Blockchain investigator ZachXBT has reported a major security incident involving a Kraken exchange user who lost $18.2 million in a suspected social engineering heist. The stolen funds are already being moved across different blockchain networks in an apparent laundering attempt.
According to ZachXBT's Telegram channel alert, the threat actor began bridging 878 ETH (worth approximately $1.8 million) from Ethereum to Bitcoin through the decentralized cross-chain liquidity protocol THORChain. The transaction was executed using a SafePal wallet, with the theft address on Ethereum identified as 0xC55149BbD560435a9FbEabFdcF9711cf928acA21 and the corresponding Bitcoin address as 1D8f8956EEFLXN28AHfioEx4ywVbxCz8KN.
On-chain data from the THOR InfoBot confirmed that the streaming swap was initiated roughly 45 minutes before ZachXBT's public alert, lending credibility to the investigator's claims. The 878 ETH visible on-chain may represent only one portion of the total $18.2 million being moved, as attackers in prior cases have frequently split stolen assets across multiple transactions and chains simultaneously.
This incident highlights THORChain's repeated use as a tool for laundering stolen funds due to its lack of KYC verification requirements. In January 2026, an attacker used the same protocol to move portions of $282 million in stolen BTC and Litecoin after tricking a hardware wallet user into revealing their seed phrase. In that case, 818 BTC worth $78 million was swapped into ETH, XRP, and LTC through THORChain.
ZachXBT has tracked several similar large-scale thefts involving social engineering and cross-chain fund movement, including a $330 million theft in 2025 and a $91 million loss in August of that year. Neither Kraken nor SafePal has publicly commented on the latest incident at the time of writing, and the investigation remains in its early stages as on-chain trackers monitor further fund movements from the flagged addresses.
