5. Flow C: BTC and Mixers (~$1.1 Million + 375 ETH)
6. Level of Professionalism
7. Conclusion: A Wrench Attack with Axes and Crypto
Summary
Imagine: you’re Alex Amsel. A developer with 15+ years in game development, one of the crypto industry’s pioneers. You’ve been in blockchain since 2012, back when almost no one had heard of Bitcoin.
In 2021, you sold one of the most expensive digital works in history — CryptoPunk #7523 ("Covid Alien") for $11.75 million at a Sotheby’s auction. It was one of the biggest NFT sales of its time.
Since then, you co-founded the Soulcast platform, became a partner at Outlier Ventures, advised major AI, DeFi, and NFT projects, and even joined BAFTA. You’re basically a celebrity.
Years passed. You built up $23.6 million — earmarked for projects, charity, open source. You kept it all in crypto because you believed in the technology.
One mistake: you never hid your blockchain address. It’s out there in public sources. Anyone can see those $23.6 million sitting right there. And you’re a fairly well-known figure. Finding out where a celebrity lives isn’t that hard.
On March 4, 2026, several people armed with axes showed up at your door. Beatings, threats of kidnapping and rape. The choice: your money or your life. Not much of a choice at all.
Within hours, the robbers funneled the funds through a series of intermediary addresses and schemes — but you survived.
This is a cautionary tale about how sometimes blockchain security gets defeated by guys in masks carrying axes.
This investigation is based on materials from BitOK, a crypto-analytics platform that traced the on-chain movement of the stolen funds.
How the Money Was Hidden
The stolen asset was aEthUSDC. Here’s what that means:
aEthUSDC is a token Alex received when he deposited USDC into the Aave lending protocol. Instead of holding regular USDC, he put it into Aave and got aEthUSDC in return — essentially a deposit receipt.
When you hold aEthUSDC, its value steadily grows as the protocol accrues interest on your USDC deposit. The longer the token sits in the system, the more it’s worth.
Total stolen: 23,596,293 units of aEthUSDC — roughly $23.6 million.
[Figure: partial diagram of the stolen funds flow]
Right after the robbers received the money, it was split into three simultaneous streams.
Flow A: DAI ($19.987 Million)
The bulk was swapped into DAI and parked across two addresses:
● Address 1: $10.010 million in DAI
● Address 2: $9.977 million in DAI
Why DAI?
USDC and USDT are stablecoins — cryptocurrencies pegged to the US dollar, issued by Circle and Tether respectively. If law enforcement tells them to freeze certain addresses, these companies are subject to government authority and can comply.
DAI is also a dollar-pegged stablecoin. But it works in a fundamentally different way.
Unlike USDC and USDT, where the issuing company can freeze addresses on a government order, DAI is minted in a decentralized manner through the Maker protocol. You lock up cryptocurrency (such as Ethereum) as collateral, and a smart contract automatically issues DAI. There’s no company you can order to comply. No central bank to enforce it. The protocol runs on the rules baked into its code — automatically, with no intermediaries. Even if a court orders an address frozen, there’s simply no one to execute that order.
The criminals understood this. By choosing DAI over centralized stablecoins, they picked an asset that cannot be frozen.
Investigator’s note: The rapid conversion of aEthUSDC to DAI was neither a mistake nor a coincidence. The criminals understood the difference between a nominally centralized USDC and decentralized DAI. This was a deliberate choice by people well-versed in DeFi infrastructure.
Flow B: XMR ($2.48 Million)
Another portion of the funds traveled a complex route through multiple systems. First, via the cross-chain bridge aggregator LI.FI, the funds moved from Ethereum to Arbitrum. From there, they passed through Hyperliquid — a decentralized exchange. Then through Wagyu — a trading platform — where they were converted into XMR1 (wrapped Monero). Finally, they were withdrawn as real Monero.
Let’s unpack that.
Arbitrum is a Layer 2 (L2) solution built on top of Ethereum. A cross-chain bridge is a tool that moves assets from one blockchain to another. When money hops between different blockchains, the analytical trail gets murkier. An analyst can see the exit from Ethereum and the entry into Arbitrum, but the link between them blurs. The first layer of obfuscation starts right here.
Investigator’s note: LI.FI + Arbitrum wasn’t a random pick. The cross-chain route deliberately complicates continuous analysis. When funds pass through multiple blockchains, analytical systems lose the big picture. Each bridge adds a break point in the trace. This is a deliberate trail-blurring technique used by professionals.
[Figure: partial diagram of the stolen funds flow]
Hyperliquid is a decentralized exchange. Unlike centralized platforms like Binance or Coinbase, it requires no identity verification (KYC). You connect a wallet and start trading. For criminals, this is critical: no checkpoint, no control.
Investigator’s note: Choosing Hyperliquid over a centralized exchange is yet another sign of professionalism. The criminals deliberately avoided any point where identity verification could occur. A DEX with no KYC is a key element of this scheme — it’s the last stop before the exit into Monero, where verification becomes physically impossible.
XMR1 and Monero — this is where the cryptography kicks in. Monero was designed specifically for privacy.
With something like USDC or DAI, every transaction is visible on the blockchain. An analyst can see the sender’s address, the recipient’s address, the exact amount, date, and time. The entire chain is traceable. Monero is a different story. Transactions exist on the ledger, but every detail is encrypted. Addresses are obscured, amounts are hidden, sender and recipient are unknown. Even if you can see that a transaction took place, you have no idea who sent what to whom, or how much.
XMR1 is wrapped Monero — an Ethereum-compatible version used for trading. The criminals converted their funds into XMR1 on Hyperliquid, then withdrew it as native Monero.
Under the hood, the system relies on two mechanisms:
● Ring signatures — the sender's signature is blended with those of other network participants, making it impossible to pinpoint who actually initiated the transaction.
● Stealth addresses — addresses are generated so that even by inspecting the blockchain, you cannot identify the recipient.
Total transferred: 6,174.4 XMR.
Investigator’s note: The criminals didn’t pick Monero just for its privacy features. They knew that anonymity is baked into the protocol itself — it’s not a workaround, it’s the foundation. Ring signatures conceal who sent the money by mixing the sender’s signature with others. Stealth addresses conceal who received it. Beyond that point, tracing the movement of funds becomes impossible — not just difficult, but theoretically impossible. This isn’t a security flaw waiting to be patched. This is Monero’s fundamental architecture. The criminals chose it because it offers absolute anonymity that no one can break.
Past this point, tracking the money on any public blockchain is no longer possible. Even if you spot a transaction on the Monero network, you have no way of knowing the sender, the recipient, or the amount.
Flow C: BTC and Mixers (~$1.1 Million + 375 ETH)
Some of the money was moved into Bitcoin via cross-chain bridges. Unlike Monero, BTC isn’t fully private — transactions are visible on the blockchain. About $1.1 million went this route.
The criminals also used Tornado Cash — a mixer that pools funds together. You deposit money, it gets blended with other people’s deposits, and on the other side, there’s no way to tell where it originally came from.
Tornado Cash relies on zero-knowledge proofs — a mathematical technique that lets you prove your right to withdraw funds without revealing any link to the original deposit. This makes it far more robust than a conventional mixer.
375 ETH went through this flow — roughly $0.75 million.
Tornado Cash deserves a separate mention. In 2022, the US sanctioned the service. But it kept running, because it’s just code on a blockchain that no one can shut down. In 2025, incidentally, the sanctions were lifted. Still, Tornado Cash remains an example of how the crypto ecosystem gives criminals tools that are nearly impossible to control through traditional means.
Level of Professionalism
This wasn't a robbery pulled off by people who simply know how to steal cryptocurrency. This was an operation carried out by people who understand the DeFi ecosystem more deeply than most fintech engineers. And, judging by the evidence, they're pretty handy with axes too.
The perpetrators knew:
● the difference between centralized and decentralized assets;
● how monitoring systems work and what thresholds they track;
● how cross-chain protocols blur the trail between blockchains;
● that Hyperliquid requires no identity verification;
● that Monero makes further tracing cryptographically impossible;
● how mixers like Tornado Cash work.
Investigator's note: Every choice in this scheme neutralizes a specific vulnerability in the monitoring system. DAI instead of USDC — protection from asset freezing. Multiple addresses instead of one — protection from alerts. Cross-chain transfers — protection from analysis. Hyperliquid instead of a CEX — protection from identity verification. Monero instead of Bitcoin — protection from public tracing. These are not mistakes or luck. This is professional work by people who understand how the entire monitoring system is built and how each DeFi tool can be used to circumvent it.
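From the analyst's side, the three flows can be accounted for as a transfer graph that records where each trail stays observable and where it ends. The sketch below is an added example, not BitOK's tooling or code from the investigation; node names are placeholders, the single "collector" hop and the simplified hop sequence are assumptions, and the amounts are the article's rounded figures (they do not sum exactly to the stolen total).

```python
# Constructed sample ledger: (source, destination, USD thousands).
# Node names are placeholders; the "collector" hop is an assumption.
TRANSFERS = [
    ("victim", "collector", 23_596),
    ("collector", "dai_addr_1", 10_010),
    ("collector", "dai_addr_2", 9_977),
    ("collector", "lifi_bridge", 2_480),
    ("lifi_bridge", "hyperliquid", 2_480),
    ("hyperliquid", "wagyu", 2_480),
    ("wagyu", "monero", 2_480),
    ("collector", "btc_bridge", 1_100),
    ("btc_bridge", "btc_addr", 1_100),
    ("collector", "tornado_cash", 750),
]
# Node kinds that matter to an analyst; anything unlisted is an ordinary address.
KIND = {"lifi_bridge": "bridge", "btc_bridge": "bridge",
        "hyperliquid": "no_kyc_dex", "tornado_cash": "mixer",
        "monero": "privacy_chain"}
TRACE_ENDS = {"mixer", "privacy_chain"}  # the link to onward funds is lost here

def trace(start, transfers=TRANSFERS):
    """Follow outflows from `start`; return one record per terminal node."""
    out_edges = {}
    for src, dst, amount in transfers:
        out_edges.setdefault(src, []).append((dst, amount))
    results, stack = [], [(start, 0, [])]
    while stack:
        node, amount, breaks = stack.pop()
        kind = KIND.get(node, "address")
        if kind != "address":
            breaks = breaks + [kind]  # record each break point on this path
        if kind in TRACE_ENDS or node not in out_edges:
            status = "lost" if kind in TRACE_ENDS else "visible"
            results.append({"end": node, "usd_k": amount,
                            "status": status, "breaks": breaks})
            continue
        for dst, amt in out_edges[node]:
            stack.append((dst, amt, breaks))
    return results

def totals(results):
    """Sum the traced amounts by final status."""
    summary = {"visible": 0, "lost": 0}
    for r in results:
        summary[r["status"]] += r["usd_k"]
    return summary

if __name__ == "__main__":
    print(*trace("victim"), totals(trace("victim")), sep="\n")
```

"Visible" here means only that the balance can still be watched on a public ledger; for the DAI addresses it does not imply the funds can be frozen.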
Conclusion: A Wrench Attack with Axes and Crypto
People tend to think that crypto losses only happen through code vulnerabilities — smart contract bugs, problems in protocols. In this story, the code had absolutely nothing to do with it.
This is a wrench attack — targeting the person, not the technology. The oldest trick in the book: grab a wrench, walk up to someone, and demand the keys. The blockchain, the smart contracts, the cryptography — all of it worked flawlessly. There was only one weak link: the human.
It all came down to the human factor. A public figure, visible wealth, an exposed address — that's all it took.
If you're a prominent name in crypto and your address is public, you're a target. The takeaway isn't that blockchain is insecure. The takeaway is that personal security matters.
You can bury your crypto in cold wallets under every layer of protection imaginable. Alex Amsel's story teaches us that sometimes the blockchain breaks when someone shows up with a couple of hammers.