It is no secret that the majority of the cryptospace has been speculating about Coinbene’s solvency in recent days.
Most of the speculation was prompted by a CoinTelegraph article featuring research from the crypto firm Elementus, which revealed that $100M+ worth of crypto belonging to Coinbene had been moved.
This report was released almost simultaneously with news that other exchanges in the crypto space had been compromised as well. Most notably, Bithumb was compromised around the same time that this report was released.
What This Report Reveals
After being contacted by some interested parties in the crypto space, Zerononcense elected to scour through Coinbene’s Ethereum wallets.
After looking through the suspected target wallet where the hacked funds were sent as well as Coinbene’s hot wallet and cold wallet (the latter has received nearly all of Coinbene’s hot wallet funds over the past few days), we came across several notable aberrations that garnered our attention.
Our research showed us that $100M+ had indeed moved from Coinbene’s wallet into an unidentified address that did not exist prior to March 25th, as stated by prior reports. However, during our research, we also noticed that Coinbene’s cold wallet address still contained $200M in crypto, which seemed a bit strange since we observed that Coinbene’s Hot Wallet had been depleted of all ERC20 tokens (with the exception of $MXM [Maximine]).
Additionally, it appears that in the immediate aftermath of the hack, Coinbene did not possess a cumulative balance between their hot and cold wallets (Ethereum) that exceeded $10M total.
Thus, we set about looking a bit deeper into the transaction history of the exchange.
Discoveries Made by Zerononcense
We saw that the majority of Coinbene’s funds had come from a recent transaction from Maximine worth nearly $200M.
Upon further inspection, we also observed that Maximine’s decision to create a new contract address for their token coincided with the depletion of Coinbene’s Ethereum/ERC20 token funds. In fact, Maximine’s announcement declaring that they had deployed a new contract address for their tokens came within 72 hours of Coinbene’s wallets being drained.
Notably, the $MXM token also represented the bulk of lost value for Coinbene in the supposed hack that occurred on March 25th-26th.
However, at the time of publication, Maximine’s official explanation for their transition to a new contract address was:
“MaxiMine has officially launched the development of its public chain. This development will entail an upgrade in token address of all existing tokens.”
Maximine also clarified the distribution protocol for this new contract address by stating:
“Currently, new tokens have already been issued to all existing token holders in a 1:1 ratio.”
Given the above statements, there is no perceivable reason why Coinbene would have received 1.8 billion $MXM tokens (worth approximately $200M at the time of transfer), because Coinbene only had 1.2 billion tokens on hand (in their cold wallet) at the time of the new contract distribution. The $MXM tokens that had been extracted by the alleged hacker had also already been liquidated by that point.
What is even more confounding is that this amount greatly exceeds what the circulating supply for $MXM is supposed to be currently. In fact, on CMC — $MXM’s circulating supply is still listed at 1.6 billion tokens as of April 5th, 2018:
Also, the flow of transactions reflects that $MXM was liquidated in a different manner than almost all other tokens that were extracted from Coinbene’s hot wallet address (a total of 110, excluding $MXM, were extracted entirely from Coinbene).
Before we begin the report, let’s list out some addresses that are worth remembering for future reference (more will be listed throughout the report, but these are the main ones that we will consistently refer back to).
- Coinbene’s Ethereum Hot Wallet Address = 0x9539e0b14021a43cDE41d9d45Dc34969bE9c7cb0
- Coinbene’s Ethereum Cold Wallet Address = 0x33683b94334eebc9bd3ea85ddbda4a86fb461405
- Maximine’s Old Contract Address =
- Maximine’s New Contract Address = 0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439
- Alleged ‘Hacker’ Address = 0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E
To begin our analysis, we’re going to start with March 25th, 2019.
Below is a Look at the Alleged ‘Hacker’ Address:
If we go back to the initial incoming transaction for the Alleged ‘Hack’ Address, we can see that it was created on March 25th, 2019 at 7:04 p.m. UTC via a deposit that came directly from Coinbene’s Hot Wallet Address.
Each transaction from the Coinbene Hot Wallet Address to the Alleged ‘Hack’ Address is for a significant amount of some token that was held by Coinbene, and upon further inspection, it appears that these transactions essentially “cleaned out” Coinbene of whatever asset was being transferred.
For example, the first incoming transaction to the Alleged ‘Hack’ Wallet Address from Coinbene was a 74.2 million token transfer of the $GETX coin.
If we check Coinbene’s $GETX reserves, we can see that this transaction was for the entire amount of $GETX that was in Coinbene’s wallet at the time:
Below is a list of tokens that were ‘cleaned out’ from Coinbene’s Hot Wallet Address:
- Guaranteed Ethurance Token Extra
- Fountain 2
- Insureum Token
- Sakura Bloom
- Aston X
- Pundi X Token * (Coinbene recently received a new send to the address worth about $10,000 USD)
- UTN-P: Universa Token
- Mobile Integrated Blockchain
- Endor Protocol Token
- Paxos Standard
- CNN Token
- Mass Vehicle Ledger Token
- XMED Chain Token
- Credo Token
- AiLink Token
- TokenClub Token
- Social Lending Token
- Verime Mobile
- vSporf Coin
- Gemini dollar
- MT Token
- IvyKoin Public Network Tokens
- FarmaTrust Token
- No BS Crypto
- Ink Protocol
- Level-Up Coin
- Moeda Loyalty Points
- ChainLink Token
- QuarkChain Token
- Cortex Coin
- Content and Ad Network
- Sentinel Chain
- Genesis Vision
- Kora Network Token
- Medical Token Currency
- INCX Coin
- Nebula AI Token
All of the above tokens (with the exception of Pundi X Token) currently hold a balance of zero in the Coinbene Hot Wallet Address at the time of writing (April 7th, 2019).
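The "cleaned out" pattern described above can be checked mechanically by replaying a wallet's token transfers and flagging any outflow that equals the full balance held at that moment. The following is an added example, not part of the original report; the addresses, token symbols and transfer records are constructed placeholders, not chain data.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not real chain data): ERC-20 Transfer events in
# block order as (timestamp_utc, token, sender, recipient, amount).
HOT = "0xhot"          # placeholder for the exchange hot wallet
SUSPECT = "0xsuspect"  # placeholder for the destination under review
TRANSFERS = [
    ("2019-03-01T10:00", "AAA", "0xuser1", HOT, Decimal("50000000")),
    ("2019-03-10T12:00", "AAA", "0xuser2", HOT, Decimal("24200000")),
    ("2019-03-12T09:00", "BBB", "0xuser3", HOT, Decimal("1000")),
    ("2019-03-20T09:00", "BBB", HOT, "0xuser4", Decimal("100")),      # normal withdrawal
    ("2019-03-25T19:04", "AAA", HOT, SUSPECT, Decimal("74200000")),   # empties AAA
    ("2019-03-25T19:10", "BBB", HOT, SUSPECT, Decimal("900")),        # empties BBB
    ("2019-03-25T19:20", "CCC", "0xuser5", HOT, Decimal("300")),
    ("2019-03-25T19:30", "CCC", HOT, SUSPECT, Decimal("100")),        # partial outflow
]


def find_sweeps(transfers, wallet):
    """Replay transfers in order and flag outflows that empty a token balance.

    Returns one dict per outgoing transfer from `wallet` whose amount equals
    the wallet's whole balance of that token at that moment. `dest_is_new`
    is True when the destination never appeared in an earlier transfer,
    i.e. the address was first funded by the sweep itself.
    """
    balance = defaultdict(Decimal)   # token -> wallet balance so far
    seen = set()                     # addresses observed in earlier transfers
    sweeps = []
    for ts, token, src, dst, amount in transfers:
        if src == wallet:
            before = balance[token]
            if before > 0 and amount == before:
                sweeps.append({"time": ts, "token": token, "to": dst,
                               "amount": amount, "dest_is_new": dst not in seen})
            balance[token] = before - amount
        elif dst == wallet:
            balance[token] += amount
        seen.update((src, dst))
    return sweeps


if __name__ == "__main__":
    for sweep in find_sweeps(TRANSFERS, HOT):
        print(sweep)
```

Ordinary customer withdrawals and partial outflows are not flagged; only transfers that take a token balance to exactly zero are.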
Additionally, a large proportion of all tokens that were sent to Alleged ‘Hack’ Wallet Address have already been liquidated.
Given the fact that Coinbene’s coffers for each individual token listed above were completely drained in their subsequent transfer to the Alleged ‘Hack’ Wallet Address and then subsequently liquidated on a decentralized Ethereum exchange (IDEX), it is reasonable to conclude that this was a hack of some sort.
The reasons why it would be reasonable (and logical) to conclude that this is a hack/theft/inside job are:
- There is no way that the Alleged ‘Hack’ Wallet Address is the sole source of deposits for all of the coins listed above.
- The Alleged ‘Hack’ Wallet Address is not an extension of Coinbene that was used to distribute funds to customers, because all funds were sent to IDEX and subsequently liquidated. IDEX is not a distribution method for exchanges to satisfy customer withdrawal requests.
Additional Assets Not Accounted For in the List Above
For whatever reason, the following three assets were not sent to the Alleged ‘Hack’ Wallet Address:
- CoinBene Coin
Instead, they were redirected to the following addresses:
- 0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba (Wallet #1)
- 0x6585329751de1140d68bd6cad1b46ebec1131f75 (Wallet #2)
- 0xc163a86f2f095150562c1c4cf48c55ad085aeb6b (Wallet #3)
- 0x49800268af45f54ead1176d41272bc409f40d6c9 (Wallet #4)
- 0xc85f8f41c4f12816c72fe35f01ae32fa40f512f7 (Wallet #5)
- 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133 (Wallet #6)
- 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819 (Wallet #7)
- 0x712ae2390e296311d69fcd143a2ad2117a7ca997 (Wallet #8)
- 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc (Wallet #9)
- 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0 (Wallet #10)
- 0x6ec8572dac56c5a400cf2a94eb629b3eae029550 (Wallet #11)
- 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1 (Wallet #12)
Each wallet listed above was created within the last 10–12 days from the date of publication (April 7th, 2019).
Sample Analysis of Wallet #1
The following notes on Wallet #1 give a general idea of the liquidation pattern flowing out of Coinbene during the suspected security breach, as well as the interconnectedness of the wallets listed above.
- Wallet #1 received 669 million $MXM tokens directly from Coinbene.
- Wallet #1 also received 364,526,151 (364 million) CoinBene coins.
- Wallet #1 also received 16,730 Ethereum.
- Ethereum from Wallet #1 was then sent to 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc, which also contains funds from Ethereum Wallet #3 and Ethereum Wallet #6. Altogether, 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc received 18,935 Ethereum, which were then sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC.
The 18.9k Ethereum that were sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC are still in the address at the time of writing and are parked.
Strange Activity With Maximine Token
As noted in the ‘Report Summary’, there were significant concerns that the Zerononcense team found within the Maximine token and contract.
What should be noted first is that the Maximine Old Contract Address was 86’d (publicly) on March 28th, 2019.
This is not necessarily an issue, though. What is an issue is the transfer of tokens that followed.
What was also noted in the report summary was the fact that Maximine was supposed to distribute the new contract address tokens to holders on a 1:1 basis, per their press release.
However, Coinbene ended up receiving 1.9 billion $MXM tokens from the new contract.
Analyzing Coinbene’s Holdings of $MXM (MaxiMine)
As stated before, the address to the new contract for Maximine can be found here: https://etherscan.io/token/0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439
Notably, Coinbene’s Cold Wallet Address currently holds 1.9 billion $MXM tokens:
The vast majority of these tokens were sent in one bulk transaction on March 27th, 2019 at 8:12 a.m. UTC:
Notably, this address is the contract creator for the new Maximine contract address.
So this begs the question of why and how Coinbene was able to receive 1.9 billion $MXM tokens from Maximine directly despite not having 1.9 billion tokens from the old contract on hand.
Coinbene Did Have Possession of 1.2 Billion $MXM Tokens (Old Contract) in Their Cold Wallet
Here is the URL for that transfer: https://etherscan.io/tx/0xacc9d8b0bdb1fa3bd7014bf74ea7f3f38adac11987eb543bd38824edeceb41bc
As shown in the picture above, it appears that this transfer occurred on March 26th, 2019 at 6:44 a.m. UTC.
What is interesting though is that it appears the Coinbene wallet had already been compromised at that point.
The screenshot proves that the Coinbene hot wallet was compromised on March 25th, 2019 around 7–8 p.m. UTC.
The intruder/hacker/entity wasted no time in completely transferring the entire balance of every other ERC20 token that Coinbene had in its possession.
However, this was not done with Maximine. Instead, only 1/3 of the tokens were distributed.
This left Coinbene with 1.2 billion $MXM tokens (old contract), which they sent to their cold wallet address on March 26th.
However, this transfer to their cold wallet address did not take place until 7–8 hours after the last extraction from the wallet by the hacker/illicit source.
The above, of course, begs the question of why such a malevolent entity would have left 1.2 billion $MXM tokens (old contract) to the exchange.
It Appears Maximine Compensated Coinbene for Those Tokens
As stated above, Coinbene was able to successfully transfer 1,203,498,805 $MXM tokens to its cold wallet, but the hacker was successful in extracting 669,874,712.47 $MXM from the exchange before subsequently liquidating the vast majority of them on IDEX.
Now, let’s go back to the total $MXM that Maximine compensated Coinbene’s Hot Wallet with once they swapped their contract (literally only a few hours after the initial transfer):
Specifically, $MXM sent Coinbene 1,869,874,712.473940796455758495 tokens.
Coincidentally, if you add 1,203,498,805 (tokens successfully transferred to the Coinbene cold wallet address) to 669,874,712.47 (tokens extracted by “hacker”), you’ll get a total of 1,873,373,517.47.
This total is only 0.2% off from the amount of tokens that $MXM gave Coinbene.
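The reconciliation above can be reproduced as a small audit of a 1:1 token swap: compare what each holder was issued on the new contract against what they held on the old one, in exact integer base units. This is an added example, not part of the original report; it assumes an 18-decimal token (consistent with the 18-digit fraction quoted above), and the holder label is a placeholder.

```python
from decimal import Decimal

DECIMALS = 18  # assumption: 18-decimal token, matching the quoted amount's precision


def to_raw(amount: str) -> int:
    """Convert a human-readable token amount to integer base units."""
    return int(Decimal(amount).scaleb(DECIMALS))


def audit_swap(old_held: dict, new_issued: dict) -> dict:
    """Compare new-contract issuance with old-contract holdings per holder.

    Under a 1:1 swap each holder's issuance equals their old balance, so
    any positive difference is issuance not backed by old tokens.
    Returns {holder: excess_in_base_units} for holders with excess > 0.
    """
    excess = {}
    for holder, issued in new_issued.items():
        diff = issued - old_held.get(holder, 0)
        if diff > 0:
            excess[holder] = diff
    return excess


def relative_gap(a: int, b: int) -> Decimal:
    """|a - b| as a fraction of b, computed with decimal arithmetic."""
    return abs(Decimal(a) - Decimal(b)) / Decimal(b)


# Figures quoted in the article; "exchange_cold" is a placeholder label.
OLD_HELD = {"exchange_cold": to_raw("1203498805")}
NEW_ISSUED = {"exchange_cold": to_raw("1869874712.473940796455758495")}
EXTRACTED = to_raw("669874712.47")

if __name__ == "__main__":
    excess = audit_swap(OLD_HELD, NEW_ISSUED)["exchange_cold"]
    print("issuance beyond 1:1 (tokens):", Decimal(excess).scaleb(-DECIMALS))
    total = OLD_HELD["exchange_cold"] + EXTRACTED
    gap = relative_gap(total, NEW_ISSUED["exchange_cold"])
    print("held + extracted vs issued:", f"{gap:.4%}")
```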
Thus, it appears pretty obvious that $MXM compensated Coinbene for the loss of 669M $MXM tokens, but the question is ‘why’? That additional compensation represents approximately $70M in value.
This also makes it seem as though $MXM launched an entirely new contract for the sake of keeping Coinbene afloat.
In Zerononcense’s opinion and research, it appears that Coinbene and $MXM are deeply intertwined (perhaps Coinbene owns $MXM). There is no real value behind $MXM, but the coin has been duly pumped by Coinbene (which accounts for 99% of its volume).
Since Coinbene obviously has clear directive over the project, it appears they voluntarily liquidated all of their users’ funds, knowing that they would be able to replace them by simply having $MXM issue a new contract (March 27th) that replaced the “stolen” $MXM funds, then selling off those tokens to rebuy the ERC20 tokens necessary to fulfill customer withdrawal demands.
Essentially, Coinbene used $MXM as an unlimited funding source.