Coinbase Data Breach Hacker Launders $42.5 Miilion BTC to ETH via THORChain, Cashes Out $44.94 Million DAI

On May 22, 2025, blockchain investigator ZachXBT revealed that an address linked to a hacker who stole sensitive user data from Coinbase sent a taunting on-chain message, including a video link titled "James Worthy Smoking that Pack." The address, tied to funds exceeding $300 million stolen from Coinbase users, converted over $42.5 million in Bitcoin (BTC) to Ethereum (ETH) via the cross-chain protocol THORChain. According to on-chain analyst @EmberCN, the hacker then sold 17,778.7 ETH for approximately $44.94 million in DAI, at an average price of $2,528 per ETH, as of the latest reports.

Coinbase Data Breach: A Social Engineering Attack

The incident traces back to a significant data breach disclosed by Coinbase on May 15, 2025, which exposed sensitive information of 69,461 users, including names, addresses, phone numbers, government-issued ID images, and account details. The breach, initiated in January 2025, involved cybercriminals bribing customer support agents and contractors based in India to access user data through social engineering tactics. On May 11, Coinbase received an anonymous email demanding a $20 million Bitcoin ransom to prevent the data’s release. The exchange rejected the demand and instead offered a $20 million bounty for information leading to the identification and arrest of the perpetrators.

On May 19, the U.S. Department of Justice (DOJ) launched an investigation into the breach, with criminal investigators now involved. The probe aims to uncover the full scope of the attack and identify those responsible. Coinbase has stated it is cooperating fully with authorities while working to notify and support affected users. The breach has raised concerns about the security of centralized exchanges and the vulnerabilities in outsourced customer support operations.

THORChain’s Role in Illicit Fund Transfers

The hacker’s use of THORChain to convert BTC to ETH and subsequently to DAI highlights the protocol’s recurring role in laundering illicit funds. @EmberCN noted that THORChain is frequently used for cross-chain swaps of “less clean” funds, pointing to a prior incident where hackers laundered $1.39 billion in ETH stolen from Bybit in February 2025. Between February and March, THORChain processed over $5.4 billion in transaction volume, generating over $5 million in fees, largely tied to the Bybit hack. The protocol’s pseudonymous nature and cross-chain capabilities make it attractive for such activities, though it has faced scrutiny. In late February, a THORChain developer exited the project after a vote to block funds linked to North Korean hackers was overturned.

Implications for Coinbase and the Industry

The Coinbase breach and subsequent fund laundering highlight ongoing challenges in the crypto industry, particularly around centralized exchange security and the exploitation of cross-chain protocols. Coinbase’s refusal to pay the ransom and its cooperation with the DOJ signal a firm stance against cybercriminals, but the incident may impact user trust. The exchange is now facing a potential class-action lawsuit under the Illinois Biometric Information Privacy Act (BIPA) for mishandling biometric data, adding legal pressure.

As the DOJ investigation progresses, the crypto community awaits further developments on whether the perpetrators will be identified and the stolen funds recovered. The incident serves as a reminder for exchanges to strengthen internal security and vetting processes for third-party contractors.