A wallet linked to the 2022 Pando Rings exploit swapped about 10 million DAI for 6,243 ETH - with the hacker supposedly "buying the dip".
Author: Sahil Thakur
Steady attention without excessive speculation.
June 6 – A wallet linked to the 2022 Pando Rings exploit swapped about 10 million DAI for 6,243 ETH. The trade priced ETH near $1,602, a total worth around $10 million. It landed during a sharp ETH dip, so analysts quickly framed it as a hacker buying the bottom.
High Signal Summary For A Quick Glance
On-chain analytics firm Lookonchain broke the swap early on June 6. Its post carried a simple line: even the hacker is buying the ETH dip. Within an hour, that framing spread fast across crypto social feeds.
The swap happened at roughly 21:57 UTC on June 5, according to Lookonchain. The wallet moved about 10 million DAI into 6,243 ETH at an average price near $1,602.
The setup started hours earlier. First, the wallet approved its DAI for spending, then it fired the swap. That sequence is normal for large on-chain trades.
The trade did not run through one venue. Instead, it routed across DEX aggregators, namely 1inch and CoW Protocol. Those tools split large orders to limit price impact.
After the swap, the wallet held about 6,243 ETH plus roughly 9.5 million DAI. Together, that adds up to a net worth near $19 million at prevailing prices.
Lookonchain pointed to a single Ethereum address, 0x303D0A175CeEC14DD7B3d4F60CABE6CEc06a3d9F. Trackers including Arkham Intelligence label that wallet as a Pando Rings exploiter.
The attribution rests on fund-flow analysis, not cryptographic proof. In other words, trackers follow the money trail from the 2022 hack to this address. So the link is strong, yet not absolute.
The swap details are public on Etherscan. CoW Protocol settlements delivered the ETH in two chunks, near 3,120 and 3,123 ETH, which sum to the 6,243 ETH total.
Src: Lookonchain
Pando Rings was a decentralized lending and borrowing protocol. It ran inside the Pando ecosystem on Mixin Network and the 4swap automated market maker.
On November 5, 2022, an attacker manipulated the price oracle for the sBTC-WBTC liquidity provider token. By inflating that token’s value, the attacker borrowed far more than the collateral justified.
As a result, about $21.88 million in ETH, EOS, and BTC drained from the protocol. Reports put the attempted theft closer to $70 million before partial freezes kicked in.
The next day, Pando halted services and moved to reimburse users. According to its post-mortem, the team froze part of the funds with help from Mixin. The protocol has stayed dormant since then.
Some assets were recovered at the time. Pando froze about $2.36 million in EOS and clawed back more value through Mixin. Even so, a large ETH slice slipped away and stayed on the move.
The “buying the dip” label is catchy, but it may not be the full story. The swap also fits a laundering pattern, since it turns a traceable stablecoin into volatile ETH.
DAI is issued by MakerDAO, and issuers can sometimes flag or freeze stablecoin flows. ETH carries no such central control. So the move could be obfuscation as much as speculation.
There is a market read too. By holding ETH, the wallet now bets on price upside rather than sitting in a stable asset. Both readings can be true at once.
Shortly after the swap, the wallet routed about 100 ETH through Tornado Cash. That mixer breaks the on-chain trail, which points toward laundering intent for at least part of the stash.
The timing of the buy was notable as well. ETH had slid below $1,600 on June 5, with a 24-hour range near $1,590 to $1,770. So the wallet bought into clear weakness.
Still, the size stays modest against the broader market. A $10 million swap barely registers next to ETH’s daily trading volume. As a signal, though, it caught plenty of attention.
The story broke through monitoring, not a leak. Lookonchain flagged the swap within hours, then linked it to the Arkham label for the wallet. Soon after, outlets like PANews picked it up.
That speed matters for crypto crime. Because every transfer is public, dormant exploit wallets cannot move quietly. As a result, stolen funds draw eyes the moment they shift.
For exchanges and compliance teams, that visibility is useful. Flagged ETH becomes harder to cash out, since many venues screen incoming deposits against known hacker addresses.
Pando has not commented on the 2026 swap, and the protocol remains dormant. No major outlet had confirmed the move beyond on-chain trackers as of June 6.
For now, most of the ETH still sits in the wallet, while a slice has already been mixed. Analysts will likely watch the address for further transfers or more Tornado Cash hops.
The episode shows how fast on-chain sleuths surface dormant exploit wallets. The moment stolen funds move, trackers like Lookonchain and Arkham tend to notice within hours.
This article is for information only and is not financial advice. Always do your own research before making any investment decision.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
