CertiK, a blockchain security company and smart-contract auditor, reported that it has successfully frozen $160,000 of the funds stolen from Merlin, a decentralized exchange that was the target of a malicious insider “rug pull” in April that cost users about $1.8 million.
According to CertiK, illicit actors used Ponzi schemes, vulnerabilities, exit scams, and flash loan attacks to steal more than $100 million from cryptocurrency projects and investors in that period. The firm maintained that insiders at Merlin were responsible for the incident, rug-pulling its users for that enormous sum.
We have successfully frozen $160K of the stolen funds with the help of partners. We will continue to monitor the movement of all stolen funds in an attempt to freeze and recover the remaining amount.
— CertiK (@CertiK) May 4, 2023
On May 4, CertiK updated its Twitter followers on one of its most recent actions: the successful freezing of part of the stolen funds. The firm stated that it was able to freeze the assets with the assistance of partners and that it is continuing to track the flow of the remaining funds.
“This was an internal rug pull,” the on-chain monitoring firm said. “Merlin insiders abused the owner’s wallet’s privileges.”
CertiK is Making Efforts to Locate the Scammers
CertiK did, however, state that when it initially attempted to work with the remaining Merlin team members, several of the key members were resistant to confirming their true identities. This complicated the on-chain monitoring firm’s efforts to support victims, so it turned to law enforcement agencies in the United States and the United Kingdom to track down the stolen funds and bring the perpetrators to justice.
Furthermore, the security company believes the “rogue developers” are located in Europe, as stated in a previous tweet in which it urged the developers to accept a 20% white hat bounty and revealed that it was looking into a community compensation plan.
However, CertiK admitted that it was partially to blame for failing to adequately alert users to the risks of centralization. Although the auditor claimed that its audit report raised concerns about private key privilege and centralization risks, the impact of these findings wasn’t made as clear as it should have been.
The company said,
“The centralized privileges should have been distinctly highlighted so users were aware of the risks.”
At the same time, Merlin DEX asserted that its back-end team, in whom it claims to have placed a “high degree of trust”, was responsible for the rug pull. The relatively new decentralized exchange said in a statement from April 26th that it had also alerted the appropriate authorities in Serbia—where the back-end team is based—and had cooperated with on-chain experts to track the flow of the stolen funds.