article

The CoinBene situation: $105 million in crypto on the move

Author
Elementus
Date
Mar 27, 2019

Yesterday, rumors began circulating about a possible hack of CoinBene, after the exchange announced they were down for maintenance.

This morning, they sent out the following Tweet, assuring the public that users' assets are 100% secure.

#Announcement
Somebody doubt CoinBene was attacked by hacker recently because our maintenance.
We CoinBene are so sorry that made everyone worried for this problem.
Truth is 👇
pic.twitter.com/2P8Ulwjj6C

— CoinBene Global (@CoinBene) March 27, 2019

The beauty of the blockchain is that it is completely transparent to those who know how to read it. Our rationale behind releasing the findings below is to make public what is already public.

We are not here to refute what CoinBene is claiming, but to present what we found via the Elementus Query Engine.

All information shown below is independently verifiable. The raw data may be downloaded here and compared against the Ethereum blockchain.

$105 million in ETH + tokens were sent from CoinBene to three different addresses

Below is a timeline of events. All times are Eastern Time (GMT-4).

  • Monday 25-Mar, 2:58pm: A series of transfers totaling $105m in value begins out of CoinBene's hot wallet into three different addresses.
  • Monday 25-Mar, 6:24pm: CoinBene's hot wallet ceases all activity and remains inactive for 8 hours.
  • Tuesday 26-Mar, 2:44am: CoinBene's hot wallet begins moving funds to the cold wallet.
  • Tuesday 26-Mar, 9:20am: In response to complaints from users unable to make withdrawals, CoinBene claims that their platform is undergoing maintenance.
  • Wednesday 27-Mar, 5:21am: CoinBene releases an announcement dismissing rumors of a hack and reassuring users their assets are 100% secure.

The graphic below shows the movement of these funds after leaving CoinBene.

coinbene

The movements of funds after leaving CoinBene

Observations

$105m in crypto just left CoinBene and is now being sold on various exchanges

The amount of crypto involved is huge. Transfers of this size are not unheard-of when an exchange is moving funds between hot and cold wallets, but that is clearly not what's happening here.

After leaving CoinBene, the tokens were quickly moved into Etherdelta, where they were sold for ETH. A large amount of funds were also moved into centralized Exchanges, including Binance, Huobi and Bittrex. The funds continue to move into exchanges as I write this.

Moving funds through sweeping addresses is not commonly done by exchanges

The pattern of transfers between multiple intermediary wallets is not commonly seen among exchanges. It is, however, a common tactic for people who want to cover their tracks -- moving the crypto through a series of "sweeping addresses" to make the trail more difficult to follow.

The sequence of events is consistent with a hack

The sequence of events -- large amount of funds withdrawn quickly, period of inactivity, remaining funds secured into the cold wallet -- is consistent with how exchange hacks commonly play out.

CoinBene was example #1 in BitWise's fake exchange volumes report

We have no basis for judging CoinBene's credibility, but it is noteworthy they were example #1 in BitWise's recent report on fake exchange volumes.

CoinBene suspicious exchange volumes

Screen grab from Bitwise Asset Management: Presentation to the U.S. Securities and Exchange Commission

The $105m in market value includes positions in 110 different cryptos (see the full breakdown here). The largest position is $70m of Maximine, a token whose price has climbed 754.5% since the start of the month.

We will continue monitoring events and updating this post with new developments.

Edit: As of 28-Mar @ 8pm (ET), $50m in tokens has been moved to Etherdelta and other exchanges

All data shown in this report may be downloaded here.