Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Oct 23, 2024 11 tweets 6 min read Read on X
Scrolly
1/ Meet Yicong Wang (王逸聪), a Chinese OTC trader who has helped Lazarus Group convert tens of millions of stolen crypto to cash from various hacks via bank transfers since 2022. Image
Image
Image
2/ A follower reached out to me a few months ago after having their exchange account frozen after completing a P2P transaction with Yicong Wang an OTC who has used pseudonyms like Seawang, Greatdtrader, & BestRhea977 Image
3/ They then shared one of Yicong Wang’s Tron wallet addresses with me from a screenshot of their WeChat conversation.

THsSCBGazjjho7u2BQQsmrpbDv1Q237FL4 Image
4/ Recently they reached back out after having been approached by Yicong Wang for a larger USDT -> CNY order on August 13, 2024 involving ~1.5M USDT at a rate much lower than the market rate.

THjaAygUNkzoXufwEoKCzbUZHpsehL9rAZ Image
5/ When reviewing blockchain data tied to Yicong Wang you will notice high illicit fund exposure from the Alex Labs, Irys co-founder, and a consolidation of other hacks (EasyFi, Bondly, Maverick co-founder, etc). Image
6/ $17M from 25+ Lazarus Group hacks consolidated to 0x5018cf5f48a09c46b4833890cc2cf0df2533d16a where 374K USDT was blacklisted by Tether in Nov 2023

After the blacklist the remaining funds were deposited to Tornado. Within days after the deposits 13 X 100 ETH was withdrawn and consolidated at 0x81a

In Dec 2023 $45K was bridged to Tron and transferred to multiple addresses tied to Yicong.

Read my investigation below for detailed tracing of the 25+ hacks.Image
Image
7/ Alex Labs was hacked for ~$4.5M in May 2024 by Lazarus Group.

One of the theft addresses deposited 470 ETH to a privacy protocol on June 16, 2024
0xc0a0ec4dbf170611cc76f31a9df910ad79bc2266

Matching amounts were withdrawn the same day to two addresses
0x9fc1350f80734044b7189fe7b8f288396f76feb5
0x21c926a1a328a4906feeb18664d00f3d85df1aed

Another theft address deposited 449 ETH from June 27-28th
0x1871bb6257b1f622548ef64a12ae5149eb208bd8
Shortly after a matching amount was withdrawn commingling with the Irys co-founder stolen funds.
0xddb2e9feaf0a122b43be14bc085cf713703ce45c

On August 13th funds were bridged from Ethereum to Tron address tied to Yicon.Image
8/ Irys co-founder was hacked for ~$1.3M in July 2024 by Lazarus Group via email spear phishing campaign.

From the theft address 70.8 ETH was deposited to a privacy protocol and another 338 ETH shortly after on July 31st.
0x600cd901d0407753c212ed17d8c6cae014ee300e

By performing a timing analysis matching amounts were found hours after the deposits to two addresses.
0xff87a4df67068464e5f4e3b546f556b2dffb6dfb
0xa81eac50c0b17aee3132f40f7398087e457ca054

Funds were then commingled with the Alex hack and bridged to Tron addresses tied to Yicong on August 13th.
TG3dqSzpH3V2kEqTdJAYQrtZq1TQxysUkHImage
Image
9/ An Ethereum address blacklisted by Tether in August 2024 with 948K is also directly tied to Yicong.

On Aug 13th 746K USDT was transferred to an address tied to Yicong
THjaAygUNkzoXufwEoKCzbUZHpsehL9rAZ

Shortly before the funds had been bridged over from Ethereum linking the blacklisted address
0x84d9ad5e6fdf7ca4de37684a1f7df371837e9a9cImage
Image
Image
10/ While Yicong Wang has been banned from Paxful and Noones on multiple accounts (Seawang/Greatdtrader/BestRhea977) for laundering funds he has since moved to conducting business offsite.

It’s apparent from on-chain he has still been actively helping Lazarus Group within the past couple weeks.

Hopefully at some point in the future Yicong Wang will be held accountable for his actions.Image
Image
Image
Image
Update: Yicong Wang made his X account private and deleted a lot of the posts where he had asked exchange support for help unbanning his exchange accounts. Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
Jan 25
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.Image
Image
Image
Update: The CMDSS company X account, website, & LinkedIn were all just deactivated Image
Image
Image
Update: John Daghita (Lick) began trolling again on Telegram shortly after my post Image
Image
Read 4 tweets
ZachXBT Profile picture
Jan 23
1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025. Image
Image
Image
2/ Earlier today John got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.

In 'The Com' this is known as a band for band (b4b).

However the entire interaction was fully recorded.

Image
3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg
Read 13 tweets
ZachXBT Profile picture
Dec 29, 2025
1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. Image
Image
2/ On Dec 30, 2024 Haby posted a screenshot in a group chat showing off a 21K XRP ($44K) theft from a Coinbase user.

rN7ddvk4DrGHZUrBfNARJEEAbPkky9Mwcz Image
Image
3/ On Jan 3, 2025 Haby posted a screenshot from his Exodus wallet showing his Telegram & IG accounts.

I matched up the historical balances to the screenshot and found the XRP address linked to two other Coinbase user thefts for ~$500K total.

rfA8MiWkRb6xjveQGKfJpdr8h1Kb4c83Rb Image
Image
Read 12 tweets
ZachXBT Profile picture
Oct 19, 2025
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.

Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. Image
2/ Although the victim did not directly share the theft address after watching the video I found it by reviewing the date and amount.

r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc

The victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.
3/ The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025.

On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity. Image
Read 9 tweets
ZachXBT Profile picture
Oct 15, 2025
1/ An investigation into how I identified one of suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee and earned a whitehat bounty for my efforts. Image
Image
2/ 32 $TAO holders experienced unauthorized transfers in excess of $28M from May to July 2024 and the Bittensor network was temporarily halted on July 2, 2024.

A post-mortem published by the team revealed the thefts were the result of a supply chain attack after a malicious PyPi package was uploaded in late May 2024

Victims who downloaded the package and performed specific operations accidentally compromised private keys.Image
3/ I began tracing the stolen funds from two initial theft addresses, TAO was bridged to Ethereum via Bittensor native bridge, and then transferred to instant exchanges where the attackers swapped to XMR.

Victims:
$400K: 5ENiTXL63DRMKytjaDRBLnorwd6qURKcCVgsgpu8UQxgptQN
$13M: 5DnXm2tBGAD57ySJv5SfpTfLcsQbSKKp6xZKFWABw3cYUgqgImage
Read 12 tweets
ZachXBT Profile picture
Aug 13, 2025
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. Image
Image
2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained.

Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English. Image
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.

“I can't understand job requirement, and don't know what I need to do”

“Solution / fix: Put enough efforts in heart” Image
Image
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(