1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.
2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:
1) Calling as Google Support via spoofed number to compromise personal accounts 2) Calling after as Gemini support claiming account is hacked 3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet 4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.
Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3
3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.
Theft txn hash
4064 BTC - Aug 19 at 4:05 am UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090
4/ An initial tracing showed $243M split multiple ways between each party before funds quickly peeled off to 15+ exchanges immediately swapping back and forth between Bitcoin, Litecoin, Ethereum, and Monero.
5/ Wiz (Veer) received a large % cut from theft and slipped up during screenshare by leaking his full name during the theft.
Additional comfort was gained as throughout multiple recordings accomplices referred to him as Veer on audio and in chats.
$34.5M of his funds sit here
0x3c7a5f2795e73d2b94a9120a643f608cfc45c935
6/ Wiz’s friend Light/Dark (Aakaash) helped launder the funds for him using eXch and Thorswap.
Similar to Wiz he also leaked his name during screen share.
Wiz TC Destination address confirmed in video
0xa212d7441fed6db9ab666ba34e8c440c565f4af8
7/ Greavys (Malone) lives a flashy lifestyle with the stolen funds having purchased 10+ cars and going out to clubs in LA and Miami with friends spending $250K-500K / night and giving out Birkin bags to girls.
During video clips and in chats multiple people refer to him as Malone and was flexing stolen funds on Discord.
Currently $3.5M tied to Greavys sits here
0x21d7d256be564191a43553e574c06a4d0e629767
8/ Greavys was located via OSINT in LA/Miami due to friends/girls posting his location on social media each night.
He also has an Instagram account where he posted photos of himself using his name earlier this year.
9/ Box (Jeandiel/John) played a role by calling the victim as the Gemini exchange rep.
On Discord, Telegram, and other platform Box reuses the same pfp.
Currently $18M tied to Box sits here
0x98b0811e2cc7530380caf1a17440b18f71f51f4e
Danny Trauma (Danish) was active in the inner Telegram chat as Meech although it’s not immediately clear his exact role although it is known he has access to multiple bankruptcy dbs.
His ex-gf leaked all of his photos on social media however so his info has been public.
10/ A cluster of eth addresses tied to both Box/Wiz received $41M+ from two exchanges over the past few weeks primarily flowing to luxury goods brokers to purchase cars, watches, jewelry, and designer clothes.
This is also backed up by what was said in chats about spending the funds.
11/ While most of the funds were converted to XMR both Box and Wiz accidentally linked the laundered funds with the dirty funds on multiple instances.
a) Wiz during screenshare showed an address he sent funds to for designer clothes which had millions in exposure to the cluster above.
0xb98b8ac004cea6617adcf3e94106d0eec1792bd9
b) Box linked the dirty funds with the cleans funds by accidentally reusing a deposit address.
0x6d865235ebb2504d3478fc1dd839100d210144df
12/ With the assistance of @CFInvestigators @zeroshadow_io and the Binance Security Team more than $9M+ has been frozen and $500K+ has already been returned back after working closely with the victim to investigate the incident.
13/ As a result of the investigation Box and Greavys were arrested yesterday evening in Miami and LA.
I would expect law enforcement seized additional funds during the arrests due to large transfers around that period of time.
14/ My post will be updated as the legal case progresses.
In the meantime mint a free collectible to commemorate the investigation of the stolen $243M below on Zora.
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.
Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.
I then uncovered 25+ crypto projects with related devs that have been active since June 2024.
2/ The laundering path for the incident can be described as:
1) Transfer $1.3M to theft address 2) Bridge $1.3M from Solana to Etheruem via deBridge 3) Deposit 50.2 ETH to Tornado 4) Transfer 16.5 ETH to two exchanges
2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.
0x6eedf92fb92dd68a270c3205e96dccc527728066
A technical breakdown of the attack by Mudit can be found below
3/ With the 6 X 0.1 ETH withdrawals from Tornado Cash on July 10th I was able to demix this and find 6 X 0.1 ETH matching deposits made the day before.
0xc6873ce725229099caf5ac6078f30f48ec6c7e2e
The demix is accurate as 0xc68 was also doing tests with 0x304 multisig on July 9th with SHIB.
For those who are confused and need additional context.
Earlier today Arkham announced a $150K bounty for the identity of the DJT creator
11:49 pm UTC I reply to Arkham saying I submitted for the bounty
11:57 pm UTC Martin Shkreli panic DM’s me
12:27 am UTC Martin Shkreli creates a spaces and announces he is the creator of DJT
One of the large DJT insiders verso.sol dumping $832K worth of DJT and then depositing USDC to CEX ~1 hr ago
Coincidentally also a large holder on Martin’s other project Shoggoth
1/ Here is an overview of one of the better executed scams I have seen in recent times so I figured I would share with the community as a cautionary tale.
A few weeks ago I received a DM from a follower who lost $245K after accidentally downloading malware onto their computer.
2/ It started as an account purporting to be Peter Lauten from a16z, messaging a team to inquire about a potential podcast partnership.
3/ The attacker noticed that the real Peter Lauten had changed his X (Twitter) username from ‘peter_lauten’
to ‘lauten’ at a point in time and then had claimed his old username.