The hacker behind the massive Coinbase data breach moved approximately $42.5 million in Bitcoin to Ethereum via THORChain. After the transaction, the hacker sent a mocking on-chain message to blockchain investigator ZachXBT.
On-chain messaging embeds text directly into blockchain transactions, allowing users to write notes, warnings, or links permanently recorded on the ledger. Despite its potential for legitimate announcements, this feature has been predominantly used by scammers seeking to contact victims.
Hacker Taunts ZachXBT
The attacker embedded a taunting message directly into the Ethereum transaction’s input data. The text “L bozo” is internet slang for a foolish person, and it hints at the hacker’s contempt for ZachXBT’s tracking efforts.
Immediately following the phrase “L bozo,” the hacker included a hyperlink to a YouTube video of James Worthy smoking a cigar. For context, the meme is widely used within crypto communities to signify victory and mockery. Hence, the hacker may also be implying that they will remain on top of the game, never to be uncovered by ZachXBT and his partners.
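For readers tracing such transactions, the following added example (not part of the original article) shows how text embedded in a transaction's input data can be recovered from its hex form and told apart from ordinary contract calldata. The function name is hypothetical and both sample inputs are constructed; the URL is a placeholder, not the link from the actual transaction.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed samples (not the real transaction data). The URL is a placeholder.
SAMPLE_MESSAGE_INPUT = "0x" + "L bozo https://example.invalid/video".encode().hex()
# transfer(address,uint256) selector followed by two zeroed 32-byte words
SAMPLE_CALL_INPUT = "0xa9059cbb" + "00" * 64


def decode_input_message(input_hex: str) -> dict:
    """Hypothetical helper: classify input data and recover embedded text."""
    result = {"kind": "binary", "text": None, "urls": [], "selector": None}
    data = input_hex.strip()
    if data.lower().startswith("0x"):
        data = data[2:]
    if not data:
        result["kind"] = "empty"  # plain value transfer, no message
        return result
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        result["kind"] = "invalid_hex"  # odd length or non-hex characters
        return result
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    # Count it as a message only if every character is printable; ABI-encoded
    # calldata normally fails here because of NUL padding or non-UTF-8 bytes.
    if text is not None and all(c.isprintable() or c in "\r\n\t" for c in text):
        result.update(kind="text_message", text=text, urls=URL_RE.findall(text))
        return result
    # Heuristic: a contract call is a 4-byte selector plus whole 32-byte words.
    if len(raw) >= 4 and (len(raw) - 4) % 32 == 0:
        result.update(kind="contract_call", selector="0x" + raw[:4].hex())
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_MESSAGE_INPUT, SAMPLE_CALL_INPUT, "0x"):
        print(decode_input_message(sample))
```

Any extracted link should be treated as untrusted, since the same channel is used by scammers to reach victims.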
The on-chain sleuth publicly flagged the transaction on his Telegram channel, “Investigations by ZachXBT.” He confirmed that the wallet responsible for the taunt is linked to the Coinbase breach.
Why Target ZachXBT?
ZachXBT has gained remarkable popularity as an on-chain sleuth. He has uncovered numerous high-profile scams and hacks across the crypto industry. His real-time tracing of the hacker’s on-chain movements (including the THORChain swaps) has repeatedly frustrated the attacker, prompting the on-chain message.
Interestingly, before Coinbase’s recent public disclosure of stolen data, ZachXBT had publicly criticized the exchange for failing to fortify its security measures. Since mid-2024, his investigations have revealed that over $300 million has been stolen annually from Coinbase users via phishing attacks.
CTW previously reported three related incidents totalling $46 million in stolen crypto. The funds from those scams were laundered by bridging from Bitcoin to Ethereum via THORChain and Chainflip before being converted into the stablecoin DAI.
Meanwhile, Coinbase’s response to the data theft has been twofold. The exchange refused to negotiate over the attacker’s ransom demands. Instead, it offered a $20 million bounty to incentivize community and law enforcement collaboration. No arrests or public identifications related to the hack have been made at press time.