An elderly crypto whale known as “HEX 19” lost nearly $4.5 million in a slow-moving hack that drained his staked HEX (HEX) over multiple years.
At first, it looked like a HEX whale was cashing out. But it wasn’t long before the community realized he didn’t voluntarily unstake his tokens — he had become a victim of a major exploit.
The cyberattack started in November 2021, touched multiple phishing wallets, and was traced back to an online entity known as “Konpyl,” a threat actor familiar to crypto investigators.
The breach not only shook the token’s price but also exposed a web of fraudulent operations tied to Inferno Drainer and the $1.6-million fake Rabby wallet scam of February 2024.
HEX token price sinks following the HEX19 hack. Source: CoinGecko
HEX hackers and the web of connections
A blockchain investigator who spoke to Cointelegraph on condition of anonymity said, “There’s direct counterparty exposure with wallets used in the fake Rabby app scam as well as the HEX19 victim’s funds flowing directly into wallets used to launder illicit Inferno Drainer phishing scam proceeds.”
The first major batch of outflows from the victim’s wallet occurred in November 2021 and has continued over the years as assets locked away in decade-long stakes continued to unlock, some prematurely closed by the hacker with penalties.
HEX19 wallet loses almost $4 million on Nov. 21. Source: Arkham Intelligence
The deeper investigators dug into the wallets tied to the HEX19 hack, the more it became clear that this wasn’t a one-off for the hacker. The same addresses appeared again and again across phishing campaigns, wallet drainers and laundering trails.
Wallets used by the HEX19 hacker, the fake Rabby wallet scam and several schemes related to Inferno Drainer share a common address: Konpyl.
In an October 2024 investigation, Cointelegraph’s Magazine analyzed on- and offchain evidence gathered by an investigator and a US government agency that links Konpyl to Konstantin Pylinskiy, an executive of a Dubai-based investment firm who uses the nickname in his online activities. Pylinskiy has denied any involvement with scams.
The investigator said the attack on HEX19 was possible because the victim had stored his seed phrases in the cloud. Transaction records show that the hackers use victim funds for initial transfers to their illicit accounts, a common trait of Konpyl-linked schemes.
“The HEX19 hacker follows similar patterns from other scams by ‘Konpyl,’” they said.
In a November 2024 report, Cointelegraph learned that Konpyl-linked wallets had a high number of interactions with scams connected to Inferno Drainer, a scam-as-a-service threat actor.
Fantasy, a forensics specialist and investigations lead at crypto insurance firm Fairside Network, told Cointelegraph that Konpyl may function less as a direct attacker and more as a laundering proxy.
Inside the HEX hack
The first batch of funds started moving out from the wallet on Nov. 21, 2021, but blockchain records show that the wallet may have been compromised as early as Nov. 3, as the victim wallet (0x97E…7a7df) had an outflow to one of the hacker’s wallets.
On Nov. 21, HEX19 was drained of nearly $4 million across nine separate transactions. The majority of the losses were in HEX tokens. The primary destination was address 0xcfe…8A11D, which we will call HEX Hacker 1 (HH1).
That same day, HH1 began splitting the stolen funds. They sent $2.64 million (12.33 million HEX) to a second wallet, 0xA30…2EA17, or HEX Hacker 2 (HH2).
A follow-up transaction on Dec. 10, 2021, sent another 616,700 HEX (worth around $86,700 at the time) from HH1 to HH2.
On Feb. 18, 2022, HH1 transferred 5.2 million HEX (worth about $1 million at the time) and some Ether (ETH) to yet another address, 0x719a...4Bd0c, where the funds remain parked to this day.
The HH2 wallet appears central to laundering efforts.
From December 2021 to March 2022, HH2 sent over $1 million to Tornado Cash, Ethereum’s best-known anonymizing protocol.
HH2 also transferred $106,758 in Dai (DAI) to an intermediary wallet, 0x837…2Ba9B, which was used to interact with decentralized finance (DeFi) platforms like 1inch to further obscure or swap funds.
The intermediary interacted with 0x7BF…C4eAa, a wallet that received direct inflows from Konpyl (an online persona that has appeared in numerous phishing and draining operations).
HH2’s laundering chain also intersects with a high-risk wallet — 0x909…e4371 — flagged for over 70 suspicious transactions.
On May 16, 2024, a third wallet, HEX Hacker 3 (HH3) — 0xdCe…4f0d8 — began withdrawing funds from the compromised HEX19 address.
HH3 has received around $108,000 in HEX from the victim’s account.
HH3 connected to 0x87B…53d92, an address Cointelegraph previously identified in a November investigation as part of an Inferno Drainer-linked scam. That same wallet shares a commingling address (0xF2F...6a608) with Konpyl, which connects a March 2024 Inferno-linked scam and the Rabby wallet phishing incident.
Finally, a fourth wallet, 0x7cc…59ee2 — HEX Hacker 4 (HH4) — entered the picture. Starting on Jan. 12, 2024, HH4 siphoned funds from the HEX19 wallet through March.
This wallet interacted with 0x4E9…c71C2, which is a known address used by the fake Rabby wallet scammer.
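The trail in this section mixes two kinds of evidence: transfers of stolen funds, and wallets that merely interacted with each other. The Python sketch below is an added example, not part of Cointelegraph's or the investigator's analysis; its edge list is transcribed from the article with addresses truncated as printed, and the edge kinds "transfer" and "link" and the "Konpyl" and "Tornado Cash" node names are labels assumed here.

```python
from collections import defaultdict, deque

# Edge list transcribed from the article (addresses truncated as printed).
# "transfer": the article states funds moved src -> dst.
# "link": the article states an interaction but gives no direction.
VICTIM, HH1, HH2 = "0x97E…7a7df", "0xcfe…8A11D", "0xA30…2EA17"
HH3, HH4 = "0xdCe…4f0d8", "0x7cc…59ee2"
EDGES = [
    (VICTIM, HH1, "transfer"),
    (HH1, HH2, "transfer"),
    (HH1, "0x719a...4Bd0c", "transfer"),
    (HH2, "Tornado Cash", "transfer"),
    (HH2, "0x837…2Ba9B", "transfer"),
    ("0x837…2Ba9B", "0x7BF…C4eAa", "link"),
    ("Konpyl", "0x7BF…C4eAa", "transfer"),
    (HH2, "0x909…e4371", "link"),
    (VICTIM, HH3, "transfer"),
    (HH3, "0x87B…53d92", "link"),
    ("0x87B…53d92", "0xF2F...6a608", "link"),
    ("Konpyl", "0xF2F...6a608", "link"),
    (VICTIM, HH4, "transfer"),
    (HH4, "0x4E9…c71C2", "link"),
]

def adjacency(mode):
    """'flow': stated transfers, directed. 'association': all edges, undirected."""
    adj = defaultdict(list)
    for src, dst, kind in EDGES:
        if mode == "association" or kind == "transfer":
            adj[src].append(dst)
        if mode == "association":
            adj[dst].append(src)
    return adj

def shortest_path(start, goal, mode):
    """Breadth-first search; returns the list of nodes, or None if unreachable."""
    adj, seen = adjacency(mode), {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in adj[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

In this model the victim's funds reach Tornado Cash in three transfer hops, while the Konpyl node is reachable only in association mode, which reflects counterparty exposure and not a traced transfer.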
Lessons from the HEX19 Hack
HEX19, the retired tech veteran, has been through booms and busts before — just not ones that emptied millions of dollars from his digital wallet in a single day.
He filed police reports, and exchanges couldn’t do much to help, he said. The remaining staked funds, including 10-year HEX locks, became ticking time bombs. He knew the hackers had access and were just waiting to extract more.
Cointelegraph has found at least 180 suspicious transactions from November 2021 to October 2024, totaling over $4.5 million. The victim’s wallet still has nine active stakes remaining, though their values aren’t as significant as those prematurely closed and withdrawn by the thieves.
The active stakes are not as valuable as those closed by hackers. Source: HEXscout
“You have this feeling in the pit of your stomach and you say, ‘Oh my God.’ And then you say, ‘Oh, geez, I gotta tell my family that I’ve screwed up again,’” HEX19, purportedly a retiree in his 80s, said in an interview with HEX community member Mati Allin soon after the exploit. Cointelegraph attempted to get in touch with HEX19 but did not receive a response.
Despite the loss, HEX19 maintains a surprising sense of calm: “We’re retired. We live without debt. We live very simply. We have a great family, awesome daughters, granddaughters,” he said in the 2021 community interview. “There’s more to life than money.”
While he doesn’t expect to recover the funds, he does hope his experience helps others think twice before storing their seed phrases online.