Coinbase Hacker Sends Onchain Taunt to ZachXBT After $42.5M Swap The hacker behind the Coinbase data breach resurfaced this week, taunting blockchain detective ZachXBT after swapping $42.5 million in cryptocurrency via THORChain. Mocking Message Embedded in Ethereum Transaction On May 21st, the hacker placed a message in Ethereum transaction input data that read “L bozo,” along with a meme video of NBA legend James Worthy smoking a cigar. The jab was clearly aimed at ZachXBT, a prominent onchain investigator who had previously pointed out the hacker’s wallet activity. ZachXBT highlighted the troll message on his Telegram channel, tracing it to the same address that is also linked to the Coinbase hack on over 69,000 users. Hacker Transfers Millions from Bitcoin to Ethereum and DAI Before posting the message, the hacker had swapped approximately $42.5 million in Bitcoin (BTC) for Ether (ETH) using the decentralized cross-chain protocol THORChain. On May 22, security firm PeckShield observed that the hacker also converted 8,697 ETH into 22 million DAI, while a second related address exchanged 9,081 ETH for 23 million DAI. Coinbase Breach Fallout: Ransom Demands and Lawsuits Coinbase first announced the breach in May 2025, with the attack itself traced to December 2024. The hacked data includes users’ names, addresses, and other identifying details. Once the breach had been confirmed, the attackers issued a ransom demand for $20 million in Bitcoin. Coinbase refused, instead issuing a bounty for the same value for information that would lead to their arrest. The financial damage has been estimated at between $180 million and $400 million, which has led to at least six lawsuits alleging negligence on the part of the exchange in its security measures. THORChain Under Fire For Criminal Utilization The hacker’s manipulation of THORChain has also provided fodder for the fears of the protocol being used in laundering illicit funds. The protocol, which facilitates anonymous crypto swaps, had previously been in the news following the $1.4 billion Bybit hack in March. Security firms blamed that exploit on the Lazarus Group of North Korea as the likely perpetrator, with THORChain being allegedly used to launder significant sums. The platform had processed $5.4 billion in swaps over a month, with $5 million in revenue. Controversy deepened when the resignation of one THORChain developer, “Pluto,” came after an unsuccessful governance vote to block addresses that were associated with Lazarus.
