Verify a decision

{"actor":"system:backfill","investigation_id":"843a10a0-e549-43a8-a9eb-c3e236fc8f38","kind":"publish","page_slug":"easyfi-network","published_at":"2026-05-31T06:59:23.877Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"EasyFi Network","sections":[{"content":"At approximately 10:40 AM UTC on April 19, 2021, an unknown attacker remotely compromised the personal computer of EasyFi founder and CEO Ankitt Gaur. According to Gaur's own post-mortem, the attacker did not exploit a MetaMask phishing vulnerability; instead, the attacker altered the MetaMask browser extension directly from the machine's hard disk, extracting the mnemonic phrase and administrator private keys. The compromised machine was dedicated to official EasyFi transactions and was kept offline except when in use — a security precaution that nevertheless failed. The single admin key lacked multisig protection, a timelock, or hardware security module controls, meaning the attacker could drain liquidity pools unilaterally once keys were obtained.","heading":"The April 2021 Admin Key Compromise","severity":"critical","sources":[{"credibility":2,"name":"EasyFi Security Incident — EASY HardFork & Tokenswap (Official Medium post)","type":"official","url":"https://medium.com/easify-network/easyfi-security-incident-66c02a277a91"},{"credibility":2,"name":"Explained: The EasyFi Hack (April 2021) — Halborn","type":"news","url":"https://halborn.com/explained-the-easyfi-hack-april-2021/"},{"credibility":2,"name":"EasyFi Hacked for Over $80 Million in MetaMask Attack — Crypto Briefing","type":"news","url":"https://cryptobriefing.com/easyfi-hacked-over-80-million-metamask-attack/"}]},{"content":"Using the stolen admin keys, the attacker drained approximately $6 million in user deposits denominated in USDT, USDC, DAI, MATIC, and ETH from EasyFi's Polygon liquidity pools, and transferred 2.98 million EASY tokens — representing roughly 30% of total token supply — to attacker-controlled address 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37 on Ethereum. At the time of theft, EASY traded near $25, placing the nominal face value of the token tranche at approximately $75–80 million; however, liquid realizable value was far lower due to thin market depth. On-chain analysis documented that the stablecoin proceeds were routed through Ren Bridge and wrapped Bitcoin (renBTC/WBTC) mechanisms to convert assets into Bitcoin, with funds subsequently mixed through dark pools and consolidated at addresses linked to exchanges including AscendEX/Bitmax and Binance. BSC-based pools were reported to be unaffected at the time of the incident.","heading":"Funds Stolen and On-Chain Movements","severity":"critical","sources":[{"credibility":1,"name":"DeFi Protocol EasyFi Reports Hack, Loss of Over $80M in Funds — CoinDesk","type":"news","url":"https://www.coindesk.com/markets/2021/04/20/defi-protocol-easyfi-reports-hack-loss-of-over-80m-in-funds"},{"credibility":2,"name":"EasyFi Rekt — Rekt News","type":"news","url":"https://rekt.news/easyfi-rekt"},{"credibility":1,"name":"Easyfi Hacker address on Etherscan","type":"onchain","url":"https://etherscan.io/address/0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37"},{"credibility":2,"name":"lazarus-bluenoroff-research / easyfi.md — tayvano (GitHub)","type":"research","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/easyfi.md"}]},{"content":"Security analysts noted that the protocol relied on a single externally-owned account (EOA) admin key rather than a multisig wallet, which meant that compromise of one machine was sufficient to drain all liquidity without any secondary approval or time-delay mechanism. Rekt News observed that the admin key's transfer function carried no timelock, making the protocol's entire TVL dependent on the physical security of one computer. The decision to store mnemonic keys in MetaMask on a general-purpose machine — even one kept mostly offline — rather than in a hardware wallet or a multi-party signing arrangement was identified as the root operational failure. These deficiencies pre-existed the hack and represent a structural governance risk.","heading":"Operational Security Failures","severity":"high","sources":[{"credibility":2,"name":"EasyFi Rekt — Rekt News","type":"news","url":"https://rekt.news/easyfi-rekt"},{"credibility":2,"name":"Explained: The EasyFi Hack (April 2021) — Halborn","type":"news","url":"https://halborn.com/explained-the-easyfi-hack-april-2021/"}]},{"content":"Following public disclosure on April 20, 2021, EasyFi CEO Ankitt Gaur offered a $1 million bounty for the return of stolen funds and engaged forensic security firms to trace the attacker. Within approximately four days the team executed a token hard fork, creating a new contract (EASY V2) with the ticker changed to EZ, maintaining a 1:1 swap ratio for legitimate holders at snapshots taken at Ethereum block 12276665, Polygon block 13497393, and BSC block 6729137 on April 20 at 11:10 AM UTC. The hard fork was explicitly designed to render the attacker's stolen EASY tokens valueless by making them non-exchangeable for the new EZ contract. Deposits and withdrawals were suspended pending the migration.","heading":"Team Response and Hard Fork","severity":"medium","sources":[{"credibility":2,"name":"EasyFi Security Incident — EASY HardFork & Tokenswap (Official Medium post)","type":"official","url":"https://medium.com/easify-network/easyfi-security-incident-66c02a277a91"},{"credibility":2,"name":"EasyFi Reinstatement Plan — EasyFi Network Medium","type":"official","url":"https://medium.com/easify-network/easyfi-reinstatement-plan-8cb4e67071a8"}]},{"content":"EasyFi published a compensation plan for the approximately $6 million in liquid deposits stolen from protocol pools. The plan allocated 25% of lost funds to be distributed immediately in stablecoin form, with the remaining 75% issued as IOU tokens redeemable 1:1 for EZ v2 tokens over a six-month vesting period at a 25% discount to the spot price of EZ at time of distribution. Affected users were also promised future airdrops from unspecified partner projects. Critically, the 2.98 million stolen EASY tokens — the larger nominal portion of the loss — were not separately compensated because the hard fork neutralized that tranche. The adequacy and ultimate execution of the compensation plan for depositors is not fully documented in available public sources.","heading":"Compensation Plan for Affected Depositors","severity":"high","sources":[{"credibility":1,"name":"Reeling from post-hack price slump, EasyFi reveals community compensation plan — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/reeling-from-post-hack-price-slump-easyfi-reveals-community-compensation-plan"},{"credibility":2,"name":"After Its Reinstatement Plan, EasyFi Announces Compensation Plan — Crypto Daily","type":"news","url":"https://cryptodaily.co.uk/2021/05/easyfi-compensation-plan"},{"credibility":2,"name":"Security Incident: EasyFi to Compensate 100% of the Depositors Net Balances — Bitcoinist","type":"news","url":"https://bitcoinist.com/security-incident-easyfi-to-compensate-100-of-the-depositors-net-balances/"}]},{"content":"No public law enforcement action, arrest, or indictment related to the EasyFi hack has been identified in available sources as of the date of this report. The attacker address (0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37) is publicly labeled on Etherscan but no named individual has been charged. Researcher Taylor Monahan's open-source Lazarus/BlueNoroff attribution repository (lazarus-bluenoroff-research) lists EasyFi as a suspected DPRK-linked theft incident and references UN Security Council documentation connecting the pattern of attack to North Korean state-sponsored actors; however, this attribution is assessed as alleged and has not been confirmed by a government agency or court filing. The stolen funds were laundered through Ren Bridge, renBTC/WBTC conversion, and mixing services including Chipmixer, with residual flows traced to exchange deposit addresses at AscendEX and Binance.","heading":"Attacker Attribution and Law Enforcement","severity":"high","sources":[{"credibility":2,"name":"lazarus-bluenoroff-research / easyfi.md — tayvano (GitHub)","type":"research","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/easyfi.md"},{"credibility":1,"name":"EasyFi hack attacker address — Etherscan","type":"onchain","url":"https://etherscan.io/address/0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37"}]},{"content":"The EASY token fell from approximately $25 to below $17 in the immediate aftermath of the April 2021 disclosure. Post-hard-fork, the replacement EZ token never recovered to pre-hack levels. As of 2025, EZ trades at or near $0.001 USD with a market capitalization under $10,000, representing a decline of approximately 99.99% from its all-time high of $44.39 recorded on April 6, 2021 — just days before the hack. The 24-hour trading volume on most platforms is effectively zero, indicating the protocol has minimal active users. CertiK assigned EasyFi a security score of 3.9 out of 10. The official EasyFi website (easyfi.network) remains reachable as of this investigation, and the EasyfiNetwork X account exists, but the protocol has no discernible TVL tracked by DeFiLlama or comparable platforms.","heading":"Token Price Impact and Long-Term Protocol Status","severity":"high","sources":[{"credibility":2,"name":"EasyFi price today, EZ to USD live price — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/easyfi/"},{"credibility":2,"name":"$80 million taken from EasyFi lending platform — Web3 Is Going Great","type":"news","url":"https://www.web3isgoinggreat.com/?id=80-million-taken-from-easyfi"}]}],"sources_used":[{"name":"EasyFi Security Incident — EASY HardFork & Tokenswap (Official Medium post)","type":"official","url":"https://medium.com/easify-network/easyfi-security-incident-66c02a277a91"},{"name":"DeFi Protocol EasyFi Reports Hack, Loss of Over $80M in Funds — CoinDesk","type":"news","url":"https://www.coindesk.com/markets/2021/04/20/defi-protocol-easyfi-reports-hack-loss-of-over-80m-in-funds"},{"name":"EasyFi Hacked for Over $80 Million in MetaMask Attack — Crypto Briefing","type":"news","url":"https://cryptobriefing.com/easyfi-hacked-over-80-million-metamask-attack/"},{"name":"Explained: The EasyFi Hack (April 2021) — Halborn","type":"news","url":"https://halborn.com/explained-the-easyfi-hack-april-2021/"},{"name":"EasyFi Rekt — Rekt News","type":"news","url":"https://rekt.news/easyfi-rekt"},{"name":"EasyFi Reinstatement Plan — EasyFi Network Medium","type":"official","url":"https://medium.com/easify-network/easyfi-reinstatement-plan-8cb4e67071a8"},{"name":"Reeling from post-hack price slump, EasyFi reveals community compensation plan — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/reeling-from-post-hack-price-slump-easyfi-reveals-community-compensation-plan"},{"name":"Compound Finance Fork EasyFi Loses Over $60M in Admin Key Hack — The Defiant","type":"news","url":"https://thedefiant.io/news/hacks/compound-finance-fork-easyfi-loses-over-60m-in-admin-key-hack"},{"name":"lazarus-bluenoroff-research / easyfi.md — tayvano (GitHub)","type":"research","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/easyfi.md"},{"name":"Easyfi Hacker address — Etherscan","type":"onchain","url":"https://etherscan.io/address/0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37"},{"name":"EasyFi EZ V2 token contract — Etherscan","type":"onchain","url":"https://etherscan.io/token/0x00aba6fe5557de1a1d565658cbddddf7c710a1eb"},{"name":"EasyFi price today, EZ to USD live price — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/easyfi/"},{"name":"$80 million taken from EasyFi lending platform — Web3 Is Going Great","type":"news","url":"https://www.web3isgoinggreat.com/?id=80-million-taken-from-easyfi"},{"name":"Security Incident: EasyFi to Compensate 100% of the Depositors Net Balances — Bitcoinist","type":"news","url":"https://bitcoinist.com/security-incident-easyfi-to-compensate-100-of-the-depositors-net-balances/"},{"name":"EasyFi Network Details $6M DeFi Hack in Latest Postmortem — BeInCrypto","type":"news","url":"https://beincrypto.com/easyfi-network-6m-defi-hack-in-latest-postmortem/"}],"summary":"EasyFi Network was a Polygon-based DeFi lending protocol that suffered one of the largest private-key compromise incidents in early DeFi history. On April 19, 2021, an attacker remotely compromised founder Ankitt Gaur's machine and extracted MetaMask admin keys, stealing approximately $6 million in stablecoins and 2.98 million EASY tokens (face value ~$75–80 million, liquid value ~$6 million). Following a hard fork to a new EZ token and a partial compensation plan, the protocol never recovered meaningful adoption; the EZ token as of 2025 trades at near-zero value.","timeline":[{"date":"2021-04-06","event":"EASY token reaches all-time high of approximately $44.39 USD, days before the hack.","source":"CoinMarketCap","source_url":"https://coinmarketcap.com/currencies/easyfi/"},{"date":"2021-04-19","event":"At approximately 10:40 AM UTC, an attacker compromises founder Ankitt Gaur's computer, extracts MetaMask mnemonic keys, and drains $6 million in stablecoins and 2.98 million EASY tokens from EasyFi protocol contracts on Polygon and Ethereum.","source":"EasyFi Official Medium / CoinDesk","source_url":"https://medium.com/easify-network/easyfi-security-incident-66c02a277a91"},{"date":"2021-04-20","event":"EasyFi CEO Ankitt Gaur publicly discloses the hack, suspends deposits and withdrawals, and announces a $1 million bounty for the return of funds. Attacker address identified as 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2021/04/20/defi-protocol-easyfi-reports-hack-loss-of-over-80m-in-funds"},{"date":"2021-04-20","event":"EasyFi executes token snapshots on Ethereum (block 12276665), Polygon (block 13497393), and BSC (block 6729137) to establish legitimate holder balances for the forthcoming hard fork.","source":"EasyFi Official Medium","source_url":"https://medium.com/easify-network/easyfi-security-incident-66c02a277a91"},{"date":"2021-04-23","event":"EasyFi publishes its Reinstatement Plan, announcing the hard fork to EASY V2 (ticker: EZ) at a 1:1 swap ratio, with the intent of rendering the attacker's stolen EASY tokens worthless.","source":"EasyFi Network Medium","source_url":"https://medium.com/easify-network/easyfi-reinstatement-plan-8cb4e67071a8"},{"date":"2021-05-01","event":"EasyFi announces its compensation plan: 25% of depositor losses to be paid immediately in stablecoins, 75% in IOU tokens vesting over six months redeemable for EZ v2 at a 25% discount.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/reeling-from-post-hack-price-slump-easyfi-reveals-community-compensation-plan"},{"date":"2025-01-01","event":"EZ token trading near $0.001 USD with near-zero volume and market capitalization under $10,000. Protocol shows no measurable TVL. Attacker remains unidentified and no law enforcement action has been publicly reported.","source":"CoinMarketCap / Etherscan","source_url":"https://coinmarketcap.com/currencies/easyfi/"}]},"v":1}