A real-world Polkadot wallet drain & why we now need

@AlinaZ Let’s stop sugarcoating things.

You claim to be “fully aware” of the tool you’re using, yet everything you’ve said so far suggests a severe lack of practical experience.
Anyone with a minimum of on-chain literacy knows exactly how Binance and Kraken handle deposit addresses. These platforms generate user-specific hot wallets, and they've done so for years. Why? To simplify attribution and automate crediting systems internally. Also partly for traceability :shushing_face:. This is not up for debate; it's standard CEX infrastructure.

So when you say you're not sure if an address is user-specific, despite Merkle Science (your own provider!) and Subscan both labeling it clearly, it just looks like you're grasping at straws to defend a weak position.

And no, this isn't about waiting days to "identify the swap service."
It's about understanding the mechanics of how CEX deposit flows actually work, something you should already know if you're in charge of tracking stolen funds.

Let’s be honest: Merkle Science is the tool your team pays for. So trying to discredit its output now that someone else is using it more effectively? That’s amateur hour.

If you're serious about improving anti-scam response, you need to step up your game, because right now what you're demonstrating is not just disappointing, it's counterproductive.

Enough with the vague disclaimers. Be precise. Be competent. Or let someone else take over.

— Cyphertux :pirate_flag:

I find it hard to continue this conversation when we're obviously not on the same page about how to interpret on-chain and Merkle Science data. For context, I know how swap services can use CEXs from working for a swap service. Their deposit addresses can be indistinguishable from the CEX's own deposit addresses on a block explorer.

You’ve mentioned that the victim is already in contact with Binance, and that’s great. Please keep us posted.

@AlinaZ If you need a little reminder, here's the amount involved and the tool your team is paying for you, the so-called on-chain analysis expert (at least from what I gathered from some of your own teammates).

When we look at those payouts, I genuinely thought you were full-time. But apparently, it's more like a summer job. Just so you know, in France that would be full-time, my friend, and you wouldn't be asking for more funding just to stuff your pockets even more. Let's be serious for a second. I'll say it again: in some countries, €30k feeds several families for an entire year. In crypto, it seems we've completely forgotten that.

And no, I won’t keep you updated since you asked. It’s not my job. I’ve got no income, no employment, and I’ve already wasted enough time on this nonsense.

Whether you work for a swap or whatever else, listen closely: I know exactly how this works. No one here can contradict what I've said. I didn't just crawl out of the woods; I've been in the ecosystem for 10 years, and 7 of those professionally. So let's calm down and stop acting like you're schooling anyone.

— Cyphertux :pirate_flag:

+1 :call_me_hand:

3 Likes

Based on Cyphertux’s work here, I have raised a tip proposal → TIP: Cyphertux's work on Wallet Drain co-ordination

4 Likes

What you don’t understand is that there are some cross-chain bridge/swap services that leverage CEX accounts to do the transfer. So while it looks like a normal CEX transfer, it’s really not. Thus it’s not possible to attribute that account to the attacker.

The fact that the addresses sending to that "user wallet" are different for almost every deposit makes me think it is one of those swap services.

What exactly do you mean by that?

In my original message, this was already very clear: the attacker's primary collection account is easily attributable; whether it's automated or not doesn't really matter. The path is straightforward.

By the way, I should probably mention at this point that Binance did confirm identifying suspicious activity (I don't have more details on that). As for the rest of the flow, I'm not claiming every wallet involved belongs to the same person; what's obvious, though, is that funds landed there "magically," and the resulting activity is extremely intense.

Feel free to point out the specific accounts you're referring to so we can clarify this; I'll gladly take a look and respond.

It's clear, check this:

I can tell you, and Binance knows it too, it's one and the same user account. It simply hadn't been flagged for suspicious activity before.

Only Binance knows the truth. If you believe it's a bridge used by multiple users, just know that in my personal experience, what I described is exactly how it works on Polkadot with Binance, Kraken, and others; that much is obvious. And yes, you can indeed come across Binance user_wallets tied to swap/bridge services, but you don't need to study them for long to realize it. They usually show very regular, repetitive transactions. :ok_hand:

If you’ve observed a CEX behaving differently on Polkadot than what I’ve explained, then I’m genuinely curious to hear it.

I might be surprised to see other types of behavior that are truly unexpected.

One thing's for sure, my brother: in this specific case, those are exactly the addresses that needed to be flagged. Nothing else.

If you think nothing should’ve been targeted, you’re mistaken.

This single transaction is enough to identify the main attacker for Binance. End of story, if you will.

Your only way to escape my radar is to use a mixer, my bro, end of story.

:pirate_flag: If you're telling me I can't prove anything or that I'm wrong, then listen carefully: you handle your business, I'm here trying to support victims and help identify attackers. The CEXs can finish the job.

The attacker is a total rookie; usually they try to complicate the trail, but here there's no need to keep writing, it's pointless.

Bridge or not, I've explained it to you: there's a very slim chance it's a bridge, but that changes absolutely nothing about Binance already identifying this individual from it.

With 17 transactions and that kind of spacing, the likelihood that this account is acting as a bridge, my friend, is extremely low. But hey, believe whatever you want, it won't change the outcome.

The rest of the tree, of course, is harder to certify as attacker-owned, but you can spot patterns and crossovers, and ultimately the CEX data can reveal much broader activity than we might initially imagine.
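The two signals the thread argues over, a different sender on almost every deposit and regular, repetitive spacing, can be turned into a small triage heuristic for a CEX deposit address. The following is an added example for this page and is not code from any of the posters, from Merkle Science or from Subscan. The deposit data is constructed, the sender labels are hypothetical, and the thresholds are assumptions for illustration, not anything a CEX publishes. A "likely_relay" result only means the chain data alone cannot pin the deposit address on one depositor, as the swap-service objection above says; the CEX still holds the account link either way.

```python
"""Triage heuristic: is a CEX deposit address on Polkadot a single user's own
address, or a relay used by a swap/bridge service that pushes many customers'
funds through one account? Two signals from the thread are scored:
  1. sender diversity  - a distinct sending address on almost every deposit
  2. spacing regularity - deposits that land at near-constant block intervals
All thresholds below are assumptions, not exchange policy."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Deposit:
    block: int        # block height of the transfer (Polkadot targets ~6 s per block)
    sender: str       # sending address; labels here are hypothetical, not real SS58 addresses
    amount_dot: float


def sender_diversity(deposits):
    """Fraction of deposits that come from a distinct sender (1.0 = new sender every time)."""
    return len({d.sender for d in deposits}) / len(deposits)


def spacing_regularity(deposits):
    """Coefficient of variation of the block gaps between consecutive deposits.
    Near 0 means metronome-like, repetitive deposits; large means bursty, irregular ones.
    Returns None when there are too few gaps to say anything."""
    blocks = sorted(d.block for d in deposits)
    gaps = [later - earlier for earlier, later in zip(blocks, blocks[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else 0.0


def classify(deposits, min_count=10, diversity_threshold=0.8, cv_threshold=0.25):
    """Combine both signals into a verdict. Thresholds are assumptions for illustration."""
    if len(deposits) < min_count:
        return {"verdict": "insufficient_data", "count": len(deposits)}
    diversity = sender_diversity(deposits)
    cv = spacing_regularity(deposits)
    signals = []
    if diversity >= diversity_threshold:
        signals.append("distinct_sender_per_deposit")
    if cv is not None and cv <= cv_threshold:
        signals.append("regular_spacing")
    if len(signals) == 2:
        verdict = "likely_relay"          # e.g. a swap/bridge service's CEX account: not attributable on-chain
    elif not signals:
        verdict = "likely_single_user"    # plausibly one depositor's own address; the CEX can name them
    else:
        verdict = "ambiguous"
    return {
        "verdict": verdict,
        "count": len(deposits),
        "sender_diversity": round(diversity, 3),
        "spacing_cv": None if cv is None else round(cv, 3),
        "signals": signals,
    }


# Constructed sample data (not real on-chain data). Case 1: 17 deposits from two
# wallets with bursty, irregular gaps, the shape the thread calls a single user's address.
_GAPS = [5, 400, 12, 2000, 7, 950, 30, 3, 1200, 60, 8, 700, 15, 2500, 4, 90]
_blocks = [20_000_000]
for _g in _GAPS:
    _blocks.append(_blocks[-1] + _g)
SINGLE_USER_DEPOSITS = tuple(
    Deposit(block=b, sender="drain_wallet_A" if i % 3 else "drain_wallet_B", amount_dot=150.0 + i)
    for i, b in enumerate(_blocks)
)

# Case 2: 20 deposits, each from a new sender, roughly every 100 blocks with tiny jitter,
# the "regular, repetitive" shape attributed to swap/bridge relays.
RELAY_DEPOSITS = tuple(
    Deposit(block=21_000_000 + i * 100 + (i % 3), sender=f"relay_customer_{i:02d}", amount_dot=40.0)
    for i in range(20)
)

if __name__ == "__main__":
    for name, sample in (("single-user", SINGLE_USER_DEPOSITS), ("relay", RELAY_DEPOSITS)):
        print(name, classify(sample))
```

Both scores are only a prioritisation aid: a relay that happens to serve one busy customer, or a drainer that batches withdrawals on a timer, will defeat either signal on its own, which is why the verdict requires both to agree before calling an address a relay.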