Hacker Steals $15.97 Million from Coinbase Commerce


In April 2024, an account belonging to an unnamed merchant on Coinbase Commerce executed a series of suspicious USDC transactions totaling $15.97 million. According to online sleuth ZachXBT, the funds were stolen by a hacker.

The investigation revealed that the money was withdrawn over 16 hours through more than 1700 transactions, each under $10,000, likely to evade the exchange’s AML system.

Part of the list of suspicious transactions. Data: ZachXBT.

Initially, the USDC was moved to the Polygon platform, then to Ethereum. There, the assets were converted into ETH and split across three addresses.

Scheme of the distribution of stolen funds. Data: ZachXBT.

Most of the coins have remained inactive since, although some were moved to the eXch automated exchange and the Stake protocol.

ZachXBT discovered that within a month of the attack, the hacker began flaunting their wealth on social media. In a private Telegram conversation, the hacker confirmed control over an address holding $6 million of the stolen amount.

The hacker also claimed ownership of an Instagram account with the alias Excite and unsuccessfully attempted to buy a Telegram account with the same name for $2000.

Among other things, the profile owner identified by the investigator showcased expensive watches and pet monkeys.

Based on open-source intelligence, ZachXBT concluded that the hacker is located in Denmark.

Several commentators noted a post that allegedly shows the hacker’s face.

It is suspected that the hacker had accomplices. The detective stated that he has sufficient evidence to hold the perpetrators accountable.

The victim’s identity remains unknown. The platform has not disclosed details of the incident.

The investigator and social media commentators expressed surprise that Coinbase’s security system did not detect or prevent the attack.

“I have a question: why didn’t Coinbase’s AML monitoring system detect this suspicious activity over 16 hours?” concluded ZachXBT.

Some pointed out that the platform applies different standards to private and corporate clients, not restricting transactions of large accounts to avoid inconvenience.

“While Coinbase AML is very quick to freeze funds on personal $10k accounts upon withdrawal, they, of course, don’t apply the same thoroughness to large corporate accounts due to the risk of losing them,” wrote one user on X.

Another commentator found it comical that Coinbase’s security system could be bypassed by making several small transactions.

“It’s no secret that $10,000 is the threshold for extra scrutiny. But it’s quite amusing how, of all places, [Coinbase] didn’t improve their system to flag patterns for total amounts to detect sub-$10,000 transfers, like several $9,000 ones. Great job, as always,” noted a commentator.
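
The aggregation check the commentators describe, sketched as an added example (not Coinbase's code and not part of the investigation): a per-account rolling window that sums transfers below the $10,000 threshold and alerts once the total passes a limit. The window length, aggregate limit, minimum count, account names and sample data are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000      # per-transfer scrutiny threshold named in the article
WINDOW = timedelta(hours=24)   # assumed look-back window
AGGREGATE_LIMIT = 50_000       # assumed cap on the windowed sub-threshold total
MIN_COUNT = 5                  # assumed minimum number of transfers before alerting


def detect_structuring(transfers):
    """Return {account: first alert} for accounts whose sub-threshold
    transfers sum past AGGREGATE_LIMIT within WINDOW.

    transfers: iterable of (timestamp, account, amount_usd), sorted by time.
    """
    windows = {}  # account -> deque of (timestamp, amount) inside the window
    totals = {}   # account -> running sum of that deque
    alerts = {}
    for ts, account, amount in transfers:
        if amount >= REPORT_THRESHOLD:
            continue  # left to the ordinary per-transfer rule
        win = windows.setdefault(account, deque())
        win.append((ts, amount))
        totals[account] = totals.get(account, 0) + amount
        # Drop transfers that have aged out of the look-back window.
        while ts - win[0][0] > WINDOW:
            totals[account] -= win.popleft()[1]
        if (account not in alerts and len(win) >= MIN_COUNT
                and totals[account] > AGGREGATE_LIMIT):
            alerts[account] = {"at": ts, "count": len(win), "total": totals[account]}
    return alerts


def constructed_sample():
    """Constructed data shaped like the article's figures; not real records."""
    start = datetime(2024, 4, 1)  # day of month is arbitrary
    # 1700 transfers of $9,394 about 34 seconds apart (roughly 16 hours).
    burst = [(start + timedelta(seconds=34 * i), "merchant-A", 9_394) for i in range(1700)]
    # A second merchant making one $9,000 payout per day for ten days.
    steady = [(start + timedelta(days=i), "merchant-B", 9_000) for i in range(10)]
    return sorted(burst + steady)


if __name__ == "__main__":
    for account, alert in detect_structuring(constructed_sample()).items():
        print(account, alert)
```

On the constructed data the burst account trips the rule on its sixth transfer, under three minutes in, while the once-a-day merchant never does.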

According to ZachXBT, the investigation is ongoing.

Back on December 9, Coinbase responded to rumors of mass account freezes.
