Skip to content
Qubit Finance Hack

$80 Million Stolen. No One Held Accountable.

On January 28, 2022, Qubit Finance's cross-chain bridge was exploited. Mound Inc. — endorsed by Binance — took $80M of user funds and went silent. Four years later, nothing has changed.
Read the Evidence What Happened
$80MStolen in one attack
$0Returned to victims
4 yrsOf silence from Mound Inc.
0People held accountable

STATUS: UNRESOLVED. Mound Inc. — the Korean company behind Qubit Finance, backed by Binance — exploited a critical vulnerability in their own unaudited bridge contract, losing $80M of user funds. Their response: remove victims from Telegram, have the CTO delete his LinkedIn, claim to file police reports (never verified), and go dark. No compensation. No accountability. No answers.

The Incident

What Happened

Section titled “What Happened”

Qubit Finance ran a cross-chain bridge (QBridge) between Ethereum and Binance Smart Chain. On January 28, 2022, an attacker found that calling deposit() instead of depositETH() triggered the same on-chain event — but required zero actual ETH. The bridge relayer, watching only events, minted qXETH tokens on BSC for free. The attacker used these as collateral to drain $80 million.

Three things made this possible: the bridge was deployed without a completed security audit, a contract parameter was secretly changed by the owner days before (no timelock, no announcement), and a known EVM behavior — that calling any function on the zero address silently succeeds — was never accounted for.

Full Account

How the attack worked, step by step — the vulnerability, the exploit, and the $80M that disappeared.

What Happened →

Technical Analysis

The deposit() vs depositETH() event collision. The zero-address EOA trick. The suspicious parameter change.

Technical Analysis →

Timeline

From the January 28 exploit to four years of silence — a complete chronological record.

Timeline →

Nine Unanswered Questions

Why did the team ignore people with hacker information? Why was unaudited code deployed? Why was the CTO’s LinkedIn deleted?

The Evidence →

Team Response

The moderator who removed victims. The CTO who vanished from LinkedIn. The Binance security team that was never called.

Team Response →

Follow the Money

The hacker’s wallet. The $20M silent victim connected to Binance Hot Wallet. Four years of zero movement toward recovery.

Money Flow →

The Company

Mound Inc. — Who Is Responsible

Section titled “Mound Inc. — Who Is Responsible”

Qubit Finance was built by Mound Inc., registered in Daejeon, South Korea (Registration: 160111-0556766). The company is 90.5% owned by Krypton PTE. LTD. (Singapore), which is 60% owned by CEO Jun Hur. Mound Inc. had already lost ~$45M in the May 2021 PancakeBunny hack. They built Qubit Finance to recover — then lost $80M more.

Jun HurCEO — 60% of Krypton PTESeocho-gu, Seoul · LinkedIn activeAaron Yooshin KimCTO — 20% of Krypton PTE⚠ Deleted LinkedIn Feb 1, 2022 — 4 days post-hackKim HyungchulCSO — 20% of Krypton PTEResponsible for security — deployed unaudited bridgeYonggon KimResearch DirectorProtocol architecture and designKim TaeeunProduct OwnerApproved launch without completed audit

Full corporate structure, addresses, and shareholder filings →

The Money

Hacker Wallet — Unrecovered

Section titled “Hacker Wallet — Unrecovered”
0xd01ae1a708614948b2b5e0b7ab5be6afa01325c7

Etherscan (ETH) · BSCScan (BSC) · Full money flow analysis →

One wallet lost 8,510.12 ETH (~$20M USD at the time) — one quarter of the entire hack. All transfers ran through the Binance Hot Wallet. This person has never said a word publicly.

Binance

Binance Endorsed This Project

Section titled “Binance Endorsed This Project”

Qubit Finance was a Binance Smart Chain project with explicit Binance endorsement. When victims appealed directly to CZ and Binance to intervene — to blacklist the attacker’s wallet, to pressure Mound Inc., to use their platform influence — they were ignored.

“Hi Sir, on same BSC, why you protected Squid Game, but did nothing with Bunny this time? This is not fair play.” — Victim appeal to @cz_binance, 2022

Read the victim appeals to Binance →

Take Action

Join the Fight for Accountability

Section titled “Join the Fight for Accountability”

Report Information

Have information about the hacker, fund movements, or Mound Inc.’s internal decisions? Submit it — confidentially if needed.

Report Information →

Victims Community

Connect with other victims. The Qubit Victims Alliance has been fighting for accountability since 2022.

Telegram: @qbtvictims →

Media Coverage

Bloomberg, CoinDesk, The Verge, ZDNet, The Register and more covered this story. It isn’t over.

Media Reports →

Share This Site

The best way to keep pressure on Mound Inc. is to keep this story alive. Share qbt.wiki.

How to Share →