An attacker exploited an exposed recovery phrase tied to a Robinhood co-founder's self-custody wallet to pump a memecoin called '$1' from a $500,000 market cap to $14 million in approximately two hours on July 13, according to Michael, Chief Business Officer of TokenPocket wallet. The mnemonic phrase was accidentally exposed during a live broadcast, allowing the attacker to import the wallet, which held approximately $1.5 million at the time. Thousands of traders who monitor high-value wallets interpreted the attacker's purchases as a deliberate investment by the Robinhood co-founder and copied the trade, driving the token's market cap up by nearly 28 times before the price collapsed. The token accumulated more than $20 million in trading volume. The incident demonstrates how wallet-tracking tools used by traders can be weaponized when the tracked wallet is compromised.
Michael detailed the sequence in a series of posts on X. The mnemonic phrase, a sequence of words used to access a non-custodial wallet, was accidentally exposed during a live broadcast. The attacker imported the wallet and began purchasing the '$1' token from the compromised address. Traders who monitor high-value wallets interpreted the purchases as a deliberate bet by the Robinhood co-founder and copied the trade. Late entrants absorbed the losses when the price reversed.
Robinhood's remote procedure call service blocked the compromised address, preventing further outgoing transactions from the wallet. The block stopped the attacker from draining remaining funds, but did nothing for traders who had already bought the pumped token on decentralized exchanges.
After the block took effect, the attacker moved to the BNB blockchain, created a new token, and engaged in wash trading to inflate its volume before cashing out. Bitcoin was valued near $62,800 and Ether at approximately $1,778 on July 13, both unaffected by the memecoin pump. No regulatory action has been announced in connection with the event. Robinhood's own self-custody security guidelines warn users never to share recovery phrases.
How did the attacker gain access to the Robinhood co-founder's wallet?
The attacker imported the wallet using a mnemonic phrase that was accidentally exposed during a live broadcast. The wallet held approximately $1.5 million at the time of the leak.
What action did Robinhood take after the compromise?
Robinhood's remote procedure call service blocked the compromised address, preventing further outgoing transactions from the wallet. The block stopped the attacker from draining remaining funds.