Revisiting How Coinbene Stole Over $100M in Broad Day Without Question

Coinbene Nov 16, 2020

Back in September 2019, Coinbene was allegedly hacked for north of $100M. This was widely reported by several different cryptocurrency news media outlets.

However, further investigation (by Librehash and subsequently covered by CoinTelegraph), revealed that there were several inconsistencies in the story being told by Coinbene exchange.

In essence, after further investigation, it was found that $MXM (Maximine) launched a new ERC20 smart contract to issue new tokens and compensate Coinbene with over $70M.

As research (below) shows, there was no logical reason for the $MXM team to do this. The only plausible explanation for why $MXM made this charitable donation to Coinbene is that MXM was colluding with Coinbene to perpetrate a fake "hack" to cover the theft of user funds from the exchange.

To be more clear, the scheme that Coinbene pulled off with $MXM was as follows:

  1. Extract a ton of user assets off of the exchange en masse (i.e., in this case all ERC20 tokens).
  2. Liquidate said funds that were once legitimately owned by users.
  3. When someone in the community notices that >$100M in funds has left the exchange for seemingly no reason at all, the exchange must claim that they were "hacked", but that they have some sort of 'insurance' / emergency measure to ensure that all users will be fully compensated for their losses.
  4. Following this action, $MXM printed $70M worth of their new token.
  5. Coinbene then sold that token on their exchange and others, absorbing various counter orders (some of these transfers were made through 'DEX' platforms like EtherDelta and others).
  6. Given the arbitrary printing of said tokens, $MXM was able to effectively manifest $70M out of thin air to then give to Coinbene.
  7. The net result is that Coinbene was able to abscond >$100 million in user funds, then get away with doing so by simply generating $70M of some coin and then selling it to the highest bidder on the market.
  8. Users that have not seen this analysis or were unable to conduct one themselves would be entirely unaware of this subversive actvity by Coinbene.

The report below proves that this was exactly what Coinbene was doing, without equivocation. Going further, if we analyze some of the other 'exchange' and 'DeFi hacks' that have occurred in the space since, it appears that this technique has been utilized much more than one (with the latest example being KuCoin).

Introductory Information

Before we begin the report, let’s list out some addresses that are worth remembering for future references (more will be listed throughout the report, but these are the main ones that we will consistently refer back to).

Coinbene’s Ethereum Hot Wallet Address = 0x9539e0b14021a43cDE41d9d45Dc34969bE9c7cb0

Coinbene’s Ethereum Cold Wallet Address = 0x33683b94334eebc9bd3ea85ddbda4a86fb461405

Maximine’s Old Contract Address =
0x6a750d255416483bec1a31ca7050c6dac4263b57

Maximine’s New Contract Address = 0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439

Alleged ‘Hacker’ Address = 0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E

For this report, we’re going to start with March 25th, 2019.

In specific, that was the day the massive outgoing transactions from Coinbene’s Ethereum Hot Wallet Address to the Alleged ‘Hacker’ Address began.

Examining the Hacker's Address

Here is a Look at the Alleged ‘Hacker’ Address

If we go back to the initial incoming transaction for the Alleged ‘Hack’ Address, we can see that it was created on March 25th, 2019 at 7:04 p.m. UTC via a withdrawal directly from Coinbene’s Hot Wallet Address.

Each transaction is for a significant amount of some token that was held by Coinbene, and upon further inspection, it appears that these transactions essentially “cleaned out” Coinbene's supply of each respective token.

For example, the first incoming transaction to the Alleged ‘Hack’ Wallet Address from Coinbene was a 74.2 million token transfer of the $GETX coin.

If we check Coinbene’s $GETX reserves, we can see that this transaction essentially cleaned out Coinbene’s store of $GETX

Source: https://etherscan.io/token/0x07a58629aaf3e1a0d07d8f43114b76bd5eee3b91?a=0x9539e0b14021a43cde41d9d45dc34969be9c7cb0

Complete List of Tokens That Were Extracted From Coinbene

This is the case for most other tokens that were transferred from Coinbene’s Hot Wallet Address to the Alleged ‘Hack’ Wallet Address as well.

Below is a list of tokens that were ‘cleaned out’ from Coinbene’s Hot Wallet Address:

  1. Guaranteed Ethurance Token Extra
  2. EBCoin
  3. Fountain2
  4. HuobiPoolToken
  5. TMTG
  6. Insureium Token
  7. BaaSid
  8. VOLT
  9. Sakura Bloom
  10. Aston X
  11. CosmoCoin
  12. PRASM
  13. uDOO
  14. Pundi X Token* (Coinbene received a new send to their hot wallet address worth about $10k USD circa April 4th-6th, 2019)
  15. PumaPay
  16. BTNT
  17. OVC
  18. SRCOIN
  19. GoToken
  20. FuzeX
  21. UTN-P: Universa Token
  22. Tokenomy
  23. FNKOSToken
  24. Mobile Integrated Blockchain
  25. Endor Protocol Token
  26. Paxos Standard
  27. CNN Token
  28. Mass Vehicle Ledger Token
  29. EnergiToken
  30. KST
  31. eQUAD
  32. Bethereum
  33. ABYSS
  34. XMED Chain Token
  35. Credo Token
  36. Omix
  37. AiLink Token
  38. VeriSafe
  39. LatiumX
  40. POPCHAIN-CASH
  41. CEDEX
  42. AID
  43. CREDITS
  44. ELF
  45. TokenClub Token
  46. IOSToken
  47. RECORD
  48. Social Lending Token
  49. Aeternity
  50. Cryptaur
  51. Verime Mobile
  52. Polymath
  53. ArcBlock
  54. Simmitri
  55. vSporf Coin
  56. Gemini dollar
  57. PATRON
  58. shinechain
  59. MT Token
  60. ESSENTIA
  61. FundRequest
  62. IvyKoin Public Network Tokens
  63. Reputation
  64. Bez
  65. HalalChain
  66. BAT
  67. OmiseGO
  68. FarmaTrust Token
  69. No BS Crypto
  70. DENT
  71. Ink Protocol
  72. Level-Up Coin
  73. Moeda Loyalty Points
  74. Bezop
  75. MedToken
  76. Bancor
  77. ChainLink Token
  78. QuarkChain Token
  79. Cortex Coin
  80. ZRX
  81. Civic
  82. Content and Ad Network
  83. Storiqa
  84. Sentinel Chain
  85. AIT
  86. Loom
  87. BANKEX
  88. DGD
  89. Genesis Vision
  90. Kora Network Token
  91. Aditus
  92. SeeleToken
  93. COZ
  94. Zippie
  95. BitStation
  96. Salt
  97. SwftCoin
  98. SHVR
  99. ClearPoll
  100. TRUE
  101. Medical Token Currency
  102. Herocoin
  103. AIDOC
  104. Populous
  105. INCX Coin
  106. Nebula AI Token
  107. VisionX
  108. Data

All of the above tokens (with the exception of Pundi X Token) held a balance of zero on April 6th, 2019.

Additionally, a large proportion of all tokens that were sent to Alleged ‘Hack’ Wallet Address have already been liquidated.

Given the fact that Coinbene’s coffers for each individual token listed above were completely drained in their subsequent transfer to the Alleged ‘Hack’ Wallet Address and then subsequently liquidated on a decentralized Ethereum exchange (IDEX), it is reasonable to conclude that this was a hack of some sort.

Reasons For Questioning Coinbene's Narrative

The reasons why it would be reasonable (and logical) to conclude that this is a hack/theft/inside job are:

  • There is no way that the Alleged ‘Hack’ Wallet Address is the sole source of deposits for all of the coins listed above.
  • The Alleged ‘Hack’ Wallet Address is not an extension of Coinbene that was used to distribute funds to customers, because all funds were sent to IDEX and subsequently liquidated. IDEX is not a distribution method for exchanges to satisfy customer withdrawal requests.

Additional Assets Not Accounted For in the List Above

For whatever reason, the following three assets were not sent to the Alleged ‘Hack’ Wallet Address:

  • Ethereum
  • Maximine
  • CoinBene Coin

Instead, they were redirected to the following addresses:

  • 0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba (Wallet #1)
  • 0x6585329751de1140d68bd6cad1b46ebec1131f75 (Wallet #2)
  • 0xc163a86f2f095150562c1c4cf48c55ad085aeb6b (Wallet #3)
  • 0x49800268af45f54ead1176d41272bc409f40d6c9 (Wallet #4)
  • 0xc85f8f41c4f12816c72fe35f01ae32fa40f512f7 (Wallet #5)
  • 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133 (Wallet #6)
  • 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819 (Wallet #7)
  • 0x712ae2390e296311d69fcd143a2ad2117a7ca997 (Wallet #8)
  • 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc (Wallet #9)
  • 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0 (Wallet #10)
  • 0x6ec8572dac56c5a400cf2a94eb629b3eae029550 (Wallet #11)
  • 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1 (Wallet #12)

Each wallet listed above was created within the last 10–12 days from the original date of this being posted (April 6th, 2019).

Sample Analysis of Wallet #1

The following notes will be of Wallet #1 to give a general idea of the liquidation pattern flowing out from Coinbene during the time of the suspected security breach as well as the interconnectedness of the wallets listed above.

Wallet #1

  1. Wallet #1 received 669 million $MXM tokens from Coinbene directly.
  2. Wallet #1 also received 364,526,151 (364 million) CoinBene coins.
  3. Wallet #1 also received 16,730 Ethereum as well.
  • Ethereum from Wallet #1 was then sent into 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc , which also contains funds from Ethereum Wallet #3 and Ethereum Wallet #6. Altogether, 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc received 18,935 Ethereum, which were then sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC.

The 18.9k Ethereum that were sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC were still in that address as of April 6th, 2019.

Strange Activity With Maximine Token

As noted in the ‘Report Summary’, there were significant concerns that the Zerononcense team found with the Maximine token and contract.

What should be noted first, is that the Maxamine Old Contract Address was 86'd (publicly) on March 28th, 2019:

https://medium.com/@maximinecoin/official-announcement-update-of-token-address-da9862d4fd45

However, the new contract was actually created on March 27th, 2019 at 12:40 a.m. UTC.This is not necessarily an issue though. What is an issue, is the transfer of tokens that followed.

What was also noted in the report summary was the fact that Maximine was supposed to distribute the new contract address tokens to holders on a 1:1 basis, per their press release.

However, Coinbene ended up receiving 1.9 billion $MXM tokens from the new contract (somehow).

Analyzing Coinbene’s Holdings of $MXM (MaxiMine)

As stated before, the address to the new contract for Maximine can be found here: https://etherscan.io/token/0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439

Notably, Coinbene’s Cold Wallet Address held 1.9 billion $MXM tokens as of April 6th, 2019.

The vast majority of these tokens were sent in one bulk transaction on March 27th, 2019 at 8:12 a.m. UTC:

  1. https://etherscan.io/tx/0x13f648663654a4f9ea2b4615adcee0fbd378f0e99da9057a055459be7199bf91
  2. These funds were sent to Coinbene’s Hot Wallet Address from 0x3feea02bc920e80351f0f1e976fab7b57640466d.
  3. Notably, this address is the contract creator for the new Maximine contract address.

So this begs the question of why and how Coinbene was able to receive 1.9 billion $MXM tokens from Maximine directly despite not having 1.9 billion tokens from the old contract on hand.

Coinbene Did Have 1.2 Billion $MXM Tokens in Possession in Their Cold Wallet

Strangely, Coinbene was able to salvage 1.2 billion $MXM tokens (from the old contract) somehow.

See below:

Source: https://etherscan.io/token/0x6a750d255416483bec1a31ca7050c6dac4263b57?a=0x9539e0b14021a43cde41d9d45dc34969be9c7cb0
Here is the URL for that transfer: https://etherscan.io/tx/0xacc9d8b0bdb1fa3bd7014bf74ea7f3f38adac11987eb543bd38824edeceb41bc

As shown in the picture above, it appears that this transfer occurred on March 26th, 2019 at 6:44 a.m. UTC.

What is interesting though is that it appears the Coinbene wallet had already been compromised at that point.

Proving the Claim Above About When Coinbene Was Compromised

  • The screenshot above proves that the Coinbene hot wallet was compromised on March 25th, 2019 around 7–8 p.m. UTC.
  • The intruder/hacker/entity wasted no time in completely transferring the entire balance of every other ERC20 token that Coinbene had in its possession.
  • However, this was not done with Maximine. Instead, only 1/3 of the tokens were distributed.
  • This left Coinbene with 1.2 billion $MXM tokens, which they sent to their cold wallet address on March 26th.
  • However, this transfer to their cold wallet address did not take place until 7–8 hours after the last extraction from the wallet by the See below:hacker/illicit source.

The above, of course, begs the question of why such a malevolent entity would have left 1.2 billion $MXM tokens to the exchange.

It Appears Maximine Compensated Coinbene for Those Tokens

As stated above, Coinbene was able to successfully transfer 1,203,498,805 $MXM tokens to its cold wallet, but the hacker was successful in extracting 669,874,712.47 $MXM from the exchange before subsequently liquidating the vast majority of them down at IDEX.

Now, let’s go back to the total $MXM that Maximine compensated Coinbene’s Hot Wallet with once they swapped their contract (literally only a few hours after the initial transfer): https://etherscan.io/tx/0x27eb05ee89c2402474ba40a85d092885b932709a28794aff03974095d1b0ade2

Specifically, $MXM sent Coinbene 1,869,874,712.473940796455758495 tokens.

Coincidentally, if you add 1,203,498,805 (tokens successfully transferred to the Coinbene cold wallet address) to 669,874,712.47 (tokens extracted by “hacker”), you’ll get a total of 1,873,373,517.47.

This total is only .2% off from the amount of tokens that $MXM gave Coinbene.

Thus, it looks pretty obvious that $MXM compensated Coinbene for the loss of 669M $MXM tokens, but the question is ‘why’? That additional compensation represents approximately $70M in value.

This also makes it seem as though $MXM launched an entirely new contract for the sake of keeping Coinbene afloat.

This Entire Situation Brings Up a Potent Philosophical Dilemma in the Crypto Space

If ERC20 tokens are not tied to equity and they can be arbitrarily produced and distributed (unlike PoW-based cryptos), then the only difference between ERC20 tokens and Tether (USDT) is that ERC20 tokens have a floating value and Tether doesn't.

Otherwise, all the other properties are the same:

  1. Tokens/USDT can be 'printed' at will.
  2. Tokens/USDT can be distributed at will.
  3. Tokens/USDT can be allocated at will.
  4. The value given for tokens/USDT is based off of pure speculative hopium rather than legitimate real-world use.

Think about it - you can't use USDT in the real world...Anywhere. USDT's only purpose is to buy other cryptos in the hopes that said purchase will result in more fiat/Bitcoin at the end of the day.

The vast majority of these tokens have no immediate use case and even those that folks argue do have a use case have use cases that are not targeted at retail investors but rather large corporations/entities (i.e., $XRP).

Counter Arguments Run Stale Here

Making the counter-argument, "But the Federal Reserve prints money and money has no value!" is disingenuous at best.

The government doesn't just 'print money' or there would be no national debt, necessary budget or deficit (think about it, why would your country have any debt if it could just "print money" and pay that debt?).

Also, the reality is that the dollar has a demonstrable value (whether you agree with its origins or not). If you have enough dollars you can purchase a house, clothes, cars, wherever money is accepted (in America) and any other country with a financial system will be more than happy to exchange your dollars for their currency if that's what must be done.

The same cannot be said of ERC20 tokens/USDT.

99% of ERC20 tokens and USDT only have value within the context of crypto trading and markets.

99% of ERC20 tokens have no objective value in terms of what they allow you to do at this present moment in time.

And because these crypto entities own tens of millions of these tokens with an arbitrary floating value, they have the ability to "create" millions for themselves out of 'thin air'. It is a philosophical issue that most acknowledge but we have not yet found a solution.

Tags

cryptomedication

Happy to serve and help wherever I'm needed in the blockchain space. #Education #EthicalContent #BringingLibretotheForefront

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.