Hacker Launders $64.5 Million via Thorchain After Coinbase Breach

Coin World, Thursday, May 22, 2025 2:04 pm ET

The hacker responsible for the Coinbase data breach has resurfaced, conducting large-scale cryptocurrency swaps and sending threatening messages to blockchain investigator ZachXBT. The attacker, who stole sensitive data belonging to over 69,000 Coinbase users, has moved tens of millions in digital assets across different chains, demonstrating control over the stolen funds. On May 21, the hacker used Thorchain, a decentralized protocol for cross-chain swaps, to exchange approximately $42.5 million worth of Bitcoin (BTC) for Ethereum (ETH). This transaction bypassed intermediaries, highlighting the hacker’s use of decentralized protocols to launder substantial amounts of crypto.

Following the BTC to ETH swap, the hacker embedded a message in an Ethereum transaction directed at ZachXBT. The message included the phrase “L bozo” and a link to a meme video featuring NBA legend James Worthy, intended as a taunt. ZachXBT later flagged this transaction on his Telegram channel, connecting it to the same address implicated in the original Coinbase data breach.

On May 22, blockchain security firm PeckShield identified further transactions involving the same attacker. According to PeckShield’s findings, the hacker swapped 8,697 ETH, valued at approximately $22 million, for DAI, a U.S. dollar-pegged stablecoin. An address that had previously received 9,081 ETH via Thorchain also converted its entire holdings into 23 million DAI. Both of these large transactions occurred in quick succession and utilized different but connected wallet addresses.

The original data breach at Coinbase occurred in December 2024 but was only publicly disclosed on May 11, 2025. The breach targeted user data including names and home addresses. Coinbase stated that the attackers appeared to be building a database of targets for social engineering schemes rather than directly draining user funds from their accounts. In response to the breach and a subsequent $20 million extortion demand from the attackers, Coinbase refused to pay and instead issued its own $20 million bounty for information leading to the identification and prosecution of those responsible.

The hacker's choice of Thorchain was strategic. Thorchain is a decentralized, cross-chain liquidity protocol that allows users to swap native assets like Bitcoin and Ethereum directly and quickly without intermediaries or wrapped tokens. Its design revolves around Continuous Liquidity Pools (CLPs), which autonomously facilitate trades in seconds. Crucially, Thorchain does not impose Know Your Customer (KYC) or Anti-Money Laundering (AML) checks, making it an attractive avenue for laundering stolen funds. Transactions finalize rapidly, and validators earn fees from volume, creating little incentive to halt suspicious swaps. This environment poses significant challenges for investigators who rely on centralized platforms to freeze or track illicit funds.

ZachXBT and his team have long been at the forefront of crypto investigations, using advanced techniques such as address clustering and transaction graph analysis to link wallets and trace fund flows. However, Thorchain’s rapid cross-chain swaps and lack of user identification severely limit these methods. The hacker’s wallet, "Fake_Phishing1158790," was tracked from the initial Coinbase breach, but once funds entered Thorchain, following their trail became nearly impossible. Despite these obstacles, ZachXBT’s public warnings have helped alert users to ongoing phishing campaigns exploiting stolen data, highlighting both the promise and the limits of blockchain transparency when faced with sophisticated decentralized protocols.

In response to the breach and subsequent laundering, Coinbase has taken several steps to mitigate the damage. The company committed to reimbursing victims, with estimates ranging from $180 million to $400 million in total costs. Security enhancements include the establishment of U.S.-based support hubs, stricter withdrawal verification, and real-time scam alerts for users. Coinbase also announced a $20 million bounty for information leading to the hacker’s capture, a direct counter to the attacker’s ransom demands. However, the breach has triggered multiple class-action lawsuits accusing Coinbase of negligence and delayed disclosure. The Securities and Exchange Commission (SEC) has also launched an inquiry, particularly scrutinizing the timing of the breach, which occurred just before Coinbase’s entry into the S&P 500. Investor confidence has been shaken, underscoring the broader regulatory and reputational risks facing crypto exchanges.

For cryptocurrency users, the Coinbase hack serves as a stark warning. The stolen data has fueled waves of phishing and credential-stuffing attacks, exploiting reused passwords and weak security setups. Experts emphasize the importance of enabling hardware-based two-factor authentication and being skeptical of unsolicited support requests. Coinbase has reiterated that it will never ask for seed phrases or demand transfers, a critical point to remember amid rising scams. This incident also highlights the need for users to understand the risks of decentralized platforms like Thorchain, where the lack of centralized control can mean stolen funds vanish without recourse.

The Coinbase hack and the subsequent laundering of funds through Thorchain illustrate the complex tension between decentralization and security. While platforms like Thorchain push the boundaries of what is possible in cross-chain finance, they also create new avenues for criminals to exploit. Investigators like ZachXBT are adapting, but the game is evolving rapidly. As regulators tighten scrutiny and exchanges bolster defenses, the crypto community faces a pivotal challenge: how to preserve the innovation and freedom of decentralized finance while ensuring accountability and protecting users from increasingly sophisticated threats. Until that balance is struck, stories like this will continue to unfold in the public eye.
