11 Dec 24

Hacker Exploits Coinbase AML System Stealing $15.9M — ZachXBT Report


nft.eu

Prominent crypto analyst and blockchain researcher ZachXBT has released a new investigation into the theft of $15.9 million from a Coinbase Commerce contract in April 2024. The incident occurred on the Polygon network, after which the stolen funds were quickly transferred to Ethereum and split among several addresses. Most intriguingly, the perpetrator later bragged about the stolen funds in Telegram chats.

What the Hack?

On April 21, the Coinbase Commerce contract on Polygon recorded more than 1,700 USDC transactions over 16 hours, totaling nearly $16 million. The funds were then moved to Ethereum, converted into ETH, and distributed among three addresses:

  • 0xd467e8134314d66d685bd3e6da8901b8683028ae
  • 0x42ab2e5b91fcdba8aa00b710ad01a249d5082445
  • 0xa3e083422ee587ff20c91d814baade85856861b6

Funds Distribution. Source: X

Tracing the Attacker

After stealing the funds, the hacker went off the radar. However, in May 2024, a user under the nickname tezedasads12 began openly referencing the stolen funds in Telegram. They also made a 1 DAI transaction to prove ownership of one of the previously mentioned addresses, which held $6 million at the time. The hacker attempted to purchase a unique Telegram username but was rejected.

The individual also claimed to own the Instagram account Excite. When this account later went public, it featured photos of luxury watches. OSINT data suggests the suspect may be located in Denmark.

Posts in Instagram. Source: X

According to ZachXBT, while most of the stolen funds remain untouched, some have been transferred to the eXch and Stake platforms via decentralized exchanges. These transfers were routed through newly created addresses to conceal the source of the funds. One of the addresses also showed a connection to a client linked to “drainers”, malicious toolkits designed to empty a crypto wallet quickly and automatically.

Questions for Coinbase’s Security

Despite clear signs of suspicious activity, Coinbase’s monitoring mechanism failed to detect the problem in time. ZachXBT questions why the company’s Anti-Money Laundering (AML) system did not trigger alerts during the 16-hour window that allowed the thief to withdraw millions.
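The 16-hour window the analyst points at is exactly the kind of gap a simple velocity rule is meant to close. As an added illustration (this is not the article's or Coinbase's code; the thresholds, placeholder contract and recipient addresses, and the sample transfers are all assumptions constructed here), the following Python sketch keeps a per-contract sliding window over outflows and raises one alert the first time either the transfer count or the USD volume inside that window exceeds a limit. The constructed burst is shaped like the one described above: about 1,700 transfers of a few thousand dollars each, adding up to nearly $16 million.

```python
"""Sliding-window velocity monitor for token outflows (added illustrative example)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Transfer:
    ts: int            # block timestamp, unix seconds
    contract: str      # contract the funds left
    to_addr: str       # recipient address
    amount_usd: float  # value in USD (USDC treated as 1:1)


# Thresholds are assumptions for illustration, not any exchange's real rules.
WINDOW_SECONDS = 60 * 60        # one-hour sliding window
MAX_TX_PER_WINDOW = 100         # more outflows than this per hour is anomalous
MAX_USD_PER_WINDOW = 500_000.0  # more value than this per hour is anomalous


def detect_velocity_anomalies(transfers: List[Transfer],
                              window: int = WINDOW_SECONDS,
                              max_count: int = MAX_TX_PER_WINDOW,
                              max_usd: float = MAX_USD_PER_WINDOW) -> List[dict]:
    """Scan transfers in time order; emit one alert per (contract, rule) the first
    time the in-window transfer count or USD volume crosses its threshold."""
    alerts: List[dict] = []
    windows: Dict[str, dict] = {}  # contract -> {"q": deque of (ts, usd), "total": float}
    fired = set()                  # (contract, rule) pairs that already alerted
    for t in sorted(transfers, key=lambda x: x.ts):
        w = windows.setdefault(t.contract, {"q": deque(), "total": 0.0})
        w["q"].append((t.ts, t.amount_usd))
        w["total"] += t.amount_usd
        # Evict entries older than the window so count and total reflect the last hour only.
        while w["q"] and w["q"][0][0] <= t.ts - window:
            _, old_amount = w["q"].popleft()
            w["total"] -= old_amount
        checks = [
            ("tx_count", len(w["q"]), max_count),
            ("usd_volume", w["total"], max_usd),
        ]
        for rule, value, limit in checks:
            if value > limit and (t.contract, rule) not in fired:
                fired.add((t.contract, rule))
                alerts.append({"ts": t.ts, "contract": t.contract,
                               "rule": rule, "value": value, "limit": limit})
    return alerts


CONTRACT = "0xCONTRACT_PLACEHOLDER"  # placeholder, not the real Coinbase Commerce address


def build_sample_transfers() -> List[Transfer]:
    """Constructed data: a quiet baseline (a few small payouts an hour apart) followed
    by a burst of 1,700 transfers 30 s apart, roughly 14 hours and $15.98M in total."""
    baseline = [Transfer(ts=i * 3600, contract=CONTRACT,
                         to_addr=f"0xcustomer{i:02d}", amount_usd=200.0)
                for i in range(5)]
    burst_start = 100_000
    burst = [Transfer(ts=burst_start + i * 30, contract=CONTRACT,
                      to_addr="0xRECIPIENT_PLACEHOLDER", amount_usd=9_400.0)
             for i in range(1_700)]
    return baseline + burst


if __name__ == "__main__":
    for a in detect_velocity_anomalies(build_sample_transfers()):
        print(f"ALERT {a['rule']:<10} at t={a['ts']} value={a['value']:.0f} limit={a['limit']}")
```

With these thresholds the volume rule fires after the 54th burst transfer and the count rule after the 101st, i.e. within the first hour of the burst rather than after 16 hours; the baseline alone produces no alerts. A production rule set would add per-recipient aggregation and a comparison against the contract's own historical rate, but the sliding-window structure is the same.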

At this time, the identity of the victim remains unknown. However, the analyst believes the collected evidence could pave the way for potential legal action. He also suggests that multiple individuals may have been involved, given the division of stolen funds across three addresses.

ZachXBT’s full investigation, including detailed transaction records and the attacker’s actions, is available on his blog.

