On-chain sleuth ZachXBT has identified connections between the hack of two Hollywood celebrities’ X accounts — which were used to create meme coin scams — and the convicted UK hacker Gurvinder Bhangu, aka Gurv.
In an X thread today, July 30, well-known anonymous crypto investigator ZachXBT revealed his research into two recent high-profile X account hacks. The compromised accounts of actors Sydney Sweeney and Bob Odenkirk were used to advertise scam meme coins that reportedly generated $530,000 in stolen funds.
According to ZachXBT’s investigation, on July 2, Sweeney’s X account was compromised and posts promoting a Solana-based token dubbed “$SWEENEY” began to appear from the actor’s hacked account. Within two hours, the scam token saw over $10 million in trading volume, causing its price to spike and then crash.
2/ On July 2nd Sydney Sweeney was SIM swapped and a link to a meme coin was posted causing the price to spike and crash. Team wallets from the SWEENEY scam sold $515K+Main team walletsAgySZeAtqM3iSbvMPxv2g94oTd3segx4WdKuFD7M5CErjQEaiiAkRGhFoCDnjxn6mmtrksC4EckF38fxkaNMs1j pic.twitter.com/Vm0txgjl7B
— ZachXBT (@zachxbt) July 30, 2024
The attack coincided with reports that Sweeney’s Verizon phone number was reportedly hijacked. 404 media obtained a Verizon receipt from the same day, indicating a $37.54 payment order, confirming that Sweeney was the victim of a sim-swapping attack.
You might also like: Hackers target OKX customers in suspected SIM swap attack
According to ZachXBT, Gurv — previously convicted in the U.K. for hacking Instagram accounts and blackmailing users — received verification codes for Sweeney’s account via Telegram, strengthening the link between Gurv and the hack.
ZachXBT highlighted that the hacker used the same Telegram user ID to receive the code across multiple groups, discussing his time in prison and linking it to the hacks.
The crypto investigator added that proceeds from the attack were initially transferred as Solana (SOL) to an exchange, where the funds were swapped for Bitcoin (BTC) and Ethereum (ETH) before being dispersed to several addresses. According to ZachXBT, the on-chain activity suggests that there were multiple people involved in the scam.
You might also like: Metallica’s X account hacked to promote Solana token, Sahil Arora blamed
The investigation revealed that on July 9, another 1.5 ETH as sent to an exchange from a wallet connected to the Sweeney SIM swap.
Odenkirk also hacked
The investigator linked the Sweeney hack to another extremely similar attack on actor Bob Odenkirk’s X account, also on July 9. After compromising Odenkirk’s X account, the hacker(s) launched and posted about two scam meme coins, KIRK and SAUL. Possibly because the two coins diverterted attention, this time the scammers ended up stealing fewer funds.
At the time of ZachXBT’s reporting, the wallets connected to both the Sweeney and Odenkirk scams are holding approximately $488,000. The remaining funds “have been transferred to crypto casinos and to purchase gift cards.” ZachXBT concluded the X thread with a call to local law enforcement:
“Hopefully UK law enforcement will be quick to go after Gurv again using the large amount of evidence available.”
The Sweeney and Odenkirck scams are part of a broader trend of celebrities promoting scam meme coins, either via compromised accounts or, in some cases, alleged social engineering scams.