Hacker swapped $42.5M in Bitcoin for Ethereum using THORChain.
Onchain message "L bozo" targeted investigator ZachXBT.
Breach compromised data of 69,461 Coinbase users.
Hacker converted 17,778 ETH to $45.48M in DAI.
Coinbase offered $20M bounty to catch the perpetrator.
A hacker behind a major Coinbase data breach swapped $42.5 million in Bitcoin for Ethereum through THORChain and publicly taunted blockchain investigator ZachXBT with an onchain message. The breach, which exposed sensitive information of 69,461 users, has drawn attention to vulnerabilities in cryptocurrency platforms.
On May 21, the hacker used Ethereum transaction input data to write “L bozo” and linked to a meme video of NBA player James Worthy smoking a cigar. This followed the conversion of 1,101 Bitcoin, valued at $42.5 million, into Ethereum via THORChain, a decentralized cross-chain protocol. The move was an apparent attempt to launder stolen funds.
The breach, first reported in December 2024, involved bribed customer support agents granting unauthorized access to Coinbase’s internal systems. Hackers obtained names, addresses, phone numbers, emails, and, in some cases, government IDs of nearly 70,000 users. Coinbase has estimated potential losses between $180 million and $400 million, including user compensation and legal fees.
Funds on the Move
The hacker continued moving assets after the initial swap. On May 22, blockchain security firm PeckShield reported that 8,697 ETH, worth $22.6 million, was exchanged for 22 million DAI, a stablecoin pegged to the U.S. dollar. A related address, which received 9,081 ETH via THORChain, converted those assets into 23 million DAI. Another transaction involved 8,569 ETH, valued at $22.4 million, also swapped through THORChain.
THORChain’s role in these transactions has sparked debate. The protocol enables anonymous cross-chain swaps without centralized exchanges, which often enforce Know Your Customer and Anti-Money Laundering regulations. This has made it a target for scrutiny, with reports linking it to illicit activities, including by North Korea’s Lazarus Group. The platform’s design complicates efforts to trace and recover stolen funds.
Coinbase refused the hacker’s $20 million ransom demand, opting instead to offer a $20 million bounty for information leading to the perpetrator’s arrest. The company has pledged to reimburse affected users and is overhauling its security systems. The wallet tied to the hacker, labeled “Fake_Phishing1158790” on Etherscan, remains active, with ongoing transfers raising concerns about further laundering.
Taunting the Tracker
ZachXBT, known for exposing crypto scams, shared details of the hacker’s actions on his Telegram channel, Investigations. The onchain taunt, calling him a “loser” in slang, underscores the hacker’s boldness. The message and meme video were embedded in a transaction, a public jab at the investigator’s efforts to track the stolen funds.
The hacker’s actions have intensified focus on THORChain’s vulnerabilities. Decentralized protocols offer privacy but can enable illicit transactions, challenging law enforcement and investigators. The Coinbase breach has already cost users over $300 million, with the hacker’s continued activity signaling confidence in evading capture.
Coinbase’s response includes firing all involved employees and contractors, primarily overseas support agents. The company is also facing lawsuits and growing pressure to address security gaps. The breach highlights the risks of centralized platforms relying on third-party support, a vulnerability exploited through social engineering.
The hacker’s use of THORChain and public taunting of ZachXBT mark a brazen escalation in the ongoing saga. As funds continue to move, the crypto community watches closely, with implications for platform security and decentralized protocols under scrutiny.