Coinbene Used MXM to Liquidate All of its Users Funds

Image result for Coinbene

It is no secret that the majority of the cryptospace has been speculating about Coinbene’s solvency in recent days.

Most of the speculation was prompted by a CoinTelegraph article which featured research from crypto firm, Elementus, that revealed that $100M+ worth of crypto belonging to Coinbene had been moved:

This report was released almost simultaneously with news that other exchanges in the crypto space had been compromised as well. Most notably, Bithumb was compromised around the same time that this report was released:

 

What This Report Reveals

After being contacted by some interested parties in the crypto space, Zerononcense elected to scour through Coinbene’s Ethereum wallets.

After looking through the suspected target wallet where the hacked funds were sent as well as Coinbene’s hot wallet and cold wallet (the latter has received nearly all of Coinbene’s hot wallet funds over the past few days), we came across several notable aberrations that garnered our attention.

Our research showed us that $100M+ had indeed moved from Coinbene’s wallet into an unidentified address that did not exist prior to March 25th, as stated by prior reports. However, during our research, we also noticed that Coinbene’s cold wallet address still contained $200M in crypto, which seemed a bit strange since we observed that Coinbene’s Hot Wallet had been depleted of all ERC20 tokens (with the exception of $MXM [Maximine]).

Additionally, it appears that in the immediate aftermath of the hack, Coinbene did not possess a cumulative balance between their hot and cold wallets (Ethereum) that exceeded $10M total.

Thus, we set about looking a bit deeper into the transaction history of the exchange.

Discoveries Made by Zerononcense

We saw that the majority of Coinbene’s funds had come from a recent transaction from Maximine worth nearly $200M.

Upon further inspection, we also observed that Maximine’s decision to create a new contract address for their token coincided with the depletion of Coinbene’s Ethereum/ERC20 token funds. In fact, Maximine’s announcement declaring that they had deployed a new contract address for their tokens came within 72 hours of Coinbene’s wallets being drained.

Notably, the $MXM token also represented the bulk of lost value for Coinbene in the supposed hack that occurred on March 25th-26th.

However, at the time of publication, Maximine’s official explanation for their transition to a new contract address was because:

“MaxiMine has officially launched the development of its public chain. This development will entail an upgrade in token address of all existing tokens.”

Maximine also clarified the distribution protocol for this new contract address by stating:

“ Currently, new tokens have already been issued to all existing token holders in a 1:1 ratio.”

Given the above statements, there is no perceivable reason for why Coinbene would have received 1.8 billion $MXM tokens (worth approximately $200M at the time of transfer), because Coinbene only had 1.2 billion tokens on-hand (in their cold wallet) at the time of the new contract distribution. The $MXM tokens that had been extracted by the alleged hacker had also already been liquidated at that point in time as well.

What is even more confounding is that this amount greatly exceeds what the circulating supply for $MXM is supposed to be currently. In fact, on CMC — $MXM’s circulating supply is still listed at 1.6 billion tokens as of April 5th, 2018:

Also, the flow of transactions reflects that $MXM was liquidated in a different manner than almost all other tokens that were extracted from Coinbene’s hot wallet address (a total of 110, excluding $MXM, were extracted entirely from Coinbene).

Official Report

Before we begin the report, let’s list out some addresses that are worth remembering for future reference (more will be listed throughout the report, but these are the main ones that we will consistently refer back to).

  1. Coinbene’s Ethereum Hot Wallet Address = 0x9539e0b14021a43cDE41d9d45Dc34969bE9c7cb0
  2. Coinbene’s Ethereum Cold Wallet Address = 0x33683b94334eebc9bd3ea85ddbda4a86fb461405
  3. Maximine’s Old Contract Address =
    0x6a750d255416483bec1a31ca7050c6dac4263b57
  4. Maximine’s New Contract Address = 0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439
  5. Alleged ‘Hacker’ Address = 0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E

To begin our analysis, we’re going to start with March 25th, 2019.

In specific, that was the day massive outgoing transactions from Coinbene’s Ethereum Hot Wallet Address to the Alleged ‘Hacker’ Address began.

Below is a Look at the Alleged ‘Hacker’ Address:

Source: https://etherscan.io/tokentxns?a=0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E&p=5

 

If we go back to the initial incoming transaction for the Alleged ‘Hack’ Address, we can see that it was created on March 25th, 2019 at 7:04 p.m. UTC via a deposit that came directly from Coinbene’s Hot Wallet Address.

Each transaction from the Coinbene Hot Wallet Address to the Alleged ‘Hack’ Address is for a significant amount of some token that was held by Coinbene, and upon further inspection, it appears that these transactions essentially “cleaned out” Coinbene of whatever asset was being transferred.

For example, the first incoming transaction to the Alleged ‘Hack’ Wallet Address from Coinbene was a 74.2 million token transfer of the $GETX coin.

If we check Coinbene’s $GETX reserves, we can see that this transaction was for the entire amount of Coinbene’s $GETX was in their wallet at the time:

Source: https://etherscan.io/token/0x07a58629aaf3e1a0d07d8f43114b76bd5eee3b91?a=0x9539e0b14021a43cde41d9d45dc34969be9c7cb0

 

This is the case for all other ERC20 tokens that were transferred from Coinbene’s Hot Wallet Address to the Alleged ‘Hack’ Wallet Address as well (a total of 108).

Below is a list of tokens that were ‘cleaned out’ from Coinbene’s Hot Wallet Address:

  1. Guaranteed Ethurance Token Extra
  2. EBCoin
  3. Fountain 2
  4. HuobiPoolToken
  5. TMTG
  6. Insureum Token
  7. BaaSid
  8. VOLT
  9. Sakura Bloom
  10. Aston X
  11. CosmoCoin
  12. PRASM
  13. uDOO
  14. Pundi X Token * (Coinbene recently received a new send to the address worth about $10,000 USD)
  15. PumaPay
  16. BTNT
  17. OVC
  18. SRCOIN
  19. GoToken
  20. FuzeX
  21. UTN-P: Universa Token
  22. Tokenomy
  23. FNKOSToken
  24. Mobile Integrated Blockchain
  25. Endor Protocol Token
  26. Paxos Standard
  27. CNN Token
  28. Mass Vehicle Ledger Token
  29. EnergiToken
  30. KST
  31. eQUAD
  32. Bethereum
  33. ABYSS
  34. XMED Chain Token
  35. Credo Token
  36. Omix
  37. AiLink Token
  38. VeriSafe
  39. LatiumX
  40. POPCHAIN-CASH
  41. CEDEX
  42. AID
  43. CREDITS
  44. ELF
  45. TokenClub Token
  46. IOSToken
  47. RECORD
  48. Social Lending Token
  49. Aeternity
  50. Cryptaur
  51. Verime Mobile
  52. Polymath
  53. ArcBlock
  54. Simmitri
  55. vSporf Coin
  56. Gemini dollar
  57. PATRON
  58. shinechain
  59. MT Token
  60. ESSENTIA
  61. FundRequest
  62. IvyKoin Public Network Tokens
  63. Reputation
  64. Bez
  65. HalalChain
  66. BAT
  67. OmiseGO
  68. FarmaTrust Token
  69. No BS Crypto
  70. DENT
  71. Ink Protocol
  72. Level-Up Coin
  73. Moeda Loyalty Points
  74. Bezop
  75. MedToken
  76. Bancor
  77. ChainLink Token
  78. QuarkChain Token
  79. Cortex Coin
  80. ZRX
  81. Civic
  82. Content and Ad Network
  83. Storiqa
  84. Sentinel Chain
  85. AIT
  86. Loom
  87. BANKEX
  88. DGD
  89. Genesis Vision
  90. Kora Network Token
  91. Aditus
  92. SeeleToken
  93. COZ
  94. Zippie
  95. BitStation
  96. Salt
  97. SwftCoin
  98. SHVR
  99. ClearPoll
  100. TRUE
  101. Medical Token Currency
  102. Herocoin
  103. AIDOC
  104. Populous
  105. INCX Coin
  106. Nebula AI Token
  107. VisionX
  108. Data

All of the above tokens (with the exception of Pundi X Token) currently hold a balance of zero in the Coinbene Hot Wallet Address at the time of writing (April 7th, 2019).

Additionally, a large proportion of all tokens that were sent to Alleged ‘Hack’ Wallet Address have already been liquidated.

Given the fact that Coinbene’s coffers for each individual token listed above were completely drained in their subsequent transfer to the Alleged ‘Hack’ Wallet Address and then subsequently liquidated on a decentralized Ethereum exchange (IDEX), it is reasonable to conclude that this was a hack of some sort.

The reasons why it would be reasonable (and logical) to conclude that this is a hack/theft/inside job are:

  1. There is no way that the Alleged ‘Hack’ Wallet Address is the sole source of deposits for all of the coins listed above.
  2. The Alleged ‘Hack’ Wallet Address is not an extension of Coinbene that was used to distribute funds to customers, because all funds were sent to IDEX and subsequently liquidated. IDEX is not a distribution method for exchanges to satisfy customer withdrawal requests.

Additional Assets Not Accounted For in the List Above

For whatever reason, the following three assets were not sent to the Alleged ‘Hack’ Wallet Address:

  1. Ethereum
  2. Maximine
  3. CoinBene Coin

Instead, they were redirected to the following addresses:

  1. 0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba (Wallet #1)
  2. 0x6585329751de1140d68bd6cad1b46ebec1131f75 (Wallet #2)
  3. 0xc163a86f2f095150562c1c4cf48c55ad085aeb6b (Wallet #3)
  4. 0x49800268af45f54ead1176d41272bc409f40d6c9 (Wallet #4)
  5. 0xc85f8f41c4f12816c72fe35f01ae32fa40f512f7 (Wallet #5)
  6. 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133 (Wallet #6)
  7. 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819 (Wallet #7)
  8. 0x712ae2390e296311d69fcd143a2ad2117a7ca997 (Wallet #8)
  9. 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc (Wallet #9)
  10. 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0 (Wallet #10)
  11. 0x6ec8572dac56c5a400cf2a94eb629b3eae029550 (Wallet #11)
  12. 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1 (Wallet #12)

Each wallet listed above was created within the last 10–12 days from the date of publication (April 7th, 2019).

Sample Analysis of Wallet #1

The following notes will be of Wallet #1 to give a general idea of the liquidation pattern flowing out from Coinbene during the time of the suspected security breach as well as the interconnectedness of the wallets listed above.

Wallet #1

  • Wallet #1 received 669 million $MXM tokens from Coinbene directly.
  • Wallet #1 also received 364,526,151 (364 million) CoinBene coins as well.
  • Wallet #1 also received 16,730 Ethereum as well.

The 18.9k Ethereum that were sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC are still in the address at the time of writing and are parked.

Strange Activity With Maximine Token

As noted in the ‘Report Summary’, there were significant concerns that the Zerononcense team found within the Maximine token and contract.

What should be noted first, is that the Maxamine Old Contract Address was 86’d (publicly) on March 28th, 2019.

However, the new contract was actually created on March 27th, 2019 at 12:40 a.m. UTC.

This is not necessarily an issue though. What is an issue, is the transfer of tokens that followed.

What was also noted in the report summary was the fact that Maximine was supposed to distribute the new contract address tokens to holders on a 1:1 basis, per their press release.

However, Coinbene ended up receiving 1.9 billion $MXM tokens from the new contract.

Analyzing Coinbene’s Holdings of $MXM (MaxiMine)

As stated before, the address to the new contract for Maximine can be found here: https://etherscan.io/token/0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439

Notably, Coinbene’s Cold Wallet Address currently holds 1.9 billion $MXM tokens:

The vast majority of these tokens were sent in one bulk transaction on March 27th, 2019 at 8:12 a.m. UTC:

https://etherscan.io/tx/0x13f648663654a4f9ea2b4615adcee0fbd378f0e99da9057a055459be7199bf91

These funds were sent to Coinbene’s Hot Wallet Address from 0x3feea02bc920e80351f0f1e976fab7b57640466d.

Notably, this address is the contract creator for the new Maximine contract address.

So this begs the question of why and how Coinbene was able to receive 1.9 billion $MXM tokens from Maximine directly despite not having 1.9 billion tokens from the old contract on hand.

Coinbene Did Have Possession of 1.2 Billion $MXM Tokens (Old Contract) in Their Cold Wallet

Strangely, Coinbene was able to salvage 1.2 billion $MXM tokens (from the old contract) somehow.

See below:

Source: https://etherscan.io/token/0x6a750d255416483bec1a31ca7050c6dac4263b57?a=0x9539e0b14021a43cde41d9d45dc34969be9c7cb0

 

Here is the URL for that transfer: https://etherscan.io/tx/0xacc9d8b0bdb1fa3bd7014bf74ea7f3f38adac11987eb543bd38824edeceb41bc

As shown in the picture above, it appears that this transfer occurred on March 26th, 2019 at 6:44 a.m. UTC.

What is interesting though is that it appears the Coinbene wallet had already been compromised at that point.

The screenshot proves that the Coinbene hot wallet was compromised on March 25th, 2019 around 7–8 p.m. UTC.

The intruder/hacker/entity wasted no time in completely transferring the entire balance of every other ERC20 token that Coinbene had in its possession.

However, this was not done with Maximine. Instead, only 1/3 of the tokens were distributed.

This left Coinbene with 1.2 billion $MXM tokens (old contract), which they sent to their cold wallet address on March 26th.

However, this transfer to their cold wallet address did not take place until 7–8 hours after the last extraction from the wallet by the hacker/illicit source.

The above, of course, begs the question of why such a malevolent entity would have left 1.2 billion $MXM tokens (old contract) to the exchange.

It Appears Maximine Compensated Coinbene for Those Tokens

As stated above, Coinbene was able to successfully transfer 1,203,498,805 $MXM tokens to its cold wallet, but the hacker was successful in extracting 669,874,712.47 $MXM from the exchange before subsequently liquidating the vast majority of them down at IDEX.

Now, let’s go back to the total $MXM that Maximine compensated Coinbene’s Hot Wallet with once they swapped their contract (literally only a few hours after the initial transfer):

https://etherscan.io/tx/0x27eb05ee89c2402474ba40a85d092885b932709a28794aff03974095d1b0ade2

Specifically, $MXM sent Coinbene 1,869,874,712.473940796455758495 tokens.

Coincidentally, if you add 1,203,498,805 (tokens successfully transferred to the Coinbene cold wallet address) to 669,874,712.47 (tokens extracted by “hacker”), you’ll get a total of 1,873,373,517.47.

This total is only .2% off from the amount of tokens that $MXM gave Coinbene.

Thus, it appears pretty obvious that $MXM compensated Coinbene for the loss of 669M $MXM tokens, but the question is ‘why’? That additional compensation represents approximately $70M in value.

This also makes it seem as though $MXM launched an entirely new contract for the sake of keeping Coinbene afloat.

Conclusion

In Zerononcense’s opinion and research, it appears that Coinbene and $MXM are deeply intertwined (perhaps Coinbene owns $MXM). There is no real value behind $MXM, but the coin has been duly pumped by Coinbene (which accounts for 99% of its volume).

Since Coinbene obviously has clear directive over the project, it appears they voluntarily liquidated down all of their users funds knowing that they would be able to replace them by simply having $MXM issue a new contract (March 27th) that replaced the “stolen” $MXM funds, then selling off those tokens to simply rebuy the ERC20 tokens necessary to fulfill customer withdrawal demands.

Essentially, Coinbene used $MXM as an unlimited funding source.

 

 

 

83 Comments:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.