Dormant Wallet Tied to HashFlare Fraud Moves 10,600 ETH Worth $18.5M

An Ethereum address linked to the HashFlare cloud-mining fraud transferred 10,600 ETH worth about $18.5 million on Monday morning after sitting idle for roughly three and a half years. Blockchain investigator ZachXBT flagged the movement, the first activity tied to the address since the long-running Ponzi scheme collapsed.

The funds left wallet 0xff575a22975cc413771825eb84c163189a4d5d22 in a single transaction and split across two new recipient addresses, according to ZachXBT's Telegram post early Monday. ETH traded around $1,754 at the time of the move, per CoinGecko. The investigator credited security firm Cyvers with first flagging the unusual flow.

The Movement

After the initial transfer, the operator began converting ETH to Bitcoin through cross-chain swap services, including Near Intents, that route trades without requiring an exchange account. ZachXBT described the path as routing the ether through "two instant exchanges" before reaching Bitcoin. That conversion pattern, ETH bridged to BTC via instant swaps, is the same flow ZachXBT documented in several recent laundering runs, including the KelpDAO exploit aftermath and a $120 million USDT trace earlier this month.

The address had received its ETH balance in late 2022 and held it through the entire prosecution arc, including the founders' February 2025 guilty pleas and August 2025 sentencings. Onchain trackers had publicly labeled it for years without intervention from law enforcement.

The Underlying Case

HashFlare marketed itself as one of the largest cryptocurrency cloud-mining operators in the world between 2015 and 2019, selling contracts that promised customers a share of bitcoin and other coins purportedly mined by company hardware. Sales totaled more than $577 million, according to the U.S. Department of Justice. The company in fact lacked the computing capacity to mine the vast majority of what its dashboards reported, and the displayed mining returns were falsified.

Estonian nationals Sergei Potapenko and Ivan Turõgin, both 40, pleaded guilty on February 12, 2025 to one count each of conspiracy to commit wire fraud in the U.S. District Court for the Western District of Washington. The pair were extradited from Estonia in 2024 after a multi-year investigation by the FBI Seattle Field Office, with assistance from the Cybercrime Bureau of the Estonian Police and Border Guard.

The Forfeiture Order

As part of the plea deal, Potapenko and Turõgin agreed to forfeit cryptocurrency, real estate, luxury vehicles, and mining hardware valued at more than $450 million, the U.S. Attorney's Office for the Western District of Washington said in its August 12, 2025 sentencing announcement. U.S. District Judge Robert S. Lasnik sentenced each defendant to 16 months in prison, time already served in pretrial custody, plus a $25,000 fine and 360 hours of community service.

Prosecutors had asked for 10-year terms, and the Justice Department said it was considering whether to appeal. The forfeited assets are slated for a remission process to compensate victims, with details "to be announced at a later date," per the same release. The FBI maintains a victim portal at fbi.gov/hashflare.

Why the Wallet Was Still Active

The address that moved on Monday does not appear in the publicly disclosed forfeiture inventory tied to the case. The DOJ has not publicly identified every wallet associated with the defendants. Wallets that were never named in the plea agreement, or that prosecutors could not locate, remained operational with their private keys still controlled by whoever held them when the case wound down.

Whether the 10,600 ETH belongs to Potapenko or Turõgin personally, to a co-conspirator, to a victim who held HashFlare credentials, or to a third party that gained access during the dormant period is not established by the onchain trace alone. ZachXBT labeled the wallet as linked to the scam without asserting which of those scenarios applies.

Where the ETH Could Go

The use of instant cross-chain swap services points toward an effort to obscure the trail. Such services aggregate liquidity across chains and complete swaps without the KYC checks an exchange imposes, complicating asset-freezing requests. The operator's choice to move ETH to Bitcoin rather than directly to a centralized exchange or a stablecoin tracks with recent laundering patterns the same investigator has documented this year.

Bitcoin destinations are harder for issuers to freeze than USDT or USDC, which have been used aggressively by Tether to lock down illicit flows. Tether froze $72 million tied to a separate ZachXBT trace earlier in June. No comparable freeze action against the HashFlare-linked addresses has been publicly disclosed as of Monday afternoon.

Implications for Victim Recovery

The reactivation complicates the DOJ's remission timetable. Funds that move out of identifiable wallets and through instant-swap routes become substantially harder to trace, and any portion the government had implicitly counted on for forfeiture would require new mutual-legal-assistance work to locate and seize. The $450 million figure that anchored the plea deal was calculated against assets the U.S. had already restrained.

The Western District of Washington U.S. Attorney's Office and the FBI Seattle Field Office, which led the original case, have not issued a public statement on the wallet movement. The DOJ's Money Laundering and Asset Recovery Section, which is handling forfeiture in the matter, has also made no public statement on the new flow.