Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Fintoch Rug Pull Explained

Fintoch Rug Pull Explained

Share via:

TL;DR

In May 2023, a DeFi platform, Fintoch, rug pulled its users for $31.6M.
Fintoch claimed to be backed by Morgan Stanley, had a fake CEO played by an actor, and offered outrageous 1% daily returns.
The case goes in DeFi history as the biggest exit scam of 2023.

On May 22, 2023, Fintoch – a fraudulent DeFi exchange operating on BSC – rug pulled their investors with a shocking $31.6 million scam. A reputable on-chain analyst, ZachXBT, was the first to draw widespread media attention to this scam.

Key Events in Fintoch Crypto Scam

Launched in March 2023, Fintoch posed as a legit DeFi platform with backing from the prominent Morgan Stanley. However, Morgan Stanley debunked these claims in a statement in May.
In early May, the Monetary Authority of Singapore (MAS) issued a cautionary investor warning regarding Fintoch. Around the same time, Fintoch made claims of launching its own blockchain.
Fast forward to May 22: stolen USDT finds its way to TRON and Ethereum network. On May 23, the platform abruptly halted withdrawals, citing a supposed chain migration.
However, the real bombshell dropped a day later. It was on May 24 that a collective outcry about the withdrawal issues on X raised the alarm among on-chain experts, ultimately leading to the exposure of the scam.
A bonus twist? Bob Lambert, the supposed CEO of Fintoch, turned out to be nothing more than a paid actor! His real name is Mike Provenzano, and he has played in several short films and series.

A total of $31.6 Million was stolen from deceived users.

Bob Lambert - a paid actor was posing as the CEO of Fintoch.

Looking Through Deception: How Fintoch Deceived Everyone?

Fintoch lured investors with the promise of a 1% daily ROI and claimed affiliation with Morgan Stanley. Although investors were warned numerous times, people rode the bandwagon and invested millions.

The Fintoch rug pull scam used deceptive techniques, including:

False Identity: Claimed ties to Morgan Stanley, used actor Bobby Lambert as fake CEO.
Unrealistic Returns: Promised unsustainable 1% daily returns indicate a Ponzi scheme.
Social Media Deception: Used platforms like X and Telegram, used bots and shills for fake reviews on Trustpilot and Medium.
Blockchain Tricks: Used smart contracts for fund collection and bridges for moving stolen assets across blockchains (e.g., Tron, Ethereum) to operate covertly.

What Sparked The Suspicion?

On May 24, Fintoch transferred 31.6 million USDT to multiple addresses on the Tron and Ethereum networks:

The DFintoch project deployed the FintochSTO contract. During deployment, 100,000 FTH tokens were minted and sent to the 0xfcE4.. address.
On May 22, 2023, a transfer of 34,341 FTH tokens was made from 0xfcE4.. to 0x19a0..
After that, the scammers swapped FTM tokens to BSC-USD and used Multichain and SWFT to bridge the stolen funds.

This move caused panic among investors as they reported being unable to withdraw their assets.

Following Fintoch’s silence on the withdrawal issue, several users flocked to the comment section of the platform’s last tweet, published on May 23, demanding an explanation. Their pleas were met with cold automated bot responses.

After a few days of inactivity, on May 26, the stolen USDT started moving on Tron to different deposit addresses on exchanges like Binance and Huione Pay.

So far, there has been no legal action or reimbursement plan, as the identities of the real founders remain anonymous.

An illustrative representation depicting the flow of stolen funds. — Source: ZachXBT

Aftermath & Reactions

The aftermath of the Fintoch rug pull scam had a profound impact on both investors and the reputation of DeFi. First and foremost, investors who had put their money into FTC (the Fintoch native token) found themselves in a tough spot, holding onto assets that had essentially lost their value.

What made matters worse was that the Fintoch team remained anonymous, leaving these investors with no real options for recovery or legal action. But the ramifications extended beyond the immediate victims. The scam shed a bad light on the reputation of crypto, implanting seeds of skepticism, especially toward emerging DeFi projects.

This incident didn’t just impact the interest of disheartened investors. It also drew the attention of regulators, legislators, and the media. BSC, where FTC had been actively traded, also took a hit.

Post-Hack Security Measures & Lessons Learned

Fintoch was a Ponzi project that showed all the warning signs of an exit scam. Many of the project’s claims — its CEO, affiliation with Morgan Stanley, and registration in Silicon Valley — were completely fabricated.

It promised guaranteed ROI and multiple organizations issued warnings about the scam. Despite this, the founders were able to net over $31M of user funds. This Fintoch rug pull was one of the largest exit scams in the DeFi in 2023. And it highlighted the risks and vulnerabilities of investing in unregulated and unverified projects.

In our view, the best approach is to check a project’s rating by different auditing companies. It gives you a heads-up if there is something suspicious.