Coinshift (aka "C8 theft")

Date:: August 16th, 2023

Amount Stolen:: $2,900,000

It appears an individual had multiple keys compromised and drained, including at least 2 of their Gnosis Safes. NFTs were sold and all proceeds were consolidated and sent to Tornado Cash.

Based on laundering and co-mingling with other identified thefts, including the Steadefi hack, it's likely the result of malware via malicious Google Drive phishing.

Individual appears to be a long-time leader in the same, founding his own Web3 company and active both on-chain and on-Twitter prior to the theft and since the theft.

On-Chain

Compromised (Victim) Addresses:

0x9e68d31fa10ab3702495c77bb2fb5263975b2625
0x5970892478ac8987b7069819ee307d0c255528cc - Gnosis Safe
0xbd3496fe269aa8bbf685836b63b3cadedbe2eb56
0x83d592be9606663538adcad6f4bc39b22c2eb9d3

Theft Addresses:

0x979ec2af1aa190143d294b0bfc7ec35d169d845c
0x68c4a151d436ec1c5448d225a97bd19cce4dfed0
0x4c7c2b39e3d642d452adfca632939a60b1baacf7
0xbcd5b968a79a04bf2bb942a449f10c20a7121ed8

Tornado Outputs:

0x9F8941cD7229Aa3047F05a7eE25c7ce13cBB8c41
0x4E75c46c299ddC74BAc808a34A778c863BB59A4E

Post-Tornado Laundering

0x5d65aeb2bd903bee822b7069c1c52de838f11bf8
0xa34500c4be803a608b226e8e6cdadcdfea1f8c96
0x4272200ef626d409e9bac681aa0efdb653a9ef0b - Noones Deposit
0x246569f8b420c8d850c475c53d0d59973b3f08fc - Paxful Deposit
0x0258c2af4fe694df026cca55d17feebd5b361acc - Paxful Deposit
0x3af55ab7edbca175f80f3a7ddeac5dabf611347b - Paxful Deposit

Laundering:

9 Deposits of 100 ETH were made to Tornado Cash from 0x68c4a151d436ec1c5448d225a97bd19cce4dfed0:

2023-08-24 6:50:59 100 ETH
2023-08-24 6:49:47 100 ETH
2023-08-24 6:29:47 100 ETH
2023-08-24 6:24:47 100 ETH
2023-08-23 15:08:35 100 ETH
2023-08-23 15:08:11 100 ETH
2023-08-23 15:07:35 100 ETH
2023-08-23 15:06:47 100 ETH
2023-08-23 15:06:23 100 ETH

The most likely outputs for these 9 deposits are:

2023-08-24 6:17:47 0x9F8941cD7229Aa3047F05a7eE25c7ce13cBB8c41
2023-08-24 6:30:47 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E
2023-08-24 6:34:59 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E
2023-08-24 6:45:11 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E
2023-08-24 6:58:47 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E
2023-08-26 0:28:23 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E
2023-08-26 0:30:47 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E
2023-08-26 0:55:47 0x9F8941cD7229Aa3047F05a7eE25c7ce13cBB8c41
2023-08-26 2:38:11 0x4E75c46c299ddC74BAc808a34A778c863BB59A4E

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

coinshift.md

coinshift.md

Coinshift (aka "C8 theft")

On-Chain

Compromised (Victim) Addresses:

Theft Addresses:

Tornado Outputs:

Post-Tornado Laundering

Laundering:

9 Deposits of 100 ETH were made to Tornado Cash from 0x68c4a151d436ec1c5448d225a97bd19cce4dfed0:

The most likely outputs for these 9 deposits are:

Files

coinshift.md

Latest commit

History

coinshift.md

File metadata and controls

Coinshift (aka "C8 theft")

On-Chain

Compromised (Victim) Addresses:

Theft Addresses:

Tornado Outputs:

Post-Tornado Laundering

Laundering:

9 Deposits of 100 ETH were made to Tornado Cash from 0x68c4a151d436ec1c5448d225a97bd19cce4dfed0:

The most likely outputs for these 9 deposits are: