If counterfeiting occurred prior to the fix in Sapling, the attacker could have sold the counterfeit coins to someone directly for bitcoin but it’s more likely that they would have moved them to a transparent address for trading on an exchange if they wanted bitcoin or another crypto since exchanges do not yet implement shielded addresses.
1 Like