The $200K Drain — Live On-Chain Investigation
On May 11, 2026, @0xUnihax0r was drained for $200K+ across Ethereum, Base, and BSC. I independently traced one branch of the operation — from a fresh drain wallet through a 5-day-old operator hub, across deBridge to Base, into a 51,000+ transaction contract routing fees to an address Arkham identifies as the Sigma.win Deployer. The downstream trail ends at Kraken. All findings are independently verifiable on-chain.
Investigator: @0x_note
Date: May 11–12, 2026
Target: 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A
Chain: Ethereum, Base, BSC
Status: Funds partially recoverable at time of investigation
---
Background
On May 11, 2026, crypto trader @0xUnihax0r posted publicly that he had been drained for over $200,000 across multiple chains. The drain happened manually over approximately 10 minutes across Ethereum, Base, and BSC. Two wallets were affected — both originally created inside the Sigma Telegram trading bot, then imported into GMGN and Rabby Wallet.
This report documents an independent on-chain investigation conducted using two custom Python tools: wallet_investigator.py and multi_hop_tracer.py. Both scripts use the Etherscan API and Alchemy RPC to collect, normalise, and analyse on-chain data.
---
The Drain Wallet
Address: 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A
This wallet had never existed before May 11, 2026. Its first transaction was at 00:53 UTC. By 01:27 UTC — 34 minutes later — it had processed stolen assets from multiple victims across three chains.
Key profile data from wallet_investigator.py:
| Field | Value |
|-------|-------|
| First seen | 2026-05-11 00:53 UTC |
| Last seen | 2026-05-11 01:19 UTC |
| ETH In (normal) | 5.904 ETH |
| ETH In (internal) | 4.319 ETH |
| Total received | 10.223 ETH |
| Balance at investigation | 10.199 ETH |
| Nonce | 6 |
| Active days | 0 |

Risk flags triggered:
- `TRANSACTION_BURST` — 11 transactions in a 60-minute window
- `CONCENTRATED_TIMING` — concentration score 0.52, activity only in UTC hours 00–01
Spoof token detected: ĖTḨ — homoglyph fake ETH token sent outward. This wallet was an ACTIVE SENDER, confirming operator-level involvement, not a passive victim.
The balance sheet showed clean reconciliation — total received minus balance minus fees equalled approximately zero. The money was still here when I ran the investigation.
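One way to detect a homoglyph token symbol such as the one flagged above. This is an added example, not code from wallet_investigator.py: the watch-list, the look-alike table and every sample row except the reported symbol are constructed for illustration.

```python
import unicodedata

# Tickers an attacker is likely to imitate (assumed watch-list, extend as needed).
KNOWN_TICKERS = {"ETH", "WETH", "USDT", "USDC", "BNB"}

# Cross-script look-alikes that Unicode decomposition does not fold to Latin.
# Small constructed subset (Cyrillic and Greek capitals), not a full table.
CONFUSABLES = {
    "\u0415": "E", "\u0422": "T", "\u041d": "H", "\u0412": "B", "\u0421": "C",
    "\u0405": "S", "\u0395": "E", "\u03a4": "T", "\u0397": "H", "\u0392": "B",
}

# Constructed sample of (token_symbol, direction) rows. The first symbol is the
# spoof reported above; the others are made up for contrast.
SAMPLE_TRANSFERS = [
    ("\u0116T\u1e28", "OUT"),        # E-with-dot-above, T, H-with-cedilla
    ("USDC", "IN"),                  # plain ASCII ticker
    ("\u0415\u0422\u041d", "IN"),    # all-Cyrillic look-alike
    ("E\u200bTH", "IN"),             # zero-width space inside the symbol
    ("PEPE", "IN"),
]

def skeleton(symbol):
    """Reduce a token symbol to the ASCII ticker a human would read it as."""
    out = []
    for ch in unicodedata.normalize("NFKD", symbol):
        if unicodedata.combining(ch):                  # dots, cedillas, accents
            continue
        if unicodedata.category(ch) in ("Cf", "Zs"):   # zero-width chars, spaces
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).upper()

def imitated_ticker(symbol):
    """Return the ticker a non-ASCII symbol imitates, or None."""
    if symbol.isascii():
        return None   # ASCII symbols must be judged by contract address instead
    skel = skeleton(symbol)
    return skel if skel in KNOWN_TICKERS else None

def flag_spoof_transfers(transfers):
    """Return (symbol, imitated_ticker, direction) for every spoofed symbol."""
    return [(sym, imitated_ticker(sym), direction)
            for sym, direction in transfers if imitated_ticker(sym)]

if __name__ == "__main__":
    for row in flag_spoof_transfers(SAMPLE_TRANSFERS):
        print(row)
```

The direction column matters for triage: an outgoing spoof transfer marks the wallet as a sender of the fake token rather than a recipient of it.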
---
The Operator Hub
Address: 0x62ace10c7f2aa0e9b5a8e09cbf5d18d0f8a1ee8a
The drain wallet was funded with 5.80 ETH from this address — making it the operator hub, the central controlling wallet for this operation.
Running wallet_investigator.py on the hub revealed:
| Field | Value |
|-------|-------|
| First seen | 2026-05-05 05:24 UTC |
| Last seen | 2026-05-11 01:07 UTC |
| Active days | 5 |
| Total received | 68.74 ETH |
| ETH In (internal) | 61.39 ETH |
| Nonce | 34 |
| Unique tokens | 9 |

All 68.74 ETH was distributed outward — to unknown addresses, contracts, and deBridge bridge transactions. Current balance: 0.024 ETH. This is a distribution hub, not an accumulation wallet.
Top recipients from the operator hub:
| Address | Amount | Type |
|---------|--------|------|
| `0x9c65d15a671d814ef7be25418fd46139e7366c07` | 32.15 ETH | Contract |
| `0x4c82d1fbfe28c977cbb58d8c7ff8fcf9f70a2cca` | 13.80 ETH | Contract |
| `0xef4fb24ad0916217251f553c0596f8edc630eb66` | 12.00 ETH | deBridge contract |
| `0xf827725498e6fcf62d331566965f5254bcda081f` | 0.95 ETH | Wallet |
| `0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A` | 5.80 ETH | Drain wallet (victim) |

Timezone profile: Peak activity at 07:00 UTC, estimated operator timezone UTC+7 (Southeast Asia — Vietnam, Thailand, Indonesia). Treat as weak signal only — not confirmed.
---
The Vanity Wallet Cluster
Independent researcher @the_smart_ape identified something significant in his Dune analysis: four wallets all sharing the exact same 8 hex characters at identical positions.
0x62ace10c7f2aa0e9b5a8e09cbf5d18d0f8a1ee8a ← operator hub
0x62ace0e0ecf70f62399b26e28eaf74cc455bee8a
0x62ac07ae9242c354f6c307bbd9b36c749a5aee8a
0x62ac6095d7e9189353bcbf17d439348ab7a1ee8a
All share the prefix 0x62ac and suffix ee8a. Finding four wallets matching this exact pattern by accident is statistically impossible. These were generated by a vanity address tool — a GPU-intensive process that searches for addresses matching a specific pattern.
The three non-hub wallets sent only worthless memecoins to the drainer. This suggests they were used for address poisoning — creating look-alike addresses to confuse victims and investigators tracing fund flows.
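The prefix/suffix pattern above can be checked mechanically over any counterparty list. The following is an added example, not part of the original tools: it groups addresses by their leading and trailing hex characters, estimates how many such pairs chance alone would produce, and lists look-alikes of a trusted address. It generalises beyond the four wallets to any list size; the function names and the 4+4 character window are assumptions.

```python
from collections import defaultdict
from math import comb

# Addresses as printed in this report: the four look-alikes plus three
# unrelated ones (drain wallet, fee collector, Base contract) as controls.
ADDRESSES = [
    "0x62ace10c7f2aa0e9b5a8e09cbf5d18d0f8a1ee8a",
    "0x62ace0e0ecf70f62399b26e28eaf74cc455bee8a",
    "0x62ac07ae9242c354f6c307bbd9b36c749a5aee8a",
    "0x62ac6095d7e9189353bcbf17d439348ab7a1ee8a",
    "0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A",
    "0xB25750FA55B302c9a3997f64d24c0B14aFDd3165",
    "0x8CC69C61712589F74F15415ceCB3D00701c84C35",
]

def _body(addr):
    """Lower-case 40-hex-character body of an address, or None if malformed."""
    a = addr.lower()
    a = a[2:] if a.startswith("0x") else a
    ok = len(a) == 40 and all(c in "0123456789abcdef" for c in a)
    return a if ok else None

def affix_clusters(addresses, prefix_len=4, suffix_len=4, min_size=2):
    """Group addresses that share the same leading and trailing hex characters."""
    groups = defaultdict(set)
    for addr in addresses:
        body = _body(addr)
        if body:
            groups[(body[:prefix_len], body[-suffix_len:])].add("0x" + body)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

def expected_chance_pairs(n, prefix_len=4, suffix_len=4):
    """Expected number of coincidental matching pairs among n random addresses."""
    return comb(n, 2) * 16.0 ** -(prefix_len + suffix_len)

def lookalikes(trusted, candidates, prefix_len=4, suffix_len=4):
    """Different addresses that match `trusted` at both ends (poisoning check)."""
    t = _body(trusted)
    hits = []
    for cand in candidates:
        c = _body(cand)
        if (c and c != t and c[:prefix_len] == t[:prefix_len]
                and c[-suffix_len:] == t[-suffix_len:]):
            hits.append("0x" + c)
    return hits

if __name__ == "__main__":
    print(affix_clusters(ADDRESSES))
    print(expected_chance_pairs(len(ADDRESSES)))
```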
---
The deBridge Bridge — Funds Leave Ethereum
From the operator hub, two transactions bridged ETH to Base via deBridge:
| Transaction | Amount | Date |
|-------------|--------|------|
| `0x110070e1bc9a7c79...` | 10.001 ETH | May 10, 2026 |
| `0x8cddb28a4bd1255f...` | 2.001 ETH | May 5, 2026 |

Total bridged: 12 ETH to Base.
The deBridge order data confirmed the receiver on Base was the same operator hub address — 0x62ace10c7f2aa0e9b5a8e09cbf5d18d0f8a1ee8a. Same-address bridge — the operator controls identical addresses across chains.
---
The Base Operation
Checking the operator hub on Basescan revealed 68 transactions over 6 days. The dominant outgoing destination was a single contract:
Contract: 0x8CC69C61712589F74F15415ceCB3D00701c84C35
| Field | Value |
|-------|-------|
| Created | 28 days before investigation |
| Total transactions | 51,000+ |
| Source code | Unverified |
| Contract creator | `0x107f250E57Ccb5bcace077B444080c271BaA0450` |
| ETH received from operator | 47+ ETH across multiple transactions |

The operator deposited into this contract in chunks: 10 ETH, 8 ETH, 5 ETH + 5 ETH + 5 ETH, 5 ETH + 5 ETH, 1.3 ETH, 1.25 ETH, 1 ETH.
Analysing the internal transaction CSVs from this contract revealed a consistent micro-payment pattern — every single transaction sends a small fee to one address:
Fee collector: 0xB25750FA55B302c9a3997f64d24c0B14aFDd3165
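A sketch of how a recurring fee recipient can be pulled out of internal-transaction rows like those described above. This is an added example, not the analysis code used for this report: the CSV columns, the placeholder addresses and the thresholds are constructed assumptions, not a real explorer export.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample: internal transfers emitted by one contract across three
# parent transactions. Column names and addresses are placeholders.
SAMPLE_CSV = """tx_hash,from,to,value_eth
0xaaa1,0xCONTRACT,0xRECIPIENT_A,0.990
0xaaa1,0xCONTRACT,0xFEE,0.010
0xaaa2,0xCONTRACT,0xRECIPIENT_B,4.950
0xaaa2,0xCONTRACT,0xFEE,0.050
0xaaa3,0xCONTRACT,0xRECIPIENT_A,1.980
0xaaa3,0xCONTRACT,0xFEE,0.020
"""

def fee_collector_candidates(csv_text, min_coverage=0.9, max_share=0.05):
    """Recipients paid in nearly every transaction, but only a small slice of it.

    Returns (address, coverage, median_share) tuples, where coverage is the
    fraction of parent transactions that pay the address and median_share is
    its typical fraction of the value moved in those transactions.
    """
    per_tx = defaultdict(lambda: defaultdict(float))
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_tx[row["tx_hash"]][row["to"].lower()] += float(row["value_eth"])

    shares = defaultdict(list)
    for transfers in per_tx.values():
        total = sum(transfers.values())
        if total == 0:
            continue                      # skip zero-value call traces
        for to, value in transfers.items():
            shares[to].append(value / total)

    found = []
    for to, s in shares.items():
        coverage = len(s) / len(per_tx)
        if coverage >= min_coverage and median(s) <= max_share:
            found.append((to, round(coverage, 3), round(median(s), 4)))
    return sorted(found, key=lambda r: -r[1])

if __name__ == "__main__":
    print(fee_collector_candidates(SAMPLE_CSV))
```

High coverage with a small, stable share is what separates a fee address from an ordinary frequent counterparty, which would show high coverage but a large share.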
---
The Sigma.win Connection
Checking the fee collector 0xB25750FA55B302c9a3997f64d24c0B14aFDd3165 on Arkham Intelligence returned a significant label:
**Sigma.win: Deployer**
The Arkham tracer showed every major inflow to this address coming from Sigma.win's own labelled contracts:
- Sigma.win (0xECB) — $6M
- Sigma.win: Proxy (EIP-1967) — $1M
- Sigma.win: Proxy (EIP-1967) — $771K
- Sigma.win: Proxy (EIP-1967) — $265K
- Sigma.win (0xb65) — $246K
- Sigma.win (0x7Be) — $108K
- Base: L1 Standard Bridge — $2M
Total historical flows through the fee collector: $39.75M across 396 transactions.
The contract creator 0x107f250E57Ccb5bcace077B444080c271BaA0450 also deployed a second contract 63 days prior — and that contract sends fees to the same collector. Two separate contracts, one operator, one fee address, all connected to Sigma.win's labelled infrastructure.
Important caveat: This finding establishes that Sigma.win's own deployer address is embedded in the drainer fee infrastructure. It does not conclusively prove that Sigma.win is responsible for the drain. The operator may have used Sigma's trading platform to swap stolen proceeds, with Sigma collecting its standard 1% fee in the normal course of business. Sigma.win publicly stated the compromise was external and that they are cooperating with the victim. This finding warrants a direct explanation from the platform — it does not constitute proof of wrongdoing.
---
The Downstream Trail — Kraken
Following the fee collector outflows:
0xB25750FA... (Sigma.win Deployer — fee collector)
↓ funded 1yr 255 days ago (0.1 ETH seed)
0xb6D2278298e080c0ae8e47aA1DDFb08090945010
↓ 70.72 ETH — 7 days before investigation
0xf33b267b2B79045C3E7e58bA13F2bE2d2C42b4c3 (fresh wallet)
↓
0x9baF69E38c079a911D9D6d606213247AB34E92aE (known phishing cluster)
↓
0x57E850f50390823ee1bEa78112F1F8011bbEb8d0 (funded by Kraken Hot Wallet 4)
↓
0xf30ba13e4b04Ce5dC4D254Ae5FA95477800F0EB0 (Kraken Hot Wallet 2)
The trail ends at two confirmed Kraken hot wallets. This indicates the operator has a Kraken account used to deposit and withdraw proceeds. Kraken holds KYC data on this account.
Additional funding source: The operator hub on Base was funded by FixedFloat 22 days before the investigation — transaction 0xa23830f833f5cb24b6304ebf8a7010027f99aeac42f2d359e88664116ccb2dbf. FixedFloat is a cryptocurrency exchange with transaction records for this order.
---
The Cross-Investigation Connection (BSC)
Independent researcher @SpecterAnalyst identified a parallel cluster of 50+ victims with $665K+ in losses showing the same key compromise pattern. He identified two BSC laundering addresses known as AudiA6:
- `0xb3fD7DE3f8242D925E0EA9e1660e395def56D9C7`
- `0x02DaadFA6bbD1d99B2D53fDC6Cbe0DeAab8FbB20`
I checked both addresses on BSC using a free public RPC:
| Address | BSC Balance | BSC Nonce | Ethereum Activity |
|---------|-------------|-----------|-------------------|
| `0xb3fD7DE3...` | 0.000000625 BNB | 1 | None |
| `0x02DaadFA...` | 0.000000625 BNB | 1 | None |

Both were seeded with identical dust amounts and each executed exactly one outgoing transaction within 50 minutes of each other:
- `0xb3fD7DE3` — seeded from `0x40a00742...4c547A152`, sent 44.42 BNB to `0x40a0b848...128eAA152`
- `0x02DaadFA` — seeded from `0xdB13ffa2...3793b0aE1`, sent 44.64 BNB to `0xdB133517...2d1d40aE1`
Both follow the same pattern seen in the Ethereum investigation — programmatically generated single-use wallets with matching address prefixes (0x40a0 and 0xdB13), mirroring the 0x62ac prefix cluster on Ethereum. Identical dust amounts, identical fees, automated execution. The infrastructure across both investigations shares the same operational signature.
---
Complete Fund Flow Diagram
ETHEREUM
════════
FixedFloat (funded operator 22 days prior)
↓
0x62ace10c7f2aa0e9b5a8e09cbf5d18d0f8a1ee8a ← OPERATOR HUB
↓
├── 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A ← DRAIN WALLET (victim)
│ └── 10.2 ETH still on-chain at time of investigation
│
├── deBridge → BASE (12 ETH)
│
├── 0x9c65d15a671d814ef7be25418fd46139e7366c07 (contract — 32.15 ETH)
├── 0x4c82d1fbfe28c977cbb58d8c7ff8fcf9f70a2cca (contract — 13.80 ETH)
└── 0xef4fb24ad0916217251f553c0596f8edc630eb66 (deBridge — 12 ETH)
BASE
════
0x62ace10c7f2aa0e9b5a8e09cbf5d18d0f8a1ee8a ← SAME OPERATOR ON BASE
↓
0x8CC69C61712589F74F15415ceCB3D00701c84C35 ← CASH-OUT CONTRACT (51K+ txs)
↓ (fees on every tx)
0xB25750FA55B302c9a3997f64d24c0B14aFDd3165 ← FEE COLLECTOR (Sigma.win Deployer)
↓
0xb6D2278298e080c0ae8e47aA1DDFb08090945010 (EOA — 260+ ETH)
↓ 70.72 ETH
0xf33b267b2B79045C3E7e58bA13F2bE2d2C42b4c3
↓
0x9baF69E38c079a911D9D6d606213247AB34E92aE (known phishing cluster)
↓
0x57E850f50390823ee1bEa78112F1F8011bbEb8d0
↓
0xf30ba13e4b04Ce5dC4D254Ae5FA95477800F0EB0 ← KRAKEN HOT WALLET 2

---
## Key Findings Summary
| Finding | Confidence | Evidence |
|---------|------------|----------|
| Drain wallet is operator-controlled | CONFIRMED | ACTIVE SENDER spoof token, seeded by operator hub |
| Operation active for at least 5 days on Ethereum | CONFIRMED | Operator hub first seen May 5 |
| Funds bridged to Base via deBridge | CONFIRMED | Two deBridge order receipts |
| Base contract routes fees to Sigma.win Deployer | CONFIRMED | Arkham label, internal tx CSV analysis |
| $39.75M total flows through fee collector | CONFIRMED | Arkham tracer |
| Downstream trail ends at Kraken | CONFIRMED | On-chain address labels |
| Operation uses automated single-use wallet infrastructure | CONFIRMED | Identical dust amounts, fees, timing |
| Vanity address tool used for obfuscation | CONFIRMED | 4 wallets with identical hex pattern |
| Sigma.win directly responsible for drain | UNCONFIRMED | Requires further investigation |
| Full $200K traced | NOT ACHIEVED | ~10 ETH traced, one branch of multi-chain drain |
---
Recovery Recommendations
For @0xUnihax0r:
1. Contact Kraken compliance immediately at compliance@kraken.com with all addresses in this report. Kraken has KYC data on the account associated with Hot Wallet 2.
2. Contact deBridge security at security@debridge.finance with transaction hashes 0x110070e1bc9a7c79... and 0x8cddb28a4bd1255f....
3. Contact FixedFloat at support@fixedfloat.com — they funded the operator 22 days prior and have transaction records.
4. File with FBI IC3 at ic3.gov — include all addresses and the Arkham screenshot showing $39.75M in flows.
5. The 10.2 ETH in 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A was still on-chain at time of investigation. Contact all major exchanges to pre-flag this address before deposit.
---
Tools Used
| Tool | Purpose |
|------|---------|
| wallet_investigator.py | Full wallet profiling — identity, balance sheet, risk flags, timing analysis |
| multi_hop_tracer.py | BFS forward and backward fund tracing across multiple hops |
| Etherscan API | Transaction data — Ethereum |
| Basescan (manual) | Transaction data — Base |
| BscScan (manual) | Address verification — BSC |
| web3.py + BSC public RPC | Balance and nonce checks — BSC |
| Arkham Intelligence | Address labelling and entity attribution |
| deBridge Explorer | Cross-chain order tracking |
---
References
- @0xUnihax0r — original victim report (X, May 11 2026)
- @the_smart_ape — comprehensive Dune analysis confirming $173K scope across 5 wallets
- @SpecterAnalyst — cross-chain cluster analysis, 50+ victims, $665K+
- @SigmaTrading — platform security response (X, May 11 2026)
- Arkham Intelligence — entity labelling for `0xB25750FA...`
---
Disclaimer
All addresses referenced in this report are publicly available on-chain. This report presents investigative findings derived from public blockchain data. It does not constitute legal conclusions, attribute criminal liability, or make definitive claims about platform responsibility. The Sigma.win connection is presented as a finding that warrants explanation — not as proof of wrongdoing.
---
Report compiled by @0x_note | May 2026
Tools: wallet_investigator.py + multi_hop_tracer.py
GitHub: https://github.com/notes0x/blockchain-intelligence
