ZachXBT had noted that there were hundreds of suspicious transactions, each under a ceiling of $7000, in which NoOnes’ hot wallets on Ethereum, Tron, Solana, and BNB were drained, amounting to $7.9 million in total.
At the time, NoOnes did not admit to any breach, only stating that there would be maintenance. The company first admitted there was a problem on the day of ZachXBT’s posting through Youssef. He stated that there had been a breach starting on January 1 and that their “security teams quickly responded and the situation was immediately contained.”
He further stated that because the attack vector was a bridge on Solana, support for the chain would be paused until more pen testing was done. Solana was eventually restored on February 11, including withdrawals and deposits in the USDT/SOL pair.
In his video, Youssef stated that he was on a pilgrimage in Mecca when he learned about the hack at the start of the year. He referenced that he had been in a similar position before: At Paxful, customers were unable to withdraw a yield-bearing product known as Paxful Earn because of the collapse of their partner Celsius. Paxful ended up reimbursing customers from the organization’s own funds.
Although the breach was due to an exploit on Solana, Youssef emphasized more general remediation. “We've taken serious measures to make sure this never happens again. Number one: Instead of leaving seven million dollars on a hot wallet at one time - which is about a seven day supply - [we will] just leave a million one or two days maximum,” he said, noting that this will lower their risk profile but that there will always be hacks.
Youssef concluded by giving advice to retail investors.
“Any centralized exchange, no matter how secure, no matter how big their security budget, is not a place for your savings. Keep your savings in self-custody. Keep on any centralized exchange only what you're willing to trade,” he said. To this end, he shared that NoOnes will be launching a decentralized exchange in the future where retail investors will control their own private keys.
Source: Aaron Ratcliff, Merkle Science Head of Attributions
Here is what we know so far about the NoOnes hack and flow of funds:
NoOnes’ hot wallets for Ethereum, Tron, Solana, and Binance Smart Chain were hacked beginning on January 1, 2025. The initial attack on Ethereum was funded from Tornado Cash, a popular coin mixer. The subsequent attacks on other chains like Binance Smart Chain and Tron were funded by the Ethereum attack. The hackers made off with $7.9 million - Youssef stated that $7 million is about a seven-day float for NoOnes.
The stolen money was moved through three different wallet clusters, each with more than twenty different addresses (with the exception of Solana, which went straight to Tornado Cash). They did not send funds in transactions greater than $7000, which we believe is a form of smurfing: The attackers may have wanted the withdrawals to look like legitimate trading activity. The organization’s earlier messaging about maintenance may have been due to uncertainty: Initially, they may not have been sure that they were being hacked.
The funds were bridged to Ethereum and Binance Smart Chain, where they were consolidated from the clusters to 0x72c1eabafc42a2ac6d0447b02c657b96f07402e6 for Binance Smart Chain, and 0x72c1eabafc42a2ac6d0447b02c657b96f07402e6, 0x4b0edd27196063476d91b634333be289beca9202, and 0x6c9b55b50e6a42fd7a14b49ba7747096090b0465 for Ethereum.
The funds were then sent to Tornado Cash. Tornado Cash lets users deposit tokens, which are mixed with crypto from other users, breaking the link between transactions and users when an equal amount is withdrawn. In related news, Tornado Cash developer Alexey Pertsev was released from Dutch prison in early February on condition he remains under electronic monitoring.
Key takeaways from the NoOnes hack:
NoOnes has over 2 million users, primarily from emerging markets. In a February 3 post about trading volume, the company named Nigeria, Ghana, China, India, Philippines, Cameroon, Kenya, Vietnam, South Africa, and Ukraine as its top countries, in that order. Generally speaking, countries where crypto is unregulated or prohibited have fewer outlets for trading, forcing citizens to turn to P2P solutions like NoOnes, which may have higher risks, such as liquidity issues, inconsistent dispute resolution involving counter-parties or limited custody protections. These risks can be as impactful as the inherent volatility of crypto: Retail consumers should be aware of them.
Youssef should be applauded for eventually posting a video about the hack and their remediation efforts, and doing so on camera no less. Still, the admission came almost six weeks after the breach, and only after online sleuths drew attention to it, which prevented the company from remaining mum on the issue. In general, crypto businesses should strive for transparency throughout a security breach, so that clients and users may be aware of any issues that materially affect their digital assets. One such example comes from Yei Finance, which provided real-time updates as well as a detailed post-mortem in relation to a December 2024 hack.
The NoOnes attack was built around small, seemingly normal withdrawals. These would appear innocuous to company observers, but would have been detected by a blockchain analytics tool built around a sophisticated rule engine. The solution would have flagged the unusual activity much earlier on, potentially allowing the company to secure its hot wallets before more funds could be withdrawn. Crypto companies need a sophisticated blockchain analytics tool like Merkle Science’s Compass to detect bad actors, minimize risk, and protect investors.
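The kind of rule described above, as an added example (not Merkle Science's or NoOnes' code): it flags a burst of hot-wallet withdrawals clustered just under a fixed ceiling within a sliding window, across chains. The `Withdrawal` record, the 85% band, the one-hour window, the count threshold and the sample data are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdrawal:
    ts: int       # unix seconds
    chain: str
    dest: str
    usd: float

def detect_structuring(withdrawals, ceiling=7000.0, band=0.85,
                       window_s=3600, min_count=10):
    """Flag bursts of withdrawals clustered just under `ceiling`.

    Thresholds are assumptions for illustration; tune them to the
    platform's real withdrawal distribution.
    """
    alerts, window, in_burst = [], deque(), False
    for w in sorted(withdrawals, key=lambda x: x.ts):
        # Expire suspicious withdrawals that have left the sliding window.
        while window and window[0].ts <= w.ts - window_s:
            window.popleft()
        if band * ceiling <= w.usd < ceiling:
            window.append(w)
        if len(window) < min_count:
            in_burst = False
            continue
        if not in_burst:  # one alert per burst, not one per transaction
            in_burst = True
            alerts.append({
                "first_ts": window[0].ts,
                "detected_ts": w.ts,
                "count": len(window),
                "total_usd": round(sum(x.usd for x in window), 2),
                "chains": sorted({x.chain for x in window}),
                "dests": len({x.dest for x in window}),
            })
    return alerts

def sample_withdrawals():
    """Constructed data: ordinary traffic, then a sub-ceiling burst."""
    normal = [Withdrawal(1000 + 900 * i, "tron", f"user{i}", amt)
              for i, amt in enumerate([120.0, 6950.0, 45.5, 2300.0, 810.0, 60.0])]
    chains = ["ethereum", "tron", "bnb"]
    burst = [Withdrawal(20000 + 120 * i, chains[i % 3], f"cluster{i % 4}", 6900.0 - i)
             for i in range(12)]
    return normal + burst
```

A single near-ceiling withdrawal in the ordinary traffic does not trigger the rule; the alert fires on the tenth such withdrawal inside the window and reports how few destination addresses the burst fans into.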
Conclusion
NoOnes' handling of the hack underscores the importance of proactive security measures and real-time transparency in the crypto industry. While Youssef’s eventual admission and commitment to remediation are commendable, the delay in disclosure raises concerns about accountability, particularly for platforms serving users in emerging markets with limited alternatives.
The attack itself highlights how sophisticated threat actors exploit vulnerabilities through structured withdrawals, reinforcing the need for advanced blockchain analytics tools to detect anomalies before significant losses occur. As regulatory discussions around crypto consumer protections gain momentum, businesses must prioritize robust security frameworks and timely communication to maintain trust in decentralized finance.