ZachXBT Profile picture
Aug 24 22 tweets 15 min read
1/ Cameron Redman is the alleged person responsible for the hacked NFT Twitter accounts over the past few months

Does the name ring any bells? Well it should bc in February 2020 he SIM swapped a single person for $37 million worth of Bitcoin & Bitcoin Cash

Time for a thread ImageImageImage
2/ On February 22, 2020 Josh Jones was sim swapped for ~60k BCH & 1547 BTC

BCH victim address
qzumak2rvxksjgkjuxe2fe5jxatktlsnhy5sthr5p7

BTC victim address 1
bc1qd0hveqwqu9h3x8flfq560hlyk9mptf3j2p89gg

BTC victim address 2
bc1qrwhh74sv88gzq6qgpz5u55u00w2lqprw30ke94 ImageImage
3/ Immediately following the attack the Redman laundered the 60k BCH with hundreds of transactions in small amounts to centralized exchanges (CEX).

This chart visualizes the movement of the 60k BCH with the majority ending up at two exchanges. Image
4/ With the 1547 BTC stolen, a small portion was sent to CEXs but the majority was deposited into both Chip Mixer and Crypto Mixer. Image
5/ On Nov 17 2021 Hamilton Police (Ontario, CA) formally charged Redman for the attack after working with FBI & US Secret Service

They seized $5.4m worth of crypto. The rest of the $31.5m still remains missing to this day

(he was underage at the time)
hamiltonpolice.on.ca/news/arrest-ma…
6/ Since May 2022 we’ve seen popular NFT Twitter accounts hacked such as @beeple @jenkinsthevalet @nounsdao @deekaymotion @Zeneca_33 @frankdegods @KeyboardMonkey3 @franklinisbored & more

The majority of these accounts all had 2FA on leaving people confused how this might happen. ImageImageImage
7/ The hacked Twitter accounts lead to millions of dollars worth of crypto stolen in total.

This table shows a rough estimate for the amount of crypto stolen with each account in the Tweet above. Image
8/ This lead to a post on the forum marketplace SWAPD by the user “Antihero” advertising a Twitter panel.

The prices to use the panel varied from $30k to $300k paid in crypto. ImageImageImage
9/ On Twitter at July 29th 2022 antihero emerged with the name “Cam” on an account inactive for 14 yrs.

On Instagram he obtained the same username too. ImageImageImageImage
10/ On Instagram Redman posted a selfie of himself posing in front of mirror and also outside of a shopping center. ImageImage
11/ I zoom in and then look up the location of “Sunway Dental”

What do you know it happens to be in Missauga, ON very close to the Hamilton Police station in the city where Redman had been previously arrested in Nov 2021. ImageImageImage
12/ If you’re still not convinced here’s more messages of him referencing Canada.

Prior to being charged for the SIM swap Redman had been also known by the aliases “Cream” “4k” “lucky” and for leaking unreleased Juice WRLD songs. ImageImageImage
13/ Here’s two more posts Cam/Antihero made on SWAPD. Another person refers to the seller for the panel as Cam.

Archive:
archive.ph/ABvZy ImageImageImageImage
14/ Remember in Tweet 9 Redman began to eventually resell access to the panel.

On June 26 2022 Cam received a 230 ETH + 20 ETH payment for lifetime access to the Twitter panel.

0x0214ee97e9d828e1e6aa49a85b89982a7dceacc7 ImageImage
15/ Just a few hours after the payment @nounsdao Twitter was hacked.

The scammers address had direct exposure to the JRNY club Twitter hacker, Nansen discord attack, and other Discord attacks.

Source:
chainabuse.com/search/address… ImageImage
16/ Who bought the Twitter panel access from Redman? Well it was the scammers known as HZ/Chase and Popbob. Here’s HZ flexing panel access to @Serpent (a security researcher) ImageImageImage
17/ HZ + Popbob flexing Franklin and Deekay being hacked. ImageImageImageImage
18/ It’s still unclear as to how Redman gained access to the panel to make elevated requests & reset passwords. As of now it appears the method stopped working

It’s wild someone can SIM swap a person for $37m, only return $5.4m, & go back to their old ways w/o serious jail time
19/ Thanks for making it this far. Feel free to share this thread with others.
Update: seems they’re upset with this thread ImageImage
If you appreciate my research/work please consider donating to my ENS or Gitcoin.

ZachXBT.ETH

0x9D727911B54C455B0071A7B682FcF4Bc444B5596

bc1qrshu8d42ffq3jtrmzmujmmlh6swpw22a0qqt07l5u60n5efgazhqm5e4nk

gitcoin.co/grants/5039/za…
Update: Cam deleted his SWAPD account and went private with the username on a fresh Instagram account. ImageImage

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

Nov 29
1/ Myself and @bax1337 spent this past weekend looking into the FTX attacker’s deposits to ChipMixer.

It appears they’ve likely been transferring a portion of the stolen FTX funds to OKX after withdrawing from CM

So far we’ve accounted for at least $4.1m (255 BTC) sent to OKX Image
2/ Here is an example of one of the deposit addresses that received funds from ChipMixer on 11/23.

3QKZuAmHMmx4YikFinUbxDYgvXTCATumcE

Each of the addresses follow a similar pattern:

-withdrawal from CM
-50% peels off
-50% deposited to OKX Image
3/ For those unfamiliar with CM here’s what it looks like when using the mixer. ImageImage
Read 4 tweets
Nov 20
1/ I have seen a ton of misinformation being spread on Twitter and in the news about the FTX event so let me debunk the three most common things I’ve seen

“Bahamian officials are behind the FTX hack”
“Exchanges know who the hacker is”
“FTX hacker is trading meme coins” ImageImageImage
2/ The first clue that 0x59 was a blackhat and neither Bahamian officials or FTX team was when 0x59 began selling tokens for ETH, DAI, and BNB and using a variety of bridges so crypto couldn’t be frozen on 11/12.

Also look at the slippage on some of these swaps ImageImage
3/ The fact 0x59 was dumping tokens and bridging sporadically was very different behavior from the other addresses who withdrew from FTX and instead sent to a multisig on chains like Eth or Tron.
Read 11 tweets
Nov 12
Seems to me there’s two separate groups involved with the FTX/FTX US funds fiasco

BlackHat

0x59ABf3837Fa962d6853b4Cc0a19513AA031fd32b
6sEk1enayZBGFyNvvJMTP7qs5S3uC7KLrQWaEk38hSHH

>first to withdraw
>bridging assets
>swapping altcoins for ETH/DAI/BNB
>took losses from slippage
Whitehat

0xd8019a114e86ad41d71a3eeb6620b19dd166a969
0x97f991971a37D4Ca58064e6a98FC563F03A71E5c
6b4aypBhH337qSzzkbeoHWzTLt4DjG2aG8GkrrTQJfQA
TYoZM8LALfUqm4EXzB7oKmwqusWtXTBhY6
325gSHHe7UGvzEc9kGx43VqPboXUVwa26i

>funds withdrawn later on
>funded via CEX
>funds sent to multisig
Read 7 tweets
Nov 12
Multiple former FTX employees confirmed to me they do not recognize these transfers for ~$383m
Wallets:

Eth:

0x59abf3837fa962d6853b4cc0a19513aa031fd32b

Solana:

6sEk1enayZBGFyNvvJMTP7qs5S3uC7KLrQWaEk38hSHH
Another $89m on BSC

0x59ABf3837Fa962d6853b4Cc0a19513AA031fd32b
Read 12 tweets
Nov 2
1/ A short thread sharing a recent success of mine where I helped @Snarls4651 recover $51k after being phished for 20 NFTs including BAYC, BAKC, Veefriends, XCopy, and more back in September. Image
2/ On September 21st I received an notification about a suspicious sale for BAYC 4651.

I noticed the victim had all their valuable NFTs transferred from their wallet where the scammer began to sell them for ~110 ETH. ImageImage
3/ I monitored the stolen funds & saw they were soon transferred to an exchange. I was then able to reach out directly to the team and share a report of the incident i had created resulting in $51k frozen

Sadly 50% of the stolen funds from the attack had already been moved prior Image
Read 5 tweets
Oct 25
1/ Over the past 24 hrs ~700 ETH ($1m) has been stolen by the phishing scammer known as Monkey Drainer.

They recently surpassed 7300 transactions from their drainer wallet after being around for only a few months. ImageImage
2/ The two largest victims over the past day include 0x02a & 0x626 who collectively lost $370k from signing transactions on malicious phishing sites operated by monkey drainer such as the ones below. ImageImage
3/ Victim 0x02a lost 1 BAYC, 1 CloneX, 36.k USDC, & 12 other NFTs worth in total around $150k.

Here’s a screenshot obtained from inside the scammers group chat and the transaction as well.

Chainabuse report (am advisor):
chainabuse.com/report/87260e3… ImageImageImage
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(