- Coinbase hacker uses Thorchain for a $42.5M BTC-to-ETH cross-chain swap.
- Decentralized protocol Thorchain identified as a key tool in the Coinbase hacker’s fund laundering.
- PeckShield reports the Coinbase hacker utilized Thorchain in converting stolen crypto to DAI.
The hacker tied to a significant data breach at Coinbase has reappeared on-chain, kicking off large-scale crypto swaps and dispatching threatening messages aimed squarely at blockchain investigator ZachXBT. The attacker, who managed to compromise sensitive data belonging to over 69,000 Coinbase users, has now funneled tens of millions in digital assets across different chains, in a renewed and bold display of control over the stolen funds.
Fresh activity flared up on May 21, when the attacker tapped Thorchain, a decentralized protocol known for facilitating cross-chain swaps. They used it to exchange an estimated $42.5 million worth of Bitcoin (BTC) for Ethereum (ETH). Blockchain data clearly shows these transactions bypassed intermediaries, highlighting the hacker’s use of unapproved, decentralized protocols to launder substantial amounts of crypto.
Shortly after completing the BTC to ETH swap, the hacker took things a step further by embedding a message in an Ethereum transaction pointed directly at blockchain analyst ZachXBT. The on-chain message contained the dismissive slang phrase “L bozo” and included a link to a meme video featuring NBA legend James Worthy, clearly intended as a taunt. ZachXBT later flagged this transaction on his Telegram channel, connecting it to the same address implicated in the original Coinbase data breach.
Millions More in ETH Converted to DAI Stablecoin, PeckShield Reports
The illicit fund movements didn’t stop there. On May 22, blockchain security firm PeckShield identified further transactions involving the same attacker. According to PeckShield’s findings, the hacker swapped 8,697 ETH, valued at approximately $22 million, for DAI, a U.S. dollar-pegged stablecoin.
In a closely related move, an address that had previously received 9,081 ETH via Thorchain also converted its entire holdings into 23 million DAI. Both of these large transactions occurred in quick succession and utilized different but connected wallet addresses.
Renewed Activity Follows Major Coinbase Data Breach, Extortion Attempt
The original data breach at Coinbase occurred back in December 2024 but was only publicly disclosed on May 11, 2025. It targeted user data including names and home addresses, with details of the incident reported in a filing with the Maine Attorney General’s office. At the time, Coinbase stated that the attackers appeared to be building a database of targets for social engineering schemes rather than directly draining user funds from their accounts.
In response to the breach and a subsequent $20 million extortion demand from the attackers, Coinbase flatly refused to pay. Instead, the company issued its own $20 million bounty, offering a reward for information that could lead to the identification and prosecution of those responsible for the data breach. The hacker’s latest on-chain maneuvers and taunts indicate they remain undeterred.