
FixedFloat Hack 2024: What Happened

// by ~anon · 2026-05-30 · mock,auto-generated,en

On February 16, 2024, traders watching FixedFloat's status page first saw a brief, almost casual notice about "technical work." Within hours, on-chain sleuths were already counting outflows: roughly 409 BTC and 1,728 ETH had moved from the exchange's hot wallets to addresses with no prior history. By the time the dust settled, the loss totaled around $26 million, making the FixedFloat incident the largest non-KYC swap hack of early 2024 and one of the most studied breaches of the year. The damage was not just financial — it forced an entire category of instant exchanges to rethink hot-wallet exposure, third-party signer trust, and the way they communicate during incidents.

This breakdown reconstructs the timeline, the on-chain forensics, the unanswered questions, and the practical fallout for anyone who uses no-KYC swap services. If you route privacy-sensitive trades through aggregators or directly through services like MoneroSwapper, the lessons from FixedFloat's February 2024 incident are still load-bearing in 2026: the attack surface they exposed has not disappeared, it has only diversified.

The day FixedFloat went dark

FixedFloat had spent four years building a reputation as a reliable instant exchange — no account, no email, no KYC, just a quoted rate and an address. By early 2024 it was processing several thousand swaps per day across more than 60 coins, including Monero, Bitcoin, Litecoin, and a long list of EVM assets. That volume made the platform an attractive target, and on February 16 someone collected.

The initial public response was clumsy. FixedFloat's first message attributed the outage to "minor technical issues" and asked users to wait. Within six hours, blockchain analysts had already published wallet addresses, transaction hashes, and a rough running total of the losses. Only then did the exchange confirm what was by then obvious to anyone watching the chain.

  • Bitcoin loss: approximately 409 BTC, drained in a series of UTXO consolidations from FixedFloat's hot wallet to attacker-controlled addresses.
  • Ethereum loss: approximately 1,728 ETH, swept in clean batches and then immediately routed toward known coin-mixing infrastructure.
  • Combined value: roughly $26 million at the spot prices on the day of the incident.
  • Detection lag: nearly three hours passed between the first suspicious outflow and the first public acknowledgment by FixedFloat.
  • User impact: in-flight swaps were paused, refunds were delayed for weeks, and several large customers reported partial losses on transactions that had been confirmed by the exchange but never delivered.

That detection lag is the part professional incident responders find most troubling. Hot wallets bleeding into unknown addresses should trigger automated alerts in seconds, not hours. The fact that the attacker had time to consolidate UTXOs and bridge Ethereum into mixing services before any public statement suggests that internal monitoring either failed, was bypassed, or was actively suppressed during the window of the attack.
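The kind of automated alerting this paragraph says was missing can be sketched in a few dozen lines. The block below is an added example, not FixedFloat's code or anything derived from its infrastructure: it replays a constructed feed of hot-wallet transactions through a streaming monitor that raises on a large payout to a never-seen address and on drain velocity over a sliding window. The wallet names, amounts and thresholds are all constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Tx:
    ts: int        # unix seconds when the transaction was seen
    src: str
    dst: str
    amount: float  # native units (BTC in the constructed feed)


@dataclass
class Alert:
    ts: int
    kind: str
    detail: str


class HotWalletMonitor:
    """Streams outgoing transactions from the hot wallet and raises alerts on
    two patterns: a large payout to an address with no prior history, and
    aggregate outflow over a sliding window exceeding a fraction of the
    wallet's starting balance. Thresholds are assumptions for illustration."""

    def __init__(self, hot_wallets, balance, *, unknown_dst_limit,
                 window_s, window_fraction):
        self.hot_wallets = set(hot_wallets)
        self.initial_balance = balance
        self.unknown_dst_limit = unknown_dst_limit
        self.window_s = window_s
        self.window_fraction = window_fraction
        self.seen = set()       # every address that has appeared before
        self.recent = deque()   # (ts, amount) of outflows inside the window
        self.alerts = []

    def observe(self, tx):
        """Returns the alerts raised by this transaction (possibly none)."""
        raised = []
        if tx.src in self.hot_wallets:
            # Rule 1: customer payouts also go to fresh addresses, so the
            # history check is only meaningful above a size threshold.
            if tx.dst not in self.seen and tx.amount >= self.unknown_dst_limit:
                raised.append(Alert(tx.ts, "unknown-destination",
                                    f"{tx.amount} to {tx.dst}"))
            # Rule 2: drain velocity over the sliding window.
            self.recent.append((tx.ts, tx.amount))
            while self.recent and tx.ts - self.recent[0][0] > self.window_s:
                self.recent.popleft()
            total = sum(a for _, a in self.recent)
            if total >= self.window_fraction * self.initial_balance:
                raised.append(Alert(tx.ts, "drain-velocity",
                                    f"{total:.1f} out in {self.window_s}s"))
        self.seen.update((tx.src, tx.dst))
        self.alerts.extend(raised)
        return raised


# Constructed feed: two ordinary customer payouts, then a three-step drain.
SAMPLE_FEED = [
    Tx(0,   "hot-btc", "cust-1", 0.5),
    Tx(60,  "hot-btc", "cust-2", 0.8),
    Tx(600, "hot-btc", "attk-1", 120.0),
    Tx(660, "hot-btc", "attk-2", 140.0),
    Tx(720, "hot-btc", "attk-3", 149.0),
]


def run_demo(feed=SAMPLE_FEED):
    """Replay the feed through a fresh monitor; returns all alerts in order."""
    mon = HotWalletMonitor(["hot-btc"], balance=500.0, unknown_dst_limit=10.0,
                           window_s=900, window_fraction=0.5)
    for tx in feed:
        mon.observe(tx)
    return mon.alerts


def detection_lag_seconds(alerts, first_suspicious_ts):
    """Seconds between the first suspicious outflow and the first alert."""
    return alerts[0].ts - first_suspicious_ts if alerts else None


if __name__ == "__main__":
    alerts = run_demo()
    for a in alerts:
        print(a.ts, a.kind, a.detail)
    print("lag:", detection_lag_seconds(alerts, 600), "s")
```

Because the monitor evaluates each transaction as it arrives, the first 120 BTC sweep to a never-seen address raises immediately, and the second sweep trips the velocity rule; the detection lag is bounded by feed delay rather than by someone looking at a dashboard. The size threshold on rule 1 is what keeps ordinary customer payouts, which also go to fresh addresses, from drowning the signal.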

How the attack actually unfolded

FixedFloat has never published a formal post-mortem, which is itself part of the story. Most of what is publicly known comes from independent on-chain analysis by firms like SlowMist, MistTrack, and PeckShield, plus community threads that reconstructed the flow of funds in near real time. Three pieces fit together to form the most widely accepted picture.

The hot-wallet exposure model

Instant exchanges live and die by hot-wallet liquidity. Unlike order-book exchanges that can move large reserves to cold storage between trades, a no-account swap service has to settle the moment a deposit confirms. That means a working balance has to sit online, indexed by address, and ready to sign outgoing transactions on demand. FixedFloat's hot wallets across BTC and ETH were sized to handle peak weekend volume, which meant tens of millions in liquid funds were always within reach of whatever signing infrastructure the platform used.

The signer compromise

The on-chain pattern of the FixedFloat drain — large, clean sweeps with no fragmented behavior, no failed attempts, no probing transactions — is consistent with an attacker who already had valid signing authority. There was no exploit of a smart contract, no bridge bug, no oracle manipulation. The keys themselves, or the systems that wielded them, were the vector. Whether that meant a leaked private key, a compromised HSM session, a malicious insider, or a supply-chain compromise of a signing dependency, the practical result was identical: the attacker signed transactions FixedFloat would have signed itself.

The laundering route

Within 24 hours of the breach, large portions of the stolen ETH had been routed through eXch — another no-KYC swap service — and converted into privacy-friendly assets. Some of the BTC took a longer path through mixing infrastructure before fragmenting across dozens of fresh addresses. The use of another no-KYC exchange to launder the proceeds became a flashpoint in the industry, and eXch later faced sustained regulatory pressure that contributed to its own shutdown in 2025. The FixedFloat hack is therefore not just the story of a single exchange's bad day — it triggered a chain reaction across the no-KYC ecosystem.

The instructive thing about FixedFloat is not that hot wallets can be drained; it is how long it took anyone inside the company to notice. Monitoring that depends on a human glancing at a dashboard is not monitoring.

Comparing the major no-KYC incidents

FixedFloat is not the only no-KYC service to have suffered a major breach. Putting it next to other incidents from the same era makes the structural risks of the category easier to see. The pattern is consistent: hot-wallet exposure, slow public communication, and laundering that flows toward privacy-preserving infrastructure.

| Incident | Estimated loss | Attack vector | Public post-mortem |
| --- | --- | --- | --- |
| FixedFloat (Feb 2024) | ~$26M | Hot-wallet signer compromise | None published |
| FixedFloat (Mar 2024 follow-up) | ~$3M | Same infrastructure, partial reuse | None published |
| eXch laundering exposure | Indirect | Inbound stolen funds | Operational statements only |
| Bridge exploits 2022-2024 average | $100M+ per event | Smart contract bug | Usually published |
| Cold-storage CEX breaches | Rare | Multi-sig compromise | Sometimes published |

What sets the no-KYC category apart is the silence afterward. A regulated exchange that loses customer funds faces immediate disclosure obligations and usually publishes a post-mortem to retain whatever trust remains. A no-KYC exchange has no such obligation and often has commercial reasons to keep details quiet: any technical disclosure can help future attackers, and any operational disclosure can attract regulators. The result is a category where users have to reason about safety from the outside, with on-chain breadcrumbs as the only reliable source of truth.

How to protect yourself when using non-KYC swaps

The FixedFloat incident does not mean non-KYC swap services should be avoided — for many users, especially in jurisdictions hostile to financial privacy, they remain the only realistic option. It does mean that the threat model is different from a custodial exchange, and your behavior should reflect that. The following steps reflect what experienced traders adopted after February 2024.

  1. Treat the swap window as transit, not storage. The funds you send to a non-KYC exchange should be moving through, not sitting. Pre-stage your destination address — ideally a wallet whose keys you control, like a Monero wallet generated from a Polyseed mnemonic — before you create the swap. Do not pause halfway.
  2. Size each swap carefully. The FixedFloat hot wallets were drained because they were sized for peak volume. From the user side, the lesson is symmetrical: never route a transaction larger than what you are willing to lose if the exchange has a bad afternoon. Several smaller swaps with different services beat one large one.
  3. Verify the exchange's withdrawal address on-chain before sending. Reputable platforms display a deposit address that is fresh per order. Spot-check the address on a block explorer for prior history. A wallet with no history is a good sign for a fresh order; a wallet with thousands of inbound transactions is a red flag for security hygiene.
  4. Cross-reference the rate. If the quoted rate is dramatically better than competitors, including MoneroSwapper, that is a signal worth investigating, not a deal worth grabbing. Pricing anomalies often correlate with stressed liquidity or, in extreme cases, with platforms operating under compromise.
  5. Confirm completion to a Monero wallet you control. Once the swap completes to your destination, confirm the transaction in your wallet: the RingCT outputs visible, the stealth address credited, and the amount decoded with your view key matching what you expected. Until you have done this in your own software, the swap is not finished.
  6. Move funds promptly to long-term storage. If your long-term plan is to hold Monero, sweep the received outputs to a wallet whose seed is offline as soon as practical. The longer privacy-preserving assets sit at a known counterparty address, the more they accumulate metadata.
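Steps 2 to 4 above are checks a user can run before creating a swap. The block below is an added example of those pre-flight checks, not MoneroSwapper's or any exchange's code: it compares a quoted rate against the median of competitor quotes, classifies a deposit address by its inbound history count (which you would read off a block explorer), and applies a per-swap size limit. All quotes, counts and thresholds are constructed.

```python
from statistics import median


def rate_anomaly(quoted, competitor_quotes, tolerance=0.03):
    """Compare a quote against the median of competitor quotes. Rates are
    'destination units per source unit', so a quote that beats the median by
    more than `tolerance` (a fraction) is flagged. Returns (flagged, edge)."""
    ref = median(competitor_quotes)
    edge = (quoted - ref) / ref
    return edge > tolerance, round(edge, 4)


def address_history_risk(inbound_tx_count):
    """Classify a deposit address by how much prior inbound history it has.
    The 50-transaction boundary is an assumed threshold, not a standard."""
    if inbound_tx_count == 0:
        return "fresh"            # per-order address, the expected case
    if inbound_tx_count < 50:
        return "reused"
    return "heavily-reused"       # shared hot address: poor hygiene


def preflight(amount, loss_tolerance, quoted, competitor_quotes, inbound_tx_count):
    """Run the checks for one swap and return the flags raised (empty = go)."""
    flags = []
    if amount > loss_tolerance:
        flags.append("oversized: split across services")
    flagged, edge = rate_anomaly(quoted, competitor_quotes)
    if flagged:
        flags.append(f"rate-anomaly: +{edge:.1%} over median")
    if address_history_risk(inbound_tx_count) == "heavily-reused":
        flags.append("deposit-address-reused")
    return flags


if __name__ == "__main__":
    # Constructed inputs: a 2.0-unit swap against a 0.5 loss tolerance, a quote
    # 10% above the competitor median, and a deposit address with 4200 inbound txs.
    print(preflight(2.0, 0.5, 176.0, [160.0, 162.5, 158.0], 4200))
    print(preflight(0.2, 0.5, 160.5, [160.0, 162.5, 158.0], 0))
```

The median is used rather than the mean so that one outlier competitor cannot mask an anomalous quote. An empty flag list is not a guarantee that the service is sound; it only means the observable signals this checklist covers are clean.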

Why this story matters for Monero swap users

Monero users are over-represented in the customer base of no-KYC exchanges, for obvious reasons: the on-ramps to Monero from fiat or from other cryptocurrencies have narrowed considerably between 2021 and 2026, and instant-swap services have become a primary route. That makes the security of those services a direct concern for anyone trying to use Monero for its intended purpose. When an exchange like FixedFloat is compromised, the failure does not just affect the people whose deposits were stolen in the attack itself — it also affects everyone whose swap was in flight, everyone whose refund took weeks, and everyone whose downstream wallet now contains outputs that touched a flagged address.

Monero's privacy guarantees, including ring signatures, stealth addresses, and Bulletproofs+, protect transactions on the Monero chain itself. They do not protect the moment a user hands non-Monero coins to a swap service, and they do not unwind a counterparty failure. That is the gap that incidents like FixedFloat operate in. A user can have a perfect Monero opsec setup and still lose funds because the bridge service holding their BTC for thirty minutes was being drained by an attacker in another timezone.

The practical response is to choose swap services with care. Pay attention to operational track record, incident response history, and the degree to which a service is willing to discuss its security model. Services that publish their cold/hot wallet split, that rotate signing infrastructure, and that have clear, public communication during outages are demonstrably better risk profiles than services that treat every incident as a mystery. MoneroSwapper, for example, was built specifically around the principle that swap users should not be forced to choose between privacy and operational visibility — the routing is private, but the platform's behavior during an incident is meant to be loud and clear, not silent.

What the industry learned (and what it didn't)

Two years after the breach, the no-KYC swap ecosystem looks measurably different. Several platforms now publish quarterly proof-of-reserves snapshots, multiple have moved to multi-party signing with geographically distributed signers, and more incidents are followed by at least a short public statement. Insurance products for instant-swap services exist where none did before, although coverage is thin.

What has not changed is the structural pressure on hot wallets. As long as instant swaps are a product category, somebody has to hold liquid funds online, and somebody has to authorize transactions on demand. The frontier of attack moved from on-chain bugs (which dominated 2021–2022) to off-chain compromise of signing infrastructure, which is much harder to defend at the technical layer because the weakness is usually organizational. Phishing of operators, supply-chain attacks on dependencies, and insider threats are all still active vectors in 2026.

One genuinely positive development: the laundering chokepoints have narrowed. After the FixedFloat incident exposed how easily stolen funds could be flipped through other no-KYC services, the surviving platforms adopted shared blocklists, deposit-screening for known attacker clusters, and slower payouts on suspicious patterns. That has made follow-on laundering harder, even as the original attack surface has not been eliminated.
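Deposit screening against a blocklist of attacker clusters, as described above, is in essence a bounded graph search backwards from the depositing address. The block below is an added example of such a screen, not any exchange's real engine: it builds a reverse transfer graph from a constructed transaction list, measures the hop distance to the nearest blocklisted address, and maps that distance to reject, hold (the slower payout the text mentions) or release. Every address, transfer and threshold is constructed.

```python
from collections import deque

# Constructed attacker cluster; a real screen would load a shared blocklist.
BLOCKLIST = {"attk-1", "attk-2"}

# Constructed transfers as (src, dst); a real screen would index a chain feed.
TRANSFERS = [
    ("attk-1", "hop-a"),
    ("hop-a", "hop-b"),
    ("hop-b", "fresh-deposit-1"),
    ("attk-2", "mixer-x"),
    ("mixer-x", "fresh-deposit-2"),
    ("alice", "fresh-deposit-3"),
]


def build_reverse_graph(transfers):
    """Map each address to the set of addresses that have sent it funds."""
    rev = {}
    for src, dst in transfers:
        rev.setdefault(dst, set()).add(src)
    return rev


def hops_to_blocklist(addr, rev, blocklist, max_hops=5):
    """Breadth-first search backwards from `addr`; returns the number of hops
    to the nearest blocklisted address, or None if none lies within max_hops."""
    if addr in blocklist:
        return 0
    queue = deque([(addr, 0)])
    seen = {addr}
    while queue:
        node, dist = queue.popleft()
        if dist >= max_hops:
            continue
        for src in rev.get(node, ()):
            if src in blocklist:
                return dist + 1
            if src not in seen:
                seen.add(src)
                queue.append((src, dist + 1))
    return None


def screen_deposit(addr, rev, blocklist, *, reject_within=1, hold_within=3):
    """Decide what to do with a deposit from `addr`. Direct receipt from the
    cluster is rejected; a short laundering chain is held for review; anything
    farther away, or unconnected, is released. Hop limits are assumptions."""
    hops = hops_to_blocklist(addr, rev, blocklist)
    if hops is None:
        return "release"
    if hops <= reject_within:
        return "reject"
    if hops <= hold_within:
        return "hold"
    return "release"


if __name__ == "__main__":
    rev = build_reverse_graph(TRANSFERS)
    for a in ("hop-a", "fresh-deposit-1", "fresh-deposit-2", "fresh-deposit-3"):
        print(a, hops_to_blocklist(a, rev, BLOCKLIST), screen_deposit(a, rev, BLOCKLIST))
```

The hold tier matters because taint a few hops away is common on a busy chain and rejecting it outright would turn away legitimate customers; the cost of a hold is a delayed payout and a manual look, which is the trade the text describes. Bounding the search depth keeps the check fast enough to run synchronously on every deposit.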

FAQ

How much did FixedFloat lose in the February 2024 hack?

FixedFloat lost approximately 409 BTC and 1,728 ETH, worth roughly $26 million at the time of the attack. The funds were drained from the platform's hot wallets in a series of clean transactions over the course of an afternoon. A smaller follow-up incident in March 2024 added approximately $3 million more in losses before the exchange rotated its signing infrastructure.

Did FixedFloat refund affected users?

FixedFloat eventually processed refunds for most users with in-flight or unfulfilled orders, although the process took weeks for many customers. The exchange covered the losses from its own reserves rather than passing them on to the affected users, which is a meaningful distinction — many hacked exchanges socialize losses across the user base. Some users reported partial recovery or unresolved cases.

Was the FixedFloat attacker ever identified?

Publicly, no. On-chain analysis traced funds through several mixers and across the eXch platform, but no individual or group has been formally attributed to the breach. Some analysts speculated state-actor involvement based on the laundering sophistication, while others pointed to insider or supply-chain compromise based on the clean signing behavior. FixedFloat has not published its internal findings.

Is it safe to use FixedFloat in 2026?

FixedFloat has continued to operate since the incident and has reportedly upgraded its signing infrastructure. The decision to use any non-KYC swap is a personal risk assessment that should account for operational history, transparency, and the size of the trade. Many users diversify across multiple platforms specifically to avoid concentrating exposure with one operator, which is sensible practice regardless of which exchange is in question.

What is the safest way to swap to Monero today?

The safest workflow is to use a swap service with a clean operational record, send the smallest practical amount per transaction, confirm receipt to a Monero wallet whose mnemonic seed you generated yourself, and sweep the funds to long-term storage soon after. MoneroSwapper is designed around this workflow — minimal data collection, clear status reporting, and direct delivery to a stealth address you control. Combining a careful swap service with disciplined wallet hygiene gives the strongest practical outcome.

How does this compare to traditional exchange hacks?

Traditional regulated exchange hacks usually involve larger absolute losses but more recovery options through insurance, regulatory pressure, and public post-mortems. Non-KYC swap hacks like FixedFloat are smaller in dollar terms but riskier per user because there is no recourse beyond the exchange's own goodwill. The structural difference is that you trade legal recourse for privacy when you choose the no-KYC route, and that trade should be priced into how much you put through any single platform.

Conclusion

The FixedFloat hack was a clarifying event for the no-KYC swap category. It did not invent a new attack class, and it did not introduce a risk that informed users had not already been thinking about. What it did was force a hidden assumption into the open: that the operational discipline of an instant exchange is part of the security guarantee, and that any platform asking users to trust it for thirty minutes had better be worth thirty minutes of trust. Some platforms responded to that pressure with better practices, public communication, and demonstrable improvements. Others stayed quiet and hoped users would forget. The market is still sorting which is which.

For anyone using Monero in 2026, the takeaway is practical. Pick swap services that treat your time and your funds with the seriousness the moment requires, size your trades for the threat model you actually face, and confirm every leg of the route in software you control. If you want to start a swap right now with a service that was built around exactly these principles, you can begin at buy Monero anonymously or compare current rates through MoneroSwapper's quote engine. The 2024 incident is in the rearview, but the lessons it left behind shape every swap you do today.