Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

ZachXBT

@zachxbt

Dec 7, 2023 • 9 tweets • 4 min read • Read on X

Scrolly

1/ Throughout this year I have been monitoring someone who has withdrawn 11,200+ ETH ($25M) from Tornado Cash and spent the majority of it on Magic The Gathering (MTG) trading cards.

Here’s my analysis of where the funds went and what the potential source of funds could be.

2/ This person has withdrawn 110 X 100 ETH from Tornado to 11 addresses.

After they would:
1) Wrap the ETH
2) Transfer WETH to new address
3) Unwrap the WETH
4) Transfer USDC to MTG broker

(this is a strategy used to trick KYT at exchanges)

3/ After USDC was sent to a MTG US based broker that accepts crypto

How did I find the broker used?

1) Instagram username was same as on OpenSea

2) Directly contacted a few MTG sellers the broker interacted w/ on-chain

Broker address
0x80462101b56cb4125c645ff299d3e20c1d908c02

4/ After contacting MTG sellers were where things became interesting.

-buyer was spending millions on starter decks, alpha sets, sealed boxes

-buyer seemed to be overpaying by 5-10%

-buyer sent crypto up front and broker met up IRL with seller

-buyer was unknown to seller

-said the broker has limited crypto knowledge (likely does not know about Tornado)

*seller names will be kept private for their safety*

5/ The funds also go to various deposit addresses at Kraken, Bitpay, and Coinbase.

0x34e158883efc81c5d92fde785fba48db738711ee
0x3a43ac6baf1fa6bdbc966dbdfe26cf545131898e
0x85cb90db50608a950858e023509d6a7fa289e212
0xbfe6def287c402114d39d0156e17fda79efff4d2

6/ Where do I think these funds could have originated from?

To start I began looking at the top Tornado depositors who were active throughout the past year using a Dune query created by @bax1337

-Anubis (12400 ETH)
-Cashio (11500 ETH)
-Uranium (11303 ETH)

Using timing and multi denomination reveal heuristics I arrived at the thesis that the funds potentially originated from the $50M Uranium Finance hack that occurred in April 2021.

Anubis had previously potentially been solved however and Casino did not deposit enough ETH earlier in the year to match the withdrawals of this person.

7/ Here’s some of my rationale behind it being the Uranium hacker:

Oct 4, 2022 the Uranium hacker deposited 5.01 ETH total to Aztec (privacy tool) at 22:03 UTC

0xd332be2c39de1f4ecd4ef6ce23ae826906a8a144ebbfefb9cf2a74c7d320f563

Just 2 hours later at 00:15 UTC on Oct 5 this person received 2.7 ETH from Aztec

0x2b8745157bd13cb7aa76444af67e7de0bf0b288bff50886b599942a17e0e298c

8/ In March 2023 the Uranium hacker deposited 52 X 100 ETH to Tornado & this person received 52 X 100 ETH

March 6 & 14: Uranium Hacker deposits 52 X 100 ETH to Tornado

March 7 & 15: Our person withdrew huge volumes from Tornado

After they finished the Uranium hacker deposits more in May

9/ While my analysis could be incorrect I find it very suspicious that this person:

-spends 8 figures on MTG
-is overpaying for MTG
-shields identity through broker who likely does not know what Tornado is
-receives $13.2M from Tornado post OFAC while in the US
-uses WETH method to obfuscate source

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @zachxbt

ZachXBT

@zachxbt

May 12

1/ Meet Dritan Kapllani Jr, a US based threat actor tied to $19M from social engineering thefts targeting crypto holders.

Dritan flexes luxury cars, watches, private jets, & clubs all over social media.

Recently he was recorded on a call showing off a wallet with stolen funds.

2/ Dritan was caught flexing $3.68M on his Exodus wallet during a band 4 band (B4B) on a Discord call on April 23, 2026, trying to prove he had more money than another threat actor.

Dritan's ETH address: 0x4487db847db2fc99372a985743a26f46e0b2bba6
Discord ID: 1485730459483902103

3/ I traced 0x4487 back to a 185 BTC ($13M) social engineering theft on March 14, 2026.

Theft address: bc1qc07ytw5eh32khhvhtlw63kc5yfypvezru6gnue

Dritan's Exodus wallet received $5.3M from this theft on March 15. By the B4B six weeks later, $1.6M had already been spent or laundered.

Read 8 tweets

ZachXBT

@zachxbt

May 5

1/ The $150M+ DSJ Exchange (DSJEX) / BG Wealth Sharing Ponzi scheme collapsed last week. From April 27 – May 3, illicit actors laundered $92M+ across chains to obscure the trail.

I helped lead an initiative with @Tether_to, @Binance Security Team, @OKX, & US law enforcement that has since frozen $41.5M+.

2/ DSJ / BG has been running since 2025, advertising 1.3% - 2.6% daily returns with referral commissions and rank-based bonuses.
DSJ = fake trading platform
BG = investment group

A fictitious CEO named Stephen Beard fronted the platform, while domains and hot wallets rotated regularly to evade law enforcement.

Recruitment and fake trading signals was pushed through a group on BonChat (Hong Kong messaging app).

h/t @dehek & BehindMLM for early coverage of the investment fraud.

3/ Thirteen regulators across five continents issued fraud warnings publicly about DSJ & BG.

US law enforcement seized one of the BG domains on April 23, 2026. (Bgwealthsharing[.]com).

Read 8 tweets

ZachXBT

@zachxbt

Apr 8

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.

I spent long hours going through all of it, none of which has ever been publicly released.

It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.

Enjoy the findings!

2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site

An internal payment remittance platform, essentially a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.

3/ The site's default password was 123456, which remained unchanged for ten users.

The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.

Three companies which appeared are currently OFAC sanctioned: Sobaeksu, Saenal, & Songkwang.

Read 12 tweets

ZachXBT

@zachxbt

Apr 3

1/ Welcome to the Circle $USDC files.

$420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds.

2/ Circle operates USDC, a centralized stablecoin pegged 1:1 to USD, marketed as a regulated company with a robust compliance program.

Its token contract includes a freeze/blacklist function, and its terms of service explicitly state it reserves the right to restrict access for suspected illicit actors "in its sole discretion".

The company is incorporated in the US, currently headquartered in New York City, and subject to US federal / state financial regulations.

https://x.com/zachxbt/status/2039566991858794981

3/ On April 1, 2026, Drift Protocol was exploited for $280M.

The exploiter used CCTP to bridge 232M+ USDC from Solana to Ethereum across 100+ transactions over six consecutive hours. 10+ additional DeFi protocols across the Solana ecosystem were indirectly impacted.

Despite the attacker laundering funds over six consecutive hours across Circle's own native bridge, no USDC was frozen.

The attacker has been linked to DPRK by Elliptic.

Theft address:
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES

https://x.com/zachxbt/status/2039566991858794981

Read 18 tweets

ZachXBT

@zachxbt

Mar 23

1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams.

Strategy:
>Purchase accounts with followers
>Doompost multiple times per day
>Repost content from alt accounts
>Promote fake giveaway or scam
>Change username

2/ Example: @wanglaurentceo

They started by purchasing an account with followers and use AI to create a fake Asian version of Mario Nawfal.

(User ID 1804235884826333184)

3/ Here’s related accounts reposting to boost the reach of posts about exaggerated or fake news.

This causes them to go viral each day with millions of views and thousands of likes / replies.

Read 7 tweets

ZachXBT

@zachxbt

Feb 26

1/ Meet @WheresBroox (Broox Bauer), one of the multiple @AxiomExchange employees allegedly abusing the lack of access controls for internal tools to lookup sensitive user details to insider trade by tracking private wallet activity since early 2025.

2/ Axiom is a crypto trading platform founded by Mist & Cal in 2024. After going through Y-Combinator's Winter 2025 batch, it quickly became one of the most profitable companies in the space, generating $390M+ in revenue to date.

I was retained to investigate allegations of misconduct at Axiom after receiving reports.

3/ Broox is a current Axiom senior BD employee based in New York.

In the clip Broox states he can track any Axiom user via ref code, wallet, or UID and claims he can "find out anything to do with that person".

He also describe researching 10-20 wallets initially and slowly increasing over time "so it does not look that suspicious"

In a separate clip from the same recording, Broox sets ground rules for how to request lookups from him and then says he'll send the full list of wallets.

The full recording is a private call of the group members strategizing.