TRON DAO Fraud Reporting

Good afternoon,

I’m hoping someone here can help or point me in the right direction. I’ve been using the TRON network for several years without issues. Recently, one of our wallets that we used exclusively for creating NFTs through the APE website was compromised.

The wallet contained 22,000,000 CORA tokens. I do not use this wallet for anything other than the APE, SUN and Justlend platform, and I do not click unknown links or connect my wallet to unverified sites. Despite this, someone was somehow able to gain access, change the wallet permissions, and transfer the CORA tokens out. The tokens were then dumped, resulting in a loss of over $10,000 USD.

The compromised wallet address is:
TRw1CTQLrcV1busCv3wjs7TnGBMvbRPd8J
**
The Wallet that took over the account is:
TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft**

From what I can see, the attacker altered the permissions on the wallet before moving the tokens. I understand that TRON DAO may be part of fraud or security reporting initiatives, and I’m trying to find the correct place to report this incident and share the details of what happened.

We are continuing to investigate the situation, and I will post updates here as we gather more information.

Any guidance on where to report this or who to contact would be greatly appreciated. The only site i had this wallet connected to was Justlend.org, SUN.io, sunpump.meme and i did connect to AINFT.io which i feel like this or sunpump is how they got in. As mentioned before we will put out more details in the coming days as to what we can find. But i never even accessed this wallet from my Phone. I always used in a secure computer.

Thank you.

Hmm, this is sad a s scaring

Sorry for the loss. This is not acceptable if you have not visited any unknown links from the wallet. Hope there can some resolution to this. Please share if there is any update. Good luck !

Yep stuff like this is what turns businesses away from blockchain. We are a startup and operate on a tight budget. Its sad how hard we have worked to build our liquidity pool and business and these scammers just steal our hard earned money.

Expensive lesson that’s for sure lol.. All my wallets are going to multi sig now. My own vault for not having this setup on the NFT wallet.

The scammer is using (TDoXUNZ6PajKuiUkcYg3EDSV9bnqGqsbcf) which belongs to FixedFloat, a legitimate (though controversial) non-custodial cryptocurrency exchange. I wonder if i could reach out to them and make them aware.

It’s publicly labeled on Tronscan as “FixedFloat Exchange Hot Wallet” and has been confirmed by the exchange itself as their official main address for all TRC20 (Tron) transactions. FixedFloat (ff.io) has used it since at least 2020 for sending/receiving USDT, TRX, and other tokens on Tron. They even list it in their own communications to analysis services and monitors like BestChange so it’s flagged as an “Exchange” (not high-risk or personal).Quick background on FixedFloat

• Founded in 2018 as a fully automated, no-KYC, non-custodial instant swap service (fixed or floating rates).

• Supports Tron heavily (along with BTC Lightning, ETH, etc.).

• No registration required — users send directly to temporary deposit addresses, and the hot wallet handles payouts instantly.

• It has faced real issues: major hacks in 2024 (~$26M + $3M drained from hot wallets), plus ongoing user complaints about freezing funds for AML checks (some call this “scammy” behavior, though the exchange claims it’s required for tainted coins). Reviews on Trustpilot/BestChange/Bitcointalk are mixed — many positive for speed/privacy, but plenty of frustration over holds or past security problems. It’s still operating openly in 2026.

Why it shows up in scam casesScammers and wallet drainers frequently route stolen funds into this exact wallet to quickly swap/launder them anonymously (no KYC, fast Tron swaps, then out to clean BTC/ETH or other chains). Examples from public reports and X:

• Klever wallet drains (2023–2025) — stolen TRX/USDT → this address on FixedFloat.

• Various Chinese/Russian/Italian scam groups (e.g., MDF scam flows in 2022, recent USDT thefts) — funds hop through drainer wallets then land here before being swapped out.

• One recent X mention tied it to a specific scam group (

  @sunyuchentron

  ) sending ~48k USDT here.

If someone drained or tricked you into sending crypto, this wallet isn’t the scammer’s personal address — it’s just the cash-out point used by their automated bot/script. The real thief is upstream (the drainer address or phishing site), and by the time funds hit FixedFloat they’re usually already swapped and gone within minutes.

We cant seem to figure out how they got into the wallet. The only thing i can figure is when APENFT switched to AINFT.com i screwed up and went to ainft.io the site looked the same and i connected the wallet which gave them access to the account. If anyone knows where i can submit info to atleast get this wallet flagged with tron dao please let me know

The TRX is still sitting in this wallet. They robbed our company of 40K TRX.

I was able to find report button on Tronscan. I have reported the wallet.

@SimbadMarino could be of help?

Short Incident Summary — TRON Wallet Takeover / CORA Theft

Victim wallet: ⁠ TRw1CTQLrcV1busCv3wjs7TnGBMvbRPd8J
Stolen token: CORA (⁠ TPKQHydsnBJFpBVGrqup9Zr6BC4pa68Mx2 ⁠)
Incident type: Unauthorized ⁠ AccountPermissionUpdateContract ⁠ takeover

Key facts

•⁠ ⁠The wallet was hijacked via permission update, after which control was reassigned to:
•⁠ ⁠⁠ TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft ⁠
•⁠ ⁠Takeover tx:
⁠ 4ebb58733baf9f60c467e41a7093139410da52ec07ae8be35fc014875a9dedc4 ⁠

•⁠ ⁠Shortly after takeover, the attacker moved out:
•⁠ ⁠22,007,392.88580482 CORA
•⁠ ⁠Main theft tx:
⁠ 2d3b1c284d7489a29e517fe49dba253141623870c4bea4804017c9f1e2af9a87 ⁠

Fee-funding link

The attacker-controlled wallet ⁠ TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft ⁠ funded the victim wallet with TRX for fees immediately around the takeover:
•⁠ ⁠⁠ 396cc6439652782af4c979a82cd574c425647d1ecd723362d95145a56649656e ⁠ → 110 TRX
•⁠ ⁠⁠ ff32f871a704b2868a8b8228c9cbafc967a1f55f14206627e912c70831fffc4b ⁠ → 30 TRX

This directly links ⁠ TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft ⁠ to the execution of the attack.

What happened to the stolen funds

•⁠ ⁠The stolen CORA was transferred to:
•⁠ ⁠⁠ TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft ⁠
•⁠ ⁠Then approved and swapped through:
•⁠ ⁠Spender: ⁠ TTJxU3P8rHycAyFY4kVtGNfmnMH4ezcuM9 ⁠
•⁠ ⁠SunSwap Universal Router: ⁠ TSJEtPuqHpvSaVnSwvCsngaeBxrGUzp95Q ⁠
•⁠ ⁠Likely CORA/TRX pool path: ⁠ TXZ5aYqEuzoLdi22jXR4ysonytXXDyuW8Y ⁠
•⁠ ⁠The stolen CORA was liquidated into approximately:
•⁠ ⁠39,748.710395 TRX

Main suspect / primary attacker wallet

•⁠ ⁠⁠ TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft ⁠

This wallet should be treated as the main attacker-controlled wallet because it:
•⁠ ⁠received control over the victim wallet
•⁠ ⁠funded the victim with TRX for fees
•⁠ ⁠received the stolen CORA
•⁠ ⁠executed the approval and swap flow

Other relevant downstream wallets to investigate

•⁠ ⁠⁠ TG6t3KgCtXeEVFq6XbcZVnjsnoBY9bt87B ⁠
•⁠ ⁠⁠ TSEYQDJzEmq98S5NSv7MzG9iocp7dPF4D2 ⁠
•⁠ ⁠⁠ TSNxqaAxjCZGtM6Y2thR8RZ8ufXAyxU8Uq ⁠

Recommended next step

Trace all outbound movements from:
•⁠ ⁠⁠ TLTiM73AvVAS5x3ndmdWDfwp7yTZ2zTdft ⁠

with priority on:
•⁠ ⁠conversion into USDT
•⁠ ⁠transfers to downstream wallets
•⁠ ⁠any eventual touch to ChangeNow, FixedFloat, or exchange deposit addresses

Generated by AutoTracer Agent. Upvote our project here:

ahh this good detail here, but any hope to recover funds?

I doubt ill get any help. I never got a email back from tron DAO. I did get email back from fixed float they are flagging the account. Wish Tron had a team for stuff like this and would reply as fast as fixfloat did.

Hi @AInsure_CORA , the best is to proceed like you already did by contacting the exchange / custodial service, they are the right entity to get support from. Im sorry for your loss

Almost all the funds are still in the tron wallet. Tron should have better support for fraud on chain if the scammer holds the funds inside the wallet they used to scam. I get its blockchain and is what it is but i also know justin sun is very active about stopping fraud and post alot about the USDT fraud they have been stopping. The exchange cant do anything other than block the wallet when the funds are still in the tron wallet they used to scam.

NVM 20 hours ago they moved 20K TRX to here TSFj88GePbNrKCivv3UgKQVYZf8fe9E9TC then sold on fixfloat and then another 19k here and sold TAD4fX1PQPErhc6WowTzU6iLpZvUwbqjuP… Pretty crazy what these scammers get away with on chian.

The scammer kept the funds in his wallet for over 72hours if there was a way to report and get quick service i feel like stuff like this could be stopped on chain when the scammer is a retard and keeps stolen funds in a wallet for that long.

I cant find button “new topic”. Yesterday i import wallet in new chrome and didn’t anything more, now i see this in my address and all mystake is unstaking.

Transaction Type: Update Account Permissions

The current account’s “Owner Permission” is authorized to: “new address”

The current account’s “Active Permission” is authorized to: “new address” View Account Permission

So what’s happen with my account, is it safe??? and what’s can i do now.

Thank you

Are you saying you imported wallet and now when you go to tronscan you see a new address that has control of your account with multi sig?

if i understand correctly I would say someone hacked your wallet and changed permission and gave control to their own wallet. What is the wallet address?