Kraken User — $18.2M Social Engineering Theft
End-to-end on-chain attribution of an $18.2M social engineering theft from a Kraken user. Traced ETH fund flows across multiple staging wallets, reconstructed a THORChain ETH→BTC cross-chain swap, documented a failed Chainflip exit attempt, and performed dual-chain cash-out attribution to HitBTC — including an assessment of HitBTC's regulatory posture across two jurisdictions (BVI FSC and SVG FSA). Published publicly with full transaction evidence.
Mandate
Trace the destination of funds stolen from a Kraken user via social engineering and establish where they were cashed out across chains.
Methodology
Address clustering on victim-adjacent Ethereum source wallet → identification of multiple staging wallets → THORChain router contract identification → ETH→BTC cross-chain swap reconstruction → BTC destination address attribution via timing and amount matching → Chainflip bridge monitoring → HitBTC deposit address attribution → jurisdictional assessment of HitBTC across BVI FSC and SVG FSA.
Findings
Stolen ETH moved through multiple staging wallets before entering a THORChain ETH→BTC swap. A secondary exit via Chainflip was attempted and failed. The BTC output was attributed to a HitBTC deposit address. HitBTC holds licences under both BVI FSC and SVG FSA — jurisdictions with limited enforcement cooperation capacity.
Outcome
100% of stolen funds attributed to HitBTC across two chains within 72 hours of the theft. Full transaction evidence published publicly. HitBTC's dual-jurisdiction status (BVI FSC / SVG FSA) assessed as offering low probability of voluntary asset recovery without active law enforcement escalation to either regulator.