As per the protocol’s post-mortem, the security agencies have already “tentatively determined” the hackers’ location, and negotiations are underway.
According to the statement shared by PeckShield, a leading cybersecurity provider for blockchain products, NFT lending platform XCarnival was attacked.
1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn),
leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt
Attackers managed to get an infinite number of loans using the same high-profile NFT (Bored Apes Yacht Club #5110). The protocol was targeted by a “flurry” of transactions initiated by hackers.
Malefactors managed to generate multiple contract addresses, pledge BAYC NFT as collateral, get a loan, immediately withdraw an NFT and repeat this procedure multiple times.
As such, hackers borrowed over $3.8 million in Ethereum (ETH) equivalent with no need to pay the loan back. This became possible due to the vulnerability in the borrowing module codebase.
The team promptly reported the issue to cybersecurity and law enforcement agencies. Initially, the hacker was offered a $300,000 bounty to recover the funds, but then the sum was increased to $1.8 million.
The main contract as well as deposit and borrowing functions were shut down to prevent XCarnival users from losing their funds.
As the attacker was tracked, the negotiations started. By press time, he/she has returned 1,467 Ethers (ETH) stolen. It should also be noted that initial funds for the attack were transferred out of the Tornado Cash mixer.

Related
Inverse Finance DeFi Drained, Here’s What’s Special About This Hack

As covered by U.Today previously, the hackers attacked the Inverse Finance decentralized lending/borrowing protocol earlier this month; losses eclipsed $1.25 million in equivalent.

Blockchain Analyst & Writer with scientific background. 6+ years in IT-analytics, 3+ years in blockchain.
Worked in independent analysis as well as in start-ups (Swap.online, Monoreto, Attic Lab etc.)
Disclaimer: Any financial and market information given on U.Today is written for informational purpose only. Conduct your own research by contacting financial experts before making any investment decisions.

source