Cyber Threat Actor: Coinbene Hacker
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | — | 1 incident |
Profile
The threat actor known as CoinEx Hacker and Coinbene Hacker is identified through a single publicly reported security incident targeting the cryptocurrency exchange CoinBene. On March 24, 2019, CoinBene disclosed a breach that resulted in significant financial losses, with industry observers estimating the theft at over $45 million. The exchange subsequently entered maintenance mode to investigate the incident and improve its infrastructure, confirming that unauthorized fund transfers had occurred from its platform. The specific attack vector or method employed during this breach remains unspecified in public reports, leaving the initial access and subsequent actions unclear. This incident represents the only attributed operation linking this alias set to a concrete criminal action. The target was a digital asset trading platform, indicating a focus on the cryptocurrency sector where valuable holdings are concentrated. The immediate outcome was the direct theft of user funds, demonstrating a clear financial objective aimed at immediate monetary gain through the exfiltration of assets.
The breach had substantial operational consequences for the exchange, causing service disruptions and a loss of user trust due to the unauthorized movement of funds. The total financial impact was not officially confirmed by CoinBene itself, though external estimates placed the loss well into the tens of millions of dollars. The investigation involved authorities from multiple jurisdictions, highlighting the inherently cross-border nature of cryptocurrency-related crime where platforms and attackers often operate across national boundaries. This incident underscored persistent security vulnerabilities within digital asset exchanges, platforms that hold large aggregates of cryptocurrency and thus present high-value targets. No specific malware families, tools, or tactical patterns are described in relation to this actor, and no state affiliation or criminal consortium has been publicly attributed. The single documented operation suggests a focus on opportunistic theft from exchanges rather than a broader campaign with varied tactics or targets. The lasting significance lies in the demonstration of the financial rewards and relative accessibility of attacking centralized cryptocurrency custodians.
