Skip to main content
Sign in

FixedFloat

avoid.net/fixedfloat10/100·100% conf.
[AI-DRAFTED · AWAITING VERIFICATION][src:defillama]
anchored·2FZyj3…fsVQ

Summary

FixedFloat (ff.io) is a non-custodial, no-KYC cryptocurrency swap exchange launched in 2018 that suffered two confirmed security breaches in 2024 totaling approximately $28.9 million in stolen assets. Both attacks were attributed to the same threat actor exploiting vulnerabilities in FixedFloat's third-party hosting provider, Time4VPS, and stolen funds were routed through the eXch mixer — a service subsequently shut down by German authorities for laundering proceeds from major crypto thefts. The platform resumed operations after a two-month suspension but has faced ongoing scrutiny for its anonymity-first model, opaque team structure, and inadequate incident disclosure.

Connected Entities

1 entities
Protocols
FixedFloat
Relationships
    Have evidence about FixedFloat?

    Timeline(8 events)

    2018-01-01

    FixedFloat launches as a non-custodial, no-KYC cryptocurrency swap exchange.

    2024-02-16

    First breach: 409.304 BTC and 1,728.48 ETH (approximately $26.1 million) drained in under 45 minutes across nine transactions. Platform enters maintenance mode.

    2024-02-18

    FixedFloat publicly confirms the hack, attributing it to 'vulnerabilities and security gaps in its infrastructure.' Stolen Ethereum funds traced to eXch mixer by PeckShield.

    2024-03-31

    Alleged same attacker gains unauthorized access to all FixedFloat servers still hosted at Time4VPS.

    2024-04-01

    Second breach: approximately $2.8 million drained from FixedFloat's Ethereum hot wallet. Attacker locks FixedFloat out of Time4VPS account by changing recovery email.

    2024-04-02

    Cyvers alerts community to suspicious FixedFloat transactions. CoinDesk and CryptoSlate report the second hack. Tether freezes approximately $400,000 in attacker-linked USDT.

    2024-04-30

    German authorities (BKA/ZIT) shut down eXch — the primary laundering destination for FixedFloat's stolen Ethereum — seizing approximately $38.5 million in crypto assets.

    2024-06-01

    FixedFloat resumes operations after approximately two-month suspension, claims infrastructure migrated away from Time4VPS and security improvements implemented. Attributes both hacks to Time4VPS vulnerabilities in official statement.

    Provenance & Audit Trail
    Anchored on SolanaVerify on-chainsrc:defillama

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    full audit log →version history →

    model: claude-sonnet-4-5

    generated: 5/4/2026, 2:54:35 AM

    last updated: 5/19/2026, 8:59:37 PM

    avoid.net — verified advice for a post-truth world