Hack Track: Axion Network

Image for post
Image for post

Merkle Science Hack Track provides digestible insights on the movement of stolen funds from the latest cryptocurrency heists.

[Scroll below to skip to our analysis of the stolen fund movements]

Who was hacked?

The high-interest cryptocurrency investment platform, Axion Network’s recently launched AXN tokens have been breached and exploited.

What was stolen and when?

According to a report published by Coin Telegraph (also quoted by Axion on its website), on Nov. 2, the Axion Network launched its new token, known as AXN. A few hours after the high-profile launch, however, it became clear that the token has been breached. An unauthorized actor unexpectedly minted 79 billion AXN and unloaded them on the market. The price collapsed in excess of 99%, netting the attackers 1300 ETH — worth an estimated $500,000.

Why did the hack take place?

In the report published by Coin Telegraph on the behalf of Certik Foundation, on the 2nd of November 2020 at approximately 11:00 AM +UTC a hacker managed to mint around ~80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract. The hacker proceeded to then deposit the tokens on the AXN Uniswap exchange for Ether, repeating this process until the Uniswap exchange was drained and the token price was driven to 0. Certik concluded that the attack was likely planned from inside, involving an injection of malicious code at the time the code was deployed by altering code from OpenZeppelin dependencies

What is the impact of the hack on the firm’s clients?

In a post on Twitter just after the breach, Axion assured that all its customers holding AXN/HEX2T tokens at the time of breach will be compensated.

Figure 1: Screenshot of Axion’s Tweet

Later on Nov. 3, Axion posted a detailed statement on Twitter highlighting how they will be compensating the users. , Axion said that “everyone will be compensated as fairly and fully as possible. We’re still here and more resilient than ever. One man can not take us down, this community is strong. We will persist and grow stronger than ever.”

Where are the stolen funds going?

After the hacker dumped all the AXN tokens to Uniswap and cashed out for a total of 1652 ETH over multiple transactions, 1300 ETH were then sent to another address “0x3018C81dCB9cAA2554d226d5a1A929dd319F085D”. There is no further movement of funds from this address. However, our data scientists noticed that hackers were using Tornado cash, a coin mixing service for Ethereum, to obfuscate the history of ether (ETH) transactions.

What is Tornado Cash?

Tornado cash is one of the coin mixers in the Ethereum blockchain. It allows hackers to create a private key (almost like a password converted to a hash) while making a deposit of funds to a particular smart contract, let’s call it Smart Contract A. At a later period when the users want to withdraw the funds, they can access their smart contract address, in this case, Smart Contract A using their private key. The said smart contract will then match the key with the deposited funds and instruct a different smart contract (let’s call that smart contract B) to transfer the funds to an address provided by the user. Smart contract B will then retrieve funds from a vault called anonymity pool, which mostly has funds collected from other past users of the platform, and initiate a transfer to the provided address.

The receiving address could either be a wallet address (priorly used at least once, i.e., one deposit minimum) or it could be a relayer. The wallet must have a small amount in it to be able to pay for and call the smart contract B for initiating the further transfer. In case a user does not have any balance in its wallet or wants to transfer funds to a completely new address, the amount required to call the smart contract B can be paid from the depositor address, thus creating no links between the sending address and the receiving address.

Role of Tornado Cash in Axion Breach

In the case of Axion Network, what may look like 1652 ETH could easily be more. The actual losses will be difficult to determine as the hacker was exchanging the stolen tokens during the rapid price drop of the said tokens.

Image for post
Image for post
Figure 2: Highlights Use of Tornado Cash by the Hackers
Image for post
Image for post
Figure 3: Highlights Transfer of Funds from Tornado Cash’s Smart Contract Wallet

What can be done to prevent hackers from cashing out?

All exchanges that are receiving funds from Axion breach can freeze the account of the user associated with the incoming transaction (flagged by a blockchain analysis tool), preventing them from trading one currency for other cryptocurrencies, especially anonymous ones, that could then be transferred elsewhere and are more difficult to trace.

Tornado Cash is labeled on Merkle Science’s service and users should treat it as a risky entity. Merkle Science has also updated wallet addresses associated with the Axion breach. All our partners and customers will also receive immediate information if any funds they receive are from the hackers’ wallet

Most exchanges globally share information on stolen fund addresses to deal with such risks and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services.

Our team will continue to update this article on a periodic basis following continuing movements of the stolen funds.

Merkle Science

Detect, investigate and prevent cryptocrime.

Sign up for Cryptocrime Digest

By Merkle Science

A weekly summary of news and commentary about criminal activity related to cryptocurrencies.  Take a look

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Merkle Science Marketing

Written by

Merkle Science

Merkle Science provides blockchain transaction monitoring and intelligence solutions for cryptoasset service providers, financial institutions and government agencies to detect, investigate and prevent the use of cryptocurrency for criminal activities.

Merkle Science Marketing

Written by

Merkle Science

Merkle Science provides blockchain transaction monitoring and intelligence solutions for cryptoasset service providers, financial institutions and government agencies to detect, investigate and prevent the use of cryptocurrency for criminal activities.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store