A Kraken and Coinbase user has lost approximately $6.7 million in cryptocurrency after attackers executed large unauthorized withdrawals from both exchange accounts. From the Kraken account, the attackers withdrew 1,554 ETH (valued at approximately $3.3 million) and 10.5 BTC (worth around $812,000 at the time). At the same time, they drained 34.1 cbBTC (approximately $2.6 million) from the victim’s Coinbase account.
According to on-chain investigator Specter, the incident is notable for the speed and coordination shown by the attackers. They managed to access and withdraw significant funds from two different major exchanges in a very short time frame. This indicates they had complete control over the victim’s login credentials, active sessions, and 2FA approval mechanisms. A large portion of the stolen funds, estimated at around $5.3 million, was rapidly sent through Tornado Cash, a privacy mixer, in order to obscure the transaction trail and hinder recovery.
A Kraken and Coinbase user lost $6.7M, likely as a result of a physical attack.
A total of 1,554 $ETH (~$3.3M) and 10.5 $BTC were withdrawn from the victim’s Kraken account, while 34.1 $cbBTC (~$2.6M) was withdrawn from Coinbase.
The attackers have already laundered… pic.twitter.com/Y9CvvWY0EQ
— Specter (@SpecterAnalyst) May 20, 2026
The primary theft addresses associated with this incident are:
- Ethereum: 0xd3191Cba17504BDf7172ba9859aC854e3A79982A
- Bitcoin: bc1qxn9d9cecex7hkqw5mugw8makgrqq6crf26nqv3
This substantial loss once again highlights how vulnerable even experienced cryptocurrency users can be when holding large balances on centralized exchanges.
How the Attack Likely Occurred: Initial Suspected Cause
Physical attacks in the cryptocurrency space, often referred to as wrench attacks, involve real-world coercion rather than purely digital hacking. In this incident, the attackers appear to have obtained direct login access to both exchange accounts. They executed large withdrawals in a short time window across two different platforms. This strongly suggests that the victim was forced under duress to provide passwords, 2FA codes, or hand over devices and approve the transactions. Such attacks commonly involve home invasions, threats to family members, or holding the victim at gunpoint until the transfers are completed.
Investigator’s Update

However, Specter later clarified that further analysis indicated it was not a classic physical attack. The pattern of the theft pointed more towards sophisticated credential theft, malware infection, or session hijacking that mimicked the speed and access level of a physical coercion incident. Despite the clarification, the rapid cross-exchange withdrawals still highlight a highly targeted operation against this user.
Fund Laundering
The attackers wasted no time in laundering the stolen funds. Within hours of the withdrawals, approximately $5.3 million worth of the cryptocurrency was funneled through Tornado Cash, a well-known Ethereum-based privacy mixer. Tornado Cash works by pooling funds from multiple users and redistributing them in a way that breaks the direct link between the source and destination addresses, making it extremely difficult to trace the money back to the victim.
This rapid move to a privacy protocol is a common tactic used by crypto thieves to evade on-chain tracking by investigators and law enforcement. By using such mixers, the attackers have significantly reduced the chances of the funds being recovered or frozen. As a result, tracing the stolen assets has become highly challenging, and the victim’s prospects of recovering any meaningful portion of the $6.7 million appear very low at this stage.
Security Lessons
This incident serves as a serious reminder of the growing risks faced by cryptocurrency users, even on well-regulated platforms like Kraken and Coinbase. It shows that if attackers can reach the human element, whether through physical force or advanced social engineering, significant losses can occur rapidly.
Crypto users are advised to move large holdings into self-custody using hardware wallets instead of keeping substantial amounts on exchanges. Enabling hardware-based 2FA such as YubiKey, setting up withdrawal whitelisting and time delays, and maintaining strong device security are essential protective steps. High-value users should also consider multi-signature setups and other advanced security measures.
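The withdrawal whitelisting and time delays recommended above can be sketched as a policy check that runs after login and 2FA have already succeeded, which is why it still holds when an attacker controls credentials and sessions. This is an added example, not either exchange's implementation; the class names, thresholds, address labels, and timeline are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=48)   # assumed delay before a new address becomes usable
LARGE_USD = 50_000                  # assumed threshold for an extra hold on big withdrawals
LARGE_HOLD = timedelta(hours=24)    # assumed review window for large withdrawals

@dataclass
class Withdrawal:
    asset: str
    usd_value: float
    dest: str
    requested_at: datetime

class WithdrawalPolicy:
    """Decides on a withdrawal AFTER login and 2FA have already succeeded."""
    def __init__(self):
        self.allowlist = {}  # destination address -> time it was added

    def add_address(self, dest, when):
        self.allowlist[dest] = when

    def evaluate(self, w):
        """Return (decision, earliest_release_time_or_None)."""
        added = self.allowlist.get(w.dest)
        if added is None:
            return "REJECT_NOT_ALLOWLISTED", None
        release = added + COOLING_OFF            # new addresses must age first
        if w.usd_value >= LARGE_USD:             # large amounts wait for review too
            release = max(release, w.requested_at + LARGE_HOLD)
        if w.requested_at < release:
            return "HOLD", release
        return "ALLOW", None

def replay_constructed_scenario():
    """Constructed timeline: a session-level attacker adds an address, then withdraws."""
    t0 = datetime(2026, 1, 1, 3, 0)              # constructed timestamp
    policy = WithdrawalPolicy()
    policy.add_address("OWNER_COLD_WALLET", t0 - timedelta(days=90))
    policy.add_address("ATTACKER_ADDR", t0)      # added moments before withdrawing
    events = [                                   # constructed sample withdrawals
        Withdrawal("ETH", 3_300_000, "ATTACKER_ADDR", t0 + timedelta(minutes=5)),
        Withdrawal("BTC", 812_000, "UNKNOWN_ADDR", t0 + timedelta(minutes=6)),
        Withdrawal("ETH", 1_000, "OWNER_COLD_WALLET", t0 + timedelta(minutes=7)),
    ]
    return [policy.evaluate(w) for w in events]

if __name__ == "__main__":
    print(replay_constructed_scenario())
```

In the replay, the freshly added address is held for the full cooling-off period and the unlisted address is rejected outright, while a small withdrawal to the long-standing owner address goes through.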







