Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Analyze » 0x » MAKCOW0X1769425866

Incident Score: Analysis & Impact (MAKCOW0X1769425866)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-42
Company Score Before Incident754 / 1000
Company Score After Incident712 / 1000
Company LinkView 0x Profile
INCIDENT NUMBERMAKCOW0X1769425866
Type of Cyber IncidentCyber Attack
ATTACK VECTORToken approval exploitation
DATA EXPOSEDNA
INCIDENT DATE15/06/2025
STATUSOngoing

Key Highlights From The Incident Analysis

  • Timeline of 0x's Cyber Attack and lateral movement inside company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts 0x Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the 0x breach identified under incident ID MAKCOW0X1769425866.

The analysis begins with a detailed overview of 0x's information like the linkedin page: https://www.linkedin.com/company/0x, the number of followers: 9550, the industry type: Software Development and the number of employees: 344 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 754 and after the incident was 712 with a difference of -42 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on 0x and their customers.

On 25 January 2026, Matcha Meta disclosed Security Breach issues under the banner "Matcha Meta Suffers $16.8M Exploit via SwapNet Security Breach".

Matcha Meta, a swap and bridge aggregation platform built by 0x, confirmed a $16.8 million loss in digital assets due to a security breach in SwapNet, an external aggregator integrated into its interface.

The disruption is felt across the environment, affecting SwapNet aggregator, Matcha Meta platform, plus an estimated financial loss of $16.8 million.

In response, moved swiftly to contain the threat with measures like Disabled direct allowance settings for aggregators, and began remediation that includes Urged users to revoke existing permissions on SwapNet’s router contract, and stakeholders are being briefed through Public disclosure and user advisories.

The case underscores how Ongoing, teams are taking away lessons such as Unlimited token allowances pose significant security risks; One-Time Approval systems are more secure, and recommending next steps like Users should revoke unnecessary token permissions and enable One-Time Approvals. Platforms should disable direct allowance settings for third-party aggregators, with advisories going out to stakeholders covering Users advised to revoke SwapNet permissions and enable One-Time Approvals.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with lower confidence (30%), supported by evidence indicating users...granted direct token permissions to SwapNet and Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.002) with moderate confidence (50%), supported by evidence indicating external aggregator integrated into its interface. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Private Keys (T1552.004) with high confidence (90%), supported by evidence indicating exploited token approvals to drain funds...unlimited token allowances and Multi-Factor Authentication Interception (T1111) with lower confidence (40%), supported by evidence indicating users who had disabled Matcha Meta’s One-Time Approvals feature. Under the Lateral Movement tactic, the analysis identified Use Alternate Authentication Material: Pass the Hash (T1550.002) with moderate to high confidence (70%), supported by evidence indicating attacker...moved funds without user signatures once permissions were granted. Under the Collection tactic, the analysis identified Data from Information Repositories: Sharepoint (T1213.002) with lower confidence (30%), supported by evidence indicating digital assets (USDC, ETH) compromised. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating bridging the assets to the Ethereum mainnet to obscure transaction trails and Automated Exfiltration (T1020) with moderate to high confidence (80%), supported by evidence indicating swapping 10.5 million USDC...for 3,655 ETH before bridging. Under the Defense Evasion tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (80%), supported by evidence indicating exploited token approvals...without user signatures once permissions were granted and Hide Artifacts: Hidden Window (T1564.003) with moderate confidence (60%), supported by evidence indicating obscure transaction trails. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (20%), supported by evidence indicating $16.8 million loss in digital assets and Financial Theft (T1657) with high confidence (100%), supported by evidence indicating $16.8M drained...attacker exploited token approvals to drain funds. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
Phishing: Spearphishing Link (30%)
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (50%)
Credential Access
Unsecured Credentials: Private Keys (90%)
Multi-Factor Authentication Interception (40%)
Lateral Movement
Use Alternate Authentication Material: Pass the Hash (70%)
Collection
Data from Information Repositories: Sharepoint (30%)
Exfiltration
Exfiltration Over C2 Channel (90%)
Automated Exfiltration (80%)
Defense Evasion
Valid Accounts: Cloud Accounts (80%)
Hide Artifacts: Hidden Window (60%)
Impact
Data Encrypted for Impact (20%)
Financial Theft (100%)