Coinbase Hacker Launders $45 Million In Stolen ETH, Openly Mocks Sleuth ZachXBT

2025-05-22

The hacker responsible for one of the largest breaches in crypto exchange Coinbase’s history has begun laundering stolen funds and is openly mocking investigators while doing so.

Coinbase Hacker Launders $45 Million In Stolen ETH, Openly Mocks Sleuth ZachXBT

The hacker responsible for one of the largest breaches in crypto exchange Coinbase’s history has begun laundering stolen funds and is openly mocking investigators while doing so.

According to blockchain analytics platform Spot On Chain, the threat actor sold 17,778 ETH, worth approximately $45.48 million and converted to DAI stablecoins at an average price of $2,558 per ETH. The transactions reportedly zipped through three newly created wallets over just four hours.

Critically, the hacker leaned on THORChain, a decentralized liquidity protocol, to handle the laundering. THORChain is known for enabling cross-chain swaps, a go-to tool for those looking to muddy the waters and obscure the trail of illicit funds.

Not stopping there, the hacker performed a . One of the wallets spent 536,000 DAI to repurchase 207.17 ETH at a higher average price of $2,587, a move that suggests either calculated positioning or an intent to stir further confusion in tracking efforts.

But what stands out most in this unfolding cyber-heist drama is the hacker’s taunt of one of the crypto community’s most respected on-chain sleuths, ZachXBT.

On Wednesday evening, the threat actor sent an Ethereum transaction embedded with a mock message directed at ZachXBT.

The message stated a dismissive slang phrase, “L bozo”, implying that the investigator had taken a loss. The message also included a link to a YouTube video showing NBA legend James Worthy smoking a cigar–a visual metaphor for celebration and ridicule.

The taunt was via the Investigations Telegram channel, where he confirmed that the threat actor is the same individual or group behind the massive data breach targeting Coinbase users.

According to data from Etherscan, the same wallet (tagged as “Fake_Phishing1158790”) moved 8,698 ETH, worth over $22.6 million, shortly after sending the provocative message.

The saga began with a data breach affecting at least 69,400 Coinbase customers. Discovered on May 11, the breach reportedly stems from a vulnerability exploited in December of the previous year.

In response to Coinbase’s refusal to pay a $20 million ransom in Bitcoin, the hacker has escalated both technical maneuvers and psychological warfare. On the other hand, Coinbase countered with its own $20 million bounty, aiming to incentivize whistleblowers or informants to aid in the arrest of the perpetrator(s).