Evidence guide

File a cybercrime / police report

This page helps affected Purrlend users organize the information needed to file a police or cybercrime report.

This is not legal advice. It is a community-created evidence guide.

Never submit private keys, seed phrases, passwords, or wallet recovery phrases.

Do not upload ID documents or private personal documents to public Discord/X channels.

Before you file

Before filing, prepare:

  • Your wallet address
  • Your estimated loss amount
  • Screenshot of your claim row on Purrhack
  • Explorer links showing your deposits or position, if available
  • Purrlend exploit links below
  • Any Discord/X screenshots relevant to your case
  • Your personal ID only if the official police portal requests it

For police report copy/paste

Short version for forms that only allow a brief incident summary.

I am reporting a cryptocurrency cybercrime involving Purrlend, a DeFi lending protocol on HyperEVM and MegaETH. I was a user/liquidity provider and lost approximately USD [INSERT LOSS] when the protocol was exploited on or around April 25, 2026. The reported total loss across users is approximately USD 1.5M. The exploit appears to have involved privileged admin/role-change activity, minting of unbacked aTokens, borrowing against unbacked collateral, and draining protocol markets. The main attacker address is 0xd8010aca201f6113160200b8a521F35BE9f94C24. The stolen funds were initially routed to the holding wallet 0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29 and have since been transferred to a new holding wallet 0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c, which currently holds the stolen funds. The attacker wallet appears to have been funded via Tornado Cash: https://etherscan.io/tx/0xd54c8b9b2e7a2a06ad7236bffbff026b22c045237cfee5c83483324806fa8ef0. I request that a cybercrime report be opened and that I receive a case/reference number for follow-up with exchanges, service providers, KYC providers, and investigators.

Full investigator report summary

Structured version for investigators, exchanges, KYC providers, and cybercrime portals.

Purrlend Exploit Cybercrime Report Summary

1. Incident Overview

I am reporting a cryptocurrency cybercrime involving Purrlend, a DeFi lending protocol deployed on HyperEVM and MegaETH.

I was a user/liquidity provider of Purrlend and lost funds when the protocol was exploited on or around April 25, 2026.

The reported total loss across affected users is approximately USD 1.5 million.

My estimated personal loss is approximately:
USD [INSERT PERSONAL LOSS]

This report is submitted to request that a formal cybercrime case be opened and that a case/reference number be issued for follow-up with exchanges, service providers, KYC providers, and investigators.

2. Summary of Suspected Exploit Method

Based on public transaction evidence and community investigation, the exploit appears to have involved:

- use of a privileged admin or role-change path;
- execution of set_unbacked / mint_unbacked style transactions;
- minting of unbacked aTokens;
- borrowing against unbacked collateral;
- draining of Purrlend protocol markets across HyperEVM and/or MegaETH.

This appears to be a privileged-role/admin-path exploit rather than a normal user trading loss.

3. Primary Attacker Wallets

Main attacker address:
0xd8010aca201f6113160200b8a521F35BE9f94C24

Current holding wallet (stolen funds):
0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c
Etherscan:
https://etherscan.io/address/0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c

Previous holding wallet:
0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29
Previously reported holding: 652 ETH. Funds have since been transferred to the current holding wallet above.
Etherscan:
https://etherscan.io/address/0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29

Relevant links:

HyperEVM attacker transaction list:
https://hyperevmscan.io/txs?a=0xd8010aca201f6113160200b8a521F35BE9f94C24

Example exploit transaction:
https://hyperevmscan.io/tx/0xcaf098f607cab97a01d22205ac7471d0511c420061dca8e9bd7945bbb6704594

Ethereum attacker address:
https://etherscan.io/address/0xd8010aca201f6113160200b8a521F35BE9f94C24

Attacker wallet funding lead via Tornado Cash:
https://etherscan.io/tx/0xd54c8b9b2e7a2a06ad7236bffbff026b22c045237cfee5c83483324806fa8ef0

MegaETH attacker address:
https://mega.etherscan.io/address/0xd8010aca201f6113160200b8a521f35be9f94c24

4. Purrlend Safe / Multisig

The following Safe / multisig appears relevant to protocol administration:

0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc

Relevant links:

Safe on MegaETH:
https://app.safe.global/home?safe=megaeth:0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc

Safe on HyperEVM:
https://app.safe.global/home?safe=hyper-evm:0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc

Arkham multisig entity:
https://intel.arkm.com/explorer/entity/6a04b931-e0e1-4ec5-9c2c-0999742ed76f

5. Signer / Admin Linkage Leads

The signer/admin wallets appear linked through funding paths. These links are transaction-based leads and should be independently reviewed by investigators.

The current working theory is:
- S1 was funded by Binance on Ethereum.
- S2, S3, HyperEVM activity, and MegaETH activity appear to have been funded by S1.
- These wallets may be relevant to protocol administration, multisig activity, or the exploit path.

S1 / Signer 1:
0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB
S1 Binance funding transaction:
https://etherscan.io/tx/0x3502498c9ddd1407d8c631094c8aa7cb8d9d8bbf0cf6fa8fc3871d6b4055eb54

S2 / Signer 2:
0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E
S2 appears funded by S1:
https://hyperevmscan.io/tx/0xb206a9cc2eb81e2d534d34de268cd3b1cf4bd931b6860ac85e949d13c673c88f

S3 / Signer 3:
0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD
S3 funded by S1:
https://hyperevmscan.io/tx/0x6f566d51e30ddf850bf1bb35e606818fbc42a9295e960b6b4e6a54d7e39dd6ee

HyperEVM funded by S1:
https://hyperevmscan.io/tx/0xb206a9cc2eb81e2d534d34de268cd3b1cf4bd931b6860ac85e949d13c673c88f

MegaETH funded by S1:
https://mega.etherscan.io/tx/0x0eb65003f72f7dc38058eb52ba9e9828f305f135dfde6ea5ad1219a75e1b1917

6. Additional Funding Path Leads

Campaign Manager Funding Path

A related campaign manager wallet appears to have been funded via deBridge.

Funding transaction:
https://hyperevmscan.io/tx/0xbf8b62f5a36115b91f07d06159af4e497aa1530fff442b2bbefbf86c6cb99844

Origin wallet:
0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3

Origin wallet funded by:
0x20044619f284dab78A61c308eb9bedC9d3f591aC

Final Binance funding transaction on BSC:
https://bscscan.com/tx/0xc1ecdac8799b2ecd37e1f84112d195e31fca02809fa39f01e449235e83ff1ed9

Founder New Wallet Funding Path

Founder-linked new wallet:
0x63aB25C168319388d6CF214ED95C05e29f459946

This wallet appears to have been funded by deBridge from the following Solana wallet:
BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc

The Solana wallet was reportedly funded by Bybit:
https://solscan.io/tx/5jCJXNtbzTpKyLtGv9W9fwQ8JSvV8GPjHJ7n6VALwNowrgZUnmd2h7gcxNfXJrnnBNQdkTqwtqfLuLp4JECWXrEN

7. Community and Supporting Reports

Community claim snapshot:
https://purrhack.io

Purrhack X incident article:
https://x.com/PurrHack/status/2050226223683366996?s=20

Hyperlend founder X article:
https://x.com/fbsloXBT/status/2049906482808779073?s=20

Chainabuse report:
https://chainabuse.com/report/fa7d8097-6474-4d1c-9817-e384dded6445

SEAL 911 has reportedly been contacted by affected users. Relevant wallet addresses have also been submitted to abuse/reporting channels and exchanges for preservation, monitoring, and potential KYC escalation.

8. Requested Action

I respectfully request that:

1. a formal cybercrime report be opened;
2. a case/reference number be issued;
3. the listed wallet addresses and transactions be preserved as evidence;
4. exchanges and service providers connected to the funding paths be contacted where appropriate;
5. Binance, Bybit, deBridge, and relevant chain analytics providers be asked to preserve logs, KYC records, and transaction metadata connected to the listed addresses and transactions;
6. affected users be allowed to reference this case number in further reports to exchanges, KYC providers, service providers, and investigators.

9. Key Evidence Table

Category | Address / Link
Main attacker | 0xd8010aca201f6113160200b8a521F35BE9f94C24
Current holding wallet | 0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c
Previous holding wallet | 0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29
Purrlend Safe / multisig | 0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc
S1 / Signer 1 | 0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB
S2 / Signer 2 | 0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E
S3 / Signer 3 | 0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD
Campaign origin wallet | 0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3
Campaign upstream funder | 0x20044619f284dab78A61c308eb9bedC9d3f591aC
Founder-linked new wallet | 0x63aB25C168319388d6CF214ED95C05e29f459946
Solana funding wallet | BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc

Key addresses and links

Signer/admin/founder-related wallets and entities are investigation leads only. They may have been compromised or mislabeled. Do not treat them as confirmed attacker identities.

Attacker wallets

Current wallet holding stolen funds

Current wallet holding the stolen funds. Funds were transferred to this wallet from the previous holding wallet listed below.

0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c

Previous holding wallet

Previously held the stolen funds (reported 652 ETH). Funds have since been transferred to the current holding wallet above.

0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29

Multisig / admin leads

Signer / admin leads

Signer/admin leads. Attribution unconfirmed. These wallets may have been compromised.

0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB

0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD

0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E

Purrlend Founder entity

Public Arkham entity / investigation reference. Attribution and responsibility should be handled by investigators.

Purrhack X incident article

Community article describing the hack and evidence references.

Hyperlend founder X article

Related article for investigators reviewing founder-linked context.

Wallet funding patterns and linkage

These funding paths are transaction-linkage leads for investigators. They identify wallet funding patterns and possible origination sources, not confirmed personal identity or responsibility.

Signer wallet funding

These are transaction-linkage leads for investigators. They show funding paths between wallets and services, not confirmed personal identity.

Signer 1 / S1

S1 was funded by Binance on Ethereum.

0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB

Signer 2 / S2

S2 appears funded by S1 on HyperEVM.

0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E

Signer 3 / S3

S3 appears funded by S1 on HyperEVM.

0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD

Cross-chain funding from S1

HyperEVM and MegaETH activity appears funded by S1.

Campaign manager funding path

deBridge funding

Campaign manager wallet appears funded via deBridge.

Origin and upstream funder

Origin wallet and upstream wallet in the funding path.

0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3

0x20044619f284dab78A61c308eb9bedC9d3f591aC

Binance funding source

Upstream funding source on BSC.

Founder new wallet funding path

Founder new wallet

New wallet reportedly funded by deBridge from Solana.

0x63aB25C168319388d6CF214ED95C05e29f459946

BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc

Solana source funding

Solana wallet reportedly funded by Bybit.

Key evidence table

Investigator-ready address list for quick copying and review.

CategoryAddress / link
Main attacker0xd8010aca201f6113160200b8a521F35BE9f94C24
Current holding wallet0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c
Previous holding wallet0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29
Purrlend Safe / multisig0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc
S1 / Signer 10x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB
S2 / Signer 20x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E
S3 / Signer 30xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD
Campaign origin wallet0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3
Campaign upstream funder0x20044619f284dab78A61c308eb9bedC9d3f591aC
Founder-linked new wallet0x63aB25C168319388d6CF214ED95C05e29f459946
Solana funding walletBvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc

Evidence checklist

Attach if possible:

  • Screenshot of your wallet claim on Purrhack
  • Screenshot of your Purrlend position, if available
  • Deposit / supply transaction links
  • Borrow / repay / withdraw transaction links
  • Screenshot of Purrlend post-mortem or official statements
  • Purrhack X incident article
  • Hyperlend founder X article
  • Screenshot of Discord communications, if relevant
  • Chainabuse report link
  • Attacker wallet links
  • Your own wallet address
  • Any exchange/provider ticket numbers

Where to report

UAE Federal

You may also use UAE Ministry of Interior eCrime channels, My Safe Society app, nearest police station, or emergency services for urgent situations.

FBI IC3

https://www.ic3.gov

Use if you are US-based, a US person is affected, or funds touched US infrastructure, US exchanges, or USDC/Circle.

Other countries

File with your local police or cybercrime unit. Use the incident summary above and request a case/reference number.

After filing

  1. 1. Save your case/reference number
  2. 2. Save the PDF or screenshot confirmation
  3. 3. Use the case number when contacting exchanges or service providers
  4. 4. Do not share ID documents publicly in Discord/X
  5. 5. Submit your case number privately through the correction/contact form if you want affected users to coordinate legal follow-up