ZachXBT Profile picture
Aug 24, 2022 22 tweets 15 min read Read on X
1/ Cameron Redman is the alleged person responsible for the hacked NFT Twitter accounts over the past few months

Does the name ring any bells? Well it should bc in February 2020 he SIM swapped a single person for $37 million worth of Bitcoin & Bitcoin Cash

Time for a thread ImageImageImage
2/ On February 22, 2020 Josh Jones was sim swapped for ~60k BCH & 1547 BTC

BCH victim address
qzumak2rvxksjgkjuxe2fe5jxatktlsnhy5sthr5p7

BTC victim address 1
bc1qd0hveqwqu9h3x8flfq560hlyk9mptf3j2p89gg

BTC victim address 2
bc1qrwhh74sv88gzq6qgpz5u55u00w2lqprw30ke94 ImageImage
3/ Immediately following the attack the Redman laundered the 60k BCH with hundreds of transactions in small amounts to centralized exchanges (CEX).

This chart visualizes the movement of the 60k BCH with the majority ending up at two exchanges. Image
4/ With the 1547 BTC stolen, a small portion was sent to CEXs but the majority was deposited into both Chip Mixer and Crypto Mixer. Image
5/ On Nov 17 2021 Hamilton Police (Ontario, CA) formally charged Redman for the attack after working with FBI & US Secret Service

They seized $5.4m worth of crypto. The rest of the $31.5m still remains missing to this day

(he was underage at the time)
hamiltonpolice.on.ca/news/arrest-ma…
6/ Since May 2022 we’ve seen popular NFT Twitter accounts hacked such as @beeple @jenkinsthevalet @nounsdao @deekaymotion @Zeneca_33 @frankdegods @KeyboardMonkey3 @franklinisbored & more

The majority of these accounts all had 2FA on leaving people confused how this might happen. ImageImageImage
7/ The hacked Twitter accounts lead to millions of dollars worth of crypto stolen in total.

This table shows a rough estimate for the amount of crypto stolen with each account in the Tweet above. Image
8/ This lead to a post on the forum marketplace SWAPD by the user “Antihero” advertising a Twitter panel.

The prices to use the panel varied from $30k to $300k paid in crypto. ImageImageImage
9/ On Twitter at July 29th 2022 antihero emerged with the name “Cam” on an account inactive for 14 yrs.

On Instagram he obtained the same username too. ImageImageImageImage
10/ On Instagram Redman posted a selfie of himself posing in front of mirror and also outside of a shopping center. ImageImage
11/ I zoom in and then look up the location of “Sunway Dental”

What do you know it happens to be in Missauga, ON very close to the Hamilton Police station in the city where Redman had been previously arrested in Nov 2021. ImageImageImage
12/ If you’re still not convinced here’s more messages of him referencing Canada.

Prior to being charged for the SIM swap Redman had been also known by the aliases “Cream” “4k” “lucky” and for leaking unreleased Juice WRLD songs. ImageImageImage
13/ Here’s two more posts Cam/Antihero made on SWAPD. Another person refers to the seller for the panel as Cam.

Archive:
archive.ph/ABvZy ImageImageImageImage
14/ Remember in Tweet 9 Redman began to eventually resell access to the panel.

On June 26 2022 Cam received a 230 ETH + 20 ETH payment for lifetime access to the Twitter panel.

0x0214ee97e9d828e1e6aa49a85b89982a7dceacc7 ImageImage
15/ Just a few hours after the payment @nounsdao Twitter was hacked.

The scammers address had direct exposure to the JRNY club Twitter hacker, Nansen discord attack, and other Discord attacks.

Source:
chainabuse.com/search/address… ImageImage
16/ Who bought the Twitter panel access from Redman? Well it was the scammers known as HZ/Chase and Popbob. Here’s HZ flexing panel access to @Serpent (a security researcher) ImageImageImage
17/ HZ + Popbob flexing Franklin and Deekay being hacked. ImageImageImageImage
18/ It’s still unclear as to how Redman gained access to the panel to make elevated requests & reset passwords. As of now it appears the method stopped working

It’s wild someone can SIM swap a person for $37m, only return $5.4m, & go back to their old ways w/o serious jail time
19/ Thanks for making it this far. Feel free to share this thread with others.
Update: seems they’re upset with this thread ImageImage
If you appreciate my research/work please consider donating to my ENS or Gitcoin.

ZachXBT.ETH

0x9D727911B54C455B0071A7B682FcF4Bc444B5596

bc1qrshu8d42ffq3jtrmzmujmmlh6swpw22a0qqt07l5u60n5efgazhqm5e4nk

gitcoin.co/grants/5039/za…
Update: Cam deleted his SWAPD account and went private with the username on a fresh Instagram account. ImageImage

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

Jul 2
1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies.

To put this in perspective payments range from $3K-8K per month meaning they have infiltrated 345 jobs on the low end or 920 jobs on the high end.Image
Image
2/ Here’s a look into one of the six clusters I have been monitoring and was able to attribute 8 different DPRK ITWs that obtained roles at 12+ projects.

I traced out the payment addresses from the table to two consolidation addresses.

0x58225fed0714e5b9b235642eba7dae3714090a2d
0xa7f9555c34626eb81b64774356a40ca1a6a794caImage
3/ Sandy Nguyen (@bullishgopher) a DPRK ITW from this cluster was spotted via OSINT next to the North Korea flag at an event in Russia.

A small group of people still believe North Korean devs are just a conspiracy despite all of the IOCs, research, etc widely available. Image
Image
Image
Read 10 tweets
Jun 27
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen

My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers. Image
Image
2/ On Jun 18, 2025 at 4:25 am UTC ownership for ‘Replicandy’ from Matt Furie & ChainSaw was transferred to a new EOA 0x9Fca.

Jun 18, 2025
6:20 pm UTC: 0x9Fca withdrew mint proceeds from the contract
Jun 19, 2025
5:11 am UTC: 0x9Fca unpauses the mint

The attacker then minted NFTs and sold into bids causing the floor price to fall to zero.Image
Image
Image
3/ On Jun 23, 2025 the attacker transferred ownership from the ChainSaw deployer to 0x9Fca for Peplicator, Hedz, Zogz.

Similarly the attacker minted NFTs and sold them into bids causing the floor price to fall to zero.

0x9Fca3AC75cd66f3c62bea8231886513b9fe191BD Image
Read 12 tweets
Jun 23
1/ An investigation into how the New York based social engineering scammer Daytwo/PawsOnHips (Christian Nieves) stole $4M+ from Coinbase users by impersonating customer support, bought luxury goods, and lost most of the funds gambling at casinos. Image
Image
Image
2/ Daytwo operates a small call centre group and also works as a caller.

His group primarily coerced targets into setting up Coinbase wallet with a compromised seed on phishing sites.

Below is a video of his panel used and a sample of his voice when calling.
3/ In Nov 2024 $240K was stolen from an elderly victim with Daytwo’s worker Paranoia (Justin).

A private recording of the theft exists and was obtained (see part 1 below)

Theft address
bc1q35tw4f5qrfxrjy2v8g8d3majtujv28audm6yvp
AJU5yh4kDahLak4uq5n4ehJDVs2w2Lbhw9UHoseaBwV7
Read 11 tweets
May 9
1/ In late 2023 a former Yuga Labs security researcher was stopped at the airport after law enforcement mistakenly linked them to a $1.1M phishing theft from a Bored Ape owner.

Here’s an investigation into where the stolen funds went and who’s actually responsible. Image
Image
Image
2/ In Dec 2022, a victim had 14 X BAYC NFTs phished in a social engineering scheme where purchased X accounts were used to convince the victim they wanted to license the IP rights for a film.

The scammer directed the victim to a phishing site where they had them sign a message draining their assets.

Theft address
0x9335da37d37bc5d46850eaee48f8b9ccbe94d9a2Image
Image
Image
3/ In Sep 2023, Sam Curry a well known whitehat and former Yuga Labs security engineer was detained at the airport by law enforcement for questioning and was served with a grand jury subpoena (later dropped).

In reality as part of his security work at Yuga, he had been investigating the theft and used a private key put in the JavaScript of the website by the threat actor.

LE then had mistakenly reviewed logs from OpenSea which included his home IP address and used this to incorrectly link him as the suspect.Image
Image
Read 10 tweets
Mar 20
1/ An investigation into the alleged identity of the mysterious Hyperliquid whale tied to illicit activity that profited ~$20M via highly leveraged positions over the past couple weeks. Image
Image
Image
2/ A trader opened multiple highly leveraged positions on Hyperliquid and GMX from Jan - Mar 2025.

They gained lots of attention this month after two onchain trades:

-Large ETH & BTC long position on 50X leverage just before Trump’s crypto reserve announcement by 0xe4d3 ($10M profit)

-Large BTC short position on 40X leverage by 0xf3F4 ($9M profit)Image
Image
Image
3/ I went and identified the main counterparties of 0xf3f:

0x7ab8c59db7b959bb8c3481d5b9836dfbc939af21
0x312f8282f68e17e33b8edde9b52909a77c75d950
0xab3067c58811ade7aa17b58808db3b4c2e86f603
0xe4d31c2541a9ce596419879b1a46ffc7cd202c62

This cluster is to tied to Roobet, Binance, Gamdom, ChangeNOW, Shuffle, Alphapo, BC Game, & Metawin accounts.Image
Read 11 tweets
Feb 3
1/ Over the past few months I imagine you have seen many Coinbase users complain on X about their accounts suddenly being restricted.

This is the result of aggressive risk models and Coinbase’s failure to stop its users losing $300M+ per year to social engineering scams. Image
Image
2/ Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains.

Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 - Jan 2025.

Our number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered on-chain which does not account for Coinbase support tickets and police reports we do not have access to.Image
3/ Let’s walk through how these Coinbase social engineering scams work.

A victim reached out to me last month after losing ~$850K.

Graphing out this theft lead to a consolidation address with 25+ other victims tied to ‘coinbase-hold.eth’.

Theft address
0xc8234dda2bc3758eb90224d0025871001e8ee7b9
bc1q4ks5gus8uv88vk8yage4r89kv8uxlgwhemz545Image
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(