Nine Questions Mound Inc. Has Never Answered
Four years after the hack, these nine questions remain unanswered. Each one points to a team that failed its users — before, during, and after the exploit.
1. Why ignore people who came forward with hacker information?
The team publicly asked for anyone with information about the hacker to contact them. People did. The team did not respond.
“I’ve contacted the team on Tox and no response yet.” — Reddit, PancakeBunny community
If you’re genuinely trying to recover $80M, you don’t ignore leads.
2. Who is the $20M victim with Binance connections — and why are they silent?
Wallet 0xba19a0f65e0cd2a5042bf12ecc93f9816884983d lost 8,510.12 ETH — approximately $20M — in this single incident. That is one quarter of the entire hack.
Every transaction from this wallet ran through the Binance Hot Wallet. And yet this person — the single largest victim — has said nothing, done nothing, and sought no public accountability.
Who is this? Are they connected to Mound Inc. or Binance? Did they know about the unaudited bridge? Why haven’t they spoken?
3. Why was there no meaningful bounty for finding the hacker?
The team offered the attacker $250,000 to return $80M. They offered the community nothing for identifying the attacker. Zero bounty for leads. Zero incentive for anyone who might know something to come forward.
This is not how a team serious about recovery operates.
4. Why was unaudited code deployed to production?
Prior Mound Inc. releases went through security audits. The QBridge contract — the exact component that was exploited — was knowingly deployed without completing its audit. The audit was in progress. Someone made the decision to ship anyway.
Who made that call? Why? The answer has never been given.
5. Why were contract parameters changed without a timelock or announcement?
Before the hack, an owner-only function was used to reassign the resourceID mapping — changing the token address from WETH’s real contract to the zero address. This single change made the exploit possible.
There was no timelock. No community notification. No governance process. Changes to a contract holding millions in user funds were made invisibly and instantly.
This is either catastrophic negligence or something worse.
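The control whose absence question 5 describes, as an added example that is not Mound Inc.'s or Qubit's code: a check over decoded admin events that flags a resourceID remapped to the zero address, or a change applied without a prior announcement and delay. The event shape (`queued`/`executed`), the 48-hour delay and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20
MIN_DELAY = 48 * 3600  # assumed policy: 48 hours between announcement and execution


@dataclass(frozen=True)
class AdminEvent:
    kind: str         # hypothetical: "queued" (announced) or "executed" (applied)
    timestamp: int    # block time in seconds
    resource_id: str
    token: str        # token address the resourceID will map to / now maps to


def audit(events, min_delay=MIN_DELAY):
    """Return (timestamp, resource_id, reason) findings for unsafe mapping changes."""
    queued = {}    # (resource_id, token) -> time the change was announced
    findings = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.resource_id, ev.token.lower())
        if ev.kind == "queued":
            queued.setdefault(key, ev.timestamp)
            continue
        if ev.kind != "executed":
            continue
        if int(ev.token, 16) == 0:
            findings.append((ev.timestamp, ev.resource_id, "mapped to zero address"))
        announced = queued.pop(key, None)
        if announced is None:
            findings.append((ev.timestamp, ev.resource_id, "no prior announcement"))
        elif ev.timestamp - announced < min_delay:
            findings.append((ev.timestamp, ev.resource_id, "timelock delay not met"))
    return findings


# Constructed sample events (not real chain data).
RID = "0x" + "ab" * 32
TOKEN_A = "0x" + "11" * 20
SAMPLE = [
    AdminEvent("queued", 1_000_000, RID, TOKEN_A),
    AdminEvent("executed", 1_000_000 + MIN_DELAY, RID, TOKEN_A),  # compliant change
    AdminEvent("executed", 1_300_000, RID, ZERO_ADDRESS),         # instant, unannounced
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```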
6. Why were victims removed from the official Telegram group?
When users who had just lost their savings tried to communicate in the official Telegram group, the team’s moderator @moleh removed them. Repeatedly.
The people most affected by the hack were systematically silenced by the team responsible for it.
7. Why didn’t the team contact Binance and major exchanges immediately?
The first thing any responsible team does after a DeFi exploit is contact major exchanges, bridges, and swap protocols to blacklist the attacker’s wallet. This prevents the hacker from converting stolen funds.
The Qubit team did not do this. The attacker’s address was not promptly blacklisted. Every hour of delay was an hour the hacker could move $80M.
8. Why were police reports never made public?
The team claimed they filed reports with police in two jurisdictions. They never provided:
- Case numbers
- Filing confirmations
- Any update from law enforcement
Without proof, these claims are unverifiable. Filing a police report takes a day. Sharing the case number takes a minute. Neither was done.
9. Why did the team abandon victims instead of working with them?
Instead of standing alongside victims — transparent, communicative, actively pursuing recovery — Mound Inc. sent one representative (@moleh) to remove victims from their own community channels.
No recovery plan. No compensation mechanism. No updates. Just silence, and a moderator with a ban button.
Still No Answers
If you have information that sheds light on any of these questions — about the pre-hack parameter change, the $20M silent victim, the team’s internal decisions, or the whereabouts of the stolen funds — please report it.