Was the $160M Wintermute Hack an Inside Job?

Blockchain analyst alleges “the hacker was likely an internal member of the Wintermute team”


Blockworks Exclusive art by axel rangel


key takeaways

  • An external hacker wouldn’t have the knowledge required for contract execution, Edwards alleged
  • Wintermute must clarify how the attacker had the necessary signature required, he said

The $160 million hack of market maker Wintermute might have been an inside job, according to one blockchain analyst.

The liquidity provider, among the largest dedicated to crypto market making, was allegedly hacked due to a recently discovered “vanity address” vulnerability in its DeFi (decentralized finance) operations. CEO Evgeny Gaevoy, who said the firm remained solvent, asked the hacker to get in touch and offered a 10% bounty if the funds were returned.

But a new theory by James Edwards, who goes by the name Librehash on Medium, claims the hack could be pinned down to Wintermute’s own team.

In a blog posted on Monday, Edwards said the prevailing theory maintains that an externally owned address (EOA) behind the “compromised” Wintermute wallet was itself compromised because of a vulnerability in a vanity address generator tool. 

But he disputed that theory after analyzing the smart contract and its interactions, concluding that the knowledge required to go through with the hack rules out the possibility that the hacker was random or external. 

Edwards noted that the smart contract at issue has “no uploaded, verified code,” which makes it difficult for external parties to confirm the external hacker theory and raises the issue of transparency. 

“The relevant transactions initiated by the EOA make it clear that the hacker was likely an internal member of the Wintermute team,” he wrote.

Further, on conducting an Etherscan analysis, he said the compromised smart contract received two deposits from Kraken and Binance’s hot wallets. “It’s safe to assume that such a transfer must have been initiated from team-controlled exchange accounts,” he said.

Less than a minute after the compromised Wintermute smart contract received over 13 million in Tether (the total amount of that token), the funds were sent from the wallet manually to a contract supposedly controlled by the hacker.

“We know the team was aware the smart contract had been compromised at this point. So why initiate these two withdrawals directly to the compromised smart contract smack in the middle of the hack?” he said on Twitter.

Edwards believes the Wintermute team should provide an explanation of how the attacker would have the necessary signature for contract execution and know which functions to call, since there’s no contract source code published. He suggested only someone with intimate knowledge would have the capacity to do so. 

Edwards is not a professional cybersecurity analyst and his blog on the Wintermute hack appears to be his debut Medium post. But he’s previously put out Twitter threads analyzing possible money laundering on various crypto projects.  

The large scale theft was another blemish on the record of the industry as it would hurt the confidence of TradFi (traditional finance) institutions looking to enter the space, according to Marcus Sotiriou, analyst at GlobalBlock. “As Wintermute was one of the biggest liquidity providers in the industry, they may be forced to remove liquidity in order to mitigate further risk from their loss,” he said.

Wintermute didn’t return Blockworks’ request for comment by press time.

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.


TUES, OCT. 8, 2024

Guided by the expertise of Blockworks Research Analysts team, this one day event will feature senior leaders, entrepreneurs, and developers from across the crypto industry. Attendees will have the opportunity to participate in an immersive experience to explore the latest trends, […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research report cover graphics (1).jpg


Wormhole is a suite of open-source, permissionless protocols used to move assets and queries across blockchains.  Despite being a common misconception, Wormhole is not just a token bridge. Nevertheless, protocols can build token bridges on top of Wormhole by leveraging the cross-chain messaging provided.


Ether is a commodity just up until the point it is not, or, ether is not a commodity just up until the point it is — whichever you prefer


The bull-market conference was filled with good feelings but little clarity on where the crypto industry is headed next


The Friday ruling was issued as a default judgment because Sameer Ramani “appears to have fled the country”


Bitcoin’s previous record high against the Euro was set in September 2021


As bitcoin ETFs grow larger and more liquid, due diligence teams at wirehouses and other investment firms are more likely to clear them, Bitwise researcher says



The TRON DAO team attended ETH Denver, one of the leading events in the blockchain space