Revisiting How Coinbene Stole Over $100M in Broad Day Without Question

Back in September 2019, Coinbene was allegedly hacked for north of $100M. This was widely reported by several different cryptocurrency news media outlets.

However, further investigation (by Librehash and subsequently covered by CoinTelegraph), revealed that there were several inconsistencies in the story being told by Coinbene exchange.

In essence, after further investigation, it was found that $MXM (Maximine) launched a new ERC20 smart contract to issue new tokens and compensate Coinbene with over $70M.

As research (below) shows, there was no logical reason for the $MXM team to do this. The only plausible explanation for why $MXM made this charitable donation to Coinbene is that MXM was colluding with Coinbene to perpetrate a fake "hack" to cover the theft of user funds from the exchange.

To be more clear, the scheme that Coinbene pulled off with $MXM was as follows:

1. Extract a ton of user assets off of the exchange en masse (i.e., in this case all ERC20 tokens).
2. Liquidate said funds that were once legitimately owned by users.
3. When someone in the community notices that >$100M in funds has left the exchange for seemingly no reason at all, the exchange must claim that they were "hacked", but that they have some sort of 'insurance' / emergency measure to ensure that all users will be fully compensated for their losses.
4. Following this action, $MXM printed $70M worth of their new token.
5. Coinbene then sold that token on their exchange and others, absorbing various counter orders (some of these transfers were made through 'DEX' platforms like EtherDelta and others).
6. Given the arbitrary printing of said tokens, $MXM was able to effectively manifest $70M out of thin air to then give to Coinbene.
7. The net result is that Coinbene was able to abscond >$100 million in user funds, then get away with doing so by simply generating $70M of some coin and then selling it to the highest bidder on the market.
8. Users that have not seen this analysis or were unable to conduct one themselves would be entirely unaware of this subversive actvity by Coinbene.

The report below proves that this was exactly what Coinbene was doing, without equivocation. Going further, if we analyze some of the other 'exchange' and 'DeFi hacks' that have occurred in the space since, it appears that this technique has been utilized much more than one (with the latest example being KuCoin).

Introductory Information

Before we begin the report, let’s list out some addresses that are worth remembering for future references (more will be listed throughout the report, but these are the main ones that we will consistently refer back to).

Coinbene’s Ethereum Hot Wallet Address = 0x9539e0b14021a43cDE41d9d45Dc34969bE9c7cb0

Coinbene’s Ethereum Cold Wallet Address = 0x33683b94334eebc9bd3ea85ddbda4a86fb461405

Maximine’s Old Contract Address =
0x6a750d255416483bec1a31ca7050c6dac4263b57

Maximine’s New Contract Address = 0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439

Alleged ‘Hacker’ Address = 0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E

For this report, we’re going to start with March 25th, 2019.

In specific, that was the day the massive outgoing transactions from Coinbene’s Ethereum Hot Wallet Address to the Alleged ‘Hacker’ Address began.

Examining the Hacker's Address

Here is a Look at the Alleged ‘Hacker’ Address

If we go back to the initial incoming transaction for the Alleged ‘Hack’ Address, we can see that it was created on March 25th, 2019 at 7:04 p.m. UTC via a withdrawal directly from Coinbene’s Hot Wallet Address.

Each transaction is for a significant amount of some token that was held by Coinbene, and upon further inspection, it appears that these transactions essentially “cleaned out” Coinbene's supply of each respective token.

For example, the first incoming transaction to the Alleged ‘Hack’ Wallet Address from Coinbene was a 74.2 million token transfer of the $GETX coin.

If we check Coinbene’s $GETX reserves, we can see that this transaction essentially cleaned out Coinbene’s store of $GETX

Source: https://etherscan.io/token/0x07a58629aaf3e1a0d07d8f43114b76bd5eee3b91?a=0x9539e0b14021a43cde41d9d45dc34969be9c7cb0

Complete List of Tokens That Were Extracted From Coinbene

This is the case for most other tokens that were transferred from Coinbene’s Hot Wallet Address to the Alleged ‘Hack’ Wallet Address as well.

Below is a list of tokens that were ‘cleaned out’ from Coinbene’s Hot Wallet Address:

1. Guaranteed Ethurance Token Extra
2. EBCoin
3. Fountain2
4. HuobiPoolToken
5. TMTG
6. Insureium Token
7. BaaSid
8. VOLT
9. Sakura Bloom
10. Aston X
11. CosmoCoin
12. PRASM
13. uDOO
14. Pundi X Token* (Coinbene received a new send to their hot wallet address worth about $10k USD circa April 4th-6th, 2019)
15. PumaPay
16. BTNT
17. OVC
18. SRCOIN
19. GoToken
20. FuzeX
21. UTN-P: Universa Token
22. Tokenomy
23. FNKOSToken
24. Mobile Integrated Blockchain
25. Endor Protocol Token
26. Paxos Standard
27. CNN Token
28. Mass Vehicle Ledger Token
29. EnergiToken
30. KST
31. eQUAD
32. Bethereum
33. ABYSS
34. XMED Chain Token
35. Credo Token
36. Omix
37. AiLink Token
38. VeriSafe
39. LatiumX
40. POPCHAIN-CASH
41. CEDEX
42. AID
43. CREDITS
44. ELF
45. TokenClub Token
46. IOSToken
47. RECORD
48. Social Lending Token
49. Aeternity
50. Cryptaur
51. Verime Mobile
52. Polymath
53. ArcBlock
54. Simmitri
55. vSporf Coin
56. Gemini dollar
57. PATRON
58. shinechain
59. MT Token
60. ESSENTIA
61. FundRequest
62. IvyKoin Public Network Tokens
63. Reputation
64. Bez
65. HalalChain
66. BAT
67. OmiseGO
68. FarmaTrust Token
69. No BS Crypto
70. DENT
71. Ink Protocol
72. Level-Up Coin
73. Moeda Loyalty Points
74. Bezop
75. MedToken
76. Bancor
77. ChainLink Token
78. QuarkChain Token
79. Cortex Coin
80. ZRX
81. Civic
82. Content and Ad Network
83. Storiqa
84. Sentinel Chain
85. AIT
86. Loom
87. BANKEX
88. DGD
89. Genesis Vision
90. Kora Network Token
91. Aditus
92. SeeleToken
93. COZ
94. Zippie
95. BitStation
96. Salt
97. SwftCoin
98. SHVR
99. ClearPoll
100. TRUE
101. Medical Token Currency
102. Herocoin
103. AIDOC
104. Populous
105. INCX Coin
106. Nebula AI Token
107. VisionX
108. Data

All of the above tokens (with the exception of Pundi X Token) held a balance of zero on April 6th, 2019.

Additionally, a large proportion of all tokens that were sent to Alleged ‘Hack’ Wallet Address have already been liquidated.

Given the fact that Coinbene’s coffers for each individual token listed above were completely drained in their subsequent transfer to the Alleged ‘Hack’ Wallet Address and then subsequently liquidated on a decentralized Ethereum exchange (IDEX), it is reasonable to conclude that this was a hack of some sort.

Reasons For Questioning Coinbene's Narrative

The reasons why it would be reasonable (and logical) to conclude that this is a hack/theft/inside job are:

• There is no way that the Alleged ‘Hack’ Wallet Address is the sole source of deposits for all of the coins listed above.
• The Alleged ‘Hack’ Wallet Address is not an extension of Coinbene that was used to distribute funds to customers, because all funds were sent to IDEX and subsequently liquidated. IDEX is not a distribution method for exchanges to satisfy customer withdrawal requests.

Additional Assets Not Accounted For in the List Above

For whatever reason, the following three assets were not sent to the Alleged ‘Hack’ Wallet Address:

• Ethereum
• Maximine
• CoinBene Coin

Instead, they were redirected to the following addresses:

• 0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba (Wallet #1)
• 0x6585329751de1140d68bd6cad1b46ebec1131f75 (Wallet #2)
• 0xc163a86f2f095150562c1c4cf48c55ad085aeb6b (Wallet #3)
• 0x49800268af45f54ead1176d41272bc409f40d6c9 (Wallet #4)
• 0xc85f8f41c4f12816c72fe35f01ae32fa40f512f7 (Wallet #5)
• 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133 (Wallet #6)
• 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819 (Wallet #7)
• 0x712ae2390e296311d69fcd143a2ad2117a7ca997 (Wallet #8)
• 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc (Wallet #9)
• 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0 (Wallet #10)
• 0x6ec8572dac56c5a400cf2a94eb629b3eae029550 (Wallet #11)
• 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1 (Wallet #12)

Each wallet listed above was created within the last 10–12 days from the original date of this being posted (April 6th, 2019).

Sample Analysis of Wallet #1

The following notes will be of Wallet #1 to give a general idea of the liquidation pattern flowing out from Coinbene during the time of the suspected security breach as well as the interconnectedness of the wallets listed above.

Wallet #1

1. Wallet #1 received 669 million $MXM tokens from Coinbene directly.
2. Wallet #1 also received 364,526,151 (364 million) CoinBene coins.
3. Wallet #1 also received 16,730 Ethereum as well.

• Ethereum from Wallet #1 was then sent into 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc , which also contains funds from Ethereum Wallet #3 and Ethereum Wallet #6. Altogether, 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc received 18,935 Ethereum, which were then sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC.

The 18.9k Ethereum that were sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC were still in that address as of April 6th, 2019.

Strange Activity With Maximine Token

As noted in the ‘Report Summary’, there were significant concerns that the Zerononcense team found with the Maximine token and contract.

What should be noted first, is that the Maxamine Old Contract Address was 86'd (publicly) on March 28th, 2019:

https://medium.com/@maximinecoin/official-announcement-update-of-token-address-da9862d4fd45

However, the new contract was actually created on March 27th, 2019 at 12:40 a.m. UTC.This is not necessarily an issue though. What is an issue, is the transfer of tokens that followed.

What was also noted in the report summary was the fact that Maximine was supposed to distribute the new contract address tokens to holders on a 1:1 basis, per their press release.

However, Coinbene ended up receiving 1.9 billion $MXM tokens from the new contract (somehow).

Analyzing Coinbene’s Holdings of $MXM (MaxiMine)

As stated before, the address to the new contract for Maximine can be found here: https://etherscan.io/token/0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439

Notably, Coinbene’s Cold Wallet Address held 1.9 billion $MXM tokens as of April 6th, 2019.

The vast majority of these tokens were sent in one bulk transaction on March 27th, 2019 at 8:12 a.m. UTC:

1. https://etherscan.io/tx/0x13f648663654a4f9ea2b4615adcee0fbd378f0e99da9057a055459be7199bf91
2. These funds were sent to Coinbene’s Hot Wallet Address from 0x3feea02bc920e80351f0f1e976fab7b57640466d.
3. Notably, this address is the contract creator for the new Maximine contract address.

So this begs the question of why and how Coinbene was able to receive 1.9 billion $MXM tokens from Maximine directly despite not having 1.9 billion tokens from the old contract on hand.

Coinbene Did Have 1.2 Billion $MXM Tokens in Possession in Their Cold Wallet

Strangely, Coinbene was able to salvage 1.2 billion $MXM tokens (from the old contract) somehow.

See below:

Source: https://etherscan.io/token/0x6a750d255416483bec1a31ca7050c6dac4263b57?a=0x9539e0b14021a43cde41d9d45dc34969be9c7cb0

Here is the URL for that transfer: https://etherscan.io/tx/0xacc9d8b0bdb1fa3bd7014bf74ea7f3f38adac11987eb543bd38824edeceb41bc

As shown in the picture above, it appears that this transfer occurred on March 26th, 2019 at 6:44 a.m. UTC.

What is interesting though is that it appears the Coinbene wallet had already been compromised at that point.

Proving the Claim Above About When Coinbene Was Compromised

• The screenshot above proves that the Coinbene hot wallet was compromised on March 25th, 2019 around 7–8 p.m. UTC.
• The intruder/hacker/entity wasted no time in completely transferring the entire balance of every other ERC20 token that Coinbene had in its possession.
• However, this was not done with Maximine. Instead, only 1/3 of the tokens were distributed.
• This left Coinbene with 1.2 billion $MXM tokens, which they sent to their cold wallet address on March 26th.
• However, this transfer to their cold wallet address did not take place until 7–8 hours after the last extraction from the wallet by the See below:hacker/illicit source.

The above, of course, begs the question of why such a malevolent entity would have left 1.2 billion $MXM tokens to the exchange.

It Appears Maximine Compensated Coinbene for Those Tokens

As stated above, Coinbene was able to successfully transfer 1,203,498,805 $MXM tokens to its cold wallet, but the hacker was successful in extracting 669,874,712.47 $MXM from the exchange before subsequently liquidating the vast majority of them down at IDEX.

Now, let’s go back to the total $MXM that Maximine compensated Coinbene’s Hot Wallet with once they swapped their contract (literally only a few hours after the initial transfer): https://etherscan.io/tx/0x27eb05ee89c2402474ba40a85d092885b932709a28794aff03974095d1b0ade2

Specifically, $MXM sent Coinbene 1,869,874,712.473940796455758495 tokens.

Coincidentally, if you add 1,203,498,805 (tokens successfully transferred to the Coinbene cold wallet address) to 669,874,712.47 (tokens extracted by “hacker”), you’ll get a total of 1,873,373,517.47.

This total is only .2% off from the amount of tokens that $MXM gave Coinbene.

Thus, it looks pretty obvious that $MXM compensated Coinbene for the loss of 669M $MXM tokens, but the question is ‘why’? That additional compensation represents approximately $70M in value.

This also makes it seem as though $MXM launched an entirely new contract for the sake of keeping Coinbene afloat.

This Entire Situation Brings Up a Potent Philosophical Dilemma in the Crypto Space

If ERC20 tokens are not tied to equity and they can be arbitrarily produced and distributed (unlike PoW-based cryptos), then the only difference between ERC20 tokens and Tether (USDT) is that ERC20 tokens have a floating value and Tether doesn't.

Otherwise, all the other properties are the same:

1. Tokens/USDT can be 'printed' at will.
2. Tokens/USDT can be distributed at will.
3. Tokens/USDT can be allocated at will.
4. The value given for tokens/USDT is based off of pure speculative hopium rather than legitimate real-world use.

Think about it - you can't use USDT in the real world...Anywhere. USDT's only purpose is to buy other cryptos in the hopes that said purchase will result in more fiat/Bitcoin at the end of the day.

The vast majority of these tokens have no immediate use case and even those that folks argue do have a use case have use cases that are not targeted at retail investors but rather large corporations/entities (i.e., $XRP).

Counter Arguments Run Stale Here

Making the counter-argument, "But the Federal Reserve prints money and money has no value!" is disingenuous at best.

The government doesn't just 'print money' or there would be no national debt, necessary budget or deficit (think about it, why would your country have any debt if it could just "print money" and pay that debt?).

Also, the reality is that the dollar has a demonstrable value (whether you agree with its origins or not). If you have enough dollars you can purchase a house, clothes, cars, wherever money is accepted (in America) and any other country with a financial system will be more than happy to exchange your dollars for their currency if that's what must be done.

The same cannot be said of ERC20 tokens/USDT.

99% of ERC20 tokens and USDT only have value within the context of crypto trading and markets.

99% of ERC20 tokens have no objective value in terms of what they allow you to do at this present moment in time.

And because these crypto entities own tens of millions of these tokens with an arbitrary floating value, they have the ability to "create" millions for themselves out of 'thin air'. It is a philosophical issue that most acknowledge but we have not yet found a solution.