Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Jul 18, 2024 6 tweets 3 min read Read on X
Scrolly
1/ So I began tracing the $230M+ WazirX hack back from the original exploiter address and was able to make some interesting observations.
Image
2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.

0x6eedf92fb92dd68a270c3205e96dccc527728066

A technical breakdown of the attack by Mudit can be found below

Image
Image
3/ With the 6 X 0.1 ETH withdrawals from Tornado Cash on July 10th I was able to demix this and find 6 X 0.1 ETH matching deposits made the day before.

0xc6873ce725229099caf5ac6078f30f48ec6c7e2e

The demix is accurate as 0xc68 was also doing tests with 0x304 multisig on July 9th with SHIB.Image
4/ 0xc68 was funded with 1 ETH from Tornado cash on July 8th at 3:03 PM UTC
0xe3b4cf64e0fc25fafb10d226984b18addc038879ed77f730abbed4737db6a5fc

The matching 1 ETH deposit was made 9 hrs before
0x87c01ca1f56ef3663651b05cd8ebcf133281c5fdd0ef1016f83a16a862c4a235

Both 0xc687 & 0xc891 transferred to each other on July 9th breaking the privacy benefits Tornado provides.Image
5/ If I trace back from 0xc891 can see it was funded in two txns with 0.36 ETH and 0.66 ETH on July 8th from an exchange

0xc2fdc27f98cf02c2da2a180fa35824dc365c63795e7a7ce12ba88c1e06edd4f7
0xa62685d8a8b39920e957e0aaf56d527aec6d65bc9323d3d219e11f44e150e224

By performing a timing analysis we can see it was funded from Bitcoin

53795dd1629026c2f92a87d5cd2447736f1afc9cae71262f3af9e62a4ac83b92
ddfd189125ce88c622ec2453b2e9f2dbe5c5c0931f16e3389eac4976c757e5b9Image
6/ This is where my tracing ends as the BTC appears to come from an unknown service making it difficult to trace.

All I can say is the WazirX hack has the potential markings of a Lazarus Group attack (yet again)

Hopefully the WazirX team will be transparent with their findings.

I solved the Arkham bounty where I identified a KYC exchange deposit made by the WazirX hacker

Unfortunately this is probably not super helpful as KYC verified accounts can be easily purchased online for any exchange.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
May 5
1/ The $150M+ DSJ Exchange (DSJEX) / BG Wealth Sharing Ponzi scheme collapsed last week. From April 27 – May 3, illicit actors laundered $92M+ across chains to obscure the trail.

I helped lead an initiative with @Tether_to, @Binance Security Team, @OKX, & US law enforcement that has since frozen $41.5M+.Image
2/ DSJ / BG has been running since 2025, advertising 1.3% - 2.6% daily returns with referral commissions and rank-based bonuses.
DSJ = fake trading platform
BG = investment group

A fictitious CEO named Stephen Beard fronted the platform, while domains and hot wallets rotated regularly to evade law enforcement.

Recruitment and fake trading signals was pushed through a group on BonChat (Hong Kong messaging app).

h/t @dehek & BehindMLM for early coverage of the investment fraud.Image
Image
Image
Image
3/ Thirteen regulators across five continents issued fraud warnings publicly about DSJ & BG.

US law enforcement seized one of the BG domains on April 23, 2026. (Bgwealthsharing[.]com). Image
Image
Read 8 tweets
ZachXBT Profile picture
Apr 8
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.

I spent long hours going through all of it, none of which has ever been publicly released.

It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.

Enjoy the findings!Image
2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site

An internal payment remittance platform, essentially a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.Image
Image
3/ The site's default password was 123456, which remained unchanged for ten users.

The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.

Three companies which appeared are currently OFAC sanctioned: Sobaeksu, Saenal, & Songkwang.Image
Image
Image
Read 12 tweets
ZachXBT Profile picture
Apr 3
1/ Welcome to the Circle $USDC files.

$420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds. Image
2/ Circle operates USDC, a centralized stablecoin pegged 1:1 to USD, marketed as a regulated company with a robust compliance program.

Its token contract includes a freeze/blacklist function, and its terms of service explicitly state it reserves the right to restrict access for suspected illicit actors "in its sole discretion".

The company is incorporated in the US, currently headquartered in New York City, and subject to US federal / state financial regulations.Image
Image
3/ On April 1, 2026, Drift Protocol was exploited for $280M.

The exploiter used CCTP to bridge 232M+ USDC from Solana to Ethereum across 100+ transactions over six consecutive hours. 10+ additional DeFi protocols across the Solana ecosystem were indirectly impacted.

Despite the attacker laundering funds over six consecutive hours across Circle's own native bridge, no USDC was frozen.

The attacker has been linked to DPRK by Elliptic.

Theft address:
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES
Read 18 tweets
ZachXBT Profile picture
Mar 23
1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams.

Strategy:
>Purchase accounts with followers
>Doompost multiple times per day
>Repost content from alt accounts
>Promote fake giveaway or scam
>Change usernameImage
2/ Example: @wanglaurentceo

They started by purchasing an account with followers and use AI to create a fake Asian version of Mario Nawfal.

(User ID 1804235884826333184) Image
Image
Image
3/ Here’s related accounts reposting to boost the reach of posts about exaggerated or fake news.

This causes them to go viral each day with millions of views and thousands of likes / replies. Image
Image
Image
Read 7 tweets
ZachXBT Profile picture
Feb 26
1/ Meet @WheresBroox (Broox Bauer), one of the multiple @AxiomExchange employees allegedly abusing the lack of access controls for internal tools to lookup sensitive user details to insider trade by tracking private wallet activity since early 2025. Image
Image
Image
2/ Axiom is a crypto trading platform founded by Mist & Cal in 2024. After going through Y-Combinator's Winter 2025 batch, it quickly became one of the most profitable companies in the space, generating $390M+ in revenue to date.

I was retained to investigate allegations of misconduct at Axiom after receiving reports.Image
Image
3/ Broox is a current Axiom senior BD employee based in New York.

In the clip Broox states he can track any Axiom user via ref code, wallet, or UID and claims he can "find out anything to do with that person".

He also describe researching 10-20 wallets initially and slowly increasing over time "so it does not look that suspicious"

In a separate clip from the same recording, Broox sets ground rules for how to request lookups from him and then says he'll send the full list of wallets.

The full recording is a private call of the group members strategizing.
Read 10 tweets
ZachXBT Profile picture
Jan 25
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.Image
Image
Image
Update: The CMDSS company X account, website, & LinkedIn were all just deactivated Image
Image
Image
Update: John Daghita (Lick) began trolling again on Telegram shortly after my post Image
Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(