Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

ZachXBT

@zachxbt

Sep 19, 2024 • 17 tweets • 9 min read • Read on X

Scrolly

1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.

2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:

1) Calling as Google Support via spoofed number to compromise personal accounts
2) Calling after as Gemini support claiming account is hacked
3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet
4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.

Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3

3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.

Theft txn hash
4064 BTC - Aug 19 at 4:05 am UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090

4/ An initial tracing showed $243M split multiple ways between each party before funds quickly peeled off to 15+ exchanges immediately swapping back and forth between Bitcoin, Litecoin, Ethereum, and Monero.

5/ Wiz (Veer) received a large % cut from theft and slipped up during screenshare by leaking his full name during the theft.

Additional comfort was gained as throughout multiple recordings accomplices referred to him as Veer on audio and in chats.

$34.5M of his funds sit here
0x3c7a5f2795e73d2b94a9120a643f608cfc45c935

6/ Wiz’s friend Light/Dark (Aakaash) helped launder the funds for him using eXch and Thorswap.

Similar to Wiz he also leaked his name during screen share.

Wiz TC Destination address confirmed in video
0xa212d7441fed6db9ab666ba34e8c440c565f4af8

7/ Greavys (Malone) lives a flashy lifestyle with the stolen funds having purchased 10+ cars and going out to clubs in LA and Miami with friends spending $250K-500K / night and giving out Birkin bags to girls.

During video clips and in chats multiple people refer to him as Malone and was flexing stolen funds on Discord.

Currently $3.5M tied to Greavys sits here
0x21d7d256be564191a43553e574c06a4d0e629767

8/ Greavys was located via OSINT in LA/Miami due to friends/girls posting his location on social media each night.

He also has an Instagram account where he posted photos of himself using his name earlier this year.

9/ Box (Jeandiel/John) played a role by calling the victim as the Gemini exchange rep.

On Discord, Telegram, and other platform Box reuses the same pfp.

Currently $18M tied to Box sits here
0x98b0811e2cc7530380caf1a17440b18f71f51f4e

Danny Trauma (Danish) was active in the inner Telegram chat as Meech although it’s not immediately clear his exact role although it is known he has access to multiple bankruptcy dbs.

His ex-gf leaked all of his photos on social media however so his info has been public.

10/ A cluster of eth addresses tied to both Box/Wiz received $41M+ from two exchanges over the past few weeks primarily flowing to luxury goods brokers to purchase cars, watches, jewelry, and designer clothes.

This is also backed up by what was said in chats about spending the funds.

11/ While most of the funds were converted to XMR both Box and Wiz accidentally linked the laundered funds with the dirty funds on multiple instances.

a) Wiz during screenshare showed an address he sent funds to for designer clothes which had millions in exposure to the cluster above.

0xb98b8ac004cea6617adcf3e94106d0eec1792bd9

b) Box linked the dirty funds with the cleans funds by accidentally reusing a deposit address.

0x6d865235ebb2504d3478fc1dd839100d210144df

12/ With the assistance of @CFInvestigators @zeroshadow_io and the Binance Security Team more than $9M+ has been frozen and $500K+ has already been returned back after working closely with the victim to investigate the incident.

13/ As a result of the investigation Box and Greavys were arrested yesterday evening in Miami and LA.

I would expect law enforcement seized additional funds during the arrests due to large transfers around that period of time.

14/ My post will be updated as the legal case progresses.

In the meantime mint a free collectible to commemorate the investigation of the stolen $243M below on Zora.

zora.co/collect/base:0…

Update: Box (Jeandiel) and Greavys (Malone) just had the indictment for the case unsealed

justice.gov/usao-dc/pr/ind…

Update: Wiz (Veer Chetal) was arrested by US Marshall’s and here is his mug shot.

Update: Today twelve people were charged for the $243M Genesis creditor theft.

Aakaash Anand was featured in the clip on 6/ laundering funds for Veer/Wiz.

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @zachxbt

ZachXBT

@zachxbt

Apr 8

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.

I spent long hours going through all of it, none of which has ever been publicly released.

It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.

Enjoy the findings!

2/ A DPRK IT worker had their device compromised via infostealer. Extracted data included IPMsg chat logs, fake identities, and browser history.

Digging through the IPMsg logs revealed this site being discussed:
luckyguys[.]site

An internal payment remittance platform, essentially a Discord-style messenger used by DPRK IT workers to report payments back to their handlers.

3/ The site's default password was 123456, which remained unchanged for ten users.

The user list included roles, Korean names, cities, and coded group names consistent with DPRK IT worker operations.

Three companies which appeared are currently OFAC sanctioned: Sobaeksu, Saenal, & Songkwang.

Read 11 tweets

ZachXBT

@zachxbt

Apr 3

1/ Welcome to the Circle $USDC files.

$420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds.

2/ Circle operates USDC, a centralized stablecoin pegged 1:1 to USD, marketed as a regulated company with a robust compliance program.

Its token contract includes a freeze/blacklist function, and its terms of service explicitly state it reserves the right to restrict access for suspected illicit actors "in its sole discretion".

The company is incorporated in the US, currently headquartered in New York City, and subject to US federal / state financial regulations.

https://x.com/zachxbt/status/2039566991858794981

3/ On April 1, 2026, Drift Protocol was exploited for $280M.

The exploiter used CCTP to bridge 232M+ USDC from Solana to Ethereum across 100+ transactions over six consecutive hours. 10+ additional DeFi protocols across the Solana ecosystem were indirectly impacted.

Despite the attacker laundering funds over six consecutive hours across Circle's own native bridge, no USDC was frozen.

The attacker has been linked to DPRK by Elliptic.

Theft address:
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES

https://x.com/zachxbt/status/2039566991858794981

Read 18 tweets

ZachXBT

@zachxbt

Mar 23

1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams.

Strategy:
>Purchase accounts with followers
>Doompost multiple times per day
>Repost content from alt accounts
>Promote fake giveaway or scam
>Change username

2/ Example: @wanglaurentceo

They started by purchasing an account with followers and use AI to create a fake Asian version of Mario Nawfal.

(User ID 1804235884826333184)

3/ Here’s related accounts reposting to boost the reach of posts about exaggerated or fake news.

This causes them to go viral each day with millions of views and thousands of likes / replies.

Read 7 tweets

ZachXBT

@zachxbt

Feb 26

1/ Meet @WheresBroox (Broox Bauer), one of the multiple @AxiomExchange employees allegedly abusing the lack of access controls for internal tools to lookup sensitive user details to insider trade by tracking private wallet activity since early 2025.

2/ Axiom is a crypto trading platform founded by Mist & Cal in 2024. After going through Y-Combinator's Winter 2025 batch, it quickly became one of the most profitable companies in the space, generating $390M+ in revenue to date.

I was retained to investigate allegations of misconduct at Axiom after receiving reports.

3/ Broox is a current Axiom senior BD employee based in New York.

In the clip Broox states he can track any Axiom user via ref code, wallet, or UID and claims he can "find out anything to do with that person".

He also describe researching 10-20 wallets initially and slowly increasing over time "so it does not look that suspicious"

In a separate clip from the same recording, Broox sets ground rules for how to request lookups from him and then says he'll send the full list of wallets.

The full recording is a private call of the group members strategizing.

Read 10 tweets

ZachXBT

@zachxbt

Jan 25

https://x.com/zachxbt/status/2014685263327351116

In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.

https://x.com/zachxbt/status/2014685263327351116

Update: The CMDSS company X account, website, & LinkedIn were all just deactivated

Update: John Daghita (Lick) began trolling again on Telegram shortly after my post

Read 4 tweets

ZachXBT

@zachxbt

Jan 23

1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025.

https://x.com/zachxbt/status/1931216174903398723

2/ Earlier today John got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.

In 'The Com' this is known as a band for band (b4b).

However the entire interaction was fully recorded.

https://x.com/zachxbt/status/1931216174903398723

3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg