A real-world Polkadot wallet drain & why we now need

@AlinaZ Let’s stop sugarcoating things.

You claim to be “fully aware” of the tool you’re using, yet everything you’ve said so far suggests a severe lack of practical experience.
Anyone with a minimum of on-chain literacy knows exactly how Binance and Kraken handle deposit addresses. These platforms generate user-specific hot wallets, and they’ve done so for years. Why? To simplify attribution and automate crediting systems internally. Also partly for traceability :shushing_face:. This is not up for debate; it’s standard CEX infrastructure.

So when you say you’re not sure if an address is user-specific, despite Merkle Science (your own provider!) and Subscan both labeling it clearly, it just looks like you’re grasping at straws to defend a weak position.

And no, this isn’t about waiting days to “identify the swap service.”
It’s about understanding the mechanics of how CEX deposit flows actually work, something you should already know if you’re in charge of tracking stolen funds.

Let’s be honest: Merkle Science is the tool your team pays for. So trying to discredit its output now that someone else is using it more effectively? That’s amateur hour.

If you’re serious about improving anti-scam response, you need to step up your game, because right now what you’re demonstrating is not just disappointing, it’s counterproductive.

Enough with the vague disclaimers. Be precise. Be competent. Or let someone else take over.

— Cyphertux :pirate_flag:

I find it hard to continue this conversation when we’re obviously not on the same page about how to interpret on-chain and Merkle Science data. For context, I know how swap services can use CEXs from working for a swap service. Its deposit addresses can be indistinguishable from the CEX deposit addresses on a block explorer.

You’ve mentioned that the victim is already in contact with Binance, and that’s great. Please keep us posted.

@AlinaZ If you need a little reminder, here’s the amount involved and the tool your team is paying for you, the so-called onchain analysis expert (at least from what I gathered from some of your own teammates).

When we look at those payouts, I genuinely thought you were full-time. But apparently, it’s more like a summer job. Just so you know, in France, that would be full-time, my friend, and you wouldn’t be asking for more funding just to stuff your pockets even more. Let’s be serious for a second. I’ll say it again: in some countries, €30k feeds several families for an entire year. In crypto, it seems we’ve completely forgotten that.

And no, I won’t keep you updated since you asked. It’s not my job. I’ve got no income, no employment, and I’ve already wasted enough time on this nonsense.

Whether you work for a swap or whatever else, listen closely: I know exactly how this works. No one here can contradict what I’ve said. I didn’t just crawl out of the woods; I’ve been in the ecosystem for 10 years, and 7 of those professionally. So let’s calm down and stop acting like you’re schooling anyone.

— Cyphertux :pirate_flag:

+1 :call_me_hand:

3 Likes

Based on Cyphertux’s work here, I have raised a tip proposal → TIP: Cyphertux's work on Wallet Drain co-ordination

4 Likes

What you don’t understand is that there are some cross-chain bridge/swap services that leverage CEX accounts to do the transfer. So while it looks like a normal CEX transfer, it’s really not. Thus it’s not possible to attribute that account to the attacker.

The fact that the addresses sending to that “user wallet” are different for almost every deposit makes me think it is one of those swap services.

What exactly do you mean by that?

In my original message, this was already very clear: the attacker’s primary collection account is easily attributable; whether it’s automated or not doesn’t really matter. The path is straightforward.

By the way, I should probably mention at this point that Binance did confirm identifying suspicious activity (I don’t have more details on that). As for the rest of the flow, I’m not claiming every wallet involved belongs to the same person; what’s obvious, though, is that funds landed there “magically,” and the resulting activity is extremely intense.

Feel free to point out the specific accounts you’re referring to so we can clarify this; I’ll gladly take a look and respond.

It’s clear, check this:

I can tell you, and Binance knows it too: it’s one and the same user account. It simply hadn’t been flagged for suspicious activity before.

Only Binance knows the truth. If you believe it’s a bridge used by multiple users, just know that in my personal experience, what I described is exactly how it works on Polkadot with Binance, Kraken, and others; that much is obvious. And yes, you can indeed come across Binance user_wallets tied to swap/bridge services, but you don’t need to study them for long to realize it. They usually show very regular, repetitive transactions. :ok_hand:

If you’ve observed a CEX behaving differently on Polkadot than what I’ve explained, then I’m genuinely curious to hear it.

I might be surprised to see other types of behavior that are truly unexpected.

One thing’s for sure, my brother: in this specific case, those are exactly the addresses that needed to be flagged. Nothing else.

If you think nothing should’ve been targeted, you’re mistaken.

This single transaction is enough to identify the main attacker for Binance; end of story, if you will.

Your only way to escape my radar is to use a mixer, my bro, end of story.

:pirate_flag: If you’re telling me I can’t prove anything or that I’m wrong, then listen carefully: you handle your business, I’m here trying to support victims and help identify attackers. The CEXs can finish the job.

The attacker is a total rookie; usually they try to complicate the trail, but here there’s no need to keep writing, it’s pointless.

Bridge or not, I’ve explained it to you: there’s a very slim chance it’s a bridge, but that changes absolutely nothing about Binance already identifying this individual from it.

17 transactions with that kind of spacing: the likelihood that this account is acting as a bridge, my friend, is extremely low. But hey, believe whatever you want, it won’t change the outcome.

The rest of the tree, of course, is harder to certify as attacker-owned, but you can spot patterns and crossovers, and ultimately the CEX data can reveal much broader activity than we might initially imagine.
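The two posters above disagree on how to read a CEX deposit address: one argues a sender set that changes on almost every deposit points to a swap/bridge intermediary, the other that a handful of repeat senders with irregular spacing points to a single user account. The script below is an added illustration, not code from anyone in this thread and not any tool mentioned here, of how an analyst can turn those two cues (sender diversity per deposit and regularity of the time gaps between deposits) into a reproducible triage label with the evidence attached, so the reasoning can be handed to a CEX compliance team instead of argued over. The deposit records, addresses and thresholds are all constructed for the example; the thresholds in particular are assumptions and would be calibrated against labelled history before real use.

```python
"""Heuristic triage of a CEX deposit address on Polkadot-style chains.

Two cues from on-chain history are scored:
  * sender diversity: distinct senders / deposits (a swap service relays
    many customers, so nearly every deposit comes from a new address);
  * spacing regularity: coefficient of variation of the gaps between
    deposits (automated relays arrive on a steady cadence, a human does not).
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Deposit:
    block_time: int     # unix seconds of the inclusion block
    sender: str         # on-chain sender (placeholder strings here, not real SS58 addresses)
    amount_dot: float


def sender_diversity(deposits: List[Deposit]) -> float:
    """Fraction of deposits that came from a previously unseen sender (1.0 = all unique)."""
    return len({d.sender for d in deposits}) / len(deposits)


def spacing_cv(deposits: List[Deposit]) -> Optional[float]:
    """Coefficient of variation (stdev / mean) of inter-deposit gaps; None if undefined."""
    times = sorted(d.block_time for d in deposits)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def classify(deposits: List[Deposit],
             diversity_threshold: float = 0.8,   # assumed cut-off, not from the thread
             cv_threshold: float = 0.5,          # assumed cut-off, not from the thread
             min_deposits: int = 5) -> Tuple[str, Dict[str, object]]:
    """Return (label, evidence). Labels are hypotheses for a human to confirm with the CEX."""
    if len(deposits) < min_deposits:
        return "insufficient_data", {"deposits": len(deposits)}
    div = sender_diversity(deposits)
    cv = spacing_cv(deposits)
    evidence = {"deposits": len(deposits), "distinct_senders": len({d.sender for d in deposits}),
                "sender_diversity": round(div, 3), "spacing_cv": None if cv is None else round(cv, 3)}
    if div >= diversity_threshold and cv is not None and cv <= cv_threshold:
        return "likely_swap_service_intermediary", evidence
    if div < 0.5:   # most deposits come from repeat senders
        return "likely_single_user_deposit", evidence
    return "ambiguous", evidence


def _build(start: int, gaps: List[int], senders: List[str], amounts: List[float]) -> List[Deposit]:
    """Construct a deposit list from a start time and explicit inter-deposit gaps."""
    assert len(senders) == len(gaps) + 1 == len(amounts)
    out, t = [Deposit(start, senders[0], amounts[0])], start
    for i, g in enumerate(gaps, start=1):
        t += g
        out.append(Deposit(t, senders[i], amounts[i]))
    return out


# Constructed case 1: 17 deposits from two repeat senders at irregular, human-looking intervals.
SINGLE_USER_DEPOSITS = _build(
    1_717_200_000,
    [3600, 90000, 1200, 7200, 250000, 600, 43000, 5400, 120000, 900, 36000, 2400, 80000, 1800, 64000, 9000],
    ["PLACEHOLDER_SENDER_A", "PLACEHOLDER_SENDER_B"] * 8 + ["PLACEHOLDER_SENDER_A"],
    [12.5, 40.0, 7.25, 150.0, 3.3, 88.0, 21.0, 9.9, 300.0, 5.0, 61.0, 14.0, 45.5, 2.0, 110.0, 33.0, 18.75],
)

# Constructed case 2: 12 deposits, each from a new sender, roughly every 10 minutes.
SWAP_LIKE_DEPOSITS = _build(
    1_717_300_000,
    [600, 590, 610, 600, 605, 595, 600, 600, 590, 610, 600],
    [f"PLACEHOLDER_CUSTOMER_{i:02d}" for i in range(12)],
    [25.0, 25.0, 24.8, 25.1, 25.0, 25.0, 24.9, 25.0, 25.2, 25.0, 25.0, 24.7],
)


if __name__ == "__main__":
    for name, data in (("single-user", SINGLE_USER_DEPOSITS), ("swap-like", SWAP_LIKE_DEPOSITS)):
        label, evidence = classify(data)
        print(f"{name}: {label} {evidence}")
```

The label is deliberately a hypothesis with its evidence attached: only the exchange holding the account can confirm who controls it, and the point of scoring both cues is that either one alone (many senders, or steady timing) can be produced by an ordinary user, while the combination is much harder to explain that way.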

Thanks for sharing this deep dive — it’s a sobering reminder that even one checkbox (“remember password”) can open the door to serious losses. This case makes it clear we need better defaults in Polkadot{.js}, more user education, and a real incident response task force for the ecosystem. Malware is evolving, and we must too — from cold storage to threat sharing, proactive defense needs to become the norm, not an afterthought.

1 Like

Thank you for your comment. I’d like to clarify our position within the Polkadot ecosystem: the PolkadotJS Wallet is clearly intended for developers, and on the official website, it has been explicitly excluded to prevent regular users from using it. The only real risk comes from former users who still rely on it. Since this wallet targets developers, they must be aware that if they are not in a secure environment and are performing sensitive actions, then clearly, this option should be avoided.

2 Likes

For some reason, you are focusing on the 15min remember password from pjs.
The problem has very little to do with this. The reason pjs is the target is because it’s the most used wallet still.

If a computer is targeted, you’re screwed, whether you use Talisman, Pjs, or anything else. And no, the 15min checkbox has nothing to do with this. If users had to type their password every single time, it wouldn’t help, since keylogging is a thing. Talisman or Metamask, for instance, stay in an unlocked state much longer than 15min. On top of this, Polkadot would yet again have a much worse UX than any other eco out there.

What makes sense to me

  • education about cold storage, we’re lucky to have many options, cheap ones too (Vault)
  • education about self custody risks (please don’t tell ppl to use a separate pc for their wallet, no-one does this)
  • fast response and all the things you’ve discussed with the anti-scam bounty
  • forget about VPN and what not, it’s not practical for normies, is costly and does close to nothing to prevent scams

6 Likes

@tbaut I didn’t take the time; the only thing that would be interesting is to analyze this malware in depth. I’m surprised the attacker only emptied PolkadotJS and waited so long; it seems crazy to me. I suppose in this case the attacker wasn’t interested in those other wallets.

@Cyphertux nice initiative, some good insights here. I also want to highlight the ineffectiveness of the anti-scam bounty and its spending.

Attaching the spending spree below, and letting the community do an audit of their entire spending.

1. Social Media spending

2. Maintenance of phishing repo:
efforts just to add an entry into polkadot-js repo here

3. Education Track

4. DART: a risk assessment framework was made and treasury money spent, outcome 0

Bounty Link
Child bounties Link

@SAXEMBERG @bill_w3f @permanencedao @LeNexus @xiaojie_PolkaWorld @lilymendzdev @alice_und_bob FYI I want to bring your attention to this and request an audit into the spending and effectiveness of this proposal :folded_hands:

Although I appreciate the effort some of the team members have put in helping scam victims, the unnecessary spending in the name of anti-scam can’t be justified.

2 Likes

Also want to highlight how @TimJanssen is misusing the treasury funds from the child bounty Mod team.

Steps

  1. Go to polkadot discord Polkadot (Official)
  2. Search for the message history of the user timjanssen1989
  3. Voilà, the output below for the month of May

Quite strange: the treasury spent 300 DOTs for this activity :slight_smile:
Child bounty link Mod team bounty- May 2025 - Tim Janssen

Anyone interested in digging in more, just go through the user’s history in Discord and the child bounties paid for the Mod and Anti Scam bounties.

1 Like

This doesn’t show my moderator activity. Most of the moderation is done using tools to remove posts that violate the server rules and ban spam bots / suspicious users. Your search results don’t show any of that, and I am doing that daily…

FYI, Le NEXUS was strongly against the renewal of the Anti-Scam bounty and requested to cut the requested amount even further in the last proposal, to minimize the size of the team to only 5 ppl (and not 10 like today).

We raised our concerns on the last ref comments. It’s more or less the only comment on the ref by the way :sweat_smile:

1 Like

To reply to this, DART and other prior unrelated expenses were cut down with the refill as they had no impact. The only item that matters right now is the core mission of response to those drains and attacks. The reaction time for this case and the further comments of “well, if there is malware then there is malware, what are we gonna do” were pretty lulz tbh. A quick direct line to these exchanges and quick response usually means the freeze and even recovery of funds.

Cyber education for the layperson proved to be ineffective because these venues had no reach. It’s funny that we’re still insisting on 2-view YouTube educational videos as the best solution.

So let’s hope that this core mission remains strong and that the bounty can do something about this and other cases; otherwise the bounty will face discontinuation, and if there are more issues like this, or any cases with larger amounts, potentially a cancellation.

FYI, even without self-dev’d tracking tools you can see the identity of Shapeshift-like services even if they are built on top of CEX addresses.

4 Likes

Understandably, you have these concerns. I went through a similar phase some time ago, wondering how the bounty system works and why, in some cases, it seems like there’s little to no accountability to the community once a bounty is approved. Of course, I can’t generalize; some bounties are well-structured, document every step, and provide up-to-date information on how funds are being used.

At that time, the only thing I could do from my position was to create a dashboard on Dune, where anyone could see how many DOT had been claimed by each bounty. Back then, there wasn’t a place where you could easily access that kind of information. Fortunately, things have improved. Today, there’s a section in OG Tracker dedicated to bounties. If you click on a specific child bounty, you can even see how many child bounties a particular beneficiary has received in total.

That said, we still don’t have any formal figure or entity that audits the payments to ensure each one corresponds to completed work. I suppose we’d need to propose another bounty :woman_getting_massage:… to audit the other bounties. Or we just wait for the reports they submit when requesting a TopUp, which, to be honest, don’t always arrive or come with all the necessary details.

1 Like

@lilymendzdev Honestly, it’s a disaster. This incentive system has its own limitations. From our side, we can clearly see it; just look at the anti-scam team, and they’re not the only ones doing things that are either poorly executed or, frankly, feel like a ghost train. So don’t be surprised by the current situation. I see too many people in our Polkadot ecosystem trying to eat from every trough, and I’m not the only one noticing. A person should be limited to one role and one budget; from the outside, it honestly feels like watching the French government. I’m not joking.

5 Likes