Hacker Swaps $42.5 Million via THORChain After Coinbase Data Breach

The hacker responsible for the Coinbase data breach has taunted blockchain investigator ZachXBT with an onchain message following a significant cryptocurrency swap. On May 21, the hacker, who had previously stolen data from at least 69,400 Coinbase users, used Ethereum transaction input data to convey a message reading “L bozo,” accompanied by a meme video featuring former NBA player James Worthy smoking a cigar. This message surfaced after the attacker swapped approximately $42.5 million from Bitcoin to Ether via THORChain.

ZachXBT, a prominent blockchain investigator, flagged the message on his Telegram channel, linking it to the same entity responsible for the Coinbase data breach. The hacker's actions have drawn attention to the ongoing investigation and the potential vulnerabilities within the cryptocurrency exchange's security measures.

Following the initial swap, the hacker continued to move funds. On May 22, blockchain security firm PeckShield reported that the hacker had swapped 8,697 ETH for 22 million Dai. A separate but closely linked address, which received 9,081 ETH via THORChain, also converted the assets into 23 million DAI. These transactions highlight the hacker's efforts to launder the stolen funds and evade detection.

The Coinbase data breach, which occurred in December 2024 and was discovered on May 11, has had significant repercussions. The stolen data includes names, home addresses, and other personal information of Coinbase users. Following the disclosure, the attackers demanded a $20 million ransom in Bitcoin to prevent the release of the stolen data. Coinbase refused the ransom demand and instead offered a $20 million bounty for information leading to the identification of the hackers. The company estimates a potential financial impact between $180 million and $400 million due to remediation costs and customer compensation.

In response to the breach, Coinbase has faced a wave of lawsuits. At least six legal complaints were filed between May 15 and 16, with plaintiffs accusing the exchange of failing to implement adequate security measures and mishandling its response to the breach. The legal actions underscore the severity of the data breach and the potential risks faced by Coinbase users.

The hacker's use of THORChain to swap $42.5 million worth of Bitcoin into Ether has also brought the protocol under scrutiny. THORChain has faced growing criticism over its role in facilitating illicit transactions. In March, the platform came under fire after its swap volume surged following the $1.4 billion Bybit hack. Blockchain security firms identified North Korea’s Lazarus Group as the main suspect, using THORChain to launder a significant portion of the stolen funds. The controversy intensified when a THORChain developer, known as “Pluto,” resigned after a vote to block transactions linked to Lazarus was overturned. These developments raise questions about the security and oversight of decentralized finance protocols and their potential misuse by criminal entities.