A wallet linked to the 2024 Coinbase Commerce hack has come back to life after nearly two years of inactivity. On-chain data shows the attacker began moving funds in January 2026. In the fresh moves, the attacker has deposited $5.4 million worth of Ethereum into Tornado Cash so far.
Before the deposits, the theft-linked address moved roughly $5.8 million in DAI to a fresh wallet. That DAI was swapped for Ether. The ETH was then broken into multiple deposits, and Tornado Cash activity followed a clear batching pattern. The attacker sent twenty deposits of 100 ETH, and then smaller amounts followed. These included 10 ETH, 1 ETH, and fractional transfers. However, a separate wallet linked to the attacker is still holding about $4.6 million in DAI.
This comes as the global crypto market is dealing with heavy selling pressure. Ethereum has dropped by almost 10% in the last 7 days. ETH was trading in the range of $3,100-$3,700 in April 2024, when the exploit happened. As of now, Ether is trading at an average price of $2,890.
The incident traces back to April 2024. On-chain investigator ZachXBT reported suspicious outflows from a Coinbase Commerce contract at the time. On April 21, 2024, the contract recorded more than 1,700 USDC outflows over a 16-hour window on Polygon. The total value reached $15.97 million.
The pattern suggested a merchant using Coinbase Commerce had been exploited. The funds were drained in repeated transfers. The stolen USDC was later bridged from Polygon to Ethereum. It was swapped for Ether and was split across three wallets.
The attacker has resumed activity after nearly two years of dormancy and is now depositing stolen funds into Tornado Cash.
A total of $5.4M has been deposited so far.
Prior to this, the theft address transferred $5.8M DAI to a fresh wallet, which was subsequently swapped for… https://t.co/6hZWByeuRQ
— Specter (@SpecterAnalyst) January 26, 2026
Shortly after the theft, a threat actor using the alias “Excite” began discussing the funds in private chats. ZachXBT linked those claims to addresses tied to the outflows. He mentioned that back in May 2024, a Telegram user using the handle “tezedasads12” sent a 1 DAI transaction. The transfer was used to prove control over a wallet holding about $6 million from the theft.
The same actor claimed ownership of the Instagram username “Excite.” He also attempted to purchase a matching Telegram username but failed. The Instagram account was initially private, but it later went public. The account showed luxury watches and other high-value items.
ZachXBT stated that open source intelligence suggested the individual may have been based in Denmark. That detail was not independently confirmed. After the initial laundering phase, most of the funds stopped moving. Wallets linked to the exploit went dormant. Meanwhile, a smaller portion of funds was later routed through decentralized exchanges and staking platforms. Those transactions were used to move assets into new wallets.
One deposit address showed high exposure to known drainer infrastructure. Investigators flagged that as a risk signal. The January 2026 Tornado Cash deposits mark the first major activity tied to the exploit in nearly two years.
The case adds to a series of security incidents tied to Coinbase. In May 2025, Coinbase disclosed a separate cyber attack. The company said the incident could cost up to $400 million. In that case, attackers obtained limited customer data by paying contractors and employees. The data was used to impersonate Coinbase and trick users.
Coinbase said fewer than 1 percent of customers were affected. The attackers demanded $20 million and Coinbase refused to pay. Private keys were not compromised. However, the company said it would reimburse affected users.