Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Dec 7, 2023 9 tweets 4 min read Read on X
Scrolly
1/ Throughout this year I have been monitoring someone who has withdrawn 11,200+ ETH ($25M) from Tornado Cash and spent the majority of it on Magic The Gathering (MTG) trading cards.

Here’s my analysis of where the funds went and what the potential source of funds could be.
2/ This person has withdrawn 110 X 100 ETH from Tornado to 11 addresses.

After they would:
1) Wrap the ETH
2) Transfer WETH to new address
3) Unwrap the WETH
4) Transfer USDC to MTG broker

(this is a strategy used to trick KYT at exchanges) Image
3/ After USDC was sent to a MTG US based broker that accepts crypto

How did I find the broker used?

1) Instagram username was same as on OpenSea

2) Directly contacted a few MTG sellers the broker interacted w/ on-chain

Broker address
0x80462101b56cb4125c645ff299d3e20c1d908c02
Image
Image
4/ After contacting MTG sellers were where things became interesting.

-buyer was spending millions on starter decks, alpha sets, sealed boxes

-buyer seemed to be overpaying by 5-10%

-buyer sent crypto up front and broker met up IRL with seller

-buyer was unknown to seller

-said the broker has limited crypto knowledge (likely does not know about Tornado)

*seller names will be kept private for their safety*
Image
5/ The funds also go to various deposit addresses at Kraken, Bitpay, and Coinbase.

0x34e158883efc81c5d92fde785fba48db738711ee
0x3a43ac6baf1fa6bdbc966dbdfe26cf545131898e
0x85cb90db50608a950858e023509d6a7fa289e212
0xbfe6def287c402114d39d0156e17fda79efff4d2
6/ Where do I think these funds could have originated from?

To start I began looking at the top Tornado depositors who were active throughout the past year using a Dune query created by @bax1337

-Anubis (12400 ETH)
-Cashio (11500 ETH)
-Uranium (11303 ETH)

Using timing and multi denomination reveal heuristics I arrived at the thesis that the funds potentially originated from the $50M Uranium Finance hack that occurred in April 2021.

Anubis had previously potentially been solved however and Casino did not deposit enough ETH earlier in the year to match the withdrawals of this person.

Image
Image
7/ Here’s some of my rationale behind it being the Uranium hacker:

Oct 4, 2022 the Uranium hacker deposited 5.01 ETH total to Aztec (privacy tool) at 22:03 UTC

0xd332be2c39de1f4ecd4ef6ce23ae826906a8a144ebbfefb9cf2a74c7d320f563

Just 2 hours later at 00:15 UTC on Oct 5 this person received 2.7 ETH from Aztec

0x2b8745157bd13cb7aa76444af67e7de0bf0b288bff50886b599942a17e0e298c
Image
8/ In March 2023 the Uranium hacker deposited 52 X 100 ETH to Tornado & this person received 52 X 100 ETH

March 6 & 14: Uranium Hacker deposits 52 X 100 ETH to Tornado

March 7 & 15: Our person withdrew huge volumes from Tornado

After they finished the Uranium hacker deposits more in May
Image
9/ While my analysis could be incorrect I find it very suspicious that this person:

-spends 8 figures on MTG
-is overpaying for MTG
-shields identity through broker who likely does not know what Tornado is
-receives $13.2M from Tornado post OFAC while in the US
-uses WETH method to obfuscate source

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
Feb 3
1/ Over the past few months I imagine you have seen many Coinbase users complain on X about their accounts suddenly being restricted.

This is the result of aggressive risk models and Coinbase’s failure to stop its users losing $300M+ per year to social engineering scams. Image
Image
2/ Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains.

Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 - Jan 2025.

Our number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered on-chain which does not account for Coinbase support tickets and police reports we do not have access to.Image
3/ Let’s walk through how these Coinbase social engineering scams work.

A victim reached out to me last month after losing ~$850K.

Graphing out this theft lead to a consolidation address with 25+ other victims tied to ‘coinbase-hold.eth’.

Theft address
0xc8234dda2bc3758eb90224d0025871001e8ee7b9
bc1q4ks5gus8uv88vk8yage4r89kv8uxlgwhemz545Image
Read 13 tweets
ZachXBT Profile picture
Nov 27, 2024
1/ An investigation into how the threat actor Serpent went from a pro Fortnite player to helping steal $3.5M via meme coin scams launched from 9+ account compromises on X & IG and gambling the proceeds away at online casinos. Image
Image
Image
2/ Serpent (SerpentAU) is a former pro Fortnite player from Australia who was released from the esports organization ‘Overtime’ after being caught allegedly cheating in June 2020.

He then co-founded the NFT project DAPE in March 2022 which later rug pulled. Image
Image
3/ In March 2024 Serpent launched another project called ERROR which rug pulled and got him banned from X.

Deployer address
0x8233873ee35547097ccb9098adbab955d7120ee8 Image
Image
Read 10 tweets
ZachXBT Profile picture
Nov 26, 2024
1/ Over the past few months I have been tracking a series of related compromises for McDonald’s, Usher, Kabosu Owner, Andy Ayrey, Wiz Khalifa, SPX 6900, etc on X & IG which has resulted in an estimated $3.5M+ stolen via launching Pump Fun meme coins. Image
2/ On Aug 21, 2024 the McDonald’s IG became compromised and a post was made promoting the bundled meme coin GRIMACE and the hacker began trolling after.

$690K+ from the pump and dump was consolidated to two wallets.

4RiNhTwBxYWgb4MSCtt9vXgVk2yuPhoQR3DR9pMVPU1W
2vjnmxwTYNJvTmFhtqxZkPiuCHkaKZK5rcxTLuoC2dPBImage
Image
Image
3/ On Sep 3, 2024 the McDonalds attacker transferred 101.5 SOL to two addresses which deployed and sniped SCHRADER after the Actor Dean Norris had his X account hacked.

4s9Uz9pTBXcEaEtcjs8eg98r2TVte3rq3JUm3rVTFMudfewGbNKmqNyYs9bSAMDUaTbTcuA1v39sWr7GRqkDJ6EM
1gxo1pjTqjbee7rHW4cGvuNffX1qP4F8fP17g6SSC5EYbQrnktDrKSFB1uh4ju7PxQjprWFin37WUsAe225b9c6Image
Image
Read 15 tweets
ZachXBT Profile picture
Nov 20, 2024
1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support. Image
Image
Image
2/ A US based victim sent me a DM on Oct 7, 2024 after receiving a call from a spoofed number impersonating Coinbase support where they were coerced in to using a phishing site.

Theft address
bc1qra7s4wl8z2el335k40sdnaka04c2sdwjx5hs6q
0x730082b1847e1cef889ea6dce57641c96c104f2d

Phishing site: https(:)//19960018-coinbase(.)comImage
3/ An initial tracing of the theft saw all of the stolen funds flow to eXch on Ethereum and Bitcoin where funds were converted to Litecoin and transferred to numerous services. Image
Read 9 tweets
ZachXBT Profile picture
Nov 3, 2024
1/ Time to share how SCALE, NTD, TPU, & OPSEC projects were all tied to the same person Zopp0 to farm naive traders using numerous influencers shown in leaked messages. Image
Image
2/ While paying others to be the face of OPSEC behind the scenes he was involved with key decisions as the owner in private Telegram chats.

Here is him talking about the lack of technical research.

I then confronted him over DM about this in March 2024 which he downplayed.

Then in a leaked private chat here is him chatting about me obtaining this screenshot.Image
Image
Image
Image
3/ Zopp0 and his friend SZB discuss how they messed up bundling for NTD/TPU and worry it will trace back to them.

No posts have been made from @NTensorDynamics @tensorspace_ai since April. Image
Image
Image
Image
Read 7 tweets
ZachXBT Profile picture
Oct 23, 2024
1/ Meet Yicong Wang (王逸聪), a Chinese OTC trader who has helped Lazarus Group convert tens of millions of stolen crypto to cash from various hacks via bank transfers since 2022. Image
Image
Image
2/ A follower reached out to me a few months ago after having their exchange account frozen after completing a P2P transaction with Yicong Wang an OTC who has used pseudonyms like Seawang, Greatdtrader, & BestRhea977 Image
3/ They then shared one of Yicong Wang’s Tron wallet addresses with me from a screenshot of their WeChat conversation.

THsSCBGazjjho7u2BQQsmrpbDv1Q237FL4 Image
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(