Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Aug 24, 2022 22 tweets 15 min read Read on X
Scrolly
1/ Cameron Redman is the alleged person responsible for the hacked NFT Twitter accounts over the past few months

Does the name ring any bells? Well it should bc in February 2020 he SIM swapped a single person for $37 million worth of Bitcoin & Bitcoin Cash

Time for a thread ImageImageImage
2/ On February 22, 2020 Josh Jones was sim swapped for ~60k BCH & 1547 BTC

BCH victim address
qzumak2rvxksjgkjuxe2fe5jxatktlsnhy5sthr5p7

BTC victim address 1
bc1qd0hveqwqu9h3x8flfq560hlyk9mptf3j2p89gg

BTC victim address 2
bc1qrwhh74sv88gzq6qgpz5u55u00w2lqprw30ke94 ImageImage
3/ Immediately following the attack the Redman laundered the 60k BCH with hundreds of transactions in small amounts to centralized exchanges (CEX).

This chart visualizes the movement of the 60k BCH with the majority ending up at two exchanges. Image
4/ With the 1547 BTC stolen, a small portion was sent to CEXs but the majority was deposited into both Chip Mixer and Crypto Mixer. Image
5/ On Nov 17 2021 Hamilton Police (Ontario, CA) formally charged Redman for the attack after working with FBI & US Secret Service

They seized $5.4m worth of crypto. The rest of the $31.5m still remains missing to this day

(he was underage at the time)
hamiltonpolice.on.ca/news/arrest-ma…
6/ Since May 2022 we’ve seen popular NFT Twitter accounts hacked such as @beeple @jenkinsthevalet @nounsdao @deekaymotion @Zeneca_33 @frankdegods @KeyboardMonkey3 @franklinisbored & more

The majority of these accounts all had 2FA on leaving people confused how this might happen. ImageImageImage
7/ The hacked Twitter accounts lead to millions of dollars worth of crypto stolen in total.

This table shows a rough estimate for the amount of crypto stolen with each account in the Tweet above. Image
8/ This lead to a post on the forum marketplace SWAPD by the user “Antihero” advertising a Twitter panel.

The prices to use the panel varied from $30k to $300k paid in crypto. ImageImageImage
9/ On Twitter at July 29th 2022 antihero emerged with the name “Cam” on an account inactive for 14 yrs.

On Instagram he obtained the same username too. ImageImageImageImage
10/ On Instagram Redman posted a selfie of himself posing in front of mirror and also outside of a shopping center. ImageImage
11/ I zoom in and then look up the location of “Sunway Dental”

What do you know it happens to be in Missauga, ON very close to the Hamilton Police station in the city where Redman had been previously arrested in Nov 2021. ImageImageImage
12/ If you’re still not convinced here’s more messages of him referencing Canada.

Prior to being charged for the SIM swap Redman had been also known by the aliases “Cream” “4k” “lucky” and for leaking unreleased Juice WRLD songs. ImageImageImage
13/ Here’s two more posts Cam/Antihero made on SWAPD. Another person refers to the seller for the panel as Cam.

Archive:
archive.ph/ABvZy ImageImageImageImage
14/ Remember in Tweet 9 Redman began to eventually resell access to the panel.

On June 26 2022 Cam received a 230 ETH + 20 ETH payment for lifetime access to the Twitter panel.

0x0214ee97e9d828e1e6aa49a85b89982a7dceacc7 ImageImage
15/ Just a few hours after the payment @nounsdao Twitter was hacked.

The scammers address had direct exposure to the JRNY club Twitter hacker, Nansen discord attack, and other Discord attacks.

Source:
chainabuse.com/search/address… ImageImage
16/ Who bought the Twitter panel access from Redman? Well it was the scammers known as HZ/Chase and Popbob. Here’s HZ flexing panel access to @Serpent (a security researcher) ImageImageImage
17/ HZ + Popbob flexing Franklin and Deekay being hacked. ImageImageImageImage
18/ It’s still unclear as to how Redman gained access to the panel to make elevated requests & reset passwords. As of now it appears the method stopped working

It’s wild someone can SIM swap a person for $37m, only return $5.4m, & go back to their old ways w/o serious jail time
19/ Thanks for making it this far. Feel free to share this thread with others.
Update: seems they’re upset with this thread ImageImage
If you appreciate my research/work please consider donating to my ENS or Gitcoin.

ZachXBT.ETH

0x9D727911B54C455B0071A7B682FcF4Bc444B5596

bc1qrshu8d42ffq3jtrmzmujmmlh6swpw22a0qqt07l5u60n5efgazhqm5e4nk

gitcoin.co/grants/5039/za…
Update: Cam deleted his SWAPD account and went private with the username on a fresh Instagram account. ImageImage

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
Jan 25
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.Image
Image
Image
Update: The CMDSS company X account, website, & LinkedIn were all just deactivated Image
Image
Image
Update: John Daghita (Lick) began trolling again on Telegram shortly after my post Image
Image
Read 4 tweets
ZachXBT Profile picture
Jan 23
1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025. Image
Image
Image
2/ Earlier today John got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.

In 'The Com' this is known as a band for band (b4b).

However the entire interaction was fully recorded.

Image
3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg
Read 13 tweets
ZachXBT Profile picture
Dec 29, 2025
1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. Image
Image
2/ On Dec 30, 2024 Haby posted a screenshot in a group chat showing off a 21K XRP ($44K) theft from a Coinbase user.

rN7ddvk4DrGHZUrBfNARJEEAbPkky9Mwcz Image
Image
3/ On Jan 3, 2025 Haby posted a screenshot from his Exodus wallet showing his Telegram & IG accounts.

I matched up the historical balances to the screenshot and found the XRP address linked to two other Coinbase user thefts for ~$500K total.

rfA8MiWkRb6xjveQGKfJpdr8h1Kb4c83Rb Image
Image
Read 12 tweets
ZachXBT Profile picture
Oct 19, 2025
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.

Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. Image
2/ Although the victim did not directly share the theft address after watching the video I found it by reviewing the date and amount.

r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc

The victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.
3/ The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025.

On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity. Image
Read 9 tweets
ZachXBT Profile picture
Oct 15, 2025
1/ An investigation into how I identified one of suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee and earned a whitehat bounty for my efforts. Image
Image
2/ 32 $TAO holders experienced unauthorized transfers in excess of $28M from May to July 2024 and the Bittensor network was temporarily halted on July 2, 2024.

A post-mortem published by the team revealed the thefts were the result of a supply chain attack after a malicious PyPi package was uploaded in late May 2024

Victims who downloaded the package and performed specific operations accidentally compromised private keys.Image
3/ I began tracing the stolen funds from two initial theft addresses, TAO was bridged to Ethereum via Bittensor native bridge, and then transferred to instant exchanges where the attackers swapped to XMR.

Victims:
$400K: 5ENiTXL63DRMKytjaDRBLnorwd6qURKcCVgsgpu8UQxgptQN
$13M: 5DnXm2tBGAD57ySJv5SfpTfLcsQbSKKp6xZKFWABw3cYUgqgImage
Read 12 tweets
ZachXBT Profile picture
Aug 13, 2025
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. Image
Image
2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained.

Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English. Image
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.

“I can't understand job requirement, and don't know what I need to do”

“Solution / fix: Put enough efforts in heart” Image
Image
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(