Coinbene Colluded with Maximine ($MXM) to Abscond With $200 Million in User Funds


It is no secret that the majority of the cryptospace has been speculating about Coinbene’s solvency in recent days.

Most of the speculation was prompted by a CoinTelegraph article reporting research by the crypto firm Elementus, which revealed that $100M+ worth of crypto belonging to Coinbene had been moved.

This report was released almost simultaneously with news that other exchanges in the crypto space had been compromised as well. Most notably, Bithumb was compromised around the same time that this report was released.


What This Report Reveals

After looking through the suspected target wallet where the hacked funds were sent as well as Coinbene’s main wallet and cold wallet (the latter has received nearly all of Coinbene’s hot wallet funds over the past few days), we noticed something very strange.

Our research showed us that $100M+ had indeed moved from Coinbene’s wallet into an unidentified address that did not exist prior to March 25th. However, during our research, we noticed that Coinbene’s cold wallet address still contained $200M in crypto. This seemed a bit strange, since the balances of Coinbene’s hot wallet (and cold wallet) were nowhere near this amount following the extraction of Ethereum and tens of millions of dollars’ worth of ERC-20 tokens from their wallet.

Thus, we set about looking a bit deeper into the transactions, and we noticed something strange.

We saw that the majority of Coinbene’s funds had come from a recent transaction of Maximine worth nearly $200M.

Upon further inspection, we saw that Maximine’s decision to create a new contract address for their token coincided with the depletion of Coinbene’s Ethereum/ERC20 token funds. In fact, Maximine’s announced decision came within 72 hours of Coinbene’s wallets being drained.

Notably, the $MXM token represented the bulk of lost value for Coinbene in the supposed hack that occurred on March 25th. Based on Maximine’s announcement, the transition to a new contract address was because:

“MaxiMine has officially launched the development of its public chain. This development will entail an upgrade in token address of all existing tokens.”

They also reassured users that:

“Currently, new tokens have already been issued to all existing token holders in a 1:1 ratio.”

Given the above statements, there is no perceivable reason why Coinbene would have received any $MXM token, because their coffers were drained in the alleged hack.

$MXM sent Coinbene (directly) 1.9 billion tokens, which had a value of approximately $200 million USD at the time of transfer.

What is even more confounding is that this amount greatly exceeds what the circulating supply for $MXM is supposed to be currently. In fact, on CMC — $MXM’s circulating supply is still listed at 1.6 billion tokens as of April 5th, 2018:

Also, the flow of transactions reflects that $MXM was liquidated in a different manner than almost all other tokens that were extracted from Coinbene’s hot wallet address.

Official Report

Before we begin the report, let’s list some addresses that are worth remembering for future reference (more will be listed throughout the report, but these are the main ones that we will consistently refer back to).

  1. Coinbene’s Ethereum Hot Wallet Address = 0x9539e0b14021a43cDE41d9d45Dc34969bE9c7cb0
  2. Coinbene’s Ethereum Cold Wallet Address = 0x33683b94334eebc9bd3ea85ddbda4a86fb461405
  3. Maximine’s Old Contract Address =
  4. Maximine’s New Contract Address = 0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439
  5. Alleged ‘Hacker’ Address = 0xB3DF999C5DC026DEA265AEB02B8519844C9B6D5E

For this report, we’re going to start with March 25th, 2019.

Specifically, that was the day the massive outgoing transactions from Coinbene’s Ethereum Hot Wallet Address to the Alleged ‘Hacker’ Address began.

Below is a Look at the Alleged ‘Hacker’ Address:


If we go back to the initial incoming transaction for the Alleged ‘Hack’ Address, we can see that it was created on March 25th, 2019 at 7:04 p.m. UTC via a withdrawal directly from Coinbene’s Hot Wallet Address.

Each transaction is for a significant amount of some token that was held by Coinbene, and upon further inspection, it appears that these transactions essentially “cleaned out” Coinbene.

For example, the first incoming transaction to the Alleged ‘Hack’ Wallet Address from Coinbene was a 74.2 million token transfer of the $GETX coin.

If we check Coinbene’s $GETX reserves, we can see that this transaction essentially cleaned out Coinbene’s store of $GETX.


This is the case for most other tokens that were transferred from Coinbene’s Hot Wallet Address to the Alleged ‘Hack’ Wallet Address as well.

Below is a list of tokens that were ‘cleaned out’ from Coinbene’s Hot Wallet Address:

  1. Guaranteed Ethurance Token Extra
  2. EBCoin
  3. Fountain 2
  4. HuobiPoolToken
  5. TMTG
  6. Insureum Token
  7. BaaSid
  8. VOLT
  9. Sakura Bloom
  10. Aston X
  11. CosmoCoin
  12. PRASM
  13. uDOO
  14. Pundi X Token * (Coinbene recently received a new send to the address worth about $10,000 USD)
  15. PumaPay
  16. BTNT
  17. OVC
  18. SRCOIN
  19. GoToken
  20. FuzeX
  21. UTN-P: Universa Token
  22. Tokenomy
  23. FNKOSToken
  24. Mobile Integrated Blockchain
  25. Endor Protocol Token
  26. Paxos Standard
  27. CNN Token
  28. Mass Vehicle Ledger Token
  29. EnergiToken
  30. KST
  31. eQUAD
  32. Bethereum
  33. ABYSS
  34. XMED Chain Token
  35. Credo Token
  36. Omix
  37. AiLink Token
  38. VeriSafe
  39. LatiumX
  41. CEDEX
  42. AID
  44. ELF
  45. TokenClub Token
  46. IOSToken
  47. RECORD
  48. Social Lending Token
  49. Aeternity
  50. Cryptaur
  51. Verime Mobile
  52. Polymath
  53. ArcBlock
  54. Simmitri
  55. vSporf Coin
  56. Gemini dollar
  57. PATRON
  58. shinechain
  59. MT Token
  61. FundRequest
  62. IvyKoin Public Network Tokens
  63. Reputation
  64. Bez
  65. HalalChain
  66. BAT
  67. OmiseGO
  68. FarmaTrust Token
  69. No BS Crypto
  70. DENT
  71. Ink Protocol
  72. Level-Up Coin
  73. Moeda Loyalty Points
  74. Bezop
  75. MedToken
  76. Bancor
  77. ChainLink Token
  78. QuarkChain Token
  79. Cortex Coin
  80. ZRX
  81. Civic
  82. Content and Ad Network
  83. Storiqa
  84. Sentinel Chain
  85. AIT
  86. Loom
  87. BANKEX
  88. DGD
  89. Genesis Vision
  90. Kora Network Token
  91. Aditus
  92. SeeleToken
  93. COZ
  94. Zippie
  95. BitStation
  96. Salt
  97. SwftCoin
  98. SHVR
  99. ClearPoll
  100. TRUE
  101. Medical Token Currency
  102. Herocoin
  103. AIDOC
  104. Populous
  105. INCX Coin
  106. Nebula AI Token
  107. VisionX
  108. Data

All of the above tokens (with the exception of Pundi X Token) currently hold a balance of zero in the Coinbene Hot Wallet Address at the time of writing (April 6th, 2019).

Additionally, a large proportion of all tokens that were sent to the Alleged ‘Hack’ Wallet Address have already been liquidated.

Given the fact that Coinbene’s coffers for each individual token listed above were completely drained in their subsequent transfer to the Alleged ‘Hack’ Wallet Address and then subsequently liquidated on a decentralized Ethereum exchange (IDEX), it is reasonable to conclude that this was a hack of some sort.

The reasons why it would be reasonable (and logical) to conclude that this is a hack/theft/inside job are:

  1. There is no way that the Alleged ‘Hack’ Wallet Address is the sole source of deposits for all of the coins listed above.
  2. The Alleged ‘Hack’ Wallet Address is not an extension of Coinbene that was used to distribute funds to customers, because all funds were sent to IDEX and subsequently liquidated. IDEX is not a distribution method for exchanges to satisfy customer withdrawal requests.

Additional Assets Not Accounted For in the List Above

For whatever reason, the following three assets were not sent to the Alleged ‘Hack’ Wallet Address:

  1. Ethereum
  2. Maximine
  3. CoinBene Coin

Instead, they were redirected to the following addresses:

  1. 0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba (Wallet #1)
  2. 0x6585329751de1140d68bd6cad1b46ebec1131f75 (Wallet #2)
  3. 0xc163a86f2f095150562c1c4cf48c55ad085aeb6b (Wallet #3)
  4. 0x49800268af45f54ead1176d41272bc409f40d6c9 (Wallet #4)
  5. 0xc85f8f41c4f12816c72fe35f01ae32fa40f512f7 (Wallet #5)
  6. 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133 (Wallet #6)
  7. 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819 (Wallet #7)
  8. 0x712ae2390e296311d69fcd143a2ad2117a7ca997 (Wallet #8)
  9. 0xfc35ab44d544a2d7c406d4648f38e042f7d70cdc (Wallet #9)
  10. 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0 (Wallet #10)
  11. 0x6ec8572dac56c5a400cf2a94eb629b3eae029550 (Wallet #11)
  12. 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1 (Wallet #12)

Each wallet listed above was created within the last 10–12 days from the date of publication (April 6th, 2019).

Sample Analysis of Wallet #1

The following notes cover Wallet #1, to give a general idea of the liquidation pattern flowing out from Coinbene during the time of the suspected security breach, as well as the interconnectedness of the wallets listed above.

Wallet #1

  • Wallet #1 received 669 million $MXM tokens from Coinbene directly.
  • Wallet #1 also received 364,526,151 (364 million) CoinBene coins.
  • Wallet #1 also received 16,730 Ethereum.

The 18.9k Ethereum that were sent to 0xA2Bf029e9d903CeF68FD5943AB0cB9cf5570C4AC are still in the address at the time of writing and are parked.

Strange Activity With Maximine Token

As noted in the ‘Report Summary’, there were significant issues identified regarding the Maximine token and contract.

What should be noted first is that the Maximine Old Contract Address was 86’d (publicly) on March 28th, 2019.

Official Announcement: Update of Token Address
Dear MXM holders,

However, the new contract was actually created on March 27th, 2019 at 12:40 a.m. UTC.

This is not necessarily an issue, though. What is an issue is the transfer of tokens that followed.

What was also noted in the report summary was the fact that Maximine was supposed to distribute the new contract address tokens to holders on a 1:1 basis, per their press release.

However, Coinbene ended up receiving 1.9 billion $MXM tokens from the new contract (somehow).

Analyzing Coinbene’s Holdings of $MXM (MaxiMine)

As stated before, the address to the new contract for Maximine can be found here:

Notably, Coinbene’s Cold Wallet Address currently holds 1.9 billion $MXM tokens:

The vast majority of these tokens were sent in one bulk transaction on March 27th, 2019 at 8:12 a.m. UTC:

These funds were sent to Coinbene’s Hot Wallet Address from 0x3feea02bc920e80351f0f1e976fab7b57640466d.

Notably, this address is the contract creator for the new Maximine contract address.

So this begs the question of why and how Coinbene was able to receive 1.9 billion $MXM tokens from Maximine directly despite not having 1.9 billion tokens from the old contract on hand.

Coinbene Did Have 1.2 Billion $MXM Tokens in Possession in Their Cold Wallet

Strangely, Coinbene was able to salvage 1.2 billion $MXM tokens (from the old contract) somehow.

See below:


Here is the URL for that transfer:

As shown in the picture above, it appears that this transfer occurred on March 26th, 2019 at 6:44 a.m. UTC.

What is interesting though is that it appears the Coinbene wallet had already been compromised at that point.

The screenshot proves that the Coinbene hot wallet was compromised on March 25th, 2019 around 7–8 p.m. UTC.

The intruder/hacker/entity wasted no time in completely transferring the entire balance of every other ERC20 token that Coinbene had in its possession.

However, this was not done with Maximine. Instead, only 1/3 of the tokens were distributed.

This left Coinbene with 1.2 billion $MXM tokens, which they sent to their cold wallet address on March 26th.

However, this transfer to their cold wallet address did not take place until 7–8 hours after the last extraction from the wallet by the hacker/illicit source.

The above, of course, begs the question of why such a malevolent entity would have left 1.2 billion $MXM tokens to the exchange.

It Appears Maximine Compensated Coinbene for Those Tokens

As stated above, Coinbene was able to successfully transfer 1,203,498,805 $MXM tokens to its cold wallet, but the hacker was successful in extracting 669,874,712.47 $MXM from the exchange before subsequently liquidating the vast majority of them down at IDEX.

Now, let’s go back to the total $MXM that Maximine compensated Coinbene’s Hot Wallet with once they swapped their contract (literally only a few hours after the initial transfer):

Specifically, $MXM sent Coinbene 1,869,874,712.473940796455758495 tokens.

Coincidentally, if you add 1,203,498,805 (tokens successfully transferred to the Coinbene cold wallet address) to 669,874,712.47 (tokens extracted by “hacker”), you’ll get a total of 1,873,373,517.47.

This total is only 0.2% off from the amount of tokens that $MXM gave Coinbene.

Thus, it looks pretty obvious that $MXM compensated Coinbene for the loss of 669M $MXM tokens, but the question is ‘why’? That additional compensation represents approximately $70M in value.

This also makes it seem as though $MXM launched an entirely new contract for the sake of keeping Coinbene afloat.
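The two checks this report relies on, the per-token sweep comparison and the $MXM reconciliation, can be reproduced as follows. This Python is an added example, not part of the original report: the transfer list is constructed from the report's figures, the pre-incident balances are assumed to equal the sum of each token's outflows, and the function names are hypothetical.

```python
from collections import defaultdict
from decimal import Decimal

# Addresses as given in the report; lower-cased because hex case is not significant.
HOT = "0x9539e0b14021a43cde41d9d45dc34969be9c7cb0"
COLD = "0x33683b94334eebc9bd3ea85ddbda4a86fb461405"
SUSPECT = "0xb3df999c5dc026dea265aeb02b8519844c9b6d5e"
WALLET_1 = "0xa1bf1ed1e8de34477fb3dce27c2ea2ea4163acba"

# Constructed sample: (token, sender, recipient, amount), using the report's figures.
TRANSFERS = [
    ("GETX", HOT, SUSPECT, "74200000"),
    ("MXM", HOT, WALLET_1, "669874712.47"),
    ("MXM", HOT, COLD, "1203498805"),
]
# Assumed pre-incident balances: the sum of each token's outflows above.
BALANCES = {"GETX": Decimal("74200000"), "MXM": Decimal("1873373517.47")}


def sweep_report(balances, transfers, wallet, own_addresses):
    """Per token: share of the starting balance sent from `wallet` to addresses outside `own_addresses`."""
    external = defaultdict(Decimal)
    for token, sender, recipient, amount in transfers:
        if sender.lower() == wallet and recipient.lower() not in own_addresses:
            external[token] += Decimal(amount)
    return {t: external[t] / bal for t, bal in balances.items() if bal > 0}


def partial_sweeps(report, threshold=Decimal("0.99")):
    """Tokens whose external outflow falls below the full-sweep threshold."""
    return sorted(t for t, share in report.items() if share < threshold)


def relative_gap_pct(claimed_total, received):
    """Absolute difference between two amounts as a percentage of `received`."""
    return abs(claimed_total - received) / received * 100


REPORT = sweep_report(BALANCES, TRANSFERS, HOT, {HOT, COLD})
MXM_RECEIVED = Decimal("1869874712.473940796455758495")  # new-contract transfer quoted in the report
MXM_GAP = relative_gap_pct(Decimal("1203498805") + Decimal("669874712.47"), MXM_RECEIVED)

if __name__ == "__main__":
    for token, share in REPORT.items():
        print(f"{token}: {share:.1%} of balance sent to external addresses")
    print("partially swept:", partial_sweeps(REPORT))
    print(f"MXM reconciliation gap: {MXM_GAP:.2f}%")
```

Decimal is used instead of float because ERC-20 amounts carry up to 18 decimal places, and float rounding would distort the reconciliation.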