1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.

2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:

1) Calling as Google Support via spoofed number to compromise personal accounts
2) Calling after as Gemini support claiming account is hacked
3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet
4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.

Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3

3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.

Theft txn hash
4064 BTC - Aug 19 at 4:05 am UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090

1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.

Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.

I then uncovered 25+ crypto projects with related devs that have been active since June 2024.

2/ The laundering path for the incident can be described as:

1) Transfer $1.3M to theft address
2) Bridge $1.3M from Solana to Etheruem via deBridge
3) Deposit 50.2 ETH to Tornado
4) Transfer 16.5 ETH to two exchanges

Theft address
6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet

3/ Using multiple payment addresses for 21 devs I was able to map out a cluster with the most recent batch of payments for ~$375K over the last month.

0xb721adfc3d9fe01e9b3332183665a503447b1d35

In the past week you may have seen me tagging projects telling them to DM me.

1/ So I began tracing the $230M+ WazirX hack back from the original exploiter address and was able to make some interesting observations.

https://twitter.com/WazirXIndia/status/1813843289940058446

2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.

0x6eedf92fb92dd68a270c3205e96dccc527728066

A technical breakdown of the attack by Mudit can be found below

https://twitter.com/mudit__gupta/status/1813881385800913327

3/ With the 6 X 0.1 ETH withdrawals from Tornado Cash on July 10th I was able to demix this and find 6 X 0.1 ETH matching deposits made the day before.

0xc6873ce725229099caf5ac6078f30f48ec6c7e2e

The demix is accurate as 0xc68 was also doing tests with 0x304 multisig on July 9th with SHIB.

For those who are confused and need additional context.

Earlier today Arkham announced a $150K bounty for the identity of the DJT creator

11:49 pm UTC I reply to Arkham saying I submitted for the bounty
11:57 pm UTC Martin Shkreli panic DM’s me
12:27 am UTC Martin Shkreli creates a spaces and announces he is the creator of DJT

One of the large DJT insiders verso.sol dumping $832K worth of DJT and then depositing USDC to CEX ~1 hr ago

Coincidentally also a large holder on Martin’s other project Shoggoth

5cPzLzLQjt2oc8X6rGannrh7HmVJNAMFJKq21DdZRuHP

https://twitter.com/zachxbt/status/1803231125734826382

Who else was potentially involved with DJT?

An account named CWR was the admin of the Telegram group for the DJT token.

CWR is also very active in Martin Shkrehli’s public Discord server with 1K+ messages.

CWR’s Discord username is ‘cameronrox’ and refers to his alleged real name Cameron Roxborough multiple times.

He boasts about going to school with Barron Trump in multiple messages in the main-chat channel.

Are they actually close friends or is he larping? That part remains unclear.

Last night CWR left both the Telegram group and Discord server. Luckily at the time of this post his messages remain in the Discord server.

Discord ID: 294231685665521664

1/ Here is an overview of one of the better executed scams I have seen in recent times so I figured I would share with the community as a cautionary tale.

A few weeks ago I received a DM from a follower who lost $245K after accidentally downloading malware onto their computer.

2/ It started as an account purporting to be Peter Lauten from a16z, messaging a team to inquire about a potential podcast partnership.

3/ The attacker noticed that the real Peter Lauten had changed his X (Twitter) username from ‘peter_lauten’
to ‘lauten’ at a point in time and then had claimed his old username.

1/ An investigation into how the @sol ($CAT) meme coin team is connected to the @GCRClassic hack from last night.

Minutes before the hack an address tied to them opened $2.3M ORDI & $1M ETHFI longs on Hyperliquid.

Let’s dive in.

2/ The @sol team sniped their own launch to control 63% of the supply selling $5M+ of $CAT before transferring the profits to multiple wallets.

https://twitter.com/lookonchain/status/1794231282454626615

3/ 6M54x received ~15K SOL ($2.5M) from the CAT sold and began depositing funds to Kucoin (4.8K SOL) and MEXC (4.8K SOL & 1.4M USDC) on May 25th.

6M54xEUamVAQVWPzThWnCtGZ7qznomtbHTqSaMEsUHPF