22-5-2025 – The hacker responsible for a major data breach targeting Coinbase users has taunted blockchain investigator ZachXBT with a mocking on-chain message. Embedded within Ethereum transaction data on May 21, the culprit inscribed the phrase “L bozo,” accompanied by a meme video featuring NBA star James Worthy puffing on a cigar. This audacious gesture followed the hacker’s conversion of approximately $42.5 million in Bitcoin (BTC, valued at $110,946 per coin) into Ether (ETH, priced at $2,634) through the THORChain protocol, as reported by ZachXBT on his Telegram channel. The investigator linked this activity to the same entity behind the Coinbase breach, which compromised the personal details of at least 69,400 users.
The fallout from the December 2024 breach, uncovered on May 11 and documented in a filing with the Maine Attorney General’s office, has been seismic. The stolen data, encompassing names, home addresses, and other sensitive information, prompted the hackers to demand a $20 million Bitcoin ransom to withhold its release. Coinbase, unmoved, countered with a $20 million bounty for information identifying the perpetrators. The exchange now braces for a financial hit estimated between $180 million and $400 million, driven by remediation efforts and customer compensation. Legal repercussions have swiftly followed, with six lawsuits filed on May 15 and 16, accusing Coinbase of inadequate security measures and a mishandled response to the crisis.
Meanwhile, the hacker’s activities have continued unabated. On May 22, blockchain security firm PeckShield reported further movement of funds, with the attacker converting 8,697 ETH into 22 million Dai (DAI, valued at $0.9997). A closely linked address, having received 9,081 ETH via THORChain, also exchanged its holdings for 23 million DAI, highlighting the scale and sophistication of the operation.
The use of THORChain has cast a spotlight on the protocol’s growing notoriety for facilitating illicit transactions. In March, its swap volume soared to $5.4 billion, generating over $5 million in revenue, with $1 billion processed in a single day. This surge followed the $1.4 billion Bybit hack, with blockchain security experts pointing to North Korea’s Lazarus Group as a primary culprit using THORChain to launder funds. The controversy deepened when a THORChain developer, known as “Pluto,” resigned after a community vote overturned a proposal to block transactions tied to the Lazarus Group, raising urgent questions about the protocol’s role in the crypto ecosystem’s darker corners.
The #Bybit hacker is laundering funds via #THORChain!
So far, the #Bybit hacker has laundered 270K $ETH($605M, 54% of the stolen funds) and still holds 229,395 $ETH($514M). pic.twitter.com/NtcKUpxsxc
— Lookonchain (@lookonchain) February 28, 2025
