Source: Cointelegraph.com NewsAn elderly crypto whale known as \u201cHEX 19\u201d lost nearly $4.5 million in a slow-moving hack that drained his staked HEX over multiple years.\u00a0
\nAt first, it looked like a HEX whale was cashing out. But it wasn\u2019t long before the community realized he didn\u2019t voluntarily unstake his tokens \u2014 he had become a victim of a major exploit.
\nThe cyberattack started in November 2021, touched multiple phishing wallets and was traced back to an online entity known as \u201cKonpyl,\u201d a threat actor familiar to crypto investigators.
\nThe breach not only shook the token\u2019s price but also exposed a web of fraudulent operations tied to Inferno Drainer and the $1.6 million fake Rabby wallet scam of February 2024.
\nHEX token price sinks following the HEX19 hack. Source: CoinGeckoHEX hackers and the web of connections
\nA blockchain investigator who spoke to Cointelegraph on condition of anonymity said, “There\u2019s direct counterparty exposure with wallets used in the fake Rabby app scam as well as the HEX19 Victim\u2019s funds flowing directly into wallets used to launder illicit Inferno Drainer phishing scam proceeds.”\u00a0
\nThe first major batch of outflows from the victim\u2019s wallet occurred in November 2021 and has continued over the years as assets locked away in decade-long stakes continued to unlock, some prematurely closed by the hacker with penalties.\u00a0
\nHEX19 wallet loses almost $4 million on Nov. 21. Source: Arkham IntelligenceRelated: THORChain at crossroads: Decentralization clashes with illicit activity
\nThe deeper investigators dug into the wallets tied to the HEX19 hack, the more it became clear that this wasn’t a one-off for the hacker. The same addresses appeared again and again across phishing campaigns, wallet drainers and laundering trails.
\nWallets used by the HEX19 hacker, the fake Rabby wallet scam, and several schemes related to Inferno Drainer, share a common address: Konpyl.
\nIn an October 2024 investigation, Cointelegraph Magazine analyzed on- and offchain evidence gathered by an investigator and a US government agency which links Konpyl to Konstantin Pylinskiy, an executive of a Dubai-based investment firm who uses the nickname in his online activities. Pylinskiy has denied any involvement with scams.
\nThe investigator said the attack on HEX19 was possible because the victim had stored his seed phrases in the cloud. Transaction records show that the hackers use victim funds for initial transfers to their illicit accounts, a common trait of Konpyl-linked schemes.\u00a0
\n\u201cThe HEX19 hacker follows similar patterns from other scams by \u2018Konpyl,\u2019\u201d they said.
\nIn a November 2024 report, Cointelegraph learned that Konpyl-linked wallets had a high number of interactions with scams connected to Inferno Drainer, a scam-as-a-service threat actor.
\nFantasy, a forensics specialist and investigations lead at crypto insurance firm Fairside Network, told Cointelegraph that Konpyl may possibly function less as a direct attacker and more as a laundering proxy.
\nInside the HEX hack
\nThe first batch of funds started moving out from the wallet on Nov. 21, 2021, but blockchain records show that the wallet may have been compromised as early as Nov. 3, as the victim wallet (0x97E\u20267a7df) had an outflow to one of the hacker\u2019s wallets.<\/p>\n
On Nov. 21, the HEX19 was drained nearly $4 million across nine separate transactions. The majority of the losses were in HEX tokens. The primary destination was address 0xcfe\u20268A11D, which we will call HEX Hacker 1 (HH1).
\nThat same day, HH1 began splitting the stolen funds. It sent $2.64 million (12.33 million HEX) to a second wallet 0xA30\u20262EA17, or HEX Hacker 2 (HH2).
\nA follow-up transaction on Dec. 10, 2021, sent another 616,700 HEX (worth around $86,700 at the time) from HH1 to HH2.
\nThen, on Feb. 18, 2022, HH1 transferred 5.2 million HEX (worth about $1 million at the time) and some Ether to yet another address: 0x719a…4Bd0c, where the funds remain parked to this day.<\/p>\n
The HH2 wallet appears central to laundering efforts.
\nFrom December 2021 to March 2022, HH2 sent over $1 million to Tornado Cash, Ethereum\u2019s best-known anonymizing protocol.<\/p>\n
HH2 also transferred $106,758 in DAI to an intermediary wallet, 0x837\u20262Ba9B, which was used to interact with DeFi platforms like 1inch to further obscure or swap funds.
\nThe intermediary interacts with 0x7BF\u2026C4eAa, a wallet that received direct inflows from Konpyl (an online persona that has appeared in numerous phishing and draining operations).
\nHH2\u2019s laundering chain also intersects with a high-risk wallet \u2014 0x909\u2026e4371 \u2014 flagged for over 70 suspicious transactions.<\/p>\n
On May 16, 2024, a third wallet Hex Hacker (HH3) wallet 0xdCe\u20264f0d8 began withdrawing funds from the compromised HEX19 address.<\/p>\n
HH3 has received around $108,000 in HEX from the victim\u2019s account.\u00a0
\nHH3 connects to 0x87B\u202653d92, an address previously Cointelegraph\u2019s November investigation as part of an Inferno Drainer-linked scam. That same wallet shares a commingling address (0xF2F…6a608) with Konpyl, which connects a March 2024 Inferno-linked scam and the Rabby wallet phishing incident.<\/p>\n
Finally, a fourth wallet 0x7cc\u202659ee2 \u2014 HEX Hacker 4 (HH4) \u2014 enters the picture. Beginning on Jan. 12, 2024, HH4 began siphoning funds from the HEX19 wallet through March. Source: Cointelegraph.com NewsAn elderly crypto whale known as \u201cHEX 19\u201d lost nearly $4.5 million in a slow-moving hack that drained his staked HEX over multiple years.\u00a0 At first, it looked… <\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/126991"}],"collection":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=126991"}],"version-history":[{"count":0,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/126991\/revisions"}],"wp:attachment":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=126991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=126991"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=126991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nRelated: From Sony to Bybit: How Lazarus Group became crypto\u2019s supervillain
\nThis wallet interacts with\u00a0 0x4E9\u2026c71C2, which is a known address used by the fake Rabby wallet scammer.
\nLessons from the HEX19 Hack
\nHEX19, the retired tech veteran, has been through booms and busts before \u2014 just not ones that emptied millions of dollars from his digital wallet in a single day.
\nHe filed police reports, and exchanges couldn\u2019t do much to help, he said. The remaining staked funds, including 10-year HEX locks, became ticking time bombs. He knew the hackers had access and were just waiting to extract more.
\nCointelegraph has found at least 180 suspicious transactions from November 2021 to October 2024, totaling over $4.5 million. The victim’s wallet still has nine active stakes remaining, though their values aren\u2019t as significant as those prematurely closed and withdrawn by the thieves.
\nThe active stakes are not as valuable as those closed by hackers. Source: HEXscout\u201cYou have this feeling in the pit of your stomach and you say, \u2018Oh my God.\u2019 And then you say, \u2018Oh, geez, I gotta tell my family that I\u2019ve screwed up again,\u2019\u201d HEX19, purportedly a retiree in his 80s, said in an interview with HEX community member Mati Allin soon after the exploit. Cointelegraph attempted to get in touch with HEX19 but did not receive a response.
\nDespite the loss, HEX19 maintains a surprising sense of calm: \u201cWe\u2019re retired. We live without debt. We live very simply. We have a great family, awesome daughters, granddaughters,\u201d he said in the 2021 community interview. \u201cThere\u2019s more to life than money.\u201d
\nWhile he doesn\u2019t expect to recover the funds, he does hope his experience helps others think twice before storing their seed phrases online.
\nMagazine: Financial nihilism in crypto is over \u2014 It\u2019s time to dream big againRead More<\/a><\/p>","protected":false},"excerpt":{"rendered":"