Editor’s note: I believe that many readers have heard the name ZachXBT frequently of late, including the confrontation with Ansem, the announcement of Murad’s address, the exposure of U businessman Wang Yicong, and the revelation of $SHAR’s project deck. Since 2021, on-chain detective ZachXBT has helped victims of scams and theft recover nearly $500 million. Last month, he uncovered a $243 million theft, the largest theft ever committed against an individual. From tracking crimes deep within the blockchain to uncovering the huge financial flows behind luxury lifestyles, ZachXBT has used his wisdom and persistence to help recover hundreds of millions of dollars in stolen funds in just a few years. This article in Wired magazine will take you into the mysterious world of this cryptocurrency "faceless detective", revealing how he battles wits with crypto crimes, as well as the little-known behind-the-scenes stories.
The following is the original content:
On August 19, a young man in his twenties, online alias ZachXBT, was preparing to board a flight home. He was unwilling to disclose which airport, his real name, or where he lived.
His phone then popped up an alert: a Bitcoin transfer had gone to a small cryptocurrency exchange. This was one of many exchanges he had long been monitoring, mainly to look for fund flows related to criminal money laundering. The alert caught his attention: the transaction amount was approximately $600,000, exceeding the exchange's normal transaction scale tenfold.
When he arrived at the boarding gate, his phone buzzed with a new alert: another transaction exceeding $1 million occurred on the same exchange. Shortly after, another transaction of $2 million.
As ZachXBT queued to board, he quickly tracked these funds on his phone, backtracking these Bitcoin addresses and marking suspicious funds, trying to determine the source of the funds before the half-hour internet blackout after the plane took off.
Before the plane took off, he had identified that the funds came from a large Bitcoin wallet that had not been touched since 2012, totaling hundreds of millions of dollars. And now, this nine-figure fortune was being liquidated urgently, with high transaction fees being paid, something an investor who had held for over a decade would clearly not do.
In ZachXBT's view, this flow of funds was clearly a major theft.
After further verification, he discovered that someone had stolen approximately $243 million worth of Bitcoin from a victim, possibly the largest individual cryptocurrency theft in history. "This is truly an extraordinarily large amount to have been stolen from one person," ZachXBT told Wired magazine. "I had to confirm that I wasn't seeing things."
As the plane ascended above 10,000 feet and Wi-Fi resumed working, ZachXBT began to trace the flow of more stolen funds.
These funds were transferred through one exchange after another and through cryptocurrency swap services. Over the following hours, he accelerated the mapping of these fund flows, discovering that the hackers attempted to obscure the source of the funds across a dozen platforms.
As he traced this lead back to the owner of the Bitcoin, ZachXBT discovered that part of the funds initially came from the now-defunct Genesis cryptocurrency exchange. He messaged the exchange's administrators via the X platform (formerly Twitter), asking them to contact the victim, who ultimately hired him to track down the stolen funds.
When he reached his destination, ZachXBT had already discovered that the stolen funds were split into three main flows, pointing to what he believed were three suspects. He also posted a message to his over 650,000 followers on the X platform, indicating the ongoing theft activity on the blockchain.
Soon after, he received a tip from an informant claiming to have information about the hackers' identities.
In the following week, ZachXBT worked day and night, sleeping only four to five hours a day, regularly sharing his findings with law enforcement agencies. He ultimately identified the suspects in the theft—two young hackers in their twenties named Malone Lam and Jeandiel Serrano. ZachXBT also confirmed another suspected hacker, but Wired magazine chose not to disclose his name as he had not yet been arrested or charged.
He even obtained a video showing one of them celebrating the acquisition of this massive wealth after completing the theft. In his rapid investigation, ZachXBT even tracked the suspects' Instagram and TikTok accounts, seeing one of them flaunting millions of dollars, buying luxury cars, flying on private jets, and spending up to $500,000 in nightclubs in a single night.
Within a month of his receiving that alert on the plane, two of the three suspects had been arrested and faced criminal charges.
When ZachXBT finally saw the booking photo of one of the hackers, he felt a brief surge of adrenaline but quickly returned to calm. "I didn't feel a particular sense of achievement," ZachXBT said, "I just treated it as another ordinary case."
Image source: ZachXBT Bitcoin theft investigation results
Private detective for the public in cryptocurrency
If tracking a $250 million theft feels like a typical day online for ZachXBT, it may be because he has become one of the most active independent cryptocurrency detectives in the world over the past three years.
Since starting to work as an amateur investigator in 2021, he has traced billions of dollars in stolen funds and fraud cases. According to a chart he provided to Wired magazine, his hundreds of investigations have directly led to about $210 million worth of criminal cryptocurrency being recovered, with another approximately $225 million being recovered for victims with his indirect assistance.
He exposed influencers who promoted tokens through pump-and-dump schemes, traced the networks of cybercriminals behind major cryptocurrency thefts, and uncovered dozens of incidents of North Korean hackers infiltrating cryptocurrency companies, even posing as employees.
Throughout the process, he relied almost entirely on cryptocurrency donations to fund his work, including grants from cryptocurrency organizations and contributions sent by strangers through the address listed in his social media profile, totaling about $1.3 million since 2021. "He is a new generation of investigator, serving the public," said Joe McGill, a U.S. Secret Service analyst who has worked with ZachXBT, "his success is entirely dependent on the success of his investigations."
In his pursuit of becoming a cryptocurrency 'justice cop,' ZachXBT has been careful to maintain his anonymity. Online, he only appears as his avatar—a cartoon platypus in a detective trench coat or sometimes a hoodie. To avoid retaliation from cryptocurrency criminals and scammers, he has never revealed his true appearance, name, or specific age, and he only agreed to an interview with Wired magazine on the condition that they would not pursue this personal identification information.
Image source: Twitter ZachXBT's Twitter homepage
Secret Service analyst McGill recalled that during their early phone meetings, ZachXBT not only turned off his camera but also used voice-changing software, sometimes sounding like a high-pitched character from South Park; at other times, his voice was lowered, resembling a character from a horror movie. "It was indeed quite strange at first," McGill, who was working at the crypto tracking company TRM Labs at the time, said, "but I respected his privacy because this anonymous individual was indeed doing outstanding work."
Cryptocurrency investigator and founder of Five I's company Nick Bax stated that ZachXBT reveals many cryptocurrency crimes and thefts almost every week, usually much faster than law enforcement's actions. Bax jokingly said he even suspects ZachXBT might be a robot.
"He’s like a machine," Bax said.
In an investigation last year, they worked together to track a $60 million theft in the 2021 AnubisDAO cryptocurrency project. Bax provided ZachXBT with a list of 500 transactions on Saturday night, each requiring manual analysis, along with associated blockchain addresses. "I thought this would keep him busy for at least a few days," he said. By the next afternoon, however, ZachXBT had already completed the analysis of all transactions and identified those related to the theft. "I was shocked," Bax said. "He must have sat at the computer non-stop for 12 hours straight."
Many of ZachXBT's investigation results are published without ceremony on his X platform account.
However, over time, his investigations have increasingly attracted the attention of law enforcement—now, he frequently shares his findings with these agencies before public release, and the targets of these detective works are facing increasingly serious consequences.
"As Zach's influence continues to grow, these cases bring financial and legal consequences," said Taylor Monahan, a security researcher at the cryptocurrency company MetaMask, who is one of ZachXBT's closest investigation partners and participated in the investigation of the $243 million theft. "If Zach posts about someone now and exposes it well, that person is very likely to be arrested."
From victim to whistleblower
So how did ZachXBT manage to trace the flow of funds faster and more accurately than law enforcement's cryptocurrency investigators, even without formal training or organizational support?
He himself is not quite sure. "This question is quite difficult, and I don't know why I'm so good at it," ZachXBT told Wired magazine in a phone interview. He believes it has to do with his willingness to work tirelessly—after all, the cryptocurrency market never closes—and the years of experience accumulated from deeply researching cryptocurrency blockchains. "The more blockchains you look at, when you are eating, sleeping, or even breathing, researching it, over time, everything starts to become clearer," he said. "You begin to spot those connections. I can look at a wallet and determine in seconds whether it's a bad actor."
ZachXBT stated that his familiarity with blockchain comes from his years of experience as a cryptocurrency enthusiast and trader—and that he himself was also one of many victims in the cryptocurrency economy's numerous traps.
Around 2017, he naively spent thousands of dollars on various cryptocurrencies, but these tokens ultimately lost significant value—often due to so-called rug pulls, where the token creators suddenly sold off their tokens, rendering the assets of other investors worthless. "At the time, I thought, 'This is going to change the world.' I bought in and held on, never selling," ZachXBT said, resulting in, "I became the one who was scammed."
By 2018, not only had all his investments significantly depreciated, but the Electrum cryptocurrency wallet he used was hacked due to a malicious software update, causing him to lose nearly $15,000.
It wasn't until then that he decided to step back and rethink his strategy. He no longer simply bought and held tokens; instead, he began analyzing cryptocurrency blockchains. Almost all blockchains are publicly visible, and anyone who can interpret the owners of different addresses can view them. Through this approach, he observed how some larger, more successful investors traded tokens and Bitcoin, and attempted to mimic their actions.
Through these blockchain analyses, by 2020, he had become quite familiar with tracking cryptocurrency transactions, able to discover ongoing scams that ordinary investors could not see.
He saw some influencers promoting a cryptocurrency to thousands of fans, driving up its price, and then tracked their funds through the blockchain, discovering that they were actually selling off their tokens immediately after the promotion, which is often a typical 'pump and dump' scheme.
"It’s more like a whistleblower role," ZachXBT said. "When I notice these activities, I think, 'This reminds me of my experiences being scammed in 2017 and 2018, why not post something to expose it?' Then this started gaining widespread attention."
When the NFT craze rose, ZachXBT also began to scrutinize NFT projects like Bored Bunny and Billionaire Dogs Club, revealing the real flow of funds. These NFT sellers managed to raise millions of dollars based solely on a few cartoon images, claiming that these NFTs would grant privileges like attending exclusive events or clubs.
However, ZachXBT discovered through blockchain analysis that these sellers were merely dispersing the funds and pocketing them. Sometimes, he even found through cryptocurrency tracking that certain NFT sellers were actually 'repackaging' a previously proven scam project.
In some cases, ZachXBT's posts about NFT sellers did scare off buyers, preventing some suspicious NFT sellers from continuing to sell their products. However, over time, he grew tired of constantly exposing these high-transparency, repetitive scams while also feeling frustrated by the lack of more substantive outcomes: none of the NFT projects he exposed resulted in criminal charges.
In early 2022, ZachXBT began to notice a group of hackers invading the Twitter accounts of some well-known cryptocurrency users, posting phishing links that pointed to Ethereum smart contracts used to drain users' wallets, resulting in tens of millions of dollars in theft.
Whenever a victim posted despairingly about their savings being stolen, ZachXBT proactively contacted them and carefully tracked their lost funds. He combined these blockchain leads with sources developed in Discord and Telegram channels frequented by young cryptocurrency thieves, ultimately identifying several possible online aliases of teenagers boasting about their large stolen wealth.
At this point, ZachXBT had already gained significant notoriety in the underground world of cryptocurrency, to the point that a person he suspected boasted on Twitter about buying a diamond-studded Audemars Piguet watch while mockingly referencing "mr xbt."
ZachXBT tracked down the seller of this luxury watch through a Discord channel and successfully persuaded the seller to provide the shipping address and real name of the teenager who purchased the nearly $50,000 watch.
No public records indicate whether the alleged thieves were arrested—possibly because the suspects are minors, and the charges were either sealed or never filed. However, ZachXBT found a forfeiture notice showing that in October 2022, a month after he published his findings on the X platform, the FBI seized over $200,000 worth of cryptocurrency and that diamond watch from the teenage suspect he identified.
In the same year, ZachXBT used similar techniques to trace $2.5 million worth of NFTs stolen in another phishing scheme to a pair of French hackers. Months later, French prosecutors arrested five suspects, explicitly mentioning that the posts ZachXBT made on the X platform helped in the investigation of the two main suspects. "Seeing law enforcement take action based on the information I shared gave me a great sense of accomplishment," ZachXBT said. "It made me realize that maybe what I am doing is actually effective."
Since first drawing law enforcement's attention two years ago, the scale of ZachXBT's investigations—and in some cases, the results—has dramatically expanded.
In February 2023, he traced nearly $9 million of stolen funds from the cryptocurrency project Platypus and identified one of the suspects within just a few hours; just over a week later, French police arrested two suspects. Although the charges against the two were ultimately dropped, police successfully recovered millions of dollars in funds, and Platypus expressed gratitude to ZachXBT in a post.
That same year, he traced $25 million stolen from the cryptocurrency company Uranium Finance, most of which appeared to be laundered through the purchase of rare Magic: The Gathering cards. When the notorious cybercrime group Scattered Spider carried out a ransomware attack against Caesars Entertainment in Las Vegas, extorting $15 million from the company, ZachXBT helped track and recover $12 million of that amount, as revealed by others involved in the investigation.
Around the same time, ZachXBT announced a significant investigation result, revealing 25 cryptocurrency thefts carried out by North Korean hackers, totaling over $200 million, of which about $7 million was frozen with his assistance. About half of these hacker actions had never been publicly disclosed before.
He subsequently followed up with an investigation that revealed a network of about 30 North Korean IT workers who infiltrated tech companies and were compensated in cryptocurrencies. In one case, a technician suspected of being linked to North Korea was hired by the NFT company Munchables, successfully stealing $62 million in crypto assets. After ZachXBT helped identify and tag these funds, the thieves were eventually forced to return the money because they could not easily liquidate it.
"Do you know how much that is?"
Returning to the initial theft case: when ZachXBT received a tip at the airport revealing that $243 million had been stolen from a single victim on August 19, it was one of the largest theft cases he had tracked.
After returning home from an international flight, he spent several days tracking the dispersed flows of funds while monitoring the movements of the three suspects on social media, two of whom used the aliases Greavys and Box. Notably, Greavys, whose real name is Malone Lam, appeared to be in Miami. His online posts and photos showed him surrounded by luxury properties, diamond watches, private jets, and luxury cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter typically priced over $3 million.
ZachXBT also discovered that Greavys had gifted influencers with Birkin and Hermès bags worth $30,000 to $50,000, and in nightclubs, waiters appeared holding electronic signs reading "WHO WANT A BIRK" marked with his name.
"It seems like they do nothing but party and steal money," ZachXBT said.
Within days, ZachXBT persuaded the informant who first messaged him during his flight to provide a screen-sharing video of three suspected hackers involved in the theft. Unknown to the hackers, one of the suspects had been sharing his screen with another group of friends, and one of those friends seemed to have recorded the video.
In this 90-minute video, ZachXBT said, the three hackers frequently referred to each other by their names. In another clip, one of the men briefly showed his Windows desktop, inadvertently revealing his last name.
The video even captured the moment when the hackers were ecstatic after their successful heist. "Oh my god! Oh my god! $243 million! Amazing!" one of them shouted in the video, "I’m going crazy! We did it, we did it. I’m about to explode. Do you know how much that is?"
On the afternoon of September 18, less than a month after ZachXBT began his investigation, Lam was arrested at a beachfront rental property in Miami, for which he paid $68,000 a month. Box—whose real name is Jeandiel Serrano—was arrested at Los Angeles International Airport while returning from a vacation in the Maldives with his girlfriend. According to prosecutors, he was wearing a $500,000 watch at the time of his arrest, renting a property near Los Angeles for over $40,000 a month, and had spent $1 million on luxury cars.
The next day, the wire fraud and money laundering charges against Lam and Serrano were unsealed. According to court documents, both hackers admitted to law enforcement investigators their involvement in multiple cryptocurrency thefts. Lam specifically acknowledged that the criminal proceeds enabled him to purchase no less than 31 luxury cars.
So far, $79 million of the $243 million has been seized or frozen, and ZachXBT hopes to find more stolen funds. Prosecutors indicate that even after the suspects have splurged, over $100 million remains unaccounted for.
ZachXBT's third suspect, whom public records currently indicate as possibly residing in Connecticut, has not yet been charged with any crime. However, journalist Brian Krebs pointed out a criminal complaint describing a group of men who allegedly robbed and briefly kidnapped a couple in their fifties just four days after the $243 million theft occurred, as the robbers "believed the victim's son had access to a large amount of digital currency," suggesting the victims might be the parents of the third suspected fund recipient tracked by ZachXBT.
For ZachXBT, this investigation could be a turning point. This was the first time he was hired and compensated by a victim, rather than working as a volunteer relying on donations. He mentioned that he might do more paid work like this in the future, even considering starting his own investigation company.
But ZachXBT insists he is not trying to get rich by exposing these events. "I see funds being seized, returned to victims, and suspects being arrested; that is my goal, and it was my original intention," ZachXBT said. "Seeing these things help people is the source of my fulfillment."
His partner, Taylor Monahan, from the cryptocurrency wallet company MetaMask, has collaborated with him on dozens of investigations. She believes ZachXBT is primarily driven by a sense of justice—this sense of justice stems from his own experience as a victim in the cryptocurrency world, wanting to prevent others from facing the same fate.
"He shares the same experience as many people in this industry, which is that bad things happen, and those around him just say 'that's too bad,'" Monahan said. "He instinctively rejects this experience and wants to change it all."
This article is republished with permission from: (Rhythm Blockbeats)
Original author: Andy Greenberg