Coinbase Commerce Hack Wallet Springs Back to Life After Two-Year Hiatus

A wallet linked to a major Coinbase Commerce hack has suddenly reactivated—nearly two years after it went silent. The dormant address just moved funds, sparking fresh speculation in crypto circles.
What the Wallet Woke Up To Do
The transaction cut through the blockchain's memory like a knife. It didn't just sit there—it moved value. This isn't a ghost story; it's a ledger update with real consequences.
Why This Timing Raises Eyebrows
Two years is a long time in crypto—long enough for markets to cycle, for protocols to fork, and for most people to forget. Reactivating now bypasses the peak of regulatory scrutiny and public attention. It's a move that smells of calculated patience, not panic.
The Ripple Effect for Commerce Platforms
Every transaction from a hacked wallet sends a tremor through merchant payment systems. It forces a re-check of security assumptions and a hard look at cold storage policies. For platforms built on trust, a ghost from the past can haunt today's balance sheets.
Finance's Ironic Twist
In traditional finance, a stolen vault staying quiet for two years would trigger asset write-offs and insurance payouts. In crypto, the ledger never forgets—and the 'stolen' assets can reappear to trade another day, making a mockery of conventional accounting. Somewhere, a forensic accountant is crying into their spreadsheet.
The reactivation proves a hard truth: on the blockchain, no hack is ever truly over until the wallets are empty—or the keys are lost for good.
Coinbase Commerce exploit
The incident traces back to April 2024. On-chain investigator ZachXBT reported suspicious outflows from a Coinbase Commerce contract at the time. On April 21, 2024, the contract recorded more than 1,700 USDC outflows over a 16-hour window on Polygon. The total value reached $15.97 million.
The pattern suggested a merchant using Coinbase Commerce had been exploited. The funds were drained in repeated transfers. The stolen USDC was later bridged from Polygon to Ethereum. It was swapped for Ether and was split across three wallets.
The attacker has resumed activity after nearly two years of dormancy and is now depositing stolen funds into Tornado Cash.
A total of $5.4M has been deposited so far.
Prior to this, the theft address transferred $5.8M DAI to a fresh wallet, which was subsequently swapped for… https://t.co/6hZWByeuRQ
— Specter (@SpecterAnalyst) January 26, 2026
Shortly after the theft, a threat actor using the alias “Excite” began discussing the funds in private chats. ZachXBT linked those claims to addresses tied to the outflows. He mentioned that back in May 2024, a Telegram user using the handle “tezedasads12” sent a 1 DAI transaction. The transfer was used to prove control over a wallet holding about $6 million from the theft.
The same actor claimed ownership of the Instagram username “Excite.” He also attempted to purchase a matching Telegram username but failed. The Instagram account was initially private, but it later went public. The account showed luxury watches and other high-value items.
ZachXBT stated that open source intelligence suggested the individual may have been based in Denmark. That detail was not independently confirmed. After the initial laundering phase, most of the funds stopped moving. Wallets linked to the exploit went dormant. Meanwhile, a smaller portion of funds was later routed through decentralized exchanges and staking platforms. Those transactions were used to move assets into new wallets.
One deposit address showed high exposure to known drainer infrastructure. Investigators flagged that as a risk signal. The January 2026 Tornado Cash deposits mark the first major activity tied to the exploit in nearly two years.
Coinbase hack 2025
The case adds to a series of security incidents tied to Coinbase. In May 2025, Coinbase disclosed a separate cyber attack. The company said the incident could cost up to $400 million. In that case, attackers obtained limited customer data by paying contractors and employees. The data was used to impersonate Coinbase and trick users.
Coinbase said fewer than 1 percent of customers were affected. The attackers demanded $20 million and Coinbase refused to pay. Private keys were not compromised. However, the company said it would reimburse affected users.