After remaining dormant for approximately one year, a wallet address associated with two of the largest attacks against DeFi protocols has just executed a massive sell-off. In just eight hours, the address liquidated holdings worth over $2 million in top-tier digital assets, triggering alarms once again among researchers and security agencies.
The Digital Reappearance: When and How
Blockchain data does not lie. According to Lookonchain’s analysis, the wallet linked to the exploits of Indexed Finance (2021) and KyberSwap (2023) woke from its slumber by executing coordinated transactions. In an eight-hour span, it dispatched significant amounts of Uniswap (UNI), currently valued at $5.40, Chainlink (LINK) at $13.17, Curve (CRV) at $0.40, and yearn.finance (YFI) trading at $3.36K.
This movement was not accidental. The selling pattern suggests deliberate coordination: multiple governance token transactions from leading platforms executed within narrow time windows. Investigators interpret this as a strategic attempt to convert stolen assets into cash without immediately triggering surveillance alarms.
Following the Hacker’s Trail: Andean Medjedovic
U.S. prosecutors have put a name to the previously anonymous figure behind these attacks: Andean Medjedovic, a Canadian citizen who has been formally charged in the United States. The charges include aggravated electronic fraud and international money laundering, offenses carrying substantial penalties.
However, Medjedovic remains at large. As of early 2025, he continues to be an actively sought fugitive internationally. This fact exposes an uncomfortable reality of the crypto ecosystem: although blockchain technology leaves permanent records, physically apprehending the perpetrator requires cross-border cooperation that does not always move swiftly.
Breakdown of Two Historic Attacks
The wallet linked to this hacker is tied to two devastating exploits:
October 2021 - Indexed Finance Exploit: By manipulating mechanisms of indexed pools, the attacker extracted approximately $16 million. The attack exposed deficiencies in transaction validation architecture.
April 2023 - KyberSwap Elastic Pools Attack: A more sophisticated attack targeting the decentralized exchange’s Elastic pools resulted in the theft of nearly $49 million, bringing the combined damages from both attacks to an estimated $65 million.
The Hacker’s Strategy: Wait, Hide, Liquidate
The hacker’s behavior pattern follows a recognizable script in digital criminology of decentralized assets: the “delay and disperse” strategy. After a successful attack, funds remain inactive in cold storage addresses while media attention dissipates and obfuscation tools evolve.
This year of inactivity was not negligence. It was calculation. The hacker let regulatory attention cool, gave new fund-mixing methodologies time to develop, and waited for the optimal moment to extract liquidity without raising immediate suspicion.
The recent sale marks a tactical shift: the hacker is beginning to monetize. This could indicate that, from his perspective, risk conditions have normalized enough to justify the move.
On-Chain Forensics: The Permanent Record
Here lies the fundamental paradox of crimes on the blockchain. While pseudonymity provides initial cover, each transaction creates an immutable and inspectable record.
Security analysts point out that converting stolen cryptocurrencies into usable fiat currency remains the critical bottleneck for criminals. Centralized exchanges have significantly strengthened their compliance protocols, flagging any deposits originating from known blacklisted addresses.
Therefore, the sale of UNI, LINK, CRV, and YFI tokens likely went through decentralized exchanges or cross-chain bridges. These alternative methods leave their own digital footprints: flow patterns, execution times, exit addresses. Each potential contact point is a place where investigators can intercept or trace.
In fact, this visibility could become a disadvantage for the hacker. The movement timeline provides investigators with new coordinates to monitor exit points toward fiat conversion avenues, places where identity verification is typically required.
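The monitoring described above, reduced to a sketch: an added example, not code from Lookonchain or any investigator, that flags a watchlisted address when it moves funds after a long idle period and sums the burst that follows. The addresses are placeholders, the amounts and timestamps are constructed, and the 330-day, 8-hour and $1M thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime   # block timestamp, UTC
    sender: str    # sending address
    token: str     # token symbol
    usd: float     # USD value at transfer time

def detect_reactivations(transfers, watchlist, last_seen,
                         dormancy=timedelta(days=330),
                         window=timedelta(hours=8), min_usd=1_000_000):
    """Flag watchlisted addresses that wake after `dormancy` and move at
    least `min_usd` within `window` of the first new transfer."""
    last_seen = dict(last_seen)  # copy: do not mutate the caller's state
    bursts, active = [], {}
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.sender not in watchlist:
            continue
        b = active.get(t.sender)
        if b and t.ts - b["start"] <= window:
            b["usd"] += t.usd            # same burst: accumulate
            b["tokens"].add(t.token)
        else:
            active.pop(t.sender, None)   # previous burst window has closed
            prev = last_seen.get(t.sender)
            if prev is not None and t.ts - prev >= dormancy:
                b = {"address": t.sender, "start": t.ts, "usd": t.usd,
                     "tokens": {t.token}, "idle_days": (t.ts - prev).days}
                active[t.sender] = b
                bursts.append(b)
        last_seen[t.sender] = t.ts
    return [b for b in bursts if b["usd"] >= min_usd]

# Constructed sample data (placeholder addresses, invented amounts and times).
DORMANT, RECENT = "0xDORMANT_PLACEHOLDER", "0xRECENT_PLACEHOLDER"
LAST_SEEN = {DORMANT: datetime(2024, 1, 10), RECENT: datetime(2025, 1, 14)}
D = datetime(2025, 1, 15)
SAMPLE = [
    Transfer(D.replace(hour=2), DORMANT, "UNI", 600_000),
    Transfer(D.replace(hour=4, minute=30), DORMANT, "LINK", 550_000),
    Transfer(D.replace(hour=5), RECENT, "UNI", 3_000_000),   # not dormant
    Transfer(D.replace(hour=7), DORMANT, "CRV", 400_000),
    Transfer(D.replace(hour=9, minute=30), DORMANT, "YFI", 500_000),
    Transfer(D.replace(hour=6), "0xUNLISTED_PLACEHOLDER", "LINK", 9_000_000),
]

if __name__ == "__main__":
    for alert in detect_reactivations(SAMPLE, {DORMANT, RECENT}, LAST_SEEN):
        print(alert)
```

Only the long-idle address produces an alert; the recently active and unlisted senders are ignored regardless of the amounts they move.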
Pursuit Timeline
| Date | Event | Impacted Volume |
| --- | --- | --- |
| October 2021 | Indexed Finance Exploit | $16 million |
| April 2023 | KyberSwap Elastic Attack | $49 million |
| Late 2023 | Formal charges against Medjedovic | Charges filed |
| Early 2025 | Inactive address liquidates $2M | New tracking event |
The sequence reveals a pattern: while blockchain transactions occur in seconds, criminal investigations operate on a scale of years. But they are relentless. Each activation of a dormant address generates new data points. Each transaction leaves new clues.
What This Means for DeFi Security
This incident reinforces several realities of the current decentralized finance landscape:
First, the critical importance of rigorous smart contract audits. The exploits of Indexed Finance and KyberSwap were not cryptographic breaches but failures in transaction validation logic.
Second, real-time monitoring is not optional. On-chain analysis firms have evolved from technical curiosities to essential operational security tools.
Third, jurisdiction is as important as technical capability. A hacker successfully prosecuted in New York has a deterrent effect globally. Conversely, a fugitive at large remains a persistent threat.
Fourth, true anonymity on blockchain does not exist. Only temporary anonymity does. Competent investigators will eventually identify sources and destinations.
FAQs
What motivated the sudden sale after a year of inactivity?
It is not confirmed, but experts speculate that the hacker assessed the regulatory landscape as sufficiently normalized or needed liquidity for subsequent operations. The move could also be a test of current surveillance defenses.
Can the ongoing sale be intercepted?
Partially. While the funds in tokens are already dispersed, the process of converting them into usable fiat currency is the most critical vulnerability. This is where investigators have the greatest intervention capacity.
What is the likelihood of capture?
International cooperation is slow but effective. Formal charges expand the scope of cooperating jurisdictions. However, capture will depend on whether Medjedovic makes operational mistakes or an ally betrays him.
Does this case set a precedent for future crypto investigations?
Absolutely. The forensic methodologies developed in this case will be applied to subsequent investigations, continually improving the ability to pursue cross-border crypto crimes.
2 Million in Motion: The Indexed Finance and KyberSwap Hacker Resurges After Months of Silence