Coinbene Colluded with Maximine ($MXM) to Abscond With $200 Million in User Funds
It is no secret that the majority of the cryptospace has been speculating about Coinbene’s solvency in recent days.
Most of the speculation was prompted by a CoinTelegraph article which posted research by crypto firm, Elementus, which revealed that $100M+ worth of crypto belonging to Coinbene had been moved: https://cointelegraph.com/news/crypto-exchange-coinbene-assures-users-that-prolonged-maintenance-not-due-to-hack
This report was released almost simultaneously with news that other exchanges in the crypto space had been compromised as well. Most notably, Bithumb was compromised around the same time that this report was released:
What This Report Reveals
After looking through the suspected target wallet where the hacked funds were sent as well as Coinbene’s main wallet and cold wallet (the latter has received nearly all of Coinbene’s hot wallet funds over the past few days), we noticed something very strange.
Our research showed us that $100M+ had indeed moved from Coinbene’s wallet into an unidentified address that did not exist prior to March 25th. However, during our research, we noticed that Coinbene’s cold wallet address still contained $200M in crypto, which seemed a bit strange since we saw that Coinbene’s hot wallet (and cold wallet) were nowhere near this amount following the extraction of Ethereum and tens of millions of dollars worth of ERC-20 tokens from their wallet.
Thus, we set about looking a bit deeper into the transactions, and we noticed something strange.
We saw that the majority of Coinbene’s funds had come from a recent transaction of Maximine worth nearly $200M.
Upon further inspection, we saw that Maximine’s decision to create a new contract address for their token coincided with the depletion of Coinbene’s Ethereum/ERC20 token funds. In fact, Maximine’s announced decision came within 72 hours of Coinbene’s wallets being drained.
Notably, the $MXM token represented the bulk of lost value for Coinbene in the supposed hack that occurred on March 25th. Based on Maximine’s announcement, the transition to a new contract address was because:
“ MaxiMine has officially launched the development of its public chain. This development will entail an upgrade in token address of all existing tokens.”
They also reassured users that:
“ Currently, new tokens have already been issued to all existing token holders in a 1:1 ratio.”
Given the above statements, there is no perceivable reason for why Coinbene would have received any $MXM token because their coffers were drained in the alleged hack.
$MXM sent Coinbene (directly) 1.9 billion tokens, which had a value of approximately $200 million USD at the time of transfer.
What is even more confounding is that this amount greatly exceeds what the circulating supply for $MXM is supposed to be currently. In fact, on CMC — $MXM’s circulating supply is still listed at 1.6 billion tokens as of April 5th, 2018:
Also, the flow of transactions reflects that $MXM was liquidated in a different manner than almost all other tokens that were extracted from Coinbene’s hot wallet address.
Before we begin the report, let’s list out some addresses that are worth remembering for future references (more will be listed throughout the report, but these are the main ones that we will consistently refer back to).
- Coinbene’s Ethereum Hot Wallet Address = 0x9539e0b14021a43cDE41d9d45Dc34969bE9c7cb0
- Coinbene’s Ethereum Cold Wallet Address = 0x33683b94334eebc9bd3ea85ddbda4a86fb461405
- Maximine’s Old Contract Address =
- Maximine’s New Contract Address = 0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439
- Alleged ‘Hacker’ Address = 0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E
For this report, we’re going to start with March 25th, 2019.
In specific, that was the day the massive outgoing transactions from Coinbene’s Ethereum Hot Wallet Address to the Alleged ‘Hacker’ Address began.
Below is a Look at the Alleged ‘Hacker’ Address:
If we go back to the initial incoming transaction for the Alleged ‘Hack’ Address, we can see that it was created on March 25th, 2019 at 7:04 p.m. UTC via a withdrawal directly from Coinbene’s Hot Wallet Address.
Each transaction is for a significant amount of some token that was held by Coinbene, and upon further inspection, it appears that these transactions essentially “cleaned out” Coinbene.
For example, the first incoming transaction to the Alleged ‘Hack’ Wallet Address from Coinbene was a 74.2 million token transfer of the $GETX coin.
If we check Coinbene’s $GETX reserves, we can see that this transaction essentially cleaned out Coinbene’s store of $GETX.
This is the case for most other tokens that were transferred from Coinbene’s Hot Wallet Address to the Alleged ‘Hack’ Wallet Address as well.
Below is a list of tokens that were ‘cleaned out’ from Coinbene’s Hot Wallet Address:
- Guaranteed Ethurance Token Extra
- Fountain 2
- Insureum Token
- Sakura Bloom
- Aston X
- Pundi X Token * (Coinbene recently received a new send to the address worth about $10,000 USD)
- UTN-P: Universa Token
- Mobile Integrated Blockchain
- Endor Protocol Token
- Paxos Standard
- CNN Token
- Mass Vehicle Ledger Token
- XMED Chain Token
- Credo Token
- AiLink Token
- TokenClub Token
- Social Lending Token
- Verime Mobile
- vSporf Coin
- Gemini dollar
- MT Token
- IvyKoin Public Network Tokens
- FarmaTrust Token
- No BS Crypto
- Ink Protocol
- Level-Up Coin
- Moeda Loyalty Points
- ChainLink Token
- QuarkChain Token
- Cortex Coin
- Content and Ad Network
- Sentinel Chain
- Genesis Vision
- Kora Network Token
- Medical Token Currency
- INCX Coin
- Nebula AI Token
All of the above tokens (with the exception of Pundi X Token) currently hold a balance of zero in the Coinbene Hot Wallet Address at the time of writing (April 6th, 2019).
Additionally, a large proportion of all tokens that were sent to Alleged ‘Hack’ Wallet Address have already been liquidated.
Given the fact that Coinbene’s coffers for each individual token listed above were completely drained in their subsequent transfer to the Alleged ‘Hack’ Wallet Address and then subsequently liquidated on a decentralized Ethereum exchange (IDEX), it is reasonable to conclude that this was a hack of some sort.
The reasons why it would be reasonable (and logical) to conclude that this is a hack/theft/inside job are:
- There is no way that the Alleged ‘Hack’ Wallet Address is the sole source of deposits for all of the coins listed above.
- The Alleged ‘Hack’ Wallet Address is not an extension of Coinbene that was used to distribute funds to customers, because all funds were sent to IDEX and subsequently liquidated. IDEX is not a distribution method for exchanges to satisfy customer withdrawal requests.
Additional Assets Not Accounted For in the List Above
For whatever reason, the following three assets were not sent to the Alleged ‘Hack’ Wallet Address:
- CoinBene Coin
Instead, they were redirected to the following addresses:
- 0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba (Wallet #1)
- 0x6585329751de1140d68bd6cad1b46ebec1131f75 (Wallet #2)
- 0xc163a86f2f095150562c1c4cf48c55ad085aeb6b (Wallet #3)
- 0x49800268af45f54ead1176d41272bc409f40d6c9 (Wallet #4)
- 0xc85f8f41c4f12816c72fe35f01ae32fa40f512f7 (Wallet #5)
- 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133 (Wallet #6)
- 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819 (Wallet #7)
- 0x712ae2390e296311d69fcd143a2ad2117a7ca997 (Wallet #8)
- 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc (Wallet #9)
- 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0 (Wallet #10)
- 0x6ec8572dac56c5a400cf2a94eb629b3eae029550 (Wallet #11)
- 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1 (Wallet #12)
Each wallet listed above was created within the last 10–12 days from the date of publication (April 6th, 2019).
Sample Analysis of Wallet #1
The following notes will be of Wallet #1 to give a general idea of the liquidation pattern flowing out from Coinbene during the time of the suspected security breach as well as the interconnectedness of the wallets listed above.
- Wallet #1 received 669 million $MXM tokens from Coinbene directly.
- Wallet #1 also received 364,526,151 (364 million) CoinBene coins as well.
- Wallet #1 also received 16,730 Ethereum as well.
- Ethereum from Wallet #1 was then sent into 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc , which also contains funds from Ethereum Wallet #3 and Ethereum Wallet #6. Altogether, 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc received 18,935 Ethereum, which were then sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC.
The 18.9k Ethereum that were sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC are still in the address at the time of writing and are parked.
Strange Activity With Maximine Token
As noted in the ‘Report Summary’, there were significant issues identified regarding the Maximine token and contract.
What should be noted first, is that the Maxamine Old Contract Address was 86’d (publicly) on March 28th, 2019.
This is not necessarily an issue though. What is an issue, is the transfer of tokens that followed.
What was also noted in the report summary was the fact that Maximine was supposed to distribute the new contract address tokens to holders on a 1:1 basis, per their press release.
However, Coinbene ended up receiving 1.9 billion $MXM tokens from the new contract (somehow).
Analyzing Coinbene’s Holdings of $MXM (MaxiMine)
As stated before, the address to the new contract for Maximine can be found here: https://etherscan.io/token/0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439
Notably, Coinbene’s Cold Wallet Address currently holds 1.9 billion $MXM tokens:
The vast majority of these tokens were sent in one bulk transaction on March 27th, 2019 at 8:12 a.m. UTC:
These funds were sent to Coinbene’s Hot Wallet Address from 0x3feea02bc920e80351f0f1e976fab7b57640466d.
Notably, this address is the contract creator for the new Maximine contract address.
So this begs the question of why and how Coinbene was able to receive 1.9 billion $MXM tokens from Maximine directly despite not having 1.9 billion tokens from the old contract on hand.
Coinbene Did Have 1.2 Billion $MXM Tokens in Possession in Their Cold Wallet
Strangely, Coinbene was able to salvage 1.2 billion $MXM tokens (from the old contract) somehow.
Here is the URL for that transfer: https://etherscan.io/tx/0xacc9d8b0bdb1fa3bd7014bf74ea7f3f38adac11987eb543bd38824edeceb41bc
As shown in the picture above, it appears that this transfer occurred on March 26th, 2019 at 6:44 a.m. UTC.
What is interesting though is that it appears the Coinbene wallet had already been compromised at that point.
The screenshot proves that the Coinbene hot wallet was compromised on March 25th, 2019 around 7–8 p.m. UTC.
The intruder/hacker/entity wasted no time in completely transferring the entire balance of every other ERC20 token that Coinbene had in its possession.
However, this was not done with Maximine. Instead, only 1/3 of the tokens were distributed.
This left Coinbene with 1.2 billion $MXM tokens, which they sent to their cold wallet address on March 26th.
However, this transfer to their cold wallet address did not take place until 7–8 hours after the last extraction from the wallet by the hacker/illicit source.
The above, of course, begs the question of why such a malevolent entity would have left 1.2 billion $MXM tokens to the exchange.
It Appears Maximine Compensated Coinbene for Those Tokens
As stated above, Coinbene was able to successfully transfer 1,203,498,805 $MXM tokens to its cold wallet, but the hacker was successful in extracting 669,874,712.47 $MXM from the exchange before subsequently liquidating the vast majority of them down at IDEX.
Now, let’s go back to the total $MXM that Maximine compensated Coinbene’s Hot Wallet with once they swapped their contract (literally only a few hours after the initial transfer):
Specifically, $MXM sent Coinbene 1,869,874,712.473940796455758495 tokens.
Coincidentally, if you add 1,203,498,805 (tokens successfully transferred to the Coinbene cold wallet address) to 669,874,712.47 (tokens extracted by “hacker”), you’ll get a total of 1,873,373,517.47.
This total is only .2% off from the amount of tokens that $MXM gave Coinbene.
Thus, it looks pretty obvious that $MXM compensated Coinbene for the loss of 669M $MXM tokens, but the question is ‘why’? That additional compensation represents approximately $70M in value.
This also makes it seem as though $MXM launched an entirely new contract for the sake of keeping Coinbene afloat.