
Hacker Behind CoinStats Breach Funnels Nearly $1 Million to Tornado Cash
Two wallets associated with the CoinStats breach have transferred 311 ETH (~$959,000) to the mixer Tornado Cash. These transactions were recorded by CertiK.
Two wallets linked to EOA 0xb48b, labeled CoinStats Exploiter 31, have deposited a combined 311 ETH (~$960k) to @TornadoCash
EOA 0xe0994eD541e6E6dc053Fd9eB03A32f3d9A9876C6 still holds 221 ETH pic.twitter.com/amrsTvOSTn
— CertiK Alert (@CertiKAlert) July 9, 2024
On June 22, the project team reported a cyberattack affecting 1,590 cryptocurrency wallets hosted on the platform (1.3% of the total). The damage amounted to $2 million.
The company shared a list of compromised addresses, which was later found to be incomplete. However, the exploit did not affect users’ externally connected wallets or accounts on centralized exchanges.
The perpetrators attempted to exploit the CoinStats breach to promote fake refund programs.
On June 26, CoinStats CEO Narek Gevorkyan revealed some details of the investigation. According to him, evidence indicates that a company employee was deceived into downloading malware onto a work computer.
On June 28, six days after the incident, the team restored the service’s functionality and announced compensation for those affected.
Later, CoinStats stated it would optimize its transaction database and migrate to a different platform to enhance efficiency and reliability. The service’s representatives promised to strengthen systems with updates and audits.
Quick updates! Currently, we’re focused on:
— Optimizing our transaction database and migrating to a more robust platform for improved efficiency and reliability.
— Enhancing our security systems with upgrades and audits to ensure top-notch data protection.
— CoinStats (@CoinStats) June 30, 2024
On July 3, CoinStats informed users of the restoration of the platform’s full functionality.
All functionalities on CoinStats are now fully recovered and functional.
Thank you for your patience and support!
— CoinStats (@CoinStats) July 3, 2024
On July 5, service representatives reported that they continue to investigate the incident and are taking measures to protect the new infrastructure. The team will soon provide additional information, including support measures for affected clients.
We are still investigating the security incident on June 22 and taking rapid and committed actions to ensure the security of our new infrastructure.
We are working hard to share additional information as soon as we can, including measures to support any victims.
Again, thank…
— CoinStats (@CoinStats) July 4, 2024
On July 10, Cyvers experts detected the transfer of funds stolen in the July 2023 Curve Finance hack to Tornado Cash.
Blockchain explorer data indicates the service received 1,500 ETH (~$4.67 million).
ALERT @CurveFinance has suffered a security breach on Jul-2023 at https://t.co/lPQnlNhMwF
The exploiter has started depositing funds to @TornadoCash, with over 400 $ETH $1.2M at https://t.co/0P0JnHq6Mp
Discover how @Cyvers_'s address reputation product can help you detect… pic.twitter.com/v8rSV6Jr7o
— Cyvers Alerts (@CyversAlerts) July 10, 2024
In June, CertiK specialists recorded the transfer of 1,209.5 ETH (~$4.3 million) stolen from the Remilia DAO treasury to Tornado Cash.