Six hacker-controlled wallets lost more than $13.4 million after panic-selling 7,816 ETH during Friday’s crypto market downturn, having bought in near local highs earlier in the week, according to blockchain analytics firm Lookonchain. At least one of the wallets has been linked to the Coinbase funds theft earlier this year, in which approximately $35 million in bitcoin was stolen.
Lookonchain’s analysis showed the exploiters initially purchased 9,240 ETH valued at $39.45 million when Ethereum traded near $4,269. As prices dropped sharply on Tuesday, the hacker-controlled wallets sold 8,638 ETH for $32.5 million, realizing an immediate $5.5 million loss. By Friday, further panic-driven liquidation pushed their total loss to over $13 million in less than five days.
“This appears to be a case of emotional trading even by malicious actors,” said blockchain analyst Tomáš Urban of Chainalysis. “The on-chain data indicates they entered near the local top and sold near the local bottom which is a behavior common among retail traders during volatile conditions.”
The hacker-controlled wallets had repeatedly moved funds between Ethereum and stablecoin DAI via CoW Protocol, with several transactions exceeding $6 million. One wallet received over 6.9 million DAI before swapping 1,815 ETH across multiple settlements. Other wallets conducted transfers between $3.8 million and $6.9 million within a 15-hour span.
Blockchain forensics link losses to Coinbase exploit
One of the hacker-controlled wallets involved in the sell-off has been linked to the Coinbase funds theft, a high-profile security incident in which approximately 400 Bitcoin (then worth $35 million) were stolen earlier this year. Independent crypto sleuths Specter Analyst and ZachXBT confirmed that the same wallet was later observed converting portions of the stolen Bitcoin into Ethereum to obscure its origins.
“The address activity matches patterns consistent with laundering behavior, splitting and cycling funds through decentralized exchanges before re-entering liquid markets,” — ZachXBT, blockchain investigator, via X.
That wallet is now reportedly among those facing steep Ethereum losses, suggesting the hacker-controlled wallets’ strategy to diversify into ETH may have backfired amid market weakness.
Ethereum’s downturn accelerated during the broader crypto correction, dropping 1.5% to around $3,850 at publication time. According to Coinglass, approximately $269 million in ETH long positions were liquidated on Friday, contributing to the cascade.
Ethereum has already broken down the Descending Triangle and is looking bearish, Catalyst Trading Group, via X.
Market-wide liquidation and leveraged trading pressure
The meltdown affecting the hacker-controlled wallets mirrored a wider crypto sell-off that erased over $100 billion from global market capitalization by week’s end. Bitcoin fell more than 6% to near $103,850 before rebounding above $106,000, while Ether remained roughly 22% below its all-time high of $4,900.
Analysts attribute the volatility to surging leveraged trading activity. According to CryptoQuant contributor Amr Tah, open interest (OI) on Binance derivatives spiked 30% in one week, marking one of the largest increases this quarter.
When OI rises this fast, it usually means speculative money is flooding derivatives, Tah explained. That often leads to increased risk-taking and when prices move sharply, it triggers chain liquidations.
Meanwhile, Binance funding rates which determine the cost of maintaining perpetual futures have turned deeply negative, signaling an imbalance where short positions dominate. This dynamic often precedes market squeezes, as excessive short bets can be violently unwound if prices reverse upward.
Lessons from the hacker-controlled wallets’ missteps
The events highlight a paradox in the digital asset ecosystem: even sophisticated hacker-controlled wallets can suffer heavy losses due to poor timing and emotional responses to market conditions. Experts say this underscores both the transparency and unpredictability of blockchain-based trading.
Unlike traditional markets, on-chain data allows everyone including forensic analysts to see precisely how hackers lose money, said Carla Mendes, cybersecurity researcher at Elliptic. Their missteps are public, permanent, and traceable.
While investigators continue tracing the origins of the compromised funds, the case reinforces how decentralized protocols from CoW Protocol to Ethereum’s open ledger make illicit transactions visible and often counterproductive for the attackers themselves.
The latest market slump, combined with the hackers’ poor execution, adds another cautionary tale to the ongoing volatility that defines digital assets.