In a startling development that has reignited concerns about DeFi security and cross-border justice, an address linked to two of decentralized finance’s most brazen exploits has suddenly liquidated over $2 million in cryptocurrency. According to on-chain analytics firm Lookonchain, the wallet associated with the 2021 Indexed Finance hack and the 2023 KyberSwap exploit ended approximately one year of dormancy by selling holdings of UNI, LINK, CRV, and YFI tokens over an intense eight-hour period. This transaction occurs while U.S. prosecutors continue their international pursuit of Canadian national Andean Medjedovic, the indicted fugitive allegedly responsible for stealing an estimated $65 million from the two protocols.
Indexed Finance and KyberSwap Hacker Resurfaces with Major Sale
The blockchain never forgets. On-chain data reveals the precise moment the dormant address sprang back to life, initiating a series of transactions that moved millions in digital assets. Analysts at Lookonchain, cited in a report by CryptoBriefing, tracked the movement of four major Ethereum-based tokens from the suspect wallet. The sale represents a significant liquidation event, potentially indicating an attempt to cash out or obfuscate funds. Consequently, this activity provides a fresh digital trail for investigators and security researchers to follow.
This event underscores a persistent challenge in the crypto ecosystem: the pseudonymous nature of blockchain transactions can provide cover, but forensic analysis often creates a permanent, public record. The wallet’s activity directly ties back to two specific incidents that shook investor confidence in decentralized finance.
- Indexed Finance (2021): An exploit manipulated the protocol’s index pool mechanics, draining approximately $16 million in assets.
- KyberSwap (2023): A complex attack on the decentralized exchange’s Elastic pools led to a loss of nearly $49 million.
Authorities have connected these two events to a single individual, highlighting a pattern of targeting sophisticated DeFi infrastructure.
DeFi Security and the Fugitive Challenge
The saga of these hacks extends far beyond smart contract code. It delves into international law enforcement, asset tracing, and the long memory of distributed ledger technology. U.S. prosecutors have publicly identified Andean Medjedovic as the alleged perpetrator. They secured an indictment detailing charges related to wire fraud and money laundering. However, Medjedovic remains a fugitive, demonstrating the complex jurisdictional hurdles in prosecuting cross-border crypto crime.
This case exemplifies the “delay and disperse” tactic sometimes used by sophisticated actors. After an exploit, hackers often let stolen funds sit idle in dormant wallets, waiting for public attention to fade and for improved mixing or swapping services to emerge. The recent $2 million sale after a year of inactivity fits this pattern. It suggests a calculated effort to monetize a portion of the illicit gains while potentially testing surveillance by chain analysis firms and authorities.
Expert Analysis on On-Chain Forensics and Recovery
Security experts note that while transactions are transparent, converting stolen crypto to clean, spendable fiat currency remains a significant obstacle for hackers. Centralized exchanges increasingly integrate advanced compliance software that flags deposits from known malicious addresses. This sale of blue-chip DeFi tokens like UNI and LINK likely required the use of decentralized exchanges (DEXs) or cross-chain bridges, methods that leave their own forensic signatures. The public nature of this sale may actually aid investigators by providing a new set of transaction outputs to monitor, potentially leading to off-ramps where identity verification is required.
The timeline of events is critical for understanding the persistence of crypto investigations:
| October 2021 | Indexed Finance Exploit | $16 Million |
| April 2023 | KyberSwap Elastic Exploit | $49 Million |
| Late 2023 | U.S. Indictment of Medjedovic | Charges Filed |
| Early 2025 | Dormant Address Sells $2M in Assets | Liquidation Event |
This sequence shows that legal and investigative processes operate on a longer timeframe than blockchain transactions, but they are relentless. The recent on-chain movement proves that even dormant addresses are under constant scrutiny by both private analytics firms and government agencies.
Conclusion
The $2 million cryptocurrency sale from an address linked to the Indexed Finance and KyberSwap hacks serves as a powerful reminder of the enduring nature of blockchain forensics and the ongoing efforts to bring DeFi exploiters to justice. While the pseudonymous hacker remains a fugitive, each on-chain action creates new data points for investigators. This case continues to shape discussions around protocol security, the importance of real-time monitoring tools, and the evolving collaboration between the crypto industry and global law enforcement. The resolution of the Indexed Finance and KyberSwap saga will likely set important precedents for how the digital asset world handles high-value, cross-jurisdictional theft.
FAQs
Q1: What cryptocurrencies did the hacker sell?
The address sold holdings of UNI (Uniswap), LINK (Chainlink), CRV (Curve DAO Token), and YFI (yearn.finance) over an eight-hour period, totaling over $2 million in value.
Q2: Who is suspected of being behind these hacks?
U.S. prosecutors have identified and indicted Canadian national Andean Medjedovic as the alleged perpetrator behind both the Indexed Finance and KyberSwap exploits. He remains a fugitive as of early 2025.
Q3: How much was stolen in the original hacks?
The combined estimated loss from the 2021 Indexed Finance exploit and the 2023 KyberSwap exploit is approximately $65 million.
Q4: Why would a hacker wait a year to move funds?
Hackers often use a “delay and disperse” strategy, letting funds sit dormant to avoid immediate tracking and heat, waiting for improved obfuscation techniques or for surveillance to lessen before attempting to cash out.
Q5: What does this mean for DeFi security?
This incident highlights the persistent security challenges in DeFi, the importance of rigorous smart contract audits, and the critical role of continuous on-chain monitoring and analytics to track stolen funds long after an initial exploit.
