1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support.
2/ A US based victim sent me a DM on Oct 7, 2024 after receiving a call from a spoofed number impersonating Coinbase support where they were coerced in to using a phishing site.
3/ An initial tracing of the theft saw all of the stolen funds flow to eXch on Ethereum and Bitcoin where funds were converted to Litecoin and transferred to numerous services.
4/ However just days after the theft Ronald began flexing his Ledger Live via Discord screenshare showing $3.1M received on October 8th, 2024.
Discord ID: 367190432507232257
5/ Further strengthening the connection to Ronald, a now deleted Telegram channel in his bio associated with fraud shared screenshots of a wallet address only one hop from the $6.5M theft.
6/ When reviewing the TON address which owns Ronald’s Telegram number you can see it was funded from multiple exchanges.
You can perform a timing analysis to trace through the exchange and find the funding address.
That address is tied to multiple other Coinbase withdrawals indicating more potential victims from impersonation scams.
TON source address
EQC7hYcQ_54HWpPhhT_i3gExFeCKspqdJmwGrZYBGTB09Ot4
ETH destination address
0x09d51a41434149b2f85358e518631f7004b0ae68
7/ Multiple databreaches have publicly exposed Ronald’s information such as the Flipd/OG User breaches leaking his email and New York IPs which link to other breaches containing his alleged full name.
8/ Unfortunately this case does not have a happy ending as the victim deleted his X account after receiving bad advice from a friend to not trust people who online.
It still remains uncertain who Ronald’s accomplices were for the theft as the Ledger screenshots only shows $3.1M out of the $6.5M that was stolen.
Update: Ronald just deleted his Telegram account.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
1/ Time to share how SCALE, NTD, TPU, & OPSEC projects were all tied to the same person Zopp0 to farm naive traders using numerous influencers shown in leaked messages.
2/ While paying others to be the face of OPSEC behind the scenes he was involved with key decisions as the owner in private Telegram chats.
Here is him talking about the lack of technical research.
I then confronted him over DM about this in March 2024 which he downplayed.
Then in a leaked private chat here is him chatting about me obtaining this screenshot.
3/ Zopp0 and his friend SZB discuss how they messed up bundling for NTD/TPU and worry it will trace back to them.
No posts have been made from @NTensorDynamics @tensorspace_ai since April.
1/ Meet Yicong Wang (王逸聪), a Chinese OTC trader who has helped Lazarus Group convert tens of millions of stolen crypto to cash from various hacks via bank transfers since 2022.
2/ A follower reached out to me a few months ago after having their exchange account frozen after completing a P2P transaction with Yicong Wang an OTC who has used pseudonyms like Seawang, Greatdtrader, & BestRhea977
3/ They then shared one of Yicong Wang’s Tron wallet addresses with me from a screenshot of their WeChat conversation.
1/ A short story about how the influencer @0xjaypeg got caught lying to the community three times this weekend about an allocation for a project all for $2.2K.
2/ A project reached out to Jaypeg who agreed to promote a meme coin for 2% of the supply.
8jpz1pDotD7NVBWuYQgfSNX2CAVTp6wyD5Jgg7d5515B
After sending his wallet address in the chat Jaypeg deleted his message and lied saying he never received tokens and claimed it was not his wallet.
1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.
2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:
1) Calling as Google Support via spoofed number to compromise personal accounts 2) Calling after as Gemini support claiming account is hacked 3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet 4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.
Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3
3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.
Theft txn hash
4064 BTC - Aug 19 at 4:05 am UTC
4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.
Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.
I then uncovered 25+ crypto projects with related devs that have been active since June 2024.
2/ The laundering path for the incident can be described as:
1) Transfer $1.3M to theft address 2) Bridge $1.3M from Solana to Etheruem via deBridge 3) Deposit 50.2 ETH to Tornado 4) Transfer 16.5 ETH to two exchanges
2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.
0x6eedf92fb92dd68a270c3205e96dccc527728066
A technical breakdown of the attack by Mudit can be found below
3/ With the 6 X 0.1 ETH withdrawals from Tornado Cash on July 10th I was able to demix this and find 6 X 0.1 ETH matching deposits made the day before.
0xc6873ce725229099caf5ac6078f30f48ec6c7e2e
The demix is accurate as 0xc68 was also doing tests with 0x304 multisig on July 9th with SHIB.