The Theft
On 11/11/2020 1000 ETH was stolen from a victim on Coinbase - @cryptolawsuit. At the time, the haul was worth about 460K; that same ETH is worth close to 3 MILLION at today’s prices.
0xea37DbE2e9D5A6001a0DdADdAE62fB60a5D95F16 was the Main Wallet used to transfer assets.
You can read the details from the Victim’s point of view here.
This was a sad one for me as the victim sued Coinbase blaming the exchange for the hack.
The victim’s Coinbase account was compromised and social engineering techniques were used to increase the withdrawal limits from 150K to 400K.
Once the withdrawal limits were increased, everything was swapped to ETH allowing the hacker to withdraw the entire balance in less than 3 hours.
The stolen ETH was sent to the following wallets:
0xa2Db056805e4D5628cdEbE0539E012193EF9D0c1 - (434 ETH)
0x667Bc3cF446A7f5E57B82f6cBc0866c65d410419 - (434 ETH)
0xE8dd92ba440990eC3a55f669b4941f6Ddf4ed6E8 - (52 ETH)
0xAe255583fa934bBAC9b74d59b55CA4A67F04aDaa - (52 ETH)
Above is an image of the outgoing transactions of 0xea37DbE2e9D5A6001a0DdADdAE62fB60a5D95F16. All of the incoming transactions come from Coinbase deposit addresses tied to the victim.
Most of the funds ended up in deposit addresses owned by Konstantin, including 0x05a8fC18C8150cBD6cEc07621dE2aA7c426a21e6 - Yobit, 0xD995B8e922Dad50062A0082ee503BD73F73209e1 - FTX (lol) and 0xEEe016bDD360cd5A327eCEff075E21b6A4c1D7A1 - Peatio. Some funds were sent to Binance and others to buy gift cards or pay for services.
Following the funds of 0xa2Db056805e4D5628cdEbE0539E012193EF9D0c1, most of the stolen funds end up at 0x05a8fC18C8150cBD6cEc07621dE2aA7c426a21e6 - Yobit while the rest get peeled off into various Binance deposit addresses and a Fixed Float Deposit.
The Connection to Konstantin Pylinskiy
The blockchain is permanent. All it takes is one mistake and you’re cooked. I stumbled upon this hack researching another hack.
About 434 ETH of the stolen funds was moved to the intermediary wallet 0xa2Db056805e4D5628cdEbE0539E012193EF9D0c1 and, 3 hours later, on to 0x2eF3cb572e0D114fCb6F0Afd80Dab7D43C7b1b4d.
A look inside the wallet of 0xa2Db056805e4D5628cdEbE0539E012193EF9D0c1. Funds get sent to the “b1b4d” wallet with this Etherscan transaction.
Above is the wallet 0x2eF3cb572e0D114fCb6F0Afd80Dab7D43C7b1b4d sorted by highest value transaction amounts. Most of the stolen funds get sent to 0x05a8fC18C8150cBD6cEc07621dE2aA7c426a21e6 - Yobit, a deposit address owned by Konstantin.
I mentioned this deposit address in a previous post where pking007 on Reddit lost his 60K in life savings due to a Ledger Live hack.
All of the wallets inside this deposit address link back to Konstantin aka “konpyl”.
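As an added example (not part of the original post), the Python below sketches the follow-the-funds step done by hand above: it pushes a tainted balance through a transfer graph and reports how much lands at labelled exchange deposit addresses. The transfer list is constructed: the 434/434/52/52 split and the hop to the “b1b4d” wallet follow the post, while the onward amounts and the two *_placeholder addresses are made up.

```python
from collections import defaultdict, deque
MAIN = "0xea37DbE2e9D5A6001a0DdADdAE62fB60a5D95F16"
A2DB = "0xa2Db056805e4D5628cdEbE0539E012193EF9D0c1"
B667 = "0x667Bc3cF446A7f5E57B82f6cBc0866c65d410419"
E8DD = "0xE8dd92ba440990eC3a55f669b4941f6Ddf4ed6E8"
AE25 = "0xAe255583fa934bBAC9b74d59b55CA4A67F04aDaa"
B1B4D = "0x2eF3cb572e0D114fCb6F0Afd80Dab7D43C7b1b4d"
# Exchange deposit addresses the post labels (address -> exchange).
SINKS = {"0x05a8fC18C8150cBD6cEc07621dE2aA7c426a21e6": "Yobit",
         "0xD995B8e922Dad50062A0082ee503BD73F73209e1": "FTX",
         "0xEEe016bDD360cd5A327eCEff075E21b6A4c1D7A1": "Peatio"}
YOBIT, FTX, PEATIO = SINKS  # dict keys unpack in insertion order
# Constructed transfer list (from, to, ETH): the first five hops follow the
# post; the later amounts and the two *_placeholder addresses are made up.
TRANSFERS = [(MAIN, A2DB, 434.0), (MAIN, B667, 434.0), (MAIN, E8DD, 52.0),
             (MAIN, AE25, 52.0), (A2DB, B1B4D, 434.0), (B1B4D, YOBIT, 400.0),
             (B1B4D, "binance_deposit_placeholder", 34.0), (B667, FTX, 300.0),
             (B667, PEATIO, 134.0), (E8DD, YOBIT, 52.0),
             (AE25, "giftcard_service_placeholder", 52.0)]
def trace(start, total, transfers, sinks):
    """Push `total` tainted ETH from `start` through the graph. Intermediaries
    forward taint pro rata over their outgoing transfers (capped at what they
    sent); labelled sinks and dead ends absorb it. Returns label -> ETH (raw
    address where no label is known). Assumes the graph has no cycles."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    indeg, seen, stack = defaultdict(int), set(), [start]
    while stack:                       # in-degree of every reachable node
        node = stack.pop()
        if node in seen or node in sinks:
            continue
        seen.add(node)
        for dst, _ in out[node]:
            indeg[dst] += 1
            stack.append(dst)
    taint, result, queue = defaultdict(float, {start: total}), defaultdict(float), deque([start])
    while queue:                       # Kahn's algorithm: topological order
        node = queue.popleft()
        outgoing = [] if node in sinks else out[node]
        sent = sum(amt for _, amt in outgoing)
        forwarded = min(taint[node], sent)
        for dst, amt in outgoing:
            taint[dst] += forwarded * amt / sent
            indeg[dst] -= 1
            if indeg[dst] == 0:
                queue.append(dst)
        if taint[node] > forwarded:    # whatever was not forwarded stays here
            result[sinks.get(node, node)] += taint[node] - forwarded
    return dict(result)
```

With the constructed data, 452 ETH is attributed to the Yobit deposit address (400 via the “b1b4d” wallet plus 52 directly), and the 28 ETH never sent onward is reported against the main wallet itself.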
How did this hack happen?
The victim most likely interacted with malware that allowed the attacker to reach the Coinbase account from the victim’s own computer.
Additionally, the request to increase the withdrawal limits came from the same IP as the victim in Florida. The attacker could have remotely accessed the computer, increased the withdrawal limits, and stolen all the assets inside the account.
The victim could have been the target of a spear-phishing attack, or the hacker could have stumbled upon the Coinbase login once the computer was compromised.
Regardless of how the attack happened, Coinbase isn’t the one to blame here. The hack links directly back to Konstantin.