug8n3vfj
M2's PR machine sprang into action with supernatural speed - claiming to detect, address, and resolve a multi-chain exploit in just 16 minutes.
A feat that would make even Houdini raise an eyebrow.
According to their security update, "We would like to report that the situation has been fully resolved and customer funds have been restored."
The exchange hastily assured users they had "taken full responsibility for any potential losses," while demonstrating their "unwavering commitment to safeguarding customers' interests."
The official statement read like a hastily performed seance - full of assurances about service restoration and additional controls, yet mysteriously light on details about how their security actually failed.
Their final act? A solemn pledge to cooperate with "relevant legal and regulatory authorities" - as if Abu Dhabi's regulators could chase down digital phantoms.
When an exchange performs its own exorcism this quickly, shadows dance with doubt: did they banish all their demons, or just the ones we can see?
As dark shadows retreat from this Halloween tragedy, M2's story fractures like a broken mirror.
Their claims of swift recovery and resolution ring hollow while $13 million worth of digital treats still sit in the attacker's bags, unmoved and untouched - like a haunted house with its lights still on.
The speed of their response, matched with their rush to downplay the incident, reads like a script written before the attack even began.
Yet unlike most crypto crime scenes, where victims cry foul and attackers vanish into digital mist, M2 seems almost... comfortable with their haunting.
When an exchange claims to have recovered from a ghost story while the spirits still dance in plain sight, in this house of horrors, who's really holding the keys to the crypt?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
disclaimer:
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
GemPad - Rekt
The perfect digital heist - missing reentrancy guards on Gem Pad let an attacker snatch roughly $1.9 million in locked tokens across three chains. Several protocols left wondering if their lock box provider should have checked their own locks first.
False Prophet
Alpaca Finance lost millions by allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" Turns out F5 isn't a reliable price feed. Who knew?
Clober Dex - Rekt
$500k vanished from Clober DEX when code changes met one of DeFi's oldest vulnerabilities. The twist? The exploit code wasn't there during the audits. Some security lessons write themselves.