# Moby Trade Exploit and Swift Seal911 Response

<figure><img src="/files/ONvZobjCDFXMOa71cGZT" alt="" width="563"><figcaption></figcaption></figure>

## Summary

On January 8th, 2025, [Moby announced to its users](https://x.com/Moby_trade/status/1877096336140677458) that, despite its claims of secure smart contracts and robust key management, an exploiter had identified a vulnerability and exploited it, resulting in significant theft.

[Moby](https://moby.trade/), a decentralized options trading platform on Arbitrum, offers real-time pricing, low spreads, and deep liquidity. The platform utilizes liquidity pools, such as sOLP (stablecoins) and mOLP (crypto + stablecoins), to facilitate efficient on-chain derivatives trading.

The exploit was possible after Moby's **Admin-privileged private key** was compromised, allowing the attacker to upgrade key smart contracts. This breach led to the theft of **3.77 wBTC, 207.76 wETH, and 1,500,351.5 USDC,** assets equivalent to **$2,557,683.79**.

In times of crisis, unexpected help can arrive, and that is exactly what happened with the intervention of the [**Seal911 team**](https://x.com/_seal_org?lang=en). They managed to recover 1.4M USDC of the stolen funds; however, the remaining funds were converted and dispersed across various bridges, resulting in a **total loss of approximately $1,109,914.17.**

## How Did It Happen?

The root cause of the attack was the compromise of Moby's admin-privileged private key, which was supposedly protected under *"Secured Key Management."* With this key in hand, the attacker held the privileges needed to upgrade the core smart contracts, which is what turned a leaked key into a full security breach.
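Each of the privileged actions that made this possible (an implementation upgrade, a proxy-admin change and an ownership transfer) emits a standard on-chain event, so a defender can alert on them the moment they land. The following is an added example, not Moby's or Blockscope's code: it assumes a trusted admin address, an unapproved implementation and a handful of eth_getLogs-style records (all constructed), and checks every privileged change on a watched proxy against an allowlist.

```python
# Added example, not Moby's or Blockscope's code: flag privileged proxy changes on
# watched contracts. Topics are the standard ERC-1967 / OpenZeppelin event hashes;
# the trusted admin, the rogue implementation and the log records are constructed.
from collections import namedtuple

TOPIC_UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address indexed)
TOPIC_ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"  # AdminChanged(address,address)
TOPIC_OWNERSHIP = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"  # OwnershipTransferred(indexed,indexed)

S_VAULT = "0xd4d23332e6256b751e2da0b9c0b3a70cfe9180c0"   # S_Vault proxy (from the report)
ATTACKER = "0x2a566d111d0a5be888fec5f3834434af3245bb1b"  # Moby Attacker (from the report)
TRUSTED_ADMIN = "0x" + "11" * 20                          # constructed: the team's multisig/timelock
NEW_IMPL = "0x" + "22" * 20                               # constructed: an implementation nobody approved

Alert = namedtuple("Alert", "severity tx_hash contract event new_value")

def addr_from_word(word: str) -> str:
    """A 32-byte ABI word (topic or data slot) carrying an address: the low 20 bytes."""
    return "0x" + word[-40:].lower()

def word(addr: str) -> str:  # inverse of addr_from_word; only used to build the sample logs
    return "0x" + "00" * 12 + addr[2:].lower()

def decode_privileged_event(log: dict):
    """Return (event name, new privileged address), or None for events we don't track."""
    topics, data = log["topics"], log["data"]
    t0 = topics[0].lower()
    if t0 == TOPIC_UPGRADED:        # implementation is indexed -> topics[1]
        return "Upgraded", addr_from_word(topics[1])
    if t0 == TOPIC_ADMIN_CHANGED:   # neither param is indexed -> newAdmin is the 2nd data word
        return "AdminChanged", addr_from_word(data[2:][64:128])
    if t0 == TOPIC_OWNERSHIP:       # newOwner is the 2nd indexed param -> topics[2]
        return "OwnershipTransferred", addr_from_word(topics[2])
    return None

def scan_logs(logs: list, monitored: set, allowlist: set) -> list:
    """One Alert per privileged change on a monitored contract; critical unless allowlisted."""
    alerts = []
    for log in logs:
        contract = log["address"].lower()
        decoded = decode_privileged_event(log) if contract in monitored else None
        if decoded is None:
            continue
        event, new_value = decoded
        severity = "info" if new_value in allowlist else "critical"
        alerts.append(Alert(severity, log["transactionHash"], contract, event, new_value))
    return alerts

SAMPLE_LOGS = [  # constructed eth_getLogs-style records; tx hashes are placeholders
    {"address": S_VAULT, "transactionHash": "0xtx_constructed_1", "data": "0x",
     "topics": [TOPIC_OWNERSHIP, word(TRUSTED_ADMIN), word(ATTACKER)]},   # owner -> attacker
    {"address": S_VAULT, "transactionHash": "0xtx_constructed_2", "data": "0x",
     "topics": [TOPIC_UPGRADED, word(NEW_IMPL)]},                          # unapproved upgrade
    {"address": S_VAULT, "transactionHash": "0xtx_constructed_3",
     "data": word(ATTACKER) + word(TRUSTED_ADMIN)[2:], "topics": [TOPIC_ADMIN_CHANGED]},  # handed back
]
```

Run `scan_logs(SAMPLE_LOGS, {S_VAULT}, {TRUSTED_ADMIN})`: the ownership transfer to the attacker and the unapproved upgrade come back critical, while the admin change to the trusted address is only informational.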

Once the attacker had confirmed this access, they conducted a [test attack on the Arbitrum Sepolia](https://sepolia.arbiscan.io/tx/0xbf97d408ed11e0161d6667457c3a17b6947bc1b7a339e3201bc1d01c36f0ac78) network. An hour later, they executed the exploit on mainnet and began draining funds. The stolen funds were then bridged from Arbitrum to Ethereum, where the attacker started dispersing and laundering the assets across numerous wallets.

In response, Moby publicly acknowledged the attack and contacted security teams, including [Seal911](https://x.com/_seal_org?lang=en) and [SlowMist](https://www.slowmist.com/). They also reached out to protocols used by the attacker, such as [Circle](https://www.circle.com/) and [Rhino.fi](https://rhino.fi/), to block and freeze assets and prevent further obfuscation. [Seal911 successfully thwarted](https://x.com/tonykebot/status/1877240687256580248) another attempt by the attacker to exploit a smart contract, recovering approximately 1,470,191.71 USDC in the process. Unfortunately, the [wBTC and wETH stolen during the attack were irretrievable](https://x.com/tonykebot/status/1877240698031800749), as they had already been drained. The attacker converted the remaining assets into **312.02 ETH** and used the [**Stargate protocol**](https://x.com/stargatefinance?lang=en) to bridge them onto the Ethereum mainnet. To further obscure the trail, the attacker employed several tunneling addresses and used bridges like [**DLN**](https://x.com/dln_trade?lang=en) to launder the funds. Some of the wallets associated with the attacker still hold portions of the stolen ETH.

Let’s visualize and break down the entire exploit using Blockscope’s advanced analytics and forensic tools.

## On-chain Activity

The Moby exploit is a multichain operation that began on the Arbitrum Sepolia Testnet, moved to the Arbitrum Mainnet, and then bridged to the Ethereum Mainnet to obscure the trail. Currently, the laundered funds are still being bridged across chains.

**Moby Attacker:** 0x2a566D111d0a5Be888FEC5F3834434Af3245Bb1b

**Moby Attacker 2:** 0x6A92D4840309f447922114a349984a1d09a51470

**Total Assets Lost:** 3.77 wBTC, 207.76 wETH and 30,179.97 USDC

Using **Tracer**, we visualized the entire exploit, tracking how funds moved from the S\_Vault and M\_Vault contracts to the attacker, and noted the conversion of stolen assets using Uniswap.

<div data-full-width="true"><figure><img src="/files/97W6MwUIbUm3HiLxFH7g" alt=""><figcaption><p>Attacker's token movement before bridging to Ethereum</p></figcaption></figure></div>

Once converted to ETH, the funds were bridged to the Ethereum Mainnet using Stargate. The recipient address on Ethereum Mainnet was the attacker's second address, which was also used for cross-chain bridging: 0x6a92d4840309f447922114a349984a1d09a51470.

<figure><img src="/files/l4gwOi5aoWDuAu6hgTp1" alt=""><figcaption><p>Tracer shows transfer of stolen wETH from Arbitrum to Ethereum using Stargate</p></figcaption></figure>

After receiving 312.02 ETH, this address tunneled the funds and distributed them across numerous other addresses in an attempt to obfuscate and launder the assets. Several of these tunneling addresses used the DLN protocol to bridge assets cross-chain to networks like Polygon Mainnet, while most still hold the stolen assets.

Our tracer for the Ethereum Mainnet illustrates the flow and current state of the assets involved in this exploit.

<div data-full-width="true"><figure><img src="/files/1poNXheGekd9yj6WD24N" alt=""><figcaption><p>Post-Bridging tracer on Ethereum</p></figcaption></figure></div>

The tracer below shows how the attacker leveraged bridges to launder and obfuscate funds. In the transaction shown, one of the attacker's side wallets, 0xe5240366f033ae373ff68ccffe552ea1d460b1d0, bridges around 3 ETH from the Ethereum mainnet to the Polygon mainnet through the DLN bridge and receives 21,339 POL at address 0x36d137d85a8a0c8d30cec57aeda82b4eff1ebade.

Tx. Hash: 0x35031f2fca5558df30bbcca228c06027357a4481f8a413d782c568c9e0a475e9

<figure><img src="/files/JJZ6zu5eKrraEmtI9yPj" alt=""><figcaption><p>0xe52...b1d0 bridging ETH to Polygon Mainnet using DLN Protocol</p></figcaption></figure>

## Exploit Breakdown & Timeline

### January 8, 2025 - 11:56 UTC

Having obtained the admin-privileged private key, the attacker, using the Moby Attacker wallet 0x2a566D111d0a5Be888FEC5F3834434Af3245Bb1b, rehearsed the exploit on the Arbitrum Sepolia Testnet.

Tx. hash: 0xbf97d408ed11e0161d6667457c3a17b6947bc1b7a339e3201bc1d01c36f0ac78

### January 8, 2025 - 12:57 UTC

The attacker initiated the attack. Using the stolen private key, the attacker executed a contract upgrade and changed the proxy admin at **1:49 UTC**, eventually gaining ownership and admin rights for the primary address.

Tx. hash: 0x9da34da770f1e9c5d5e176578b32710d8e288587d8401582f34a9631edf9be4b

<figure><img src="/files/WbKZopTJTgKLtq99t6kX" alt=""><figcaption><p>Change of contract ownership</p></figcaption></figure>

### January 8, 2025 - Between 15:24 and 15:28 UTC

After securing admin rights, the attacker altered the ownership of the S\_Vault Contract 0xd4d23332e6256b751e2da0b9c0b3a70cfe9180c0 and executed three Emergency Withdrawals, transferring 0.07 wBTC, 0.79 wETH, and 30,179.79 USDC to the primary address.

Tx. hashes:

* USDC: 0xfb260f58332034fe203a41b031c41b8461f469e46d5632b33b328f22aed1fb42
* wBTC: 0xa64829baf5b83fb6fbebcac334f2c73f6d8ec31a4c8b210538e32105c8ca8566
* wETH: 0x15890f9b4db381875d2e1e606f5c0b39540295f2af7ab34abe4dd4722dde18d2

<figure><img src="/files/PM3peUPchu4cAO3GlR9J" alt=""><figcaption><p>Transfer of assets from S_Vault contract</p></figcaption></figure>

### January 8, 2025 - 16:37 UTC

The attacker performed a similar admin change on the M\_Vault Contract 0x9e34f79e39addb64f4874203066ffddd6ab63a41, then made two transfers of 3.70 wBTC and 206.97 wETH to the primary address between **16:47 and 16:48 UTC.**

Tx. hashes:

* wETH: 0xa16b4751f802b01ad9f71a9a44f534afc943c5b1952551d6a06e75207eee917a
* wBTC: 0x5729abb3d2898e80b24b08f3f079c5b5022db72fb97972e56ea68230b1efbacc

<figure><img src="/files/Fc2xYLPOeArGnHpeY61V" alt=""><figcaption><p>Transfer of assets from M_Vault contract</p></figcaption></figure>

### January 8, 2025 - 16:48 UTC

Seal911 identified the vulnerability and fixed the smart contract by upgrading it, preventing the loss of 1,470,191.71 USDC from the exploited M\_Vault Contract.

Tx. hash: 0xa247fb0c2a641ad09f3c798c754662ee46ec56ebebc85c17afa397fdeaafe64a

<figure><img src="/files/vGKXdakgkngwYh2n8NRB" alt=""><figcaption><p>Seal911 recovered the vulnerable 1.47M USDC</p></figcaption></figure>

### January 8, 2025 - 16:50 UTC

The attacker transferred 3.70 wBTC and 206.97 wETH to the Bridging Address Moby Attacker 2 0x6A92D4840309f447922114a349984a1d09a51470 and 30,179.97 USDC into the Uniswap V3 pool.

Tx. hashes:

* wETH: 0xa16b4751f802b01ad9f71a9a44f534afc943c5b1952551d6a06e75207eee917a
* wBTC: 0x5729abb3d2898e80b24b08f3f079c5b5022db72fb97972e56ea68230b1efbacc

<figure><img src="/files/io9joeyW3sFAx1McF4r0" alt=""><figcaption><p>Transfer of stolen wETH and wBTC to Moby Attacker 2</p></figcaption></figure>

### January 8, 2025 - Between 16:59 and 17:01 UTC

The attacker converted 206.97 wETH and 3.70 wBTC into 312.02 ETH using swaps, primarily through Uniswap.

Tx. hashes:

* wETH: 0xa605d246b5a4f01de5bfe7864055ab331aab3ffa11ffcf9e84a669f22201c612
* wBTC: 0x670b17897045b5e1745e43ffc59dee103135f3ead600684d6bb67fa57763a61b

<figure><img src="/files/6QjvTMYRyyvCSBWpIUs6" alt=""><figcaption><p>Conversion of wBTC and wETH into ETH</p></figcaption></figure>

### January 8, 2025 - Between 17:11 and 17:25 UTC

The attacker bridged all the funds held by Moby Attacker 2 0x6A92D4840309f447922114a349984a1d09a51470 from Arbitrum to the Ethereum Mainnet using the Stargate protocol.

<figure><img src="/files/6D9zNmamhnK3FHvGLjti" alt=""><figcaption><p>Using Stargate protocol, Moby Attacker 2 bridged 312.02 ETH from Arbitrum to Ethereum mainnet</p></figcaption></figure>

### January 8, 2025 - 17:26 UTC

The attacker began dispersing ETH across numerous wallets to obfuscate the trail. Some ETH was bridged using the **DLN protocol** while most remained in side wallets.

<figure><img src="/files/sgLJJeMdnkhnDP9YEehi" alt=""><figcaption><p>Attacker did some cross-chain bridging to launder &#x26; obfuscate assets</p></figcaption></figure>

### January 8, 2025 - 20:53 UTC

[Moby Trade tweeted about the exploit](https://x.com/Moby_trade/status/1877096336140677458), responding hours after the incident. On **January 10th at 13:27 UTC**, Moby published its post-exploit [Post-Mortem Report and Growth Plan](https://x.com/Moby_trade/status/1877708786783392232).

<figure><img src="/files/9nPVhifV8RdgkBwSxWJw" alt=""><figcaption><p>Moby's first response</p></figcaption></figure>

## Wallets and Addresses Found

In this investigation, we identified a substantial list of addresses linked to the attacker, which were used to tunnel, bridge, and obfuscate the stolen assets. Using the **Cohort Analysis Tool**, we demonstrated a clear and direct relationship between the attacker and the addresses listed in the table below.

<figure><img src="/files/SJObgvfdRtv8Cho5hZWr" alt=""><figcaption><p>Cohort Analysis on Ethereum mainnet, shows relationship between attacker's wallets</p></figcaption></figure>

### List of Associated Addresses

<table><thead><tr><th width="339">Note</th><th>Address</th></tr></thead><tbody><tr><td>Moby Attacker (Primary Address on ARB)</td><td>0x2a566d111d0a5be888fec5f3834434af3245bb1b</td></tr><tr><td>Moby Attacker 2 (Bridging Address on ARB and ETH)</td><td>0x6a92d4840309f447922114a349984a1d09a51470</td></tr><tr><td>Side Wallet (ETH)</td><td>0x5267c4e531b00597ef0cce0dc591c30fad7e4137</td></tr><tr><td>Side Wallet (ETH)</td><td>0x3d5908d723db3e75962b464935ec72b25f279488</td></tr><tr><td>Side Wallet (ETH)</td><td>0x0261254a0ea9c4065727b77b2680fe0726010e49</td></tr><tr><td>Side Wallet (ETH)</td><td>0x1bb090b419b1437247eca7fc4c2a847f7222cd1a</td></tr><tr><td>Side Wallet (ETH)</td><td>0x5ecbe4f3d08594e42a3ebe3752fa6d6fa0bc8d38</td></tr><tr><td>Side Wallet (ETH)</td><td>0x07b00bab187a1acc4dfb18190b5652a6d86795f9</td></tr><tr><td>Side Wallet (ETH)</td><td>0x396b19959cabecb07787190044c11aaf48c44a05</td></tr><tr><td>Side Wallet (ETH)</td><td>0x83629c00266bd68c60634caff34646162233700b</td></tr><tr><td>Side Wallet (ETH)</td><td>0xa6523e3bdf6a798ef3cd8a5e1d55e6d82416dc02</td></tr><tr><td>Side Wallet (ETH)</td><td>0x8b0e842de81b4cde581a139e5b6a67027c679349</td></tr><tr><td>Side Wallet (ETH; Bridged funds)</td><td>0x8a564053192b5566edae8b0305d7d40040913eab</td></tr><tr><td>Side Wallet (ETH; Bridged funds)</td><td>0xe5240366f033ae373ff68ccffe552ea1d460b1d0</td></tr><tr><td>Side Wallet (ETH; Bridged funds)</td><td>0x06d86f0c7b563571460f2369abc051ced744ca31</td></tr><tr><td>Side Wallet (ETH; Bridged funds)</td><td>0xba021c7817e7b1ea2ad103fb535f75f07f9b2571</td></tr><tr><td>Side Wallet (ETH; Bridged funds)</td><td>0x2b9d98682e179c52eb031a8b42cd3ac56e0c7e8e</td></tr><tr><td>Side Wallet (ETH)</td><td>0xbcf24b2f2f1a7f8c3709f40bfd12be1469608108</td></tr><tr><td>Side Wallet (ETH)</td><td>0x818051846e1cb33c9775ecc68f9ec24fa8872d50</td></tr><tr><td>Side Wallet (ETH)</td><td>0xad6049d1fe59ce49b71386c45bb6348a9d2e45be</td></tr><tr><td>Side Wallet (ETH)</td><td>0xfbf735e81a1c430729dca17fc927df46c269fe6f</td></tr><tr><td>Side Wallet (ETH)</td><td>0x81ebcb5cb748df13ad117aad9d828d8ebc7056a2</td></tr><tr><td>Side Wallet (ETH)</td><td>0x246159d610ab6165f9445a6a22f2fa63782b710e</td></tr><tr><td>Side Wallet (ETH)</td><td>0x06894cf8308b5235733ee42ce57e4524d1642f6b</td></tr><tr><td>Side Wallet (ETH)</td><td>0x65aeeb98e3b59a18b8dfa3f2c8ee376828da7782</td></tr><tr><td>Side Wallet (ETH)</td><td>0xa90da10c49ba8f751d6d5b7fb4788b499277cdab</td></tr><tr><td>Side Wallet (ETH)</td><td>0x61b7e18ba8ba0413a9ae61cbb263507afb53b7cc</td></tr></tbody></table>

## On-Going Monitoring

Moby Trade is actively collaborating with various security firms, law enforcement agencies, and exchanges to freeze stolen assets and prevent successful obfuscation and laundering attempts. Additionally, we have deployed our [**Watchtower**](https://www.blockscope.co/community/watchtowers/6792e161e8c4d608b73070f3) system to continuously monitor all side wallets still holding ETH on the Ethereum Mainnet.

<figure><img src="/files/mZCizOGst7fB0WroiTGu" alt=""><figcaption><p>Moby Trade Active Watchtower</p></figcaption></figure>

## Conclusion

This exploit serves as a critical reminder that companies handling public funds must be held accountable and take proactive security measures. Moby Trade’s response—downplaying the incident by stating that their smart contracts "worked properly" and attributing the breach to stolen private keys—highlights the need for better responsibility in securing sensitive information.

On a positive note, this case underscores the value of blockchain security work. The **Seal911 team** successfully recovered approximately **$1.4M USDC**, and [Tony Ke's tweet captures their achievement](https://x.com/tonykebot/status/1877240684266295373). As noted, the attacker exploited the system by upgrading the smart contract through the **UUPS (Universal Upgradeable Proxy Standard)** pattern but failed to secure the upgraded contract, leaving a vulnerability that Seal911 was able to leverage.

<figure><img src="/files/E9uFreGw9I9J4DEN1Khg" alt=""><figcaption></figcaption></figure>

At [**Blockscope**](https://www.blockscope.co/), we develop tools and technologies to safeguard your assets and empower individuals and organizations to take accountability. As attackers evolve and become increasingly sophisticated, so must our security measures. The Moby Trade exploit is a powerful example of how security firms can make a significant impact in the fight against cybercrime.

The investigation utilized a suite of advanced tools from Blockscope and forensic techniques to meticulously trace and analyze the events of the hack. Here's a summary:

* **Transaction Decoder**: Deconstructed transactions to understand the attacker's actions and sequence of events, including how the contract was upgraded via UUPS.
* **Wallet Profiler**: Identified attacker wallets, analyzed suspicious transactions on Arbitrum and Ethereum and revealed obfuscation using Stargate and DLN protocols.
* **Tracer Tool**: Tracked stolen tokens like wETH, wBTC, and USDC across wallets and DeFi protocols, including cross-chain movement from Arbitrum to Ethereum.
* **Entity Interaction Tool**: Mapped the interactions between the Stargate protocol and Moby Attacker 2 that were used to bridge funds.
* **Cohort Analyzer**: Identified clusters of associated wallets, clarifying the attacker’s network on Ethereum.
* **Watchtower**: Monitored and tracked all wallets and side addresses involved in the exploit in real time.

**Investigation by:** [**Tushar Tiwari**](https://www.linkedin.com/in/tushartiwari21), Analyst @ [**Blockscope**](https://www.blockscope.co/)

For more information, please reach out to us at **<hello@blockscope.tech>**

<figure><img src="/files/yJqkXMeOJ5aAiNjasen5" alt=""><figcaption></figcaption></figure>

Disclaimer: Best Effort Investigation

This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

* The data used in this investigation may contain inaccuracies, omissions, or errors.
* Information sources may be incomplete or subject to change.
* New evidence may emerge that could alter the conclusions.
* Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.
