Skip to main content
Sign in
Wintermute1 decision on this page

Audit log

Every state-changing event for Wintermute: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-20 18:58:59Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-beta
    sig
    38s69PfndPM2…xRQwooPjexplorer ↗
    hash
    2dBNSyGvxMJT…6czMwZtpsha256 → base58
    verifying row…full verify ↗
    canonical bytes (6317 B) ▸
    {"actor":"system:backfill","investigation_id":"c0832d18-9663-491d-8289-727146536eaf","kind":"publish","page_slug":"wintermute","published_at":"2026-05-20T18:58:59.439Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Wintermute","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/09/20/crypto-market-maker-wintermute-hacked-for-160m-says-ceo"},{"credibility":3,"name":"","type":"other","url":"https://www.wintermute.com/insights/market-color/reports/wintermute-otc-2024-in-review-2025-outlook"},{"credibility":3,"name":"","type":"other","url":"https://www.tradersmagazine.com/featured_articles/wintermute-expands-into-u-s-makes-new-policy-hire/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://blog.1inch.com/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool/"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-wintermute-hack-september-2022"},{"credibility":3,"name":"","type":"other","url":"https://www.certik.com/resources/blog/uGiY0j3hwOzQOMcDPGoz9-wintermute-hack"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/cyber-sleuth-alleges-160m-wintermute-hack-was-an-inside-job"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/09/20/crypto-market-maker-wintermute-hacked-for-160m-says-ceo"},{"credibility":3,"name":"","type":"other","url":"https://beincrypto.com/1inch-severe-vulnerability-ethereum-vanity-address-tool-risks-millions-dollars/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.numencyber.com/an-analysis-of-wintermutes-usd160-million-hacking/"},{"credibility":3,"name":"","type":"other","url":"https://www.merklescience.com/blog/hack-track-analysis-of-wintermute-attack"},{"credibility":3,"name":"","type":"other","url":"https://immunebytes.com/blog/wintermute-crypto-exchange-hack-sep-20-2022-detailed-analysis/"},{"credibility":3,"name":"","type":"other","url":"https://quillaudits.medium.com/wintermutes-160m-exploit-analysis-quillaudits-f1dbd217b9f9"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/10/14/crypto-market-maker-wintermute-pays-off-96m-truefi-debt-weeks-after-being-hacked"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/wintermute-repays-92m-truefi-loan-on-time-despite-suffering-160m-hack"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/09/20/hacked-crypto-market-maker-wintermute-has-200m-in-outstanding-defi-debt"},{"credibility":3,"name":"","type":"other","url":"https://www.sec.gov/files/ctf-written-wintermute-11172025.pdf"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-wintermute-hack-september-2022"},{"credibility":3,"name":"","type":"other","url":"https://safeheron.com/blog/how-profanity-caused-wintermute-to-lose-160m/"},{"credibility":3,"name":"","type":"other","url":"https://www.theblock.co/post/170359/1inch-claims-potential-exploit-on-profanity-generated-ethereum-addresses"},{"credibility":3,"name":"","type":"other","url":"https://blockbytes.com/2023/02/13/crypto-casefiles-wintermute-hack/"}]}],"sources_used":[],"summary":"Wintermute is a London-headquartered algorithmic trading firm and cryptocurrency market maker founded in 2017 by Evgeny Gaevoy. On September 20, 2022, the firm's DeFi operations were exploited for approximately $160 million after an attacker leveraged a known cryptographic vulnerability in the Profanity vanity address tool to compromise Wintermute's admin private key. The stolen funds were never recovered, though the firm remained solvent, repaid its outstanding DeFi loans, and has continued operating and expanding into U.S. markets.","timeline":[{"date":"2017-01-01","event":"Wintermute founded in London by Evgeny Gaevoy, formerly of Optiver's European ETF desk.","source":""},{"date":"2022-09-15","event":"1inch Network publicly discloses a severe cryptographic vulnerability in Profanity, the Ethereum vanity address generator, recommending all users immediately transfer funds away from Profanity-generated addresses.","source":""},{"date":"2022-09-15","event":"Profanity vulnerability exploited by separate actors draining approximately $3.3 million from other wallets, establishing proof of exploitability before the Wintermute attack.","source":""},{"date":"2022-09-20","event":"Attacker uses a reconstructed private key from a Profanity-generated Wintermute admin wallet to drain approximately $160 million from Wintermute's DeFi vault across roughly 90 ERC-20 token types.","source":""},{"date":"2022-09-20","event":"CEO Evgeny Gaevoy publicly discloses the hack via Twitter, confirms solvency, and characterizes the incident as a potential white-hat event, offering the attacker a 10% bounty to return funds.","source":""},{"date":"2022-09-20","event":"Attacker routes approximately $114 million in stablecoins through Curve Finance 3pool to complicate asset freezes.","source":""},{"date":"2022-09-27","event":"Researcher 'Librehash' alleges via social media that the hack was an inside job based on alleged anomalous pre-hack transactions; Wintermute denies the allegation. BlockSec assesses the inside-job theory as unsubstantiated.","source":""},{"date":"2022-10-14","event":"Wintermute repays its $96 million TrueFi DeFi loan one day before deadline, demonstrating continued solvency following the hack.","source":""},{"date":"2023-01-01","event":"Stolen $160 million remains unrecovered; attacker's 10% white-hat bounty offer unclaimed. Wintermute resumes normal operations.","source":""},{"date":"2025-02-01","event":"Wintermute opens U.S. headquarters in New York City, expanding OTC and derivatives offerings.","source":""},{"date":"2025-09-03","event":"Wintermute submits formal feedback to the SEC Crypto Task Force, arguing network tokens should not be classified as securities.","source":""}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 9e5054ad-b822-4cc4-be91-7904c04ea807
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.