'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Introduction
On 14th August, BtcTurk experienced unauthorized transfers involving multiple cryptocurrencies, with losses totaling approximately $48 million USD. The incident involved large transfers of ether (ETH), Avalanche’s AVAX (AVAX), Arbitrum’s ARB (ARB), Base (BASE), Optimism’s OP (OP), Mantle and Polygon’s MATIC (MATIC), with the bulk of the funds consolidating into several recipient addresses.
The team has launched an $2.4 million recovery bounty program — up to 5% of any recovered funds — for actionable intelligence that directly contributes to the recovery of stolen assets.
What Happened? (Incident Summary)
BtcTurk’s hot wallets were compromised in a coordinated attack, leading to unauthorized transfers worth ~$48M across multiple blockchains.
The incident was immediately contained by halting deposits and withdrawals.
- Core trading operations and fiat (TRY) services remain unaffected
- The vast majority of customer funds are secured in cold wallets
- Law enforcement and cybersecurity partners are engaged in the investigation
BtcTurk has launched a Hack Recovery Program with rewards of up to $2.4M to facilitate fund recovery.
Where do things stand?
Stolen Assets Destination Addresses:
- Ethereum: 0xA041FeB3a8297c5689FEE180083164A061a17fD6
- Ethereum: 0xb4b537626e21df5386cf167d1e654b38785056cc
- Ethereum: 0x7d91d1ebeba91257733a523409125aedac5d8b6e
- Bitcoin: bc1q3xgyvmfk6mw6zvhjklsw7v8wl2dk0xtm35ulut
Subsequent Related Addresses:
- Ethereum: 0x95Ab53305bC71D0e6e2d46F2E62690599CBC87Fc
- Ethereum: 0xDDFA0884f32d0D210597A996060fbDB5b068b0Ea
- Ethereum: 0x0fE41fe8786329fB6bd8F2baa73aa55e770f0951
Rewards and Rules
- Bounty Reward: Up to 5% of all successfully recovered funds.
- Potential Pool: Up to $2.4 million, if full recovery is achieved.
- Objective: Reward program participants who assist in locating, securing, and retrieving these funds back to BtcTurk.
This is open to ethical hackers, white-hat researchers and anyone committed to making crypto safer.
- All submitted intelligence must comply with applicable laws and ethical standards.
- Do not engage in unauthorized access, exploitation of systems without consent, or any activity that violates the law.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Please do NOT publish/discuss bugs.
- Reports must not include personally identifiable information (PII) obtained through unlawful or unethical methods.
- Rewards are subject to internal verification and compliance review.
- High-value rewards may require Anti-Money Laundering (AML) and Know Your Customer (KYC) verification.
How to Participate
All submissions are accepted through the HackenProof platform. Participants can submit vulnerability details or report cyberattack information related to the fund recovery. Details, requirements and submission form are available on the program page.
