BlueMove’s $500K SUI loss raises insider job suspicions

Around $500,000 worth of $SUI tokens was drained from BlueMove DEX’s locked pools last weekend, leading users to speculate that the incident may have been an inside job.
Quantum Void Labs founder, Tyler Simpson, shared screenshots last Saturday appearing to show over 700,000 $SUI tokens being drained from the locked liquidity pools provided by BlueMove.
Simpson initially accused the platform of draining its locked liquidity pools, and implied its alleged actions were “crime.” However, he later noted that the firm was exploited.
The next day, he claimed that BlueMove had “shipped the backdoor themselves” after it implemented a package on May 31 that laid the groundwork for the exploit.
He said it added immutable functions like “add_liquidity_returns,” and “double-mint LP inflation” before, over 40 days later, the exploit began.
BlueMove team shipped the backdoor themselves.
They upgraded the package on May 31 (by the upgrade cap holder):https://t.co/t0smmnd8LO
Earlier same day: https://t.co/nHlXz1NNcF
v12 added add_liquidity_returns + double-mint LP inflation. Package made immutable immediately… pic.twitter.com/CB2wFyNLCn
— Tyler Simpson (@quantumvoidlabs) July 12, 2026
Because of this, Simpson has described the draining event as a “delayed rug pull.”
BlueMove says it will compensate users
BlueMove disagrees. It claims on its website that it was the fault of an attacker exploiting “a long-standing arithmetic overflow bug in BlueMove’s legacy AMM contract to drain liquidity from 389 pools.”
The bug has reportedly been visible since at least 2023, with BlueMove explaining that an upgrade overlooking the bug was partly responsible for the exploit as it prevented any further patches.
It claims that “because the UpgradeCap was burned on June 3, BlueMove currently has no on-chain path left to patch or disable the vulnerable v1 package.”
BlueMove added that a fix would now require “an independent admin/freeze capability (if one exists outside the UpgradeCap) or a full migration to a new, audited package.”

At the time of writing, BlueMove said the attacker has just over 12 hours to respond to its bounty.
BlueMove also sent a message to a crypto address in an attempt to contact the hacker and strike a white hat bounty deal with them.
It says, “You drained the BlueMove DEX pool (~$400k). Keep 30% as a white hat bounty and return 70% within 48h to our Sui address.”
BlueMove added, “If returned, we will consider the matter resolved. Otherwise, we will pursue all available legal and recovery actions.”
That’s around $150,000 for the hacker (as long as the price of 700,000 $SUI remains roughly $500,000).
BlueMove also claims it will compensate all affected users if it doesn’t receive a response from the hacker in the next 48 hours, adding that the project will shut down going forward.
The company’s operation’s remain suspended as it continues to investigate what happened.
A $SUI Network spokesperson responded “no comment” when Protos asked it about the draining event and the recovery of funds.