TLDR
- A hacker who stole over $300 million from Coinbase users has started laundering the funds using decentralized exchanges.
- The attacker converted $42.5 million in Bitcoin to Ethereum via Thorchain, then sold $22M in ETH for stablecoins.
- ZachXBT received a mocking message and meme from the hacker on-chain.
- The December 2024 data breach reportedly affected 69,461 users, with up to $400M in damages.
The cybercriminal responsible for one of the most devastating heists in recent crypto history has begun laundering stolen assets, according to blockchain investigators.
Hacker is Using Thorchain
The attacker, who is believed to have siphoned off more than $300 million from Coinbase users through a series of exploits and social engineering attacks, has now started converting portions of the loot using decentralized finance (DeFi) tools.
On-chain analyst and crypto sleuth ZachXBT reported that the attacker recently swapped $42.5 million worth of Bitcoin into Ethereum through Thorchain, a cross-chain decentralized exchange known for its privacy features. The move is widely interpreted as the attacker’s first attempt to obscure the origins of the stolen funds and make them more difficult to trace.
On-Chain Mockery Aimed at Investigators
Adding insult to injury, the attacker left a mocking on-chain message for ZachXBT, saying “L bozo,” a slang phrase used online to imply ridicule or gloating over someone’s failure. The taunt was accompanied by a YouTube meme clip of NBA Hall of Famer James Worthy exhaling cigar smoke in triumph, a symbolic “checkmate” gesture aimed squarely at blockchain investigators and law enforcement.
ZachXBT, who has been vocal in tracking fraudulent activity on the Coinbase platform, took the message as a personal jab. Over the past several months, he has documented multiple instances of customer asset theft on Coinbase, including a $45 million breach earlier this month that relied on social engineering tactics. According to his estimates, users of the exchange have collectively lost over $300 million to scams and hacks in 2025 alone.
Coinbase itself confirmed part of the attack timeline last week. On May 15, the exchange disclosed that a December 2024 breach exposed sensitive data of over 69,000 users. The breach reportedly stemmed from the bribery of overseas customer support agents who provided unauthorized access to internal systems. The attacker then demanded a $20 million ransom, threatening to leak the stolen data on the dark web.
Refusing to negotiate, Coinbase responded by setting up a $20 million bounty fund for information leading to the capture of the perpetrators.
In an apparent escalation, shortly after the ransom demand was rejected, the attacker’s wallet, labeled “Fake_Phishing1158790” by monitoring platforms, converted the newly acquired Ethereum into 8,698 ETH, which was quickly sold for over $22 million in DAI, a stablecoin pegged to the U.S. dollar.
Coinbase’s Image at Risk
Notably, the financial damage to Coinbase is already severe. The company estimated the cost of managing the data leak, securing affected accounts, and compensating users at between $180 million and $400 million. Although the breach reportedly affected fewer than 1% of the platform’s active users, the leaked KYC data, including names, addresses, and emails, raised serious concerns about user safety.
On Tuesday, TechCrunch founder Michael Arrington harshly criticized Coinbase for its delayed response, warning that compromised KYC data could lead to real-world threats against users.