← back to the article

Dossier

capstack.eth

aka ENS operator 0x3fB0...7558, Safe creator

Coordinated Extraction Infrastructure Operator

Charges

What this defendant knew

Capstack.eth created Safe 0x0f28...b6363 exactly 2 months post-exploit (Apr 27, 2025) and operated it until shutdown. They possessed direct knowledge of: (1) the protocol's insolvent state, (2) the team's coordination (funded via Binance 14 KYC address that matches team operational wallets), (3) the timing strategy of waiting 112 days between Safe creation and shutdown announcement.

Intent indicators

On-chain attribution

capstack.eth (Safe creator):0x3fB00C...7558
Base extraction Safe:0x0f2876...b6363
Safe executor:0x40308a...b63ec

On-chain: Binance 14 KYC wallet funded capstack.eth operator. Extracted $54K (0.766 LBTC) via Chainlink CCIP 2025-06-22. ENS avatar at metadata.ens.domains/mainnet/avatar/capstack.eth (visual ID). 165 on-chain transactions as of Jun 2026, but zero ZERO token receipts — this operator was paid in other assets, further evidence of coordination outside normal protocol flow.

Public identity traces

Prosecution's theory

Capstack.eth is the extraction specialist within the conspiracy. The prosecution will show this was not an independent opportunist but a coordinated actor: (1) Safe creation timing (2 months post-exploit) demonstrates calculated delay for attention decay, (2) Funding source (Binance 14 KYC) matches team operational wallets — the same account that funded other team activities, (3) Extraction pattern (Gelato-automated, methodical CCIP bridges) indicates professional coordination with the team, not amateur opportunism. Capstack.eth's role was to provide plausible deniability: if discovered, the team could blame "a random Safe operator" while the same person held the keys.

Incriminating exhibits

Proofs & Evidence Collection

The following evidentiary items are preserved in this repository. Each item is timestamped, verifiable on public block explorers or web archives, and subpoena-ready for law enforcement. File paths reference the local evidence archive; URLs link to live public sources.

Gnosis Safe ownership analysis

Forensic analysis of Gnosis Safe 0x0f2876396a71fe09a175d97f83744377be9b6363 ownership structure. Documents Safe creation (Apr 27, 2025 — exactly 2 months post-exploit), signer configuration, and transaction authorization patterns. Establishes that capstack.eth was the Safe creator and maintained signing authority throughout the extraction period.

📁 team/forensic-gnosis-safe-owners.json

CCIP bridge investigation

Complete investigation of Chainlink CCIP bridge usage by capstack.eth's Safe. Documents every cross-chain transfer of LBTC from Base to destination chains, including amounts, timestamps, Gelato automation configuration, and final destination addresses. The extraction pattern was automated, systematic, and continued post-shutdown.

📁 team/forensic-ccip-bridge-investigation.md

Safe CCIP destinations

Mapping of all destination addresses for CCIP bridge transactions originating from capstack.eth's Safe. Tracks extracted funds across multiple chains to final settlement addresses, demonstrating a coordinated multi-chain extraction strategy.

📁 team/forensic-safe-ccip-destinations.json

Safe ZeroLinea receipts

Transaction receipts for all Linea-related Safe operations. Documents the flow of ZERO tokens through the Linea bridge infrastructure controlled by capstack.eth, including receipt verification and settlement timing.

📁 team/forensic-safe-zerolinea-receipts.json

Team ZeroLinea receipts

Cross-referenced receipts for all team-associated Linea bridge transactions. Establishes coordination between capstack.eth's Safe operations and other team-controlled wallets — the extraction was not a solo operation but part of a coordinated team effort.

📁 team/forensic-team-zerolinea-receipts.json

CoWSwap solver identity

Investigation of CoWSwap solver identity and transaction patterns associated with capstack.eth. Documents MEV and swap routing that facilitated extraction while minimizing slippage and on-chain footprint.

📁 team/forensic-cowswap-solver-identity.json

Hyperliquid deposits

Complete log of Hyperliquid deposits originating from capstack.eth-controlled addresses. Documents the flow of extracted funds into Hyperliquid for obfuscation and potential off-ramp — a deliberate step to break the on-chain trail.

📁 team/forensic-hyperliquid-deposits.json

Binance 14 KYC funding trail

On-chain trace of the Binance 14 KYC account that funded capstack.eth's operator wallet. This is the single highest-value lead for law enforcement — it connects capstack.eth's extraction infrastructure to a verified identity through Binance's KYC records.

📁 team/forensic-money-trail-priority-summary.json

ENS wallet clustering

ENS reverse-resolution and wallet clustering confirming capstack.eth identity across multiple chains. Documents ENS registration metadata, avatar hash, and transaction correlation linking pseudonymous operations to a consistent operator profile.

📁 team/forensic-ens-wallet-clustering.json

Attacker fund trace

Complete tracing of attacker funds from the Feb 23, 2025 exploit through Aerodrome, Across, and into Hyperliquid. Establishes the full path of stolen funds and demonstrates that the extraction infrastructure (capstack.eth's Safe) was deployed after the attack, not before — suggesting coordination with the attacker or opportunistic exploitation of the same vulnerability.

📁 team/forensic-attacker-fund-trace.json

Attacker funding sources

Analysis of attacker wallet funding sources including Railgun privacy pool and Pendle/Odos swaps. Documents how 38.81 ETH entered the attacker wallet on the morning of Feb 23, 2025, routed through privacy-preserving infrastructure.

📁 team/forensic-attacker-funding-sources.json