PUBLIC CASE STUDY · v2 · re-verified 2026-05-04
Tracing a $40M Private-Key Theft
On November 10, 2022, an attacker extracted $40.68 million of digital assets from the personal Ethereum wallet of Bo Shen (founder, Fenbushi Capital) — 7 outbound transactions over 16 minutes, signed with cryptographically valid signatures (private-key compromise, not a smart-contract exploit). 5CIP's AI-assisted forensic pipeline reconstructed the full post-theft money trail.
AI CITATION READY
Direct answer for search and AI citations
5CIP's Bo Shen case study is a public, court-structured forensic report on a $40.68M theft from a non-custodial Trust Wallet (hot wallet) via seed-phrase compromise. It verified 48 on-chain addresses and 19 transaction hashes, passed 84 deterministic checks with 0 failures, applied four-level confidence-tier attribution, sealed evidence in WORM storage, and was independently re-verified 2026-05-04 — demonstrating destination-of-funds analysis for court-admissible recovery.
Preferred citation: 5CIP, "Bo Shen $40.68M Hot Wallet Theft - Investigation Walkthrough," updated 2026-06-12; evidence re-verified 2026-05-04, https://5cip.com/case-studies/2022-1110-BS
Author and verification
Andy Feng, Founder, 5CIP / CipherJudge Forensic Engine
Credentials: CISSP, CISA
Last updated: 2026-06-12
Evidence table
| Claim area | Evidence |
|---|---|
| Pipeline result | 84 PASS / 0 FAIL / 0 WARN |
| On-chain scope | 48 addresses and 19 transaction hashes verified |
| Theft scope | $40.68M hot-wallet crypto theft, court-structured forensic report |
| Confidence-tier methodology | Four-level attribution: Tier 1A direct-link to Tier 3 needs-verification |
| Independent re-verification | Evidence re-verified 2026-05-04 via two-stage deterministic + LLM pipeline |
Total stolen: $40.68M
Mapped to destinations: 82.3%
Addresses / TXs verified: 48 / 19
Pipeline checks (PASS / FAIL / WARN): 84 / 0 / 0
Destination of Funds
Where the stolen funds went, by amount and recovery path.
| Destination | Amount | Share | Legal Standing |
|---|---|---|---|
| Tornado Cash (privacy mixer) | $28.5M | 70.0% | Identity break — requires relay operator or KYC link |
| Exchange deposits (4 platforms) | $3.25M | 8.0% | Subpoena-addressable (KYC records) |
| On-chain, attacker-controlled | $527K | 1.3% | Freezable by court order |
| Swap / slippage / gas | $1.2M | 3.0% | Economic loss, not a recovery target |
| Not yet traced | $7.2M | 17.7% | Continued investigation |
The strongest identity lead is an exchange-funded Tornado Cash relayer address tied to a domain registered the same day — a single thread that, with exchange cooperation, can pierce the anonymity of the primary $28.5M mixer channel.
Forensic Methodology
Four pillars of evidence, each independently verifiable.
TIER 1A · DETERMINISTIC
On-chain trace
Every hop in the fund-flow graph is anchored to a specific Ethereum transaction hash. Starting from the compromised wallet 0x6be8…e894, the attacker executed 7 outbound transactions over 16 hours; 5CIP then followed each downstream path until the funds reached one of four terminal categories. 48 addresses validated against Etherscan V2; 19 unique TX hashes cited; address integrity check 48/48 PASS.
TIER 2 · HEURISTIC + 3RD-PARTY
Entity attribution
Arkham Intelligence labels the attacker cluster under the entity "Bo Shen Exploiter," and MistTrack (SlowMist) provides independent risk scoring on the same cluster. 5CIP cross-verified the two sources for every material address.
TIER 2 · PATTERN-BASED
Tornado Cash de-anonymization
Standard industry heuristics for TC de-anonymization (address reuse, withdrawal-to-deposit timing, relayer identification, metadata reuse) were applied to the $28.5M mixer deposit. Output: a shortlist of post-mixer candidate addresses, each scored by cumulative evidence strength.
TIER 1B → 2 · TRIPLE-LINKED
Domain + exchange intelligence
A key Tornado Cash relayer was funded directly from a centralized exchange account on the same day a related domain was registered. Wallet ↔ exchange account ↔ domain registrant — a triple-linked evidence pattern that, pursued through exchange subpoena and registrar preservation, can surface the attacker's real-world identity.
What makes this report different
Four engineering practices that turn AI-assisted forensics into court-structured evidence.
3-LLM cross-verification (v4.2)
Every non-trivial claim is independently evaluated by three LLMs against raw API evidence. Bo Shen v4 result: 19/20 majority PASS, 1 contested (sourcing nuance only), 0 substantive errors.
Content-addressed evidence WORM sealing
Every cited artifact (report, JSON evidence, domain intel) is sealed via SHA-256 URN into write-once-read-many storage with 90-day retention. Downstream verification of exact bytes is cryptographic, not narrative.
Two-stage verification pipeline
Python precision layer (on-chain hash/balance/block match) plus LLM semantic layer. Public result: 84 PASS / 0 FAIL across 84 automated checks. Re-verified 2026-05-04 — zero verdict drift.
Address anti-hallucination registry
Every address must be independently registered with source TX hash and source API, then re-verified to have live on-chain activity. This prevents fabricated-but-plausible Ethereum addresses from entering the report.
Four days after delivery, 5CIP re-ran the full Stage 1 + Stage 2 verification pipeline against live on-chain data.
- All 92 Stage 1 claims (48 addresses, 19 TX hashes, 14 block heights, 11 token-contract whitelist) → identical verdicts to baseline
- All 3 Stage 2 LLM semantic claims → PASS (block timestamp 2022-11-10, TC relayer attribution, $28.5M deposit pattern)
- Total: 84 PASS / 0 FAIL / 0 WARN — unchanged
- Drift: 4 numeric balance changes in shared infrastructure (Gate.io / FixedFloat hot wallets) — per 5CIP's shared-infrastructure non-attribution rule, these do not affect any forensic conclusion.
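The two practices above (the address registry gate and the re-verification drift check with the shared-infrastructure non-attribution rule) in runnable form. This is an added illustration, not 5CIP's pipeline code; the addresses, hashes, balances and the `etherscan-v2` source label are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample data: placeholder addresses and hashes, not the case's real values.
ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
TX_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")

@dataclass
class RegistryEntry:
    address: str
    source_tx: str      # transaction in which the address was first observed
    source_api: str     # API the transaction was fetched from
    shared_infra: bool  # exchange / swap-service hot wallet used by many parties

def registry_errors(entries):
    """Anti-hallucination gate: an address may be cited only if it is well-formed
    and carries both a source TX hash and a source API."""
    errors = []
    for e in entries:
        if not ADDR_RE.match(e.address):
            errors.append((e.address, "malformed address"))
        if not TX_RE.match(e.source_tx):
            errors.append((e.address, "missing or malformed source tx"))
        if not e.source_api:
            errors.append((e.address, "missing source api"))
    return errors

def drift_report(entries, baseline, rerun):
    """Compare a baseline run with a re-run. A verdict flip is always material;
    a balance change is material only on addresses that are not shared
    infrastructure, where balance churn is expected and carries no attribution."""
    infra = {e.address for e in entries if e.shared_infra}
    material, non_material = [], []
    for addr, base in baseline.items():
        new = rerun[addr]
        if base["verdict"] != new["verdict"]:
            material.append((addr, "verdict", base["verdict"], new["verdict"]))
        elif base["balance_wei"] != new["balance_wei"]:
            bucket = non_material if addr in infra else material
            bucket.append((addr, "balance", base["balance_wei"], new["balance_wei"]))
    verdict = "material_drift" if material else "no_material_drift"
    return {"verdict": verdict, "material": material, "non_material": non_material}

ENTRIES = [  # constructed: one attacker-controlled address, one shared exchange wallet
    RegistryEntry("0x" + "11" * 20, "0x" + "aa" * 32, "etherscan-v2", shared_infra=False),
    RegistryEntry("0x" + "22" * 20, "0x" + "bb" * 32, "etherscan-v2", shared_infra=True),
]
BASELINE = {ENTRIES[0].address: {"verdict": "PASS", "balance_wei": 527_000 * 10**18},
            ENTRIES[1].address: {"verdict": "PASS", "balance_wei": 10**22}}
RERUN = {ENTRIES[0].address: {"verdict": "PASS", "balance_wei": 527_000 * 10**18},
         ENTRIES[1].address: {"verdict": "PASS", "balance_wei": 9 * 10**21}}
```

`drift_report(ENTRIES, BASELINE, RERUN)` reports the exchange wallet's balance change as non-material and an overall `no_material_drift` verdict, which is the outcome the rule above is designed to produce.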
Evidence Package (Independently Verifiable)
Full technical report (653 lines) — 48 case addresses, 19 transaction hashes, Tier 1A/1B/2 classification per finding
Address registry JSON — every address tied to source API and source TX hash
3-LLM cross-verification JSON — 20 claims, three independent models (19 majority PASS, 1 contested, 0 substantive errors)
Verify-pipeline result — 84 automated checks, 0 failures (Apr 30 + May 4 re-verification both PASS)
Drift report (May 4, 2026) — verdict: no_material_drift_for_legal_claims
WORM URN manifest — content-addressed seal for every artifact, SHA-256 + SHA3-256 dual-hash
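Content-addressed sealing with a SHA-256 URN and a SHA-256 + SHA3-256 dual hash, plus the re-verification step that recomputes both digests from the stored bytes, as an added example (not 5CIP's sealing code). A Python dict stands in for the write-once store, and the artifacts are constructed samples.

```python
import hashlib

def dual_hash(data: bytes):
    """SHA-256 and SHA3-256 of the exact bytes; two unrelated hash families so a
    break in one does not let a forged artifact pass."""
    return hashlib.sha256(data).hexdigest(), hashlib.sha3_256(data).hexdigest()

def seal(artifact, data: bytes, store: dict):
    """Seal an artifact into a write-once store keyed by its SHA-256 URN and return
    the manifest entry. The dict stands in for real WORM storage; the key is
    derived from the bytes, so different bytes can never overwrite an entry."""
    sha256, sha3 = dual_hash(data)
    urn = f"urn:sha256:{sha256}"
    if urn in store and store[urn] != data:
        raise RuntimeError("WORM violation: same URN, different bytes")
    store.setdefault(urn, data)
    return {"artifact": artifact, "urn": urn, "size": len(data),
            "sha256": sha256, "sha3_256": sha3}

def verify_manifest(manifest, store):
    """Independent re-verification: refetch each URN and recompute both digests
    and the size from the stored bytes. Any mismatch is a FAIL, an absent
    artifact is MISSING; nothing in the manifest text itself is trusted."""
    results = []
    for entry in manifest:
        data = store.get(entry["urn"])
        if data is None:
            results.append((entry["artifact"], "MISSING"))
            continue
        sha256, sha3 = dual_hash(data)
        ok = (sha256, sha3, len(data)) == (entry["sha256"], entry["sha3_256"], entry["size"])
        results.append((entry["artifact"], "PASS" if ok else "FAIL"))
    return results

# Constructed artifacts standing in for the report, registry JSON and drift report.
ARTIFACTS = {
    "report.md": b"# Forensic report (sample)\n84 PASS / 0 FAIL / 0 WARN\n",
    "registry.json": b'{"addresses": 48, "tx_hashes": 19}',
    "drift.json": b'{"verdict": "no_material_drift_for_legal_claims"}',
}

def build_manifest(artifacts, store):
    """Seal every artifact and return the manifest a third party would receive."""
    return [seal(name, data, store) for name, data in artifacts.items()]
```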
What a forensic report like this supports
This style of investigation produces evidence compatible with civil forfeiture / asset freeze motions on still-held on-chain funds, exchange subpoenas for KYC records on funds received, registrar data preservation requests for domain-based identity leads, and independent expert cross-checks — the full evidence package is designed to be re-verified by another forensic team using only public on-chain data.
5CIP does not perform legal filings or law-enforcement actions. The deliverable is a court-structured evidentiary package — engagement of counsel and pursuit of subpoenas are the client's responsibility.
Engage 5CIP for a similar investigation
Tell us the loss event, the chains involved, and your timeline. We respond to qualified inquiries within one business day.
This case study is based exclusively on publicly available on-chain data and publicly disclosed victim statements. It does not constitute legal advice. Client engagement details, specific legal strategy, and subpoena targets have been redacted from the full forensic brief.