Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

ZachXBT

@zachxbt

Jun 30, 2021 • 15 tweets • 7 min read • Read on X

Scrolly

1/ Welcome to the bull run of 2020/2021. It’s up only (was), valuations are at ATH, and your favorite influencer can be a VC.

New funds pop up on a weekly basis yet at the same time invest/incubate a billion projects at once. How are they so efficient you might ask?

👇👇👇

2/ Let me introduce you to Moonrock Capital.

In 2018 Johnathon Habicht & Simon Dedic founded Blockfyre; a blockchain advisory firm based in Germany. In 2020 this was acquired by Tixl. In between that period in 2019 Moonrock Capital was formed by them.

3/ After the Scott Melker incident someone close to the team at Moonrock & Blockfyre messaged me about the firm and all that went on.

Let’s dive into two of the projects ($POLK & $PMON) incubated by Moon Rock Capital a bit deeper to see if they did set the “standard”.

4/ Polkamon ($PMON)

As one of the largest marketing failures this bull run the chart exemplified suspicious activity.

In doing so I reviewed the entire transaction history from launch to June. Below is a brief summary of my findings.

5/ It’s clear the only thing that MoonRock helped them succeed with was pump investors/insiders funds and dump on retail.

Below is the typical lifecycle of the “Moon Rock incubation standard”.

6/ Polkamarkets ($POLK)

As another incubation you might think $PMON was a one time event.

Below is a graph with all of the largest (cumulative) sells in the first 4 weeks. Many of the wallets received tokens from other IDO’s as well.

7/ Now you’re starting to see the pattern? If you’re still not convinced here are some other projects that they invested in.

I’ve included the investment announcement date, token launch date, and ATH date in the chart.

($KYL, $DAFI, $LKR, $CGG)

8/ All your favorite CT influencers work with the VC’s and Marketing firms for a collective shilling campaign. Many do not disclose they were compensated in some capacity. They are placed into groupchats organized by people like Danny Les (for $PMON & $POLK)

9/

Perhaps you think that the teams at $PMON & $POLK were taken advantage of. A couple of the founders on the $POLK & $PMON team worked at Tixl which Blockfyre was acquired by. All of who Moon Rock worked closely with previously.

10/ Other VC’s have sprung up and do the exact same thing.

The larping VC model includes: little to no vesting period, shilling campaign, use noob friendly buzzwords, ponzi tokenomics designed to benefit VC’s at launch.

11/ Here are possible solutions that hopefully more VC’s should follow.

⁃Dont share the cap table with larping VC’s that dump instantly
⁃Make transparency status quo
⁃Regulation

This will help wash out the bad actors that give the crypto space a bad name.

12/ Follow for more threads in the future!

@LedgerQL

13/

A huge thanks to the team at @LedgerQL for providing me with the entire history of DEX trades for $POLK & $PMON. Can’t wait for the fully functioning site to be live.

Also a thanks to @mathieu_ouioui for helping give me a second eye by reviewing my analysis .

14/ Sources:

Refer to the files below for data dumps for Polychain Monster (Polkamon) & Polkamarkets.

drive.google.com/file/d/1MfinJ9…

drive.google.com/file/d/1tB8GTr…

There goes one of them…

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @zachxbt

ZachXBT

@zachxbt

Apr 8

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.

I spent long hours going through all of it, none of which has ever been publicly released.

It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.

Enjoy the findings!

2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site

An internal payment remittance platform, essentially a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.

3/ The site's default password was 123456, which remained unchanged for ten users.

The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.

Three companies which appeared are currently OFAC sanctioned: Sobaeksu, Saenal, & Songkwang.

Read 12 tweets

ZachXBT

@zachxbt

Apr 3

1/ Welcome to the Circle $USDC files.

$420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds.

2/ Circle operates USDC, a centralized stablecoin pegged 1:1 to USD, marketed as a regulated company with a robust compliance program.

Its token contract includes a freeze/blacklist function, and its terms of service explicitly state it reserves the right to restrict access for suspected illicit actors "in its sole discretion".

The company is incorporated in the US, currently headquartered in New York City, and subject to US federal / state financial regulations.

https://x.com/zachxbt/status/2039566991858794981

3/ On April 1, 2026, Drift Protocol was exploited for $280M.

The exploiter used CCTP to bridge 232M+ USDC from Solana to Ethereum across 100+ transactions over six consecutive hours. 10+ additional DeFi protocols across the Solana ecosystem were indirectly impacted.

Despite the attacker laundering funds over six consecutive hours across Circle's own native bridge, no USDC was frozen.

The attacker has been linked to DPRK by Elliptic.

Theft address:
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES

https://x.com/zachxbt/status/2039566991858794981

Read 18 tweets

ZachXBT

@zachxbt

Mar 23

1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams.

Strategy:
>Purchase accounts with followers
>Doompost multiple times per day
>Repost content from alt accounts
>Promote fake giveaway or scam
>Change username

2/ Example: @wanglaurentceo

They started by purchasing an account with followers and use AI to create a fake Asian version of Mario Nawfal.

(User ID 1804235884826333184)

3/ Here’s related accounts reposting to boost the reach of posts about exaggerated or fake news.

This causes them to go viral each day with millions of views and thousands of likes / replies.

Read 7 tweets

ZachXBT

@zachxbt

Feb 26

1/ Meet @WheresBroox (Broox Bauer), one of the multiple @AxiomExchange employees allegedly abusing the lack of access controls for internal tools to lookup sensitive user details to insider trade by tracking private wallet activity since early 2025.

2/ Axiom is a crypto trading platform founded by Mist & Cal in 2024. After going through Y-Combinator's Winter 2025 batch, it quickly became one of the most profitable companies in the space, generating $390M+ in revenue to date.

I was retained to investigate allegations of misconduct at Axiom after receiving reports.

3/ Broox is a current Axiom senior BD employee based in New York.

In the clip Broox states he can track any Axiom user via ref code, wallet, or UID and claims he can "find out anything to do with that person".

He also describe researching 10-20 wallets initially and slowly increasing over time "so it does not look that suspicious"

In a separate clip from the same recording, Broox sets ground rules for how to request lookups from him and then says he'll send the full list of wallets.

The full recording is a private call of the group members strategizing.

Read 10 tweets

ZachXBT

@zachxbt

Jan 25

https://x.com/zachxbt/status/2014685263327351116

In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.

https://x.com/zachxbt/status/2014685263327351116

Update: The CMDSS company X account, website, & LinkedIn were all just deactivated

Update: John Daghita (Lick) began trolling again on Telegram shortly after my post

Read 4 tweets

ZachXBT

@zachxbt

Jan 23

1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025.

https://x.com/zachxbt/status/1931216174903398723

2/ Earlier today John got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.

In 'The Com' this is known as a band for band (b4b).

However the entire interaction was fully recorded.

https://x.com/zachxbt/status/1931216174903398723

3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg