Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Sep 19, 2024 17 tweets 9 min read Read on X
Scrolly
1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen. Image
Image
2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:

1) Calling as Google Support via spoofed number to compromise personal accounts
2) Calling after as Gemini support claiming account is hacked
3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet
4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.

Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3Image
Image
Image
3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.

Theft txn hash
4064 BTC - Aug 19 at 4:05 am UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090
4/ An initial tracing showed $243M split multiple ways between each party before funds quickly peeled off to 15+ exchanges immediately swapping back and forth between Bitcoin, Litecoin, Ethereum, and Monero. Image
5/ Wiz (Veer) received a large % cut from theft and slipped up during screenshare by leaking his full name during the theft.

Additional comfort was gained as throughout multiple recordings accomplices referred to him as Veer on audio and in chats.

$34.5M of his funds sit here
0x3c7a5f2795e73d2b94a9120a643f608cfc45c935Image
Image
6/ Wiz’s friend Light/Dark (Aakaash) helped launder the funds for him using eXch and Thorswap.

Similar to Wiz he also leaked his name during screen share.

Wiz TC Destination address confirmed in video
0xa212d7441fed6db9ab666ba34e8c440c565f4af8
7/ Greavys (Malone) lives a flashy lifestyle with the stolen funds having purchased 10+ cars and going out to clubs in LA and Miami with friends spending $250K-500K / night and giving out Birkin bags to girls.

During video clips and in chats multiple people refer to him as Malone and was flexing stolen funds on Discord.

Currently $3.5M tied to Greavys sits here
0x21d7d256be564191a43553e574c06a4d0e629767Image
Image
Image
8/ Greavys was located via OSINT in LA/Miami due to friends/girls posting his location on social media each night.

He also has an Instagram account where he posted photos of himself using his name earlier this year. Image
Image
9/ Box (Jeandiel/John) played a role by calling the victim as the Gemini exchange rep.

On Discord, Telegram, and other platform Box reuses the same pfp.

Currently $18M tied to Box sits here
0x98b0811e2cc7530380caf1a17440b18f71f51f4e

Danny Trauma (Danish) was active in the inner Telegram chat as Meech although it’s not immediately clear his exact role although it is known he has access to multiple bankruptcy dbs.

His ex-gf leaked all of his photos on social media however so his info has been public.Image
Image
10/ A cluster of eth addresses tied to both Box/Wiz received $41M+ from two exchanges over the past few weeks primarily flowing to luxury goods brokers to purchase cars, watches, jewelry, and designer clothes.

This is also backed up by what was said in chats about spending the funds.Image
Image
11/ While most of the funds were converted to XMR both Box and Wiz accidentally linked the laundered funds with the dirty funds on multiple instances.

a) Wiz during screenshare showed an address he sent funds to for designer clothes which had millions in exposure to the cluster above.

0xb98b8ac004cea6617adcf3e94106d0eec1792bd9

b) Box linked the dirty funds with the cleans funds by accidentally reusing a deposit address.

0x6d865235ebb2504d3478fc1dd839100d210144dfImage
Image
12/ With the assistance of @CFInvestigators @zeroshadow_io and the Binance Security Team more than $9M+ has been frozen and $500K+ has already been returned back after working closely with the victim to investigate the incident.
13/ As a result of the investigation Box and Greavys were arrested yesterday evening in Miami and LA.

I would expect law enforcement seized additional funds during the arrests due to large transfers around that period of time. Image
Image
14/ My post will be updated as the legal case progresses.

In the meantime mint a free collectible to commemorate the investigation of the stolen $243M below on Zora.

zora.co/collect/base:0…
Update: Box (Jeandiel) and Greavys (Malone) just had the indictment for the case unsealed

justice.gov/usao-dc/pr/ind…Image
Update: Wiz (Veer Chetal) was arrested by US Marshall’s and here is his mug shot. Image
Update: Today twelve people were charged for the $243M Genesis creditor theft.

Aakaash Anand was featured in the clip on 6/ laundering funds for Veer/Wiz. Image
Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
Jan 25
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.Image
Image
Image
Update: The CMDSS company X account, website, & LinkedIn were all just deactivated Image
Image
Image
Update: John Daghita (Lick) began trolling again on Telegram shortly after my post Image
Image
Read 4 tweets
ZachXBT Profile picture
Jan 23
1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025. Image
Image
Image
2/ Earlier today John got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.

In 'The Com' this is known as a band for band (b4b).

However the entire interaction was fully recorded.

Image
3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg
Read 13 tweets
ZachXBT Profile picture
Dec 29, 2025
1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. Image
Image
2/ On Dec 30, 2024 Haby posted a screenshot in a group chat showing off a 21K XRP ($44K) theft from a Coinbase user.

rN7ddvk4DrGHZUrBfNARJEEAbPkky9Mwcz Image
Image
3/ On Jan 3, 2025 Haby posted a screenshot from his Exodus wallet showing his Telegram & IG accounts.

I matched up the historical balances to the screenshot and found the XRP address linked to two other Coinbase user thefts for ~$500K total.

rfA8MiWkRb6xjveQGKfJpdr8h1Kb4c83Rb Image
Image
Read 12 tweets
ZachXBT Profile picture
Oct 19, 2025
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.

Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. Image
2/ Although the victim did not directly share the theft address after watching the video I found it by reviewing the date and amount.

r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc

The victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.
3/ The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025.

On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity. Image
Read 9 tweets
ZachXBT Profile picture
Oct 15, 2025
1/ An investigation into how I identified one of suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee and earned a whitehat bounty for my efforts. Image
Image
2/ 32 $TAO holders experienced unauthorized transfers in excess of $28M from May to July 2024 and the Bittensor network was temporarily halted on July 2, 2024.

A post-mortem published by the team revealed the thefts were the result of a supply chain attack after a malicious PyPi package was uploaded in late May 2024

Victims who downloaded the package and performed specific operations accidentally compromised private keys.Image
3/ I began tracing the stolen funds from two initial theft addresses, TAO was bridged to Ethereum via Bittensor native bridge, and then transferred to instant exchanges where the attackers swapped to XMR.

Victims:
$400K: 5ENiTXL63DRMKytjaDRBLnorwd6qURKcCVgsgpu8UQxgptQN
$13M: 5DnXm2tBGAD57ySJv5SfpTfLcsQbSKKp6xZKFWABw3cYUgqgImage
Read 12 tweets
ZachXBT Profile picture
Aug 13, 2025
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. Image
Image
2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained.

Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English. Image
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.

“I can't understand job requirement, and don't know what I need to do”

“Solution / fix: Put enough efforts in heart” Image
Image
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(