
Hexagate’s Wallet Compromise Detection Kit: Purpose-Built to Stop the Next Big Hack

Web3 attackers are getting more creative, and the number of hacks affecting exchanges and other financial institutions is increasing. In many cases, attackers drain an exchange’s wallets, and those of their users, resulting in the loss of millions of dollars and of trust, and in huge reputational damage. But today, that changes.

As a part of our mission to bring real-time, intelligence-driven security to Web3, we are proud to announce the launch of Hexagate’s Wallet Compromise Detection Kit, the first proactive, behavior-based Web3 security defense tool that integrates deeply into wallet flows to identify and respond to early signs of wallet-level takeovers from external and internal attackers before they can drain wallets.

While existing security solutions like MPC wallets effectively secure private keys, they can’t detect whether a transaction is malicious — only if it’s valid within set rules. That’s where Hexagate comes in, ensuring your keys aren’t used against you through real-time behavioral monitoring and pre-signing transaction simulation.

How Hexagate’s Wallet Compromise Detection Kit works

Hexagate’s Wallet Compromise Detection Kit employs highly customizable monitors to learn how wallets behave over time and adjust dynamically. Machine learning (ML) models augment this with anomaly detection, identifying risk before it becomes loss. When alerts occur, Hexagate takes automatic action to protect assets.

Deployed in a matter of minutes and designed to scale with security operations, the Wallet Compromise Detection Kit gives CISOs, SecOps teams, and asset managers the tools they need to detect anomalous behavior, enforce protective measures, and stay one step ahead of malicious actors.

To get a better understanding of the types of attacks the Wallet Compromise Detection Kit was built to prevent, let’s take a closer look at some of the ways bad actors currently circumvent exchange security tools and policies, and how the Wallet Compromise Detection Kit is able to catch threats that others miss.

Heist via Social Engineering

A malicious actor with a keen interest in an exchange likely spends months quietly observing which teams handle treasury operations, who approves large transfers, and which vendors have privileged access.

The attacker is looking to exploit ordinary workplace dynamics: a lack of trust between teams, rushed decision‑making, or any tendency to take shortcuts when under pressure. Once identified, the attacker can contact the target through email or social media; pose as a legitimate individual; and manipulate the victim into handing over sensitive information, installing malicious code, and/or clicking a link that enables them to gain unauthorized access to internal systems.

Once those credentials are in the attacker’s hands, they can then initiate large, rapid transfers from an exchange’s treasury to addresses under their control before anyone even notices.

Heist via Third-Party API Compromise

Here’s how an attacker might steal millions from an exchange:

  1. First, the attacker gains access to a cloud-stored API key through a trusted third-party partner that has been integrated into the exchange’s tech stack. That key is used to handle, for example, staking or treasury operations, giving the attacker indirect but legitimate control over fund movements.
  2. With the key compromised, the attacker is able to modify code and/or begin submitting malicious instructions disguised as routine transactions. This might be in the form of small, seemingly harmless actions like un-staking or rebalancing that happen dozens or hundreds of times a day.
  3. At the right moment, the attacker moves millions of dollars from the exchange to personally controlled wallets.

This type of attack bypasses conventional controls and exploits trusted automation processes.

How Hexagate’s Wallet Compromise Detection Kit and GateSigner change the story

Attacks like the ones described above are exactly why Hexagate’s Wallet Compromise Detection Kit exists. Designed to detect and prevent blind signing as a result of API-level compromises, among others, the Wallet Compromise Detection Kit is purpose-built to defend against these “invisible” threats, with the following protective features tailored to API key and third-party risks:

1. Anomalous Behavior Detection

At the core of the kit is a dynamic, rule-aware monitoring engine. It continuously evaluates transactions across all wallets, tokens, and chains — not just for static thresholds, but in the context of who initiated them, how they differ from past behavior, and whether they violate expected operational patterns. When something breaks protocol, the system can trigger alerts or even take on-chain action.

Specifically, it is capable of recognizing:

  • multiple hidden or unauthorized instructions bundled into a single transaction;
  • suspicious transfer of withdrawal rights embedded within apparently “routine” operations;
  • and anomalous timing or frequency of API calls compared to prior behavior.
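
The three checks listed above, written as simple rules over pending-transaction records. This is an added example, not Hexagate's code: the record layout, instruction names, allowlist, known-destination set and z-score threshold are all assumptions, and the sample data is constructed.

```python
from statistics import mean, stdev

# Assumed policy: instruction types each declared operation may contain.
ALLOWED = {
    "unstake": {"deactivate_stake", "withdraw_stake"},
    "rebalance": {"transfer"},
}
# Assumed (hypothetical) instruction types that hand over control of funds.
AUTHORITY_CHANGES = {"set_withdraw_authority", "set_owner"}

def check_transaction(tx, known_destinations):
    """Return (kind, detail) findings for one pending transaction record."""
    findings = []
    allowed = ALLOWED.get(tx["operation"], set())
    for ins in tx["instructions"]:
        if ins["type"] in AUTHORITY_CHANGES:
            # Withdrawal rights moving inside a "routine" operation.
            findings.append(("authority_change", ins["type"]))
        elif ins["type"] not in allowed:
            # Extra instruction bundled into the declared operation.
            findings.append(("unexpected_instruction", ins["type"]))
        dest = ins.get("to")
        if dest is not None and dest not in known_destinations:
            findings.append(("unknown_destination", dest))
    return findings

def rate_anomaly(history, current, z_limit=3.0):
    """True if the current per-window call count deviates from the baseline."""
    mu, sigma = mean(history), stdev(history)
    if sigma == 0:  # perfectly flat baseline: any change is a deviation
        return current != mu
    return abs(current - mu) / sigma > z_limit

# Constructed sample data (not real transactions or addresses).
KNOWN = {"treasury-cold-1", "staking-pool-1"}
ROUTINE = {"operation": "unstake", "instructions": [
    {"type": "deactivate_stake"},
    {"type": "withdraw_stake", "to": "treasury-cold-1"},
]}
BUNDLED = {"operation": "unstake", "instructions": [
    {"type": "deactivate_stake"},
    {"type": "set_withdraw_authority", "to": "unlisted-addr-9"},
    {"type": "transfer", "to": "unlisted-addr-9"},
]}
CALLS_PER_HOUR = [40, 42, 38, 41, 39, 43, 40]  # constructed baseline

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE), ("bundled", BUNDLED)):
        print(name, check_transaction(tx, KNOWN))
    print("rate anomaly:", rate_anomaly(CALLS_PER_HOUR, 95))
```

Static rules like these only cover deviations someone thought to encode, which is the gap the behavioral baseline is meant to narrow.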

2. Machine Learning Models

When attackers are constantly evading expected patterns and finding new ways to gain unauthorized access, adaptive layers of intelligence are required to keep one step ahead. That’s why Hexagate adds an ML model purpose-built to spot wallet compromises.

In the case of the API attack outlined above, every step would appear routine. The malicious instructions would be buried inside what looks like normal activity, and no alarms would go off until the funds are gone.

This is where Wallet Compromise Detection Kit’s ML model could change how that story ends. Trained on real-world compromise events, the model learns what “normal” looks like across wallets and ecosystems. It then spots the subtle deviations, such as timing irregularities, unusual flows, or hidden authority shifts.

[Image: Wallet Compromise Detection Kit’s customizable set of pre-built monitors]

3. GateSigner: The Pre-Signing Simulation Engine

Finally, as Hexagate’s pre-signing simulation and verification solution, GateSigner serves as a real-time transaction firewall and a critical checkpoint in the transaction approval process.

Every transaction, whether initiated by automation or by a human, is simulated to reveal its true downstream on-chain effects before any signature is provided. This process analyzes the full logic encoded in the transaction, surfacing any hidden authorization commands or illicit transfers, even if the instruction is buried within a routine-appearing call.

GateSigner then provides real-time, actionable alerts that the transactions in question are malicious and presents evidence of hidden authority transfers before they are blindly signed and executed.

[Image: The core components of Wallet Compromise Detection Kit]

But what if my exchange is using an MPC solution to secure its wallet?

If your exchange’s wallets are running on an MPC solution, your private keys are most likely safe: the solution enforces who can sign what and makes sure transactions are authorized correctly. However, it is critical to take a layered approach to Web3 security.

MPC solutions protect private keys and enforce access with robust policies, but don’t have visibility into whether a transaction is malicious — only if it’s valid within the rules set by the user.

Consequently, if an API key is compromised, a front-end deceives a user, a partner submits a malicious transaction, or something similar occurs, MPC wallets alone cannot fully protect funds.

Wallet Compromise Detection Kit monitors wallet behavior in real time and flags anomalies; GateSigner watches wallet behavior in real time, simulates transactions before they’re signed, and flags anomalies the moment activity drifts from “normal.” MPC wallets secure your keys, but Hexagate ensures they’re not used against you.

Some final words

Losing millions of dollars and finding your exchange’s name in tomorrow’s headlines isn’t always the result of poor technology or recklessness. But it is one sign that a multi-layered approach to security is needed to protect yourself against known and unknown threats.

Web3 security technologies such as Hexagate’s Wallet Compromise Detection Kit can enable exchanges to spot and automatically react to attacks. To see how Hexagate’s GateSigner and Wallet Compromise Detection Kit can protect your organization’s treasury, book a demo today.

 
