Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Apr 28 1 tweets 1 min read Read on X
Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)

Theft address
bc1qcrypchnrdx87jnal5e5m849fw460t4gk7vz55g

Shortly after the funds began to be laundered via 6+ instant exchanges and was swapped for XMR causing the XMR price to spike 50%.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
Aug 13
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects. Image
Image
2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained.

Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English. Image
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.

“I can't understand job requirement, and don't know what I need to do”

“Solution / fix: Put enough efforts in heart” Image
Image
Read 11 tweets
ZachXBT Profile picture
Jul 22
1/ An investigation into how @cryptobeastreal scammed followers by lying they were not behind the $190M -> $3M $ALT market cap crash where 45+ connected insider wallets sold $11M+ on July 14, 2025. Image
Image
2/ Earlier this month Crypto Beast began aggressively promoting $ALT on X and TG.

On July 14, 2025 ALT crashed from 0.19 to 0.003 after insiders sold a large percent of the total supply.

All of these posts promoting the token. have since been deleted. Image
Image
Image
Image
3/ Crypto Beast previously shared a public wallet on X & TG in now deleted posts.

Ledzo5cdS1RYfX4h391fYC8TF6xkwAC8U77F2pCaH4L Image
Image
Read 12 tweets
ZachXBT Profile picture
Jul 2
1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies.

To put this in perspective payments range from $3K-8K per month meaning they have infiltrated 345 jobs on the low end or 920 jobs on the high end.Image
Image
2/ Here’s a look into one of the six clusters I have been monitoring and was able to attribute 8 different DPRK ITWs that obtained roles at 12+ projects.

I traced out the payment addresses from the table to two consolidation addresses.

0x58225fed0714e5b9b235642eba7dae3714090a2d
0xa7f9555c34626eb81b64774356a40ca1a6a794caImage
3/ Sandy Nguyen (@bullishgopher) a DPRK ITW from this cluster was spotted via OSINT next to the North Korea flag at an event in Russia.

A small group of people still believe North Korean devs are just a conspiracy despite all of the IOCs, research, etc widely available. Image
Image
Image
Read 10 tweets
ZachXBT Profile picture
Jun 27
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen

My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers. Image
Image
2/ On Jun 18, 2025 at 4:25 am UTC ownership for ‘Replicandy’ from Matt Furie & ChainSaw was transferred to a new EOA 0x9Fca.

Jun 18, 2025
6:20 pm UTC: 0x9Fca withdrew mint proceeds from the contract
Jun 19, 2025
5:11 am UTC: 0x9Fca unpauses the mint

The attacker then minted NFTs and sold into bids causing the floor price to fall to zero.Image
Image
Image
3/ On Jun 23, 2025 the attacker transferred ownership from the ChainSaw deployer to 0x9Fca for Peplicator, Hedz, Zogz.

Similarly the attacker minted NFTs and sold them into bids causing the floor price to fall to zero.

0x9Fca3AC75cd66f3c62bea8231886513b9fe191BD Image
Read 12 tweets
ZachXBT Profile picture
Jun 23
1/ An investigation into how the New York based social engineering scammer Daytwo/PawsOnHips (Christian Nieves) stole $4M+ from Coinbase users by impersonating customer support, bought luxury goods, and lost most of the funds gambling at casinos. Image
Image
Image
2/ Daytwo operates a small call centre group and also works as a caller.

His group primarily coerced targets into setting up Coinbase wallet with a compromised seed on phishing sites.

Below is a video of his panel used and a sample of his voice when calling.
3/ In Nov 2024 $240K was stolen from an elderly victim with Daytwo’s worker Paranoia (Justin).

A private recording of the theft exists and was obtained (see part 1 below)

Theft address
bc1q35tw4f5qrfxrjy2v8g8d3majtujv28audm6yvp
AJU5yh4kDahLak4uq5n4ehJDVs2w2Lbhw9UHoseaBwV7
Read 11 tweets
ZachXBT Profile picture
May 9
1/ In late 2023 a former Yuga Labs security researcher was stopped at the airport after law enforcement mistakenly linked them to a $1.1M phishing theft from a Bored Ape owner.

Here’s an investigation into where the stolen funds went and who’s actually responsible. Image
Image
Image
2/ In Dec 2022, a victim had 14 X BAYC NFTs phished in a social engineering scheme where purchased X accounts were used to convince the victim they wanted to license the IP rights for a film.

The scammer directed the victim to a phishing site where they had them sign a message draining their assets.

Theft address
0x9335da37d37bc5d46850eaee48f8b9ccbe94d9a2Image
Image
Image
3/ In Sep 2023, Sam Curry a well known whitehat and former Yuga Labs security engineer was detained at the airport by law enforcement for questioning and was served with a grand jury subpoena (later dropped).

In reality as part of his security work at Yuga, he had been investigating the theft and used a private key put in the JavaScript of the website by the threat actor.

LE then had mistakenly reviewed logs from OpenSea which included his home IP address and used this to incorrectly link him as the suspect.Image
Image
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(