Mask Network founder’s wallet flagged for suspicious $4M crypto outflows

By FinanceFeeds
4 days ago

Cybersecurity platform Cyvers detected unusual outflows on Feb. 27 from an address linked to Mask Network founder Suji Yan.

The flagged transactions involved around $4 million in digital assets, mostly Ether-linked tokens. The assets suspected to have been stolen included 113 ETH, 923 WETH, 301 ezETH, 156 weETH, 90 pufETH, 48,400 MASK, 50,000 USDT, and 15 swETH.

Following the breach, the stolen funds were swapped into ETH and distributed across six different wallet addresses, with one of them ending in “df7.” Meir Dolev, Cyvers’ co-founder, said the attack highlights the increasing sophistication of cyber threats in Web3 and reinforces the need for real-time transaction monitoring and rapid response measures.

The incident is the latest in a wave of high-profile crypto hacks, including the record-breaking $1.4 billion Bybit exploit on Feb. 21 and the Pump.fun social media breach on Feb. 26. Investigations into the Bybit attack revealed that the breach stemmed from compromised SafeWallet developer credentials, allowing hackers to manipulate transaction approvals.

Bybit confirmed findings from Sygnia and Verichains, which pointed to malicious JavaScript code injected into SafeWallet’s Amazon Web Services (AWS) infrastructure as the entry point for the breach.

SafeWallet has since rebuilt its infrastructure, rotated credentials, and implemented additional security measures to prevent further exploitation. Bybit’s core infrastructure remained unaffected, according to the reports.

The Safe team clarified that its smart contracts and front-end services were not directly affected. Instead, attackers exploited the user interface to disguise fraudulent transactions as legitimate ones. Martin Köppelmann, co-founder of the Gnosis blockchain network, speculated that the hackers, believed to be North Korea’s Lazarus Group, may have avoided targeting other Safe users to prevent detection.

Blockchain security firms, including Arkham Intelligence, linked the North Korea-backed Lazarus Group to the Bybit exploit, which drained liquid-staked ETH (stETH), Mantle Staked ETH (mETH), and other assets from the exchange on Feb. 21.

 
