The attacker responsible for the high-profile May 2025 Coinbase hack is actively maneuvering stolen funds on-chain, converting millions into Ethereum despite ongoing investigations and intensified scrutiny from law enforcement and blockchain analysts.
Attacker Converts Millions to Ethereum in Calculated Moves
Blockchain data shows that the hacker recently purchased 4,863 ETH using $12.5 million worth of DAI, executing the trade at an average price of $2,569 per token.
Analysts confirmed these transactions were traced back to wallets directly connected to the exploit, indicating the hacker is attempting to re-enter the Ethereum market after earlier liquidations.
Authorities tracking the wallets revealed the attacker still holds $45.36 million in DAI across two addresses. These positions stem from prior trades, including a massive sell-off of 17,779 ETH for $45.48 million roughly six weeks ago, followed by a smaller buyback of 207.17 ETH with $536,000 in DAI.
The transactions were conducted via THORChain, a decentralized exchange specializing in cross-chain swaps that can complicate efforts to monitor asset flows.
According to Chainalysis, decentralized exchanges like THORChain and Uniswap are increasingly leveraged by hackers to obfuscate the movement of illicit funds, presenting a challenge for investigators.
Hack Enabled by Insider Collaboration, Limited Data Leak Confirmed
Coinbase confirmed that the breach was facilitated by rogue contractors posing as fake employees, who provided the attacker access to a small fraction of user data.
The company stated that less than 1 percent of customers were impacted, but damages still amounted to approximately $400 million in stolen funds.
The attackers reportedly demanded $20 million to keep the incident secret, but Coinbase refused negotiations, opting instead for transparency.
In a statement, the exchange pledged to fully reimburse affected customers and disclosed that enhanced security protocols have been implemented to prevent future breaches.
Speaking on the breach, Coinbase’s Chief Security Officer noted:
“We are committed to bolstering our internal controls and have taken decisive actions to identify the contractors involved. This incident highlights the evolving risks posed by social engineering and insider threats in the cryptocurrency sector.”
Investigation Continues as Hacker Accumulates Ethereum
Despite concerted efforts by blockchain intelligence firms and law enforcement agencies, the attacker remains at large. The strategic timing of the trades indicates a calculated effort to avoid detection and maximize returns on the stolen assets.
By utilizing decentralized protocols, the hacker has been able to obscure fund flows, delaying any potential recovery efforts.
Experts warn that the hacker’s ongoing activity underscores persistent vulnerabilities in both centralized exchanges and decentralized finance ecosystems.
According to a recent report by Elliptic, exploits involving insiders or social engineering are increasingly common, with total crypto thefts exceeding $1.7 billion in the first half of 2025 alone.
Coinbase has stated it continues to work closely with federal investigators and cybersecurity partners to trace the hacker’s moves. Analysts believe the outcome of this case could set important precedents for the recovery of stolen crypto assets and the handling of insider-enabled breaches in the industry.
