An exploit-linked wallet has reportedly converted compromised assets into 18,510 ETH and 1,548 BNB, according to an on-chain tracking alert shared by WuBlockchain citing Lookonchain.
According to Lookonchain, the attacker has obtained 18,510 ETH ($30.83 million) and 1,548 BNB ($924,000) by selling H tokens. The attacker still holds 111.36 million H tokens worth about $14 million, which could be sold at any time, though on-chain liquidity has nearly been...
— Wu Blockchain (@WuBlockchain) June 9, 2026
The conversion is notable because post-exploit wallets often move from illiquid or easily traceable tokens into deeper, more liquid assets before attempting to bridge, mix or cash out funds. ETH and BNB both offer deeper liquidity than many smaller exploit tokens, making them common destinations for consolidation.
WuBlockchain reported that the attacker was associated with compromised “H tokens,” although wallet labels and exploit attribution are based on third-party on-chain monitoring rather than a direct law enforcement statement.
Why The Fund Flow Matters
The ETH portion alone was valued at about $30.83 million at the time of the swap, according to the capture notes. The BNB portion totaled 1,548 BNB, worth roughly $924,000 at the time.
Large post-exploit swaps can matter for several reasons. First, they can create pressure on the assets being sold if liquidity is thin. Second, they can signal the attacker’s next step, such as moving funds toward bridges, mixers or centralized exchange deposit addresses. Third, they provide investigators and security researchers with fresh transaction paths to monitor.
The important point is that blockchains make these movements visible, but not always simple to interpret. A wallet can be tracked in real time, while the identity of the controller may remain uncertain.
On-Chain Tracking Is Useful, But Labels Can Change
Readers should treat the figures as a snapshot rather than a final recovery or loss estimate. Exploit-linked wallets can split funds quickly, move assets across chains or use intermediate addresses that complicate tracing.
That is why the best framing is not speculation about who controls the wallet, but a data-focused look at how stolen funds are being consolidated. The conversion into ETH and BNB shows the attacker moving toward more liquid assets, which is a common stage in post-exploit fund movement.
The episode also highlights why on-chain monitoring accounts such as Lookonchain and WuBlockchain remain widely followed during security incidents. They do not replace official incident reports, but they can surface wallet activity before a full forensic investigation is published.
Source / Media Note
Preferred embed: raw X blockquote for the WuBlockchain post, with screenshot fallback.
This report is based on a WuBlockchain post citing Lookonchain on-chain tracking.
Security teams also watch these conversions because they can affect recovery options. Funds that remain in the original exploit tokens may be easier to freeze, blacklist or trace through specific pools. Once the value is converted into highly liquid assets and split across chains, the recovery path can become more difficult and time-sensitive.
