BitMart Hack Bounty Program

Introduction

In December 2021, BitMart Exchange experienced a significant security incident where hackers used stolen private keys to steal approximately $196 million worth of crypto assets from hot wallets.Affected assets included BTC, Ethereum, Binance Smart Chain tokens, and others.

Key Fund Movements

• December 2021: Attackers converted most stolen assets into ETH & BNB and mixed them using Tornado Cash.
  
• December 2021: Stolen TRON funds were mixed via ChangeNOW and nrb.io.
  
• December 2021: Stolen VeChain funds were mixed via SimpleSwap.
  
• March 2024: Stolen BTC was mixed using Wasabi CoinJoin.
  

This program seeks to identify those responsible for the BitMart breach, trace stolen assets, and facilitate fund recovery. Verified contributions will be rewarded, with additional bounties for successful recoveries. White-hat participants who provide verified key information will be eligible for rewards. Additionally, if the stolen assets are successfully recovered, a percentage of the recovered amount will be distributed as a bounty to those who made significant contributions.

---

Scope

We seek verified intelligence related to the BitMart hot wallet theft on December 4, 2021 (UTC). This includes but is not limited to:

• Attacker identification (on-chain & off-chain ties, social links, CEX account traces).
  
• Transaction & fund flow analysis (on-chain tracing, mixing activity, laundering methods).
  
• Infrastructure details (IP addresses, domains, hosting services used).
  
• Other forensic evidence that contributes meaningfully to identifying the hacker(s).
  

Submissions lacking forensic value, repeating known data without new context, or providing unverifiable claims will not be eligible for rewards.

---

Known Information

Hacker Addresses

Hacker Address	Type of Asset
0x39fb0dcd13945b835d47410ae0de7181d3edf270	ETH
0x4bb7d80282f5e0616705d7f832acfc59f89f7091	ETH
0x8eafee3d0df538a1e04487a43239c1c73b50032d	ETH
0xAf631C6EebFC5Ff3a267788bafa52A18670D577c	ETH
0x132f8cEEfE9ea00e1DbC06b32f625864BA21d66c	ETH
0xC47A987521e2E646423ac92b1Eb0b3cB2193625D	ETH
0xa9e4332448318da58cdd398286c0809684ed9bd4	ETH
0x402be63f5d8189f8027d429b8588df4f0aec9f53	ETH
0xe68a520f67c0225b7856bb9496dfc6b476217256	ETH
0xb4f8abad5d64f7132c74013569d55a6ac9bbaa1d	ETH
0xf082af2426ee0d626c75597649f8f8fe0b5fbeee	ETH
0x6723736dd131c0baed60d712d8e569fe6e9509b0	ETH
0x041afe8c155997de612d69f3ff0287ae58504246	ETH
0x25fb126b6c6b5c8ef732b86822fa0f0024e16c61	BSC
3Nsop3FW7jjjTKd6MkLc6qjyWuAm9XLU81	BTC
0x59E55AC0cb34358B9511bbB3f3C1327BD40523E5	AVAX
bnb15r4fzmhjv54ncf4f0cvmjvadjgwffd93gf56qv	Binance Chain
TL1NRNDe3babg3zZywe8PC1tTMta1mqkTX	TRON
TBTPmRe7Lpjka6Koxr2v7CrAocCNGZKsW5	TRON
TGScTPMkm3MDF8T3xpUzb7u3jXUV4qcBYm	TRON
0x673B380f1667b2f9A216Fd1eBB6225Ee75cC7d55	VeChain
0xbb3fd383d1c5540e52ef0a7bcb9433375793aeaf	VeChain
0x6f39fa0096b075becdb2c46c62976e92f03ca104	VeChain
0x8cbcc75678cd88e3d450941dcd3d27b560a6ecba	THETA

Attackers' IoC Information

• IP Addresses:
  • 119.91.93.28 (Discovered in Dec 2021)
  • 38.102.175.100 (Discovered in Dec 2021)
• Mixing Services Used: Tornado Cash, ChangeNOW, SimpleSwap, Wasabi CoinJoin.
  

---

Rules and Guidelines

Accuracy

• Submissions must be verifiable, objective, and directly contribute to identifying the attacker or tracking stolen funds.
  

Details

Submissions should include:

• Blockchain transaction proofs (tx hashes, addresses, patterns).
• Cross-referenced intelligence (CEX account links, emails, IPs, domain history).
• Technical analysis (heuristics, mixing methods, transaction clustering).
• Chain of custody to ensure data integrity.
• A complete forensic intelligence clue chain.
• Supporting data that proves the intelligence's value.
• Specific methods, tools, or techniques used.

Originality

• Information must be original and not previously disclosed or made public.
  

Impact

• Intelligence must provide actionable insights or lead to significant progress in the investigation.
  

Feedback

• Due to the complexity of verification, responses may take longer than standard vulnerability reports.

---

Bounty Details

High-Impact Intelligence ($1,000 - $5,000)

• Personal ID evidence (email, phone, gov ID, home address).
  
• On-chain & off-chain intelligence tying the hacker to real-world entities.
  
• CEX account evidence linked to stolen funds.
  

Important data that directly identifies the attacker or connects them to individuals, groups, or APT organizations, or significantly increases the likelihood of recovering funds. This includes sensitive personal identification information (e.g., personal email, phone number, ID number, home address, social relationships) or CEX account information directly tied to the stolen assets.

Medium-Impact Intelligence ($500 - $2,000)

• IP addresses, domain names, devices, or indirect attacker links.
  
• Tracing reports connecting different laundering patterns.
  

Indirect intelligence that helps identify the attacker, such as IP addresses, domain names, or evidence that indirectly links the attacker to individuals, groups, or APT organizations.

Low-Impact Intelligence ($50 - $500)

• Supplementary insights into attack techniques or blockchain movement analysis.
  

Additional Reward:

• If stolen funds are recovered, contributors will receive a 10%-30% bounty of the value based on the significance of their contribution (at the discretion of forensic analysts).
  
• All amounts shown per market price on [DATE] for relevance to the security incident in 2021

---

Legal & Ethical Considerations

• All submitted intelligence must comply with applicable laws and ethical standards.
• Do not engage in unauthorized access, exploitation of systems without consent, or any activity that violates the law.
• Reports must not include personally identifiable information (PII) obtained through unlawful or unethical methods.
• Rewards are subject to internal verification and compliance review.
• High-value rewards may require Anti-Money Laundering (AML) and Know Your Customer (KYC) verification.

---