The hacker behind the massive May 2025 exploit of Coinbase users is now using the stolen proceeds to amass a large position in Ethereum.

On‑chain transaction trackers show the individual or group bought 4,863 ETH for 12.5 million DAI at about 2,569 DAI per ETH.

A hacker who stole funds from a #Coinbase user has bought 4,863 $ETH for $12.5M $DAI at a price of $2,569.

The hacker still holds $45.36M $DAI across 2 different wallets and is likely to buy more $ETH.

Address: 0xb574d779c391eac47fa09b6e50cb79cccb57a8c8$DAI Holding Addresses:… https://t.co/zquj05yczI pic.twitter.com/Mloq2SoYEb

— Onchain Lens (@OnchainLens) July 7, 2025

After this latest purchase, the hacker holds 45.36 million DAI worth of assets spread across two cold wallets. The move follows the theft that saw up to $400 million  lifted from the exchange, allegedly with help from insiders.

Exploit Details

In May, Coinbase suffered a breach that it blamed on collusion between hackers and fraudulent employees. Insiders reportedly supplied less than 1% of user information. 

Hackers then used that data to drain accounts, netting as much as $400  million. Coinbase refused the hackers’ demand of $20  million  for silence and pledged instead to make its users whole.

Taunt and On‑Chain Tracking

Shortly after the hack, the attacker taunted blockchain investigator ZachXBT by embedding a mocking message in an Ethereum transaction on May 21. 

That stunt drew the attention of multiple on‑chain trackers. Using open‑source tools and detailed blockchain analysis, analysts linked the flow of stolen funds through a chain of wallet transfers back to the original Coinbase exploit.

Also Read: Coinbase Hit With Class Action Lawsuit For Stock Price Drop After Data Breach Nondisclosure & Regulator Violation

Ethereum Accumulation

The trackers noted the hacker’s recent move to convert a chunk of the stolen DAI into ETH. By buying 4,863 ETH at 2,569 DAI each, the attacker has shifted a large share of their holdings into a single crypto asset. 

With 45.36 million DAI remaining across two wallets, observers suspect more ETH purchases could follow. The accumulation spree shows a clear intent to build a long‑term position in Ethereum.

What This Means?

By converting stolen stablecoins into ETH, the hacker may be seeking both anonymity and upside potential. Ethereum’s public ledger lets anyone see the wallet balances, but tracing the person behind the keys remains tough.

Large buys can move the market price, especially if sold quickly. This strategy could expose the hacker to price swings and heighten the risk of detection if they cash out.

Efforts to Recover and Apprehend

Despite intense efforts by law enforcement and private investigators, no funds have been recovered. Authorities in multiple countries have opened probes, but each lead has so far ended without arrests. 

The hacker’s use of cold wallets and mixing services has made tracing and seizing assets difficult. In the meantime, victims wait for reimbursement from Coinbase, and blockchain sleuths continue to monitor the stolen funds.

As the attacker grows their ETH stash, the crypto world watches closely to see if market forces or law enforcement pressure will force a mistake. Ultimately, this case highlights both the transparency and limits of blockchain tracing in the fight against digital theft.

Also Read: Coinbase Boosts Base Privacy With Iron Fish Team Acquisition, Amid Record Crypto Hacks In 2025