I’m also somehow missing much more information about what happened when.
They still claim that only 16 million ADA were affected.
But I can see at least three addresses/accounts of the original attacker on 21st June:
https://adastat.net/accounts/52838a79eea0044f271721cd0fe5bbace5f97951a7195439336497c5: stake1u9fg8znea6sqgne8zusu6rl9hwkwt7te2xn3j4pexdjf03g4kw9uq/addr1q9j7f598x988unr4zhjulft205jqnn9ewgwkhes5smf2sr6jsw98nm4qq38jw9epe587twavuhuhj5d8r92rjvmyjlzs9lqc3x
https://adastat.net/accounts/1dde43d25831dd355bcdb5107d4718cd82a5a6c48e660e11dd2ab60c: 1dde43d25831dd355bcdb5107d4718cd82a5a6c48e660e11dd2ab60c/addr1q82jlp2u0ezv2hsf6f40fkrv49hd72yv442nmrr5qeultpqamepaykp3m564hnd4zp75wxxds2j6d3ywvc8prhf2kcxqn6nql3
https://adastat.net/accounts/8bd0c0f7889c00b3c77a856200b6d88f410d30195e99c15b6afe292f: stake1ux9aps8h3zwqpv7802zkyq9kmz85zrfsr90fns2mdtlzjtcm7jj8p/addr1q9wudkfeelzwev427yvapkmqexmet8q4vl303m7a4eerwtvt6rq00zyuqzeuw759vgqtdky0gyxnqx27n8q4k6h79yhsqelma8
All three became active in the exact same block at 2026-06-21 20:29:41 UTC, all three show the same pattern of emptying victim addresses, exchanging ADA for USDCx, and finally funneling those USDCx out.
As far as I can see, more than 16 million ADA went through these three addresses.
Then, there is this address/account:
https://adastat.net/accounts/15379180b22573b8397a7e576cead9af6a36cf2902ac8aa4b2f35161: stake1uy2n0yvqkgjh8wpe0fl9wm82mxhk5dk09yp2ez4ykte4zcgg2e9m5/addr1q8g8cgwqw98q2mrzrwgcy3wectdxwem8a8zp9r2mn6wjy7q4x7gcpv39wwurj7n72akw4kd0dgmv72gz4j92fvhn29ss7vuz99
First used 2026-06-22 17:34:04 UTC, around 130 million ADA were transferred through this one. Most plausible is that this is the one where Emurgo claims that they “rescued” user funds.
Interesting is that they then have to have known pretty exactly what the problem was already at that time, 12 hours before they posted this:
And it wouldn’t make much sense why they would give a different reason (web wallet generation) a couple of hours later then:
Finally, there is also this address which seems to have drained some vulnerable addresses, but never moved the 4 million ADA further:
https://adastat.net/accounts/2391d456761f8f76bc3a1743273d755468cf47ad2ed03b2aa9ed5405: stake1uy3er4zkwc0c7a4u8gt5xfeaw42x3n6845hdqwe248k4gpgdq4da5/addr1q8m5wdncq7rwum73r5cyyr82qx2xjem5k4ehapl3wy36aaerj829vasl3amtcwshgvnn6a25dr850tfw6qaj420d2szsslkku6
Only used from 2026-06-23 05:20:53 UTC until 2026-06-23 06:53:23 UTC. Maybe a copycat?