There appears to be an ongoing hack involving @hedera Network, with over $3.7M already bridged to Ethereum by the attacker.
The stolen funds are currently being swapped from WBTC for ETH after being bridged from the Hedera network via Layerzero.
Theft addresses:
0x9A4966152F6e10b33Cb7a37975e8619816d6a494
0xaf20D792A19fD42dCf697ceBa6100291D96dD93e
Stay smart.
Following my investigation into a potential rug pull, @CodexField changed its handle to @CodexField_AI .
All of the subdomains have also been taken down after being used to generate over $85M, based on my on-chain tracing.
The timing of these changes immediately after the investigation raises serious questions and further strengthens my concerns that the project may be a scam and potential rug pull.
I hope @cz_binance and @BNBCHAIN look into this and investigate the project's activities.
Stay smart.
🚨COMMUNITY ALERT: @CodexField on BNB Chain could be a scam project and a potential rug pull.
CodexField is a project on BNB Chain that has been heavily supported and promoted by @BNBCHAIN .
Based on my on-chain tracing, the project has generated over $85M.
Yesterday, I noticed unusual on-chain fund movements that, after further tracing, linked back to CodexField.
The wallets began bridging $17.3M USDT from TRON to Ethereum, then swapping the funds for DAI on Polygon via Bitget Swap.
So far, $6.5M has been moved, with $10.8M still remaining.
EVM:
0xBc606358910b3720d136F0d4Ce12b759C270747a
TRON:
TQNTEYadFVVQeobBtctSjurJ5RpfBsTmqh
TAzpg8L1WkkzCxxZk8TYnvaRYahehh52MK
The funds were originally bridged to TRON from Ethereum around six months ago from a wallet linked to the CodexField deposit contract.
0x9E6A75b546B65E7B9D34E2c9aB8Fe224B9aA52AA
The project asks users to join by depositing a minimum of $100.
Interestingly, Blocksec MetaSuites labels the deposit contract as "Fake CodexField." However, after further investigation, I found that the contract appears to be operated by the CodexField team themselves.
CodexField operates two domains:
https://t.co/UPBMtpyWky
https://t.co/8hoj8ZBOkG
More interestingly, there are four separate subdomains serving the same purpose:
https://t.co/IMS1yejaqM
https://t.co/D74CRklKnr
https://t.co/773fdwXeds
https://t.co/wNQxW1VR4M
All four are used for user deposits.
I confirmed that both domains belong to the team, as they have publicly shared them on their official channels.
One community member even posted a YouTube tutorial showing users how to deposit through pool[.[codexfield[.]co, using the same contract that MetaSleuth labels as "Fake CodexField."
I also found a community member previously asking the team whether the .co domain was official because users were reporting that the website was scamming people.
The movement of project funds is also unusual. Rather than straightforward treasury management, the funds are being bridged across multiple chains, routed through intermediary wallets, and sent to centralized exchanges.
The following two TRON wallets alone have deposited more than $3.4M to exchanges:
TJ8ptXUKKpUxCd3oudcPeVR6bhxRW2buxM
TYdVYGnNdvMqQF9iqYKKNBykMYYe5pkQk1
Key addresses:
0x288EE1f81F8e6B9A11C40739f03B9432FD6f9DB8
0xC8CcBAF2e6b23f27Fd5381Fe78662791fd308a9e
0x6F5825F49a41f42B7fb6784B3D7e88Aec224Da12
0x9E6A75b546B65E7B9D34E2c9aB8Fe224B9aA52AA
Based on the on-chain activity, I believe this project warrants further scrutiny. Anyone interacting with CodexField should exercise extreme caution until the team provides a transparent explanation for these fund movements.
The majority of their users appear to be Chinese. I hope @cz_binance and @BNBCHAIN take a look into this and, if necessary, investigate the project's fund movements.
Stay smart.
@wei_crypto8888@ismaritagorguis Sorry I do not support or promote meme coins.
I have just donated $25K (entire amount I sold) to @GiveDirectly via @TheGivingBlock to support charity efforts for the recent Venezuela earthquakes.
0x687556d7011b0750f3daf9e3a9f800d04ba233c84362faf8c3851b40cd0f71ae
Sixteen hours ago, a wallet linked to Mining Express swapped 5,004 ETH for 8.8M DAI.
Mining Express was a collapsed Ponzi scheme launched in 2019 in Ukraine by Brazilian founder Kaze Fuziyama. The scheme recruited investors through an MLM structure before eventually ceasing payouts and pivoting to cloud video rendering.
In early 2022, Ukrainian law enforcement raided Mining Express's data center for several days, seizing cryptocurrency mining equipment as part of their investigation.
On March 19, 2024, this wallet received 4,512 ETH from wallet linked to Mining Express. The funds were later staked through Lido and Etherfi. By April 2026, all of the ETH had been staked, before being fully unstaked on May 4, 2026.
I first flagged this address on June 15, but didn't have the opportunity to investigate it further until now.
Related addresses:
0x9D6c9E135f96e5317f58b7B5Bf49C0d5dB03F3c1
0x06B8C5883Ec71bC3f4B332081519f23834c8706E
bc1qduw5sqvdc8dl4l7r84743xmang0ql2xghm407v
Stay smart.
Arthur Hayes Exit Liquidity – June Report
Arthur Hayes started shilling what he called his "Holy Trinity" coins:
$HYPE $ZEC $NEAR
He predicted $150 for $HYPE and even published a Substack post promoting it.
A few days later, Arthur sold all three "Holy Trinity" coins.
He then shilled $WLD, posting:
"This shitcoin is going to moon."
Three days later, Arthur announced:
"I'm out."
Next came $CARDS.
He predicted a $4 price target, saying:
"The price will be pamping."
Just one day later, a wallet linked deposited 1.9M $CARDS to an exchange.
This isn't new.
In 2024, Arthur heavily promoted $ENA. About an hour later, he deposited $8.4M $ENA to a CEX
Arthur's BitMine, has also been accused of operating an insider trading desk, price manipulation, and insider trading.
He is now actively promoting $SYN, which will probably make it into next month's report. 😂
Arthur Hayes continues to use his followers as exit liquidity under the guise of simply sharing his "market views." With a following of his size, he should be far more careful about what he promotes but that doesn't seem to be the case.
The difference between Arthur Hayes and James Wynn is simply how they package their exit liquidity strategy.
Stay smart.
While it's true that some money launderers use gambling and prediction platforms to move illicit funds, this particular trader may not fit that profile.
The account was created in November 2024 but became active in November
Most of the positions are on outcomes with relatively high probabilities, for example:
A Democrat will win the New Mexico presidential election.
The U.S. will not strike Iran by February 1, 2026.
Bitcoin will reach $130,000 in November 2026.
The average position size is around $100,000, with most of the larger bets initially focused on the "U.S. strikes Iran" market before shifting to World Cup markets.
Despite primarily trading higher-probability outcomes, the trader is currently down about $58,190 in PnL.
All deposits into Polymarket appear to originate from Nexo, a KYC lending platform, and withdrawals also return to Nexo.
A money launderer typically wouldn't operate that way.
Tracing back the trader's 4years old Nexo deposit address further links it to other wallets, showing activity dating back at least 8 years.
The wallet also appears to have been a user of Celsius Network, another lending protocol that went bankrupt in 2022.
I also links the trader to several KYC exchanges, including Binance and Bybit.
While on-chain analysis can never provide complete certainty, it would be unusual for someone laundering funds to maintain this level of long-term, identifiable exposure.
Just as some gamblers chase massive returns, others are willing to accept smaller profits in exchange for lower risk.
Based on the available on-chain evidence, this trader doesn't appear to be who many people think they are.
Stay smart.
The attacker has finally begun laundering the stolen funds after more than three years of inactivity.
In January 2023, the attacker swapped the stolen GMX for 2,819 ETH, worth $3.4M at the time. Due to ETH's price appreciation, those funds are now worth $4.4M.
The assets remained dormant until a few minutes ago, when the attacker deposited the stolen ETH into Tornado Cash in 28 of 100 ETH each.
Stay smart.
@AscendEX_ I recommend your team answers the following questions for the community:
1) Why are AscendEX users reporting delayed or incomplete withdrawals?
2) Why do the AscendEX hot wallets currently not have any liquid assets?
No one should deposit funds to this CEX.
It appears there may be a phishing attack targeting Polymarket users, with estimated losses of $2.94M so far.
The attacker has drained funds from 11+ victim wallets holding PUSD, swapped the stolen assets for ETH, and consolidated the proceeds into the following address:
0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD
Other theft addresses:
0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2
0xC44F2Ca6B30A54d17a62ceF8FAdaF2e8C8632eC4
0x10366AdBB5C4101A65C840Da6639546179C5A107
0x7BCECe0d8fd92ECCf39Bc35242c6D9aAc0aA75A6
Stay Smart
A short story about Indian scammers who called the cops on themselves:
Earlier this week a follower DM'd me from his personal account complaining that 5.73 BTC ($475K) of his was 'unjustly' frozen at Changelly in Mar 2025.
So I went and plotted the Bitcoin transaction in my compliance tools.
The inflows trace back to illicit sources via social engineering thefts targeting Americans through US exchanges and Bitcoin ATMs.
The broader cluster of high confidence thefts has taken $1M+ from victims since 2025, with several of them elderly.
His story kept changing. It was a loan. No, his boss sent it. No, his boss invested in Bitcoin "during 2014 and 2015" through a friend in the US.
The best part? In Dec 2025 he claims to have filed a police report in India over these frozen funds (3207-P/2025).
In our DMs he shared email screenshots which I queried to surface more data points and map his group out.
I suspect AmanKesar11 is a mule for his boss 'Mr Parveen,' as the 'proof' he sent included bank statements under a different name / location.
While you can message me for help and I'll respect your privacy, at least use common sense and don't contact me with stolen funds.
5.73 BTC frozen order: fb931baac66bfc116deb10fa81417fb3da61e4362cd2997ee1eaa577e96272f3
AmanKesar11 BTC address: bc1q5yjxzcvfswvyx9y6cvlc3xe4laqqnqsjp3f9t2
AmanKesar11 Tron address: TQkEVXjtvSbigGa5fqFUpcYJnGvpKPPBEm
While working on an investigation, I came across a company called HUIONE PAY. I immediately recognized it as an entity known for laundering stolen funds, thanks to @SpecterAnalyst and @zachxbt posts who have been covering it for a long time now.
Huione is an OFAC-sanctioned entity known for laundering stolen funds across South East Asia, primarily used by criminal organizations such as pig butchering scam operations
The attacker continues to drain hundreds of ethereum:0xcf5104d094e3864cfcbda43b82e1cefd26a016eb holders, with total losses now $20M + .
$9M has been swapped for ETH, while $9.9M remains in ethereum:0xcf5104d094e3864cfcbda43b82e1cefd26a016eb tokens and has yet to be swapped.
The Humanity token price have dumped 87% due to the sell pressure
Theft addresses below
Stay smart.
We reported a security issue to one of the biggest password managers and exactly how to fix it (they couldn't find the solution). It took them more than 100 days to fix it. They will not include it for a bug bounty. In return they will give us $10 of credit in our account.
This is not a joke. 🤡
According to @zachxbt from his telegram account, Circle froze the Zama cUSDC contract which held 12.6M USDC.
Here is the Zama contract address frozen : 0xe978F22157048E5DB8E5d07971376e86671672B2
The cUSDC contract received $12.4M from this address on May 11: 0xf7Fcc767dE537953b3519D4b3097A24A6dFE1c84, the address appears to be linked to a protocol accused of rug pulling (Overnight Finance).
Like Zach, I feel bad for Zama users who are now impacted by this freeze through no fault of their own.