Multichain aggregator KyberSwap appeared to have been exploited late on Wednesday night, with multiple users reporting that millions of dollars worth of crypto was drained from the platform.

In an X post, the KyberSwap team notified users that it had suffered a “security incident” and urged users to withdraw their funds as a precautionary measure.

“KyberSwap’s aggregator is not impacted and is operating fully as normal,” the team said in a follow up post.

According to Debank data, $48 million has been stolen so far, of which $20 million was in wrapped Ether (wETH) and $7 million was in Lido’s staked Ether (stETH) tokens.

Blockchain sleuth “@spreekaway” noted that the exploit took place on all chains, with $7.5 million on mainnet, $315,000 on Base, $15 million on Optimism, $2 million on Polygon and $20 million on Arbitrum. 

According to Spreek, the exploit was not an approval-based issue, but rather the Total Value Locked (TVL) held in Kyber’s liquidity pools. Data from DeFiLlama shows that Kyber’s TVL dropped 83% over the last few hours from $84 million to $14 million at the time of writing.

Spreek also highlighted a blockchain transaction with a message embedded from the hacker to Kyber’s developers, employees, DAO and liquidity providers that read “negotiations will start in a few hours when I am fully rested.”

The Kyber team appeared to have replied to the hacker with their own message, asking “how is Ontario this time of year,” likely implying that they traced the attacker’s IP address.