Armed Robbery & Wallet Drain

Section 01

The Incident

This was not a remote hack, phishing attack, or smart contract exploit. The attackers gained physical access to the victim, used weapons and violence to coerce the transfer, and had pre-staged wallet infrastructure to receive and split the funds.

🚫

Attack Vector

Physical kidnapping → armed coercion (axes) → forced wallet transfer under duress → funds split to pre-staged attacker wallets.

Section 02

Drain Transaction

$23.6M

aEthUSDC Transferred

$19.1M

DAI to Staging Wallets

~$1.87M

Via Li.Fi to Hyperliquid

XMR

Converted to Monero

Field	Value
Tx Hash	0x73afe9ec...4724be4bc
Block	24,585,515
Timestamp	March 4, 2026 — 17:13:23 UTC
From (victim’s wallet)	0xd2e8827d...45eca41
Contract Called	ATokenInstance (Aave aEthUSDC) Aave
Function	`transfer()`
Amount	23,596,490.28 aEthUSDC (~$23.6M)
Recipient	0x6fe0fab2...24060322 Victim

The attacker forced the victim to call transfer() directly on the Aave aEthUSDC token contract, moving the entire Aave USDC lending position in a single transaction. This was not a withdrawal from Aave — it was a direct aToken transfer, which is unusual and suggests the attacker understood DeFi mechanics.

Section 03

Attack Sequence

Step 1 — Physical Kidnapping & Coercion

Attackers kidnapped the victim and used weapons (axes over hands and feet) and threats of sexual violence to gain compliance. The victim resisted as long as possible.

Step 2 — Forced Transfer

Under duress, the victim was forced to execute a transfer() of 23,596,490 aEthUSDC from their whale wallet (0xd2e8...a41) to an intermediary address.

Step 3 — Split & CowSwap Aggregation

From 0x6Fe0: $23.13M routed to 0x0D5c and $2.48M directly to 0xb98E. The $23.13M was aggregated via CowSwap into 0xb98E.

Step 4 — DAI Conversion & Staging

From 0xb98E: converted to DAI and split — 10.01M DAI to staging wallet #1 (0xd0c2) and 9.09M DAI to staging wallet #2 (0xdCA9).

Step 5 — Li.Fi Bridge to Hyperliquid

From 0xb98E: ~$1.87M sent in 15 chunks ($100K–$200K each) via Li.Fi cross-chain bridge to 15 separate addresses, which then forwarded to 14 Hyperliquid addresses.

Step 6 — XMR Conversion (COMPLETED)

All 14 Hyperliquid addresses (gas-funded by 0xBEEF...B27) swapped everything to Monero (XMR) and dispersed to 14 final addresses. These funds are now untraceable.

Section 04

Address Profiles

Victim’s Whale Wallet

Forced Transfer Source

0xd2e8827d4b1c44f64d1fa01bfbc14dc8545eca41

Field	Value
Type	EOA
Total Txns	1,032
Active Since	February 2017 (9 years)
Deployed Contracts	3
Remaining Balance	~$78K ETH, ~$52K PORTAL, ~$44K USDC
Pre-Drain Aave Position	~$23.6M aEthUSDC
Behavior	Long-time DeFi whale. Regular $15–22K/mo withdrawals from Aave. PORTAL token vesting recipient.

Victim Address / Intermediary

Victim

0x6fe0fab2164d8e0d03ad6a628e2af78624060322

Field	Value
Type	EOA
Outbound Txns	0
Received	~$23.6M aEthUSDC
Current Balance	0.135 aEthUSDC (dust), $0.10 ETH
Assessment	Pass-through. Funds split: $23.13M → `0x0D5c`, $2.48M → `0xb98E`.

CowSwap Router

Aggregator

0x0D5c41C6...d602Ed059Bb

Received $23.13M → CowSwap swap → forwarded to 0xb98E

Primary Aggregator

Attacker Hub

0xb98E8eeF...935AA872

Central hub. Received all funds. Split to staging wallets + 15 Li.Fi transfers.

Staging Wallet #1

Attacker

0xd0c2C387...43c9dd3E

10,010,000 DAI · EOA

Staging Wallet #2

Attacker

0xdCA9F78a...d3eC9C4

9,090,000 DAI + 0.047 ETH · EOA

Gas Funder

Operational

0xBEEF0000072943D4872462D9C7BD727f672eCB27

Funded gas for all 14 Hyperliquid addresses. Key operational address — may link to attacker identity.

Section 05

Fund Flow

VICTIM (under armed duress) controls: 0xd2e8827d...eca41 (whale wallet, 1,032 txns, since 2017) | | FORCED transfer() — 23,596,490 aEthUSDC ($23.6M) | Block 24,585,515 — Mar 4, 2026 17:13 UTC v 0x6fe0fab2...060322 (intermediary / pass-through) | +——————————————————+ | | $23.13M $2.48M v | 0x0D5c41C6...059Bb | | CowSwap | | $23.13M | v v 0xb98E8eeF...AA872 ←———————— PRIMARY AGGREGATOR HUB | +———————————————+——————————————+ | | | v v v 0xd0c2...9dd3E 0xdCA9...eC9C4 15 ADDRESSES 10.01M DAI 9.09M DAI ~$1.87M via Li.Fi STAGING #1 STAGING #2 $100K-$200K chunks | v 14 HYPERLIQUID ADDRESSES gas from 0xBEEF...B27 | v SWAPPED TO XMR (MONERO) 14 final addresses UNTRACEABLE

The $3.6M gap is now accounted for: ~$1.87M was bridged via Li.Fi in 15 separate $100K–$200K chunks to Hyperliquid, where it was swapped to Monero. The remaining ~$1.7M represents CowSwap slippage, DEX fees, and conversion costs across $23.6M in volume. The ~$19.1M in DAI remains in the two staging wallets.

Section 06

Staging Wallets — Current Status

$10.01M

DAI · Staging #1

$9.09M

DAI · Staging #2

~$1.87M

Already laundered via Li.Fi → HL → XMR

~$1.7M

Fees & Slippage

Both staging wallets are fresh EOAs. The two-wallet split ($10.01M + $9.09M) is a classic laundering preparation pattern. The attacker has already demonstrated the playbook with the ~$1.87M Li.Fi batch: bridge to Hyperliquid in $100K–$200K chunks, swap to XMR. Expect the same pattern for the $19.1M.

Section 07

Laundering Method — CONFIRMED

The laundering route has been confirmed by on-chain evidence. The attacker used Li.Fi (cross-chain bridge) to move funds from Ethereum to Hyperliquid, where they were swapped to Monero (XMR). This is NOT wagyu.xyz as initially suspected.

🔴

~$1.87M Already Converted to XMR

15 Li.Fi bridge transfers ($100K–$200K each) from the aggregator hub (0xb98E) have been completed. All funds reached 14 Hyperliquid addresses, were swapped to Monero, and dispersed to 14 final addresses. These funds are now untraceable. The remaining ~$19.1M DAI in staging wallets will likely follow the same path.

Attribute	Detail
Bridge Used	Li.Fi (cross-chain aggregator)
Destination Chain	Hyperliquid
Final Asset	XMR (Monero) — untraceable
Chunk Size	$100K–$200K per transfer
Total Chunks	15 bridge transfers → 14 HL addresses → 14 XMR addresses
Gas Funder	0xBEEF...B27 — funded all 14 HL wallets
wagyu.xyz	NOT used — initial suspicion was incorrect

1

Aggregate

CowSwap → 0xb98E hub

2

Chunk & Bridge

$100K–$200K via Li.Fi

3

Hyperliquid

14 wallets, gas from 0xBEEF

4

Monero

14 XMR addresses — gone

This pipeline has been fully executed for ~$1.87M. The attacker split funds into 15 chunks, bridged via Li.Fi to Hyperliquid, used 14 separate wallets (all gas-funded by the same 0xBEEF address), swapped to XMR, and dispersed. The ~$19.1M DAI in staging wallets is expected to follow the identical pattern.

Section 08

All Known Addresses

Primary Addresses

Role	Address	Detail
Victim whale wallet	0xd2e8...eca41	Source of $23.6M aEthUSDC
Intermediary	0x6fe0...060322	Pass-through, now dust
CowSwap router	0x0D5c...059Bb	Received $23.13M, CowSwap → 0xb98E
Aggregator hub	0xb98E...AA872	Central hub → staging + Li.Fi
Staging #1	0xd0c2...9dd3E	10.01M DAI
Staging #2	0xdCA9...eC9C4	9.09M DAI + 0.047 ETH
Gas funder	0xBEEF...CB27	Funded gas for all 14 HL wallets
Victim secondary	0xead7...7d0e	~$1K ETH

Amount	Address
$162.1K	0xe205...8526
$161.5K	0xbCD2...d7dA
$160K	0xC600...f9b6
$150K	0x2b25...F561
$200K	0xd8ce...70c6
$200K	0x0b17...fec0
$107K	0x610e...7237
$107K	0xa5cC...8134
$107K	0x9B9F...96CB
$107K	0x7aeb...f043
$106K	0xACd1...d6d
$107K	0xEa7f...2D3c
$100K	0x9431...56Ca
$100K	0x896A...9927
$5K	0x4876...9385

#	Address
1	0x06b0...697f
2	0xF928...D5B9
3	0x15Fc...4608
4	0xA2Bc...391b
5	0x5106...12a3
6	0xe438...3748
7	0x9e73...6eba
8	0x1c25...4e32
9	0x02bb...2dd3
10	0x8632...f451
11	0x6859...aebe
12	0x782b...2891
13	0x7528...1fe5
14	0x1a0d...6faf

#	Address
1	0x7d3a...9215
2	0x03be...4307
3	0x0855...77fd
4	0xa1e1...1dbf
5	0x69dc...de65
6	0xd193...c6d2
7	0x2d6f...5c32
8	0xb8d1...e1cd
9	0x0028...4092
10	0xaf9b...8ca3
11	0xb7e0...f7e6
12	0x7241...ab94
13	0x35b9...f88e
14	0xb34f...9eb4

Section 09

Urgent Actions

1

URGENT: Monitor staging wallets — ~$19.1M DAI has NOT moved yet. Set real-time alerts on 0xd0c2...3E and 0xdCA9...C4. When they move, expect Li.Fi bridge transfers in $100K–$200K chunks.
2

Alert Li.Fi team immediately — Li.Fi was the confirmed bridge used for laundering. They should block the staging wallet addresses and the aggregator hub (0xb98E...A872).
3

Alert Hyperliquid team — funds were swapped to XMR on Hyperliquid. Flag all 14 receiving addresses and the gas funder 0xBEEF...B27. Block further XMR swaps from related addresses.
4

Investigate 0xBEEF...B27 (gas funder) — this address funded gas for all 14 Hyperliquid wallets. It’s an operational address that may link to attacker identity via funding source, exchange deposits, or prior activity.
5

Flag with Chainalysis / TRM Labs / Arkham — add ALL addresses (primary, Li.Fi intermediaries, HL wallets, XMR destinations, gas funder) to compliance databases.
6

Contact CowSwap — CowSwap was used to aggregate the stolen funds. Request transaction logs and any metadata (IP, API keys) associated with the swap.
7

Law enforcement: subpoena Li.Fi and Hyperliquid — both services processed the laundering pipeline. Request IP logs, API access records, and any KYC data for the accounts involved.

Section 10

For Law Enforcement & Investigators

Summary card for sharing with investigators, on-chain tracers, and compliance teams.

Field	Value
Crime Type	Armed robbery, kidnapping, assault, threats of sexual violence
Amount Stolen	~$24M (aEthUSDC → DAI)
Date	March 4, 2026
Police Involved	Yes
Drain Tx	0x73afe9ec...be4bc
Victim Wallet	0x6fe0fab2...060322
Forced-Transfer Wallet	0xd2e8827d...eca41
Attacker Staging #1	0xd0c2C387...9dd3E — ~$10M DAI
Attacker Staging #2	0xdca9f78a...ec9c4 — ~$10M DAI
Laundering Method	CONFIRMED: Li.Fi bridge → Hyperliquid → XMR (Monero)
Already Laundered	~$1.87M converted to XMR via 15 chunks
Remaining at Risk	~$19.1M DAI in staging wallets (not yet moved)
Gas Funder	0xBEEF...B27 — key operational address

The victim’s whale wallet (0xd2e8...a41) showed consistent behavior over months: large USDC deposits into Aave ($1.7M–$11.9M), periodic small withdrawals ($15–22K), transfers to a personal secondary wallet, and PORTAL token vesting claims. The $23.6M full-position transfer on March 4 completely broke this pattern.

Several indicators suggest the attackers had crypto/DeFi knowledge beyond basic wallet operations:

Used direct aToken transfer() rather than Aave withdraw() — faster, single-tx approach
Pre-staged 30+ fresh EOA wallets across multiple chains (Ethereum, Hyperliquid)
Converted to DAI rather than USDC — DAI cannot be frozen by a central authority
Used CowSwap for aggregation — MEV-protected, harder to front-run or detect
Used Li.Fi for cross-chain bridging in $100K–$200K chunks — stays under monitoring thresholds
Swapped to XMR on Hyperliquid — sophisticated multi-chain laundering pipeline
Dedicated gas funder (0xBEEF...B27) for all Hyperliquid wallets — pre-planned infrastructure
14 separate Hyperliquid wallets for XMR conversion — distributed to avoid single-point blocking

$3.6M gap resolved: ~$1.87M went through Li.Fi → Hyperliquid → XMR. Remaining ~$1.7M is CowSwap/DEX slippage and fees on $23.6M volume.
How did attackers identify the victim as a whale? OPSEC breach, social media, or insider information?
Who controls 0xBEEF...B27? This gas funder is the strongest operational link to attacker identity.
Were the 14+ wallets pre-generated or created during the attack? The infrastructure suggests pre-planning.
Will the ~$19.1M DAI in staging wallets follow the same Li.Fi → HL → XMR pipeline?

🔎

Operational Profile

Organized violent crime with professional-grade laundering infrastructure. 30+ pre-staged wallets across Ethereum and Hyperliquid. DeFi-aware execution (direct aToken transfer, CowSwap for MEV protection, DAI over freezable USDC). Multi-chain laundering pipeline: CowSwap aggregation → Li.Fi bridge → Hyperliquid → XMR. Dedicated gas funder (0xBEEF). ~$1.87M already converted to untraceable Monero. $19.1M DAI remains in staging wallets — recovery window is still open but narrowing.

$24M Armed Robbery& Wallet Drain