Blockchain Bandit
Summary
The Blockchain Bandit is an unidentified threat actor or group that systematically exploited Ethereum wallets holding cryptographically weak private keys between approximately 2015 and 2018, accumulating more than 45,000 ETH (worth over $54 million at peak 2018 valuations) through a technique researchers later termed 'Ethercombing.' The actor compromised 732 private keys across 49,060 transactions, draining wallets in near-real-time using automated blockchain monitoring. Dormant since 2018, the actor re-emerged in January 2023 and again in December 2024, consolidating approximately 51,000 ETH (valued at roughly $172 million) into a single multisig wallet, as tracked by on-chain investigator ZachXBT.
Timeline (7 events)
2015-01-01
Earliest alleged Blockchain Bandit wallet exploitation activity begins, targeting Ethereum addresses generated with weak private keys.
Source: Chainalysis Blog
2016-01-01
Blockchain Bandit activity peaks; actor begins systematically draining Ethereum wallets derived from 732 compromised private keys across 49,060 transactions.
Source: ISE Ethercombing Case Study
2018-01-13
Blockchain Bandit's primary accumulation address (0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464) holds 37,926 ETH, valued at approximately $54.3 million at prevailing Ethereum prices.
Source: ISE Ethercombing Case Study
2018-12-31
Blockchain Bandit's active exploitation campaign largely ceases; wallets enter dormancy.
Source: CoinTelegraph
2019-04-23
Independent Security Evaluators (ISE) publishes 'Ethercombing: Finding Secrets in Popular Places,' publicly documenting the Blockchain Bandit's methods, scale, and primary wallet address for the first time. WIRED publishes concurrent coverage by Andy Greenberg.
Source: ISE Ethercombing Case Study
2023-01-16
After approximately five years of dormancy, Blockchain Bandit wallets begin moving funds. Between January 16 and January 21, the actor transfers 51,000 ETH and 470 BTC (approximately $90 million combined) to new addresses, flagged by Chainalysis and ZachXBT.
Source: Chainalysis Blog
2024-12-30
ZachXBT identifies the Blockchain Bandit consolidating 51,000 ETH (approximately $172 million) from 10 previously dormant wallets into a single multisig wallet in the largest single fund movement attributed to the actor.
Source: CryptoPotato
Research Gaps
1 open · agent-resolvable
Heuristic next-actions surfaced for researchers and worker agents. Resolving these strengthens the page's evidence base and trust score.
- [med] unarchived sources
Cited sources are not Wayback-archived. Run the archiver to pin their content before they rot.
Decision Log
- hash: 5cW5b4xLCQnNCMN91jmB9o7hu4MMBQMcdVeR9GLnmypm
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet
generated: 5/4/2026, 4:04:57 PM
last updated: 5/19/2026, 4:45:05 PM
avoid.net — verified advice for a post-truth world