Defend Against Cybercrime with the Power of Community

Date: June 22, 20260. Forensic MethodologyTo reconstruct this complex cross-chain incident, the ChainBounty Threat Intelligence team deployed the SentinelTX Blockchain Forensic Intelligence System. Our technical investigation utilized a structured, multi-layered approach to establish an immutable chain of custody:OSINT Ingestion: Seeded the initial technical parameters by identifying 4 core attacker entity addresses via public security alerts from PeckShield and Blockaid.Multi-Chain Screening: Monitored real-time transaction activity and balance state changes across both the Ethereum Mainnet and the Taiko Layer-2 (L2) network.Outbound Proximity Tracing: Tracked the downstream movement of illicitly extracted funds up to an operational depth of 5 distinct hops.Token-Specific Forensics: Isolated and tracked individual asset ledgers independently, including TKO, USDC, USDT, WBTC, CRV, crvUSD, WETH, iZi, and weETH.Bridge Tracking: Identified and verified cross-chain telemetry data passing through the official Taiko Bridge contract.Inbound & Cluster Attribution: Analyzed the funding sources and internal transfer ties of the swap executor address to evaluate joint-control relationships.Smart Contract Reverse-Engineering: Audited creation timestamps, internal state calls, and event logs for malicious proxy architectures.Centralized Exchange Identification: Traced endpoints reaching exchange hot wallets and cross-verified counterparty profiles against international regulatory lists (including the South Korean FIU blocklist).Valuation Metric Note: All digital asset values are calculated using the spot exchange rates at the exact block timestamp of the respective transaction. Low-liquidity tokens (e.g., iZi) are tracked strictly by native token volume to preserve the primary evidentiary value of the chain of custody.1. Executive SummaryOn June 21, 2026, at approximately 22:07 UTC, the Taiko Bridge infrastructure suffered a major exploit. The threat actor successfully executed a forged message proof verification attack by exploiting a leak of the system's SGX signing keys, allowing them to extract approximately $1,700,000 in multi-token digital assets.The attacker deployed an aggressive, multi-path liquidation and layering operation across the Ethereum Mainnet using 4 core wallets, with the primary exploit engine identified as EOA address 0x7506DeA0c38ca0B55364B22424374c5Alae1B76a.Key Investigation Findings:CEX Liquidation (MEXC Global): The attacker moved 1,990,000 TKO tokens through a 2-hop layering sequence into a MEXC Exchange hot wallet. MEXC is currently flagged as an unregistered, high-risk counterparty on the South Korean Financial Intelligence Unit (KoFIU) blocklist.Decentralized Token Swapping: The attacker transferred a massive basket of stolen assets—including 649,761 USDC, 138,139 USDT, 0.426 WBTC, 126,160 CRV, and 156,832 crvUSD—into a dedicated swap agent address to convert them into ETH via Uniswap V3. Cluster analysis confirms this agent operates under the same unified operator control as the main exploiter.Layer-2 Bridge Escapism: The attacker successfully routed 500.005 ETH through the official Taiko Bridge back into a Taiko L2 address. These funds are currently sitting stagnant on Layer-2.Stagnant L1 Residue: The primary exploit wallet still holds a residue balance of 2,140,403 iZi and 0.53 weETH on the Ethereum mainnet.2. Complete Chronological Attack TimelineTimestamp (UTC) Event Transaction Hash (TX) Associated Addresses Amount / Assets 2024-05-01Target Vault CreationN/A0x996282calle5deb6b5d122cc3b9alfcaad4415abExploit Source Vault2026-03-04Malicious Proxy DeploymentN/A0x6f21c543a4af5189ebdb0723827577elef57eflfSuspicious Contract2026-06-18 05:47:59Pre-Attack L2 Setup0x8744d8364abf6f5a7e2010af3198aa86ed820f018067ebe9f19849f985912ee20x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a8460.005 ETH2026-06-21 22:07:00Exploit ExecutionMultiple Consolidated Traces0x996282ca...15ab -> 0x7506DeA0c38ca0B55364B22424374c5AlaelB76aBulk Stolen Assets2026-06-21 22:11:35Swap Agent Delegation0x1b6d504f2e35eabeda731bbbbda5f2a8acad2aea8e7ecalebc701fd37f7dd26c0x7506DeA0...1B76a -> 0x9108828e30f2de407aadb0af677b4a9228e4acd4Multi-Token Basket2026-06-21 22:26:23Secondary USDC Swap0x85c4d6c318a0060a169b8e8b47410603216a94a1b238d4c6b7a77fa27e87c78d0x9108828e...acd4 -> 0x7506DeA0...1B76a26,000 USDC Swap2026-06-21 22:28:59TKO Layering - Hop 10x5d8127d07d0b94263c11be2a51f01b610f287580fb29ed3f4d35aa27359837d40x7506DeA0...1B76a -> 0x5fbc60a12bc6635e7d587d8dac52e4b1388b49901,990,000 TKO2026-06-21 22:37:35TKO Layering - Hop 20x6f262f8860a21761023e63d3b6c2291c27eba85c865d9aaa2387c3d9967eded50x5fbc60a1...990 -> 0x3cc936b795a188f0e246cbb2d74c5bd190aecf181,990,000 TKO2026-06-21 23:58:11Bridge Injection (1/5)0xa2b259f7daeb5485327f472afcdc638c6ca26d6a83537ad8e5f658b2bf8d38870x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a846100 ETH2026-06-21 23:58:59Bridge Injection (2/5)0x93fle93c47173d6d1811c62d49f84f5eaab95a3041dd7f7ale639adac19d40d40x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a846100 ETH2026-06-21 23:59:59Bridge Injection (3/5)0x467bd50f788f5e934503ab95cc0396fda5775fe26459f5455d81221444cf9c5d0x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a846100 ETH2026-06-22 00:10:11Bridge Injection (4/5)0x43431c9eee9c8d4b764a9d7e6ea83614361b804d42eb4b910a24d67fb9f0f49b0x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a846100 ETH2026-06-22 00:32:11Bridge Injection (5/5)0x25f2dc828d6c66d880f9b92ecda9e6531f85d82df629628f86a9ba5cec104dfd0x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a846100 ETH[cite: 2]2026-06-22 00:33:35Auxiliary EOA Setup0x9ce9d5529e6ff01d05c80ef16a8c687aefa78f35710298c365925d9e85f624100x7506DeA0...1B76a -> 0x2f205367f408269b2aae3dd5fd4358aa6ae8d7e00.05 ETH[cite: 2]2026-06-22 00:43:59Supplementary Bridge0x4096b723fa8f06a84ed6f5d8dd4e88ea71e793e379585c625731887496dec09d0x7506DeA0...1B76a -> 0xa98035081fb739ebe9c8f80904668fb11438a846100 ETH[cite: 2]2026-06-22 00:55:23L2 Micro-Bridge Route0xfee99d74e8459d7ed28a9f9aa488af32cae55e7e0dd00905170b73025e3b5b880x2f205367...d7e0 -> 0xd60247c6848b7ca29eddf63aa924e53db6ddd8ec0.01 ETH[cite: 2]2026-06-22 01:07:47Secondary Micro-Bridge0xee20d87660670033faa486589e115b74ac788be6ce047bf9647408930a068def0x2f205367...d7e0 -> 0xd60247c6848b7ca29eddf63aa924e53db6ddd8ec0.01 ETH[cite: 2]2026-06-22 01:27:59Proxy Intercept (1/3)0x67900d1499ee23864bf857662f6cde6e059de4d9a3b4b9d335862b3b626dc2a50x2f205367...d7e0 -> 0x6f21c543a4af5189ebdb0723827577elef57eflf0.001 ETH[cite: 2]2026-06-22 01:48:47Proxy Intercept (2/3)0x77b219ef57e98875f2159c1d569b7f965ealee0adedd6a22ca96c2aaa5da5a7e0x2f205367...d7e0 -> 0x6f21c543a4af5189ebdb0723827577elef57eflf0.001 ETH[cite: 2]2026-06-22 02:31:47Proxy Intercept (3/3)0xdb21315494272eba02ccad0fe94dcb5c71d1fb6d94384b4a80b1de3875a524410x2f205367...d7e0 -> 0x6f21c543a4af5189ebdb0723827577elef57eflf0.001 ETH[cite: 2]2026-06-22 11:38:47Terminal CEX Deposit0x9efa97d7a5f695ad6e5b249abcef9b40cee775105f11d6ac9f1c7452293dd03b0x3cc936b795a188f0e246cbb2d74c5bd190aecf18 -> MEXC Hot Wallet1,990,000 TKO[cite: 2]3. Detailed Inventory of Stolen AssetsAsset Symbol Extracted Token Volume Asset Classification / Operational Status USDC649,761.00Stablecoin Ledger / Fully Liquidated to ETH via Uniswap V3[cite: 2]USDT138,139.00Stablecoin Ledger / Fully Liquidated to ETH via Uniswap V3[cite: 2]WBTC0.42634415Wrapped Bitcoin / Fully Liquidated to ETH via Uniswap V3[cite: 2]CRV126,160.973069Curve DAO Asset / Fully Liquidated to ETH via Uniswap V3[cite: 2]crvUSD156,832.011092Curve Stablecoin / Fully Liquidated to ETH via Uniswap V3[cite: 2]WETH20.700000Wrapped Ethereum / Consolidated into Main Capital Flow[cite: 2]iZi2,140,403.026072Low-Liquidity Token / Stagnant Residue inside Main Exploit Wallet[cite: 2]weETH0.530999Wrapped Liquid Staking ETH / Stagnant Residue inside Main Exploit Wallet[cite: 2]4. Advanced Fund Flow & Cluster AnalysisPath A: The TKO Layering & CEX Liquidation RouteTo obscure the origin of the Taiko (TKO) native tokens, the attacker utilized a programmatic, 2-hop layering architecture before initiating cash-out sequences.This rapid, highly coordinated multi-hop execution (completed within a tight window) proves a clear intent to delay corporate asset freezes and defeat automated exchange heuristics.Path B: Uniswap V3 Coordinated Swap ClusterThe non-native token balances were offloaded to a dedicated external address: 0x9108828e30f2de407aadb0af677b4a9228e4acd4. This entity interacted across five isolated liquidity pools on Uniswap V3:USDC Pool: 0x88e6a0c2ddd26feeb64f039a2c41296fcb3f5640USDT Pool: 0x11b815efb8f581194ae79006d24e0d814b7697f6CRV Pool: 0x919fa96e88d67499339577fa202345436bcdaf79WBTC Pool: 0xcbcdf9626bc03e24f779434178a73a0b4bad62edcrvUSD Pool: 0x4dece678ceceb27446b35c672dc7d61f30bad69eOur inbound flow analysis explicitly proves a Single Operator Cluster model: the swap agent interacted exclusively with the primary exploit engine, maintained zero individual financial upside, and returned 100% of the newly acquired ETH straight to the primary attacker EOA.Path C: Cross-Chain Gateway Loop (Taiko L2)Following capital consolidation, the attacker pushed a significant liquidity block back into Layer-2 through the official Taiko Bridge (0xd60247c6848b7ca29eddf63aa924e53db6ddd8ec). A total volume of 500.005 ETH was funneled directly into L2 address 0xa98035081fb739ebe9c8f80904668fb11438a846.Our ongoing 7-day deep tracking confirms that these Layer-2 assets remain completely stagnant. The attacker may be keeping the funds idle on L2 to evade the immediate automated tooling and tracking focus applied to Layer-1.5. Comprehensive Key Address LedgerTarget Address Entity Type System Identity / Forensic Role First Spotted Activity On-Chain Notes & Anomalies 0x7506DeA0c38ca0B55364822424374c5Alae1B76aEOAPrimary Exploit Engine2026-06-18Drained L1 Vault; holds 2.14M iZi & 0.53 weETH0x5fbc60a12bc6635e7d587d8dac52e4b1388b4990EOAHop-1 TKO Intermediary Proxy2026-06-21Single-use disposable transit wallet0x3cc936b795a188f0e246cbb2d74c5bd190aecf18EOAHop-2 Dedicated MEXC Depositor2026-06-21User-level CEX deposit intake pipeline0x9108828e30f2de407aadb0af677b4a9228e4acd4EOAProgrammatic Swap Router Agent2026-06-21Part of single operator cluster; balance now zero0xa98035081fb739ebe9c8f80904668fb11438a846EOATarget L2 Attacker Vault2026-06-18Sits on 500.005 ETH with zero L2 outbound moves0x2f205367f408269b2aae3dd5fd4358aa6ae8d7e0EOAAuxiliary Operational Address2026-06-22Created post-exploit; routed micro-bridge gas funds0x6f21c543a4af5189ebdb0723827577elef57eflfContractMalicious Proxy Intercept2026-03-04Inbound-only execution; yields 0 event logs0x996282calle5deb6b5d122cc3b9alfcaad4415abContractExploit Source Target Vault2024-05-01Source of the bulk unauthorized token drainage0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88CEXMEXC Global Hot WalletHistoricalTerminal destination for 1.99M stolen TKO tokensForensic Noise Exclusion: During the data compilation phase, we intercepted a transfer of 138,139 ha138com spam tokens originating from 0x757c3a8883b11b2e15c30dee9813ddcb64cbf76a. This has been formally classified as an Address-Poisoning / Air-Drop phishing attack and is entirely unrelated to the core exploit architecture.6. Centralized Exchange Vulnerability & AttributionThe single most critical vector for off-chain identity attribution lies within the TKO cash-out trajectory to MEXC Global (0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88).The terminal transaction hash 0x9efa97d7a5f695ad6e5b249abcef9b40cee775105f11d6ac9f1c7452293dd03b deposited 1,990,000 TKO on June 22 at 11:38 UTC. Because the source depositor EOA (0x3cc936b795a188f0e246cbb2d74c5bd190aecf18) is directly mapped as a unique, user-level intake lane, a formal compliance disclosure request to MEXC will expose crucial security logs, including registration IPs, device IDs, and linked fiat withdrawal routes.7. Immediate Threat Mitigation & Action PlanChainBounty advises asset issuers, core foundations, and global compliance cells to coordinate on the following intervention pathways immediately:MEXC Emergency Asset Freeze (Urgent): Submit a formal asset preservation request to MEXC Compliance to freeze any credit equivalent to the 1.99M TKO deposit. Concurrently, law enforcement should prepare an international Mutual Legal Assistance Treaty (MLAT) or Letter Rogatory to subpoena the account owner's KYC profile.Layer-2 Containment Protocols: Request that the Taiko Foundation and L2 bridge operators enforce a structural monitor and circuit breaker on address 0xa98035081fb739ebe9c8f80904668fb11438a846 to freeze the stagnant 500 ETH before any outbound L2 transfer can execute.Token Blacklisting: Coordinate with the dev teams at Izumi Finance and EtherFi to evaluate blacklisting capabilities for the remaining 2,140,403 iZi and 0.53 weETH currently stranded inside the L1 hacker address.Regulatory Reporting Escalation: File a Suspicious Transaction Report (STR) with international financial intelligence networks (e.g., South Korean KoFIU) regarding the use of blocked, high-risk platforms for criminal laundering purposes.8. ConclusionThe Taiko Bridge exploit underscores the devastating ecosystem risks of core cryptographic key management failures, specifically regarding SGX signing environments. By manufacturing forged message validation proofs, the attacker bypassed traditional contract boundaries to steal $1.7M in multi-token assets.While the attacker's sophisticated use of multi-hop TKO layering and dedicated automated Uniswap swap agents temporarily complicated tracing, their operational security broke down at the exchange onboarding endpoints. The combination of a locked 500 ETH block on Layer-2 and an explicit KYC trail at MEXC provides global security forces with an actionable framework for fund recovery and attribution.ChainBounty Threat Intelligence has locked webhooks onto all associated cluster addresses. Real-time updates will be deployed automatically if any L2 state updates occur.

Date: June 19, 2026Executive SummaryOn June 15, 2026, the Web3 ecosystem witnessed a sophisticated attack targeting the Thetanuts Finance Legacy Index Vault on the Ethereum mainnet. ChainBounty’s Threat Intelligence team has conducted a full on-chain forensic investigation into the incident, mapping the attacker's execution methods and subsequent money laundering operations. While the initial exploit successfully drained approximately $2,100,000 in option tokens, rapid intervention by a whitehat hacker resulted in the recovery of approximately $2,000,000. The attacker managed to successfully bridge and launder the remaining assets, resulting in a realized net loss of approximately $105,000. Forensic MethodologyTo unearth the full scope of this attack, ChainBounty utilized the SentinelTX Blockchain Forensic Intelligence System, analyzing on-chain data up to June 19, 2026. Trace Parameters: We tracked outbound fund movements on Ethereum (Chain ID 1) with a maximum query depth of 5 hops, successfully reaching the terminal endpoints within 3 hops. Data Enrichment: Our analysis cross-referenced 40+ cross-chain bridge APIs, the Sentinel TRDB, and the June 2026 OFAC SDN Sanctions list. OSINT Verification: Intelligence was corroborated using public alerts from Blockaid, PeckShieldAlert, SlowMist, and CryptoTimes.Anatomy of the Exploit: Integer Division VulnerabilityThe exploit was directed at the vulnerable legacy contract 0xC2C3AE0a7b405058558C9b4a63b373486CB86Ac7. The attacker (0x30498e4466789E534c72e03B52A16c978655b41e) executed the attack by weaponizing a flash loan against a Solidity integer division flaw. Here is the step-by-step breakdown of the attack execution:Capital Acquisition: The attacker initiated a massive flash loan to borrow capital. Supply Manipulation: By heavily burning the vault's tokens, the attacker manipulated the contract's state, driving the totalSupply variable down to a value approaching zero. Exploiting the Math: The contract utilized a redemption formula calculated as backing * amount / totalSupply. Due to Solidity's integer division characteristics and inadequate handling of edge cases for near-zero supply, dividing by this manipulated totalSupply caused the function to return a value of 0. Free Minting: Because the deposit function's share calculation evaluated to 0, the attacker was able to repeatedly mint new option tokens entirely for free. Value Extraction & Repayment: The attacker immediately redeemed these illegitimately minted tokens to extract the vault's actual underlying USDC assets, subsequently repaying the flash loan to secure the profit. Post-Exploit Money Laundering TacticsFollowing the extraction, the attacker initiated a 5-step layering process designed to obfuscate the origin of the funds. On June 15, the stolen assets were consolidated into a dedicated "Loot Wallet" (0xaf3a0fdbfb0e3127247b66a042310e09c32f2299), which was initially funded with 0.027575 ETH to cover gas fees. From the Loot Wallet, ChainBounty identified three distinct laundering vectors:Path A: Extreme Fan-Out via DEX AggregatorExecution: On June 15, the attacker routed 105,471.499078 USDC into a DEX aggregator/hub address (0x709de0b97e369661c99ad54f2b858139897d3dba). Dispersion: Over a 7-day period, this address operated as a massive fan-out hub, executing 419 transactions to disperse the capital across 313 distinct addresses. Asset Swapping: To further break the tracking chain, the USDC was swapped into varying amounts of USDT, ETH, and highly volatile meme coins, including DOGEUS, KISHU, and ASTEROID. Path B: Structuring via OFAC-Sanctioned MixersExecution: To completely sever the on-chain link, the attacker converted a portion of the funds into ETH and utilized the Tornado Cash protocol. Structuring Pattern: On June 17, a total of 57 ETH was sent to the Tornado Cash Router (0xd90e2f925da726b50c4ed8d0fb90ad053324f31b). To avoid triggering volume-based alerts, the attacker used a deliberate "structuring" technique, dividing the deposits into five batches of 10 ETH and seven batches of 1 ETH. Sanctions Violation: Because the Tornado Cash Router is an OFAC SDN-sanctioned entity, this interaction represents a severe violation of international sanctions. Path C: Centralized Exchange Liquidation (Binance)Execution: ChainBounty analysts discovered a critical operational security failure by the attacker. On June 17, exactly 0.85 ETH was moved from the Loot Wallet. Routing: This micro-transaction was routed through a single intermediary address (0x9ad8859dad6ab6d027855ff5f7ac2ddf73f9701d) and deposited directly into a Binance hot wallet (0x28c6c06298d514db089934071355e5743bf21d60). ChainBounty Strategic RecommendationsWhile the funds mixed through Tornado Cash currently possess a recovery probability of less than 5%, other avenues remain actionable. ChainBounty advises the following immediate steps: Exploit Centralized Exchange KYC: Because Binance enforces mandatory global KYC, the 0.85 ETH deposit pathway is the strongest lead. Law enforcement agencies should immediately submit a Mutual Legal Assistance Treaty (MLAT) or Letter Rogatory to subpoena the identity associated with the intermediary deposit address (0x9ad8859dad6ab6d027855ff5f7ac2ddf73f9701d). Regulatory Reporting: A Suspicious Transaction Report (STR) must be filed with financial intelligence units (such as KoFIU) regarding the deliberate use of the sanctioned Tornado Cash mixer. Real-Time Mixer Monitoring: Analysts must deploy real-time monitoring to flag any exchange deposits that mathematically correlate with future Tornado Cash withdrawals originating from this exploit. ConclusionThe Thetanuts Finance Legacy Vault exploit serves as a stark reminder of the persistent risks associated with legacy smart contracts, specifically regarding floating-point limitations and integer division vulnerabilities. While the prompt action of the whitehat community prevented a devastating $2 million loss, the attacker's sophisticated use of DEX fan-outs and sanctioned mixers allowed them to successfully launder approximately $105,000. ChainBounty will continue to monitor the dormant assets linked to this exploit. For the latest Web3 forensic analysis and threat alerts, follow the ChainBounty intelligence feed.

How a Single Infected Laptop Triggered a $36 Million Crypto Heist — An On-Chain Forensic Analysis of the Humanity Protocol HackTL;DR: On June 8–9, 2026, an attacker exploited a catastrophically mismanaged multisig setup on Humanity Protocol — all keys on one laptop — to drain $36M+ across Ethereum and BNB Chain. This report traces the money. It went to KyberSwap, 0x Protocol, a BNB intermediary hub, NomiswapPair DEX, and ultimately to Binance. 711 ETH remains dormant at an unattributed address. The attacker's structuring pattern — identical 2,992,500 H token batches sold dozens of times — is textbook layering.1. Background: What Is Humanity Protocol?Humanity Protocol was a decentralized identity project that used palm-scan biometrics and zero-knowledge cryptography to let users prove their humanity without revealing personal data — positioning itself as a direct rival to Sam Altman's Worldcoin. The project raised $50 million from 27 investors including Jump Crypto, Pantera Capital, Hex Trust, Animoca Brands, and Kingsway Capital, reaching a peak valuation of $1.1 billion.The native token, H, had been trading near all-time highs of ~$0.80 in the week preceding the attack. A major token unlock of 2.86% of total supply (over 15% of free float) was scheduled for June 25 — just 16 days away.That context matters.2. The Attack: One Laptop to Rule Them AllOn the night of June 8, 2026, a malware infection on a single developer's machine exposed seven private keys simultaneously. These included:3 of 6 Ethereum multisig keys (sufficient for threshold)3 of 5 BNB Chain multisig keys (sufficient for threshold)The private key for one of the protocol's hot walletsThe attacker seized proxy admin control over the ERC-BNB bridge, enabling unauthorized minting of H tokens directly. Within hours, Humanity Protocol's founder Terence Kwok confirmed on-chain that attackers had compromised the keys of a foundation member.3. The Attacker's WalletPrimary attacker address: 0x6aa22cb8420e94fc2119364b4c7885710ae753bbCurrent balance at time of investigation: $0.54 (BNB dust only). The community has already tagged this address with commemorative tokens: H-HACKER, FUCKH (Fuck Humanity), and Humanity Hacker — an ironic but forensically useful confirmation that this is the correct address.The address is not registered in any threat intelligence database as of the time of analysis, suggesting a freshly created operational wallet — a common DPRK Lazarus Group pattern (more on this later).4. Fund Flow Analysis: Following the MoneyThis is where it gets interesting. The attack was not just a theft — it was a pre-planned, structured liquidation operation executed with disciplined speed.4.1 Ethereum Path: The Silent HoardThe attacker moved stolen H → ETH on Ethereum and immediately forwarded the ETH to a single receiving address:TX 1: 0x2ec21c7f25e54f39e9e12c2e5144d0b28fc0b704a8048b91f37be90e63805a9c Sender: 0x6aa22cb8420e94fc2119364b4c7885710ae753bb (Attacker) Receiver: 0x59eff548cd9bcfbc169b6340f734e442c764a814 Amount: 688.81 ETH Date: 2026-06-09 TX 2: 0xc7356ba6cfbd44cba4670015efa7edb251aea1018375403544aafd6bd9ead8ff Sender: 0x6aa22cb8420e94fc2119364b4c7885710ae753bb (Attacker) Receiver: 0x59eff548cd9bcfbc169b6340f734e442c764a814 Amount: 22.61 ETH Date: 2026-06-10 Total Ethereum outflow: 711.42 ETH (approximately $2.37M at time of transfer)The receiving address 0x59eff548cd9bcfbc169b6340f734e442c764a814 shows no subsequent outbound Ethereum activity in the 30-day trace window. This is a dormant holding address — the funds are parked, waiting. Law enforcement should flag this address for real-time monitoring; any movement should trigger immediate exchange notification.4.2 BNB Chain Path: The Structured Liquidation MachineThe BNB Chain operation was far more sophisticated. The attacker ran what forensic analysts call a peel chain / structuring fan-out — selling stolen H tokens in precisely identical batches, routing through multiple DEX aggregators to obscure the origin.Step 1 — Mass H token dumps via DEX aggregators:The attacker submitted hundreds of transactions routing H tokens through:KyberSwap Meta Aggregation Router v2 (0x6131b5fae19ea4f9d964eac0408e4408b66337b5)0x Protocol Allowance Holder (0x0000000000001ff3684f28c67538d4d072c22734)PancakeSwap Router v2 (0x10ed43c718714eb63d5aa57b78b54704e256024e)The structuring pattern is unmistakable:The ratio of 99.75% / 0.25% is consistent across every batch — a programmatic split strongly suggesting automated bot execution, not manual trading.Step 2 — BNB consolidation through an intermediary hub:Converted BNB was funneled through 0xad7baae94959317929723a277694f3ecbd7358e1: TX: 0xd7afb62182857ab63ec28caabcf000f2e4a5fdbb0ccf815efb017cb30e5b5528 Amount: 1,101 BNB → intermediary hub (2026-06-09) TX: 0x740625ad7393851b3b1a92d064ca08fdc14c45a14de2a05826b57a79106a4a29 Amount: 366.61 BNB → intermediary hub (2026-06-09) TX: 0xa3d2ad2d8019c2b7b609fb5b1849d2cdfaeb9beebe05dd1f7f6535e642735f1c Return: 1,467.66 BNB returned to attacker for redistribution Step 3 — DEX-based layering via NomiswapPair:Significant BNB was routed through 0xe82e2d3b9db59f7c7b438239d92e2190a64e26ce (NomiswapPair), which received 200 BNB in 8+ identical transactions on June 9 alone: TX: 0xe821458e8d908a60c680ef0c1ff1b0e1395f9cd04b7936e416a21bd874ebc904 — 200 BNB TX: 0x2381acb7501c7a63504655c74472a29514b65b8f3f77e29b4de36f1bdd264774 — 200 BNB TX: 0x68d2d45cce2f520c9e6bd6208079b7393e641faa39e4df700b74c82e3feb987b — 200 BNB TX: 0x1d4ffd1187b20e8ee370e3a5c9450b1b3b760361405131af75b259359de2c6fd — 200 BNB TX: 0x4dbc7aafc0cac2dc9d14a7aaed09e9c5d1b01bdce39fa56c8ef7ba25f08fa3e9 — 200 BNB TX: 0x1b932f80c4a52ea78abfd8c37fd4ec09b4dde06e0aec55e3b7a34ab08c4590c — 200 BNB NomiswapPair served as a high-velocity mixer proxy — the attacker exploited the DEX's normal user traffic to blend stolen funds with legitimate transactions.Step 4 — Final cash-out: Binance:The trail terminates at Binance. On-chain data confirms a value-bearing transfer to: Binance Deposit Address: 0xb300000b72deaeb607a12d5f54773d1c19c7028d TX: 0x0068ddd18d... (BNB Chain) Assets deposited: USDC + USDT (post-swap) This is the critical KYC link. Binance's deposit address system assigns individual addresses to verified users. The entity that controls this deposit address has a verified Binance account — KYC documents exist and are obtainable via legal process.Step 5 — Cross-chain bridge attempt:The attacker also used the Din CrossChain Forwarder (0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251) to move assets to an additional chain. The destination chain and receiving address require further tracing but constitute a separate laundering leg.5. The DPRK QuestionMultiple forensic indicators overlap with known Lazarus Group (DPRK) operational signatures:On-chain sleuth ZachXBT raised the possibility that this incident was "possibly staged" — citing aggressive market-making practices before the hack and the suspicious timing ahead of the June 25 token unlock. This remains an analytical inference (not confirmed on-chain) and would require examination of off-chain communications, market-maker agreements, and internal wallet clustering to substantiate.6. Complete On-Chain Evidence TrailKey AddressesKey Transactions7. What Remains Untraced711 ETH ($2.37M equivalent) sitting at 0x59eff548cd9bcfbc169b6340f734e442c764a814 on Ethereum — no outbound movement detected in the 30-day trace window.Cross-chain destination via Din Bridge — the receiving chain and address have not yet been identified. This constitutes a second active laundering leg.Residual BNB distributed across 340+ addresses via the DEX layering operation — the bulk has likely been converted to stablecoins and is either parked or slowly bleeding into OTC desks.8. Recommended Actions for InvestigatorsImmediate (within 24 hours):🔴 Submit freeze request to Binance Compliance for deposit address 0xb300000b72deaeb607a12d5f54773d1c19c7028d — cite TX hash and wallet attribution. Binance has cooperated in similar cases.🔴 Register 0x59eff548cd9bcfbc169b6340f734e442c764a814 for real-time monitoring — 711 ETH dormant, may move at any time. Flag with all major exchanges.🟠 Report to relevant FIU — the structuring pattern (repeated identical batch sizes, DEX layering) meets the threshold for suspicious transaction reporting under FATF Recommendation 16 / applicable national AML law.Within 30 days:Trace the Din CrossChain Bridge destination — identify the receiving chain and address.Subpoena market-maker communications referenced by ZachXBT — determine whether the "staged hack" thesis has merit.Submit MLAT/legal assistance request to Binance's home jurisdiction for KYC records tied to the deposit address.Cross-reference the attacker wallet with known Lazarus Group infrastructure clusters.9. ConclusionThe Humanity Protocol hack is a masterclass in what happens when operational security is treated as an afterthought. Seven keys on one laptop. A multisig that wasn't. A pre-hack price rally that now looks suspicious in retrospect. And a June 25 unlock that would have diluted the supply anyway.On-chain, the attacker was disciplined: structured selling in identical batches, rapid DEX hops to obscure origin, an intermediary hub that bounced BNB before redistribution, and a final exit through Binance. The 711 ETH parked on Ethereum is the most actionable frozen asset remaining — if law enforcement moves quickly, that money is recoverable.The DPRK attribution remains a working hypothesis, not a confirmed finding. The behavioral overlap is significant, but attribution requires corroborating intelligence beyond what on-chain data alone can provide.What is certain: the funds are not gone. They are traceable. The Binance KYC link exists. The dormant ETH address is known. The window is open — but it won't stay open forever.🔗 All on-chain data cited in this report is publicly verifiable on BscScan and [filtered]. Analysis was performed using SentinelTX Blockchain Forensic Intelligence System as of June 17, 2026.⚠️ This report constitutes analytical findings only. DPRK attribution and internal staging allegations are working hypotheses and have not been confirmed by law enforcement. All addresses and transaction hashes are presented in full for independent verification.