Almost three months after the Shibarium bridge hack, on-chain investigator Shima shares how one small mistake allowed him to uncover the full path of the stolen funds.
In a recent thread on X, he explained that after the attacker ignored the K9 Finance bounty that could have helped resolve the issue earlier, he continued studying the transactions until he found an unexpected link that exposed the entire laundering route.
Sleuth Uncovers Movement of Funds from the Shibarium Hack
Shima said the attacker made one major error that revealed every stage of the Tornado Cash withdrawals and the later movements into KuCoin.
According to him, this slip gave him enough information to connect the original exploit wallets, the Tornado-linked withdrawal wallets, and dozens of KuCoin accounts that he believes money mules used to convert the stolen funds.
The on-chain sleuth first shared his findings with the Shibarium team so they could involve law enforcement while KuCoin still had the option to freeze any funds.
He added that his team reached out to KuCoin’s fraud department, but the exchange insisted on receiving a law-enforcement case number before taking action. When progress stalled, he decided to publish the complete analysis so victims and authorities could act on their own.
Initial Path of the Funds
Notably, Shima presented how the laundering process played out in his X thread. He began with the hacker’s main wallet and nine “dumping” wallets that received the stolen assets.
In the MetaSleuth chart, the wallets formed an orange cluster that showed the original Shibarium bridge exploit address, the movement of funds into nine wallets, and the gradual sale of the stolen tokens for ETH. These wallets led to the trail that eventually moved through Tornado Cash and into KuCoin.
During the review, Shima noticed something unusual. Specifically, the attacker sold every stolen token except LEASH. Instead of selling it, the exploiter moved all of the LEASH into a wallet that begins with 0x0db3.
Shima noted that this was odd for a quick smash-and-grab attack and said it suggested a possible link to the earlier “LEASH Rebase Exploiter” case from a few weeks before the bridge hack. This wasn’t actual proof, but the pattern was suspicious enough to note.
Moving on, from the nine wallets, the attacker sent 260 ETH into Tornado Cash. The exploiter pushed 250 ETH through the 10 ETH pool and 10 ETH through the 1 ETH pool.
Next step: Tornado Cash 🌪️
From the 9 orange dumping wallets, we see 260 ETH total being sent into Tornado Cash (red addresses):
• 250 ETH sent into the Tornado 10 ETH pool
• 10 ETH sent into the Tornado 1 ETH pool
This is the classic “clean break” stage ⛓️💥 where the hacker…
— Shima 島。 (@MRShimamoto) December 1, 2025
Shima stressed that this was the attacker’s attempt to break the connection between the stolen funds and the later withdrawal wallets. For a while, it looked like the trail might end there, until Shima spotted the mistake that changed everything.
The Error That Changed Everything
Forty days after the hack, one of the wallets linked to a Tornado depositor sent exactly 0.0874 ETH to a secret withdrawal wallet. Shima identified the sender as 0x45b5 and the receiver as 0x4476.
He noticed this transfer while preparing a second bounty message and checking every address tied to the attacker. The small amount immediately stood out, and he said he realized it provided the link he needed to uncover the entire laundering operation.
The on-chain investigator then traced every transaction around 0x4476 and uncovered a larger cluster of Tornado-linked withdrawal wallets. Because the 0.0874 ETH transfer tied 0x4476 directly to the hack, he treated all of the connected wallets as part of the laundering network.
From there, he saw a pattern. Specifically, the attacker withdrew funds from Tornado Cash, moved them through one to three intermediary wallets, and funneled them into KuCoin deposit addresses.
Funds Moved to KuCoin
Shima eventually identified 48 KuCoin deposits involving 45 unique deposit addresses. He found that 232.4949 ETH reached KuCoin through 25 depositors and also found one reused deposit address that linked to DAI from a separate exploit, which he called sloppy operational security.
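The linking step and the hop-bounded trace described above amount to a small graph search. The Python below is an added example, not Shima's or MetaSleuth's tooling; every wallet name and amount is constructed, except the 0.0874 ETH figure, which comes from the article.

```python
from collections import Counter, defaultdict, deque

# Constructed sample: (sender, receiver, ETH). All names are placeholders.
TRANSFERS = [
    ("dep_A", "mixer", 10.0),    # deposit into the mixer pool
    ("dep_A", "wd_1", 0.0874),   # direct transfer that links both sides
    ("wd_1", "hop_1", 9.9), ("hop_1", "hop_2", 9.8), ("hop_2", "cex_1", 9.7),
    ("wd_1", "wd_2", 0.05),      # small transfer tying in a second wallet
    ("wd_2", "cex_2", 9.9),
    ("wd_2", "hop_3", 9.9), ("hop_3", "cex_1", 9.8),  # cex_1 is reused
    ("other", "cex_3", 5.0),     # unrelated user, must not be flagged
]
DEPOSITORS = {"dep_A"}                       # wallets known to have fed the mixer
DEPOSIT_ADDRS = {"cex_1", "cex_2", "cex_3"}  # labelled exchange deposit addresses

def linked_wallets(transfers, depositors, mixer="mixer"):
    """Wallets paid directly by a known depositor, bypassing the mixer."""
    return {r for s, r, _ in transfers if s in depositors and r != mixer}

def trace_to_exchange(transfers, seeds, deposit_addrs, max_edges=4):
    """BFS forward from seeds; max_edges=4 allows up to three intermediaries."""
    out = defaultdict(list)
    for i, (s, r, amt) in enumerate(transfers):
        out[s].append((i, r, amt))
    hits, seen = [], set()
    queue = deque((s, (s,)) for s in sorted(seeds))
    while queue:
        node, path = queue.popleft()
        for i, nxt, amt in out[node]:
            if nxt in path:                      # ignore cycles
                continue
            if nxt in deposit_addrs:
                if i not in seen:                # count each deposit once
                    seen.add(i)
                    hits.append((path + (nxt,), amt))
            elif len(path) < max_edges:
                queue.append((nxt, path + (nxt,)))
    return hits

def summarize(hits):
    """Total ETH, deposit count, unique and reused deposit addresses."""
    per_addr = Counter(path[-1] for path, _ in hits)
    return {"eth": round(sum(a for _, a in hits), 4),
            "deposits": len(hits),
            "unique_addrs": len(per_addr),
            "reused": sorted(a for a, n in per_addr.items() if n > 1)}

if __name__ == "__main__":
    seeds = linked_wallets(TRANSFERS, DEPOSITORS)
    print(summarize(trace_to_exchange(TRANSFERS, seeds, DEPOSIT_ADDRS)))
```

A deposit count higher than the unique-address count, as in the article's 48 deposits over 45 addresses, is what the `reused` field surfaces.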
Notably, the sleuth later expanded the view to show the full path from Tornado Cash to KuCoin. Tornado wallets appeared in red, intermediary wallets formed a branching network, and KuCoin deposit wallets appeared in green.
He said the attacker likely avoided completing KYC at KuCoin and instead relied on money mules who cashed out the assets. He warned that any of these mules who participated from North America or Europe might face serious consequences once authorities identify them.
Shima then called on victims and investigators to file reports in their own countries. He said he would share his full MetaSleuth graph, address list, and methodology with law-enforcement teams and help them verify victim claims.
The Shibarium Bridge Hack
For context, the Shibarium hack itself took place in September 2025. Specifically, attackers exploited the Shibarium bridge through a flash-loan attack that allowed them to compromise 10 of 12 validator keys and manipulate cross-chain transfers.
They stole about $2.4 million in ETH, SHIB, BONE, ROAR, and 248 billion KNINE tokens worth about $717,000 at the time. K9 Finance later blacklisted the stolen KNINE, which made the tokens worthless.
Meanwhile, K9 Finance offered a bounty for only the KNINE tokens that started at 5 ETH and later increased to 20 ETH before expiring. The Shiba Inu team also offered a 50 ETH bounty for the remaining stolen assets.
Disclaimer: This content is informational and should not be considered financial advice. The views expressed in this article may include the author's personal opinions and do not reflect The Crypto Basic's opinion. Readers are encouraged to do thorough research before making any investment decisions. The Crypto Basic is not responsible for any financial losses.