Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ZachXBT Profile picture
@zachxbt
Jan 23 13 tweets 6 min read Read on X
Scrolly
1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025. Image
Image
Image
2/ Earlier today John got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.

In 'The Com' this is known as a band for band (b4b).

However the entire interaction was fully recorded.

Image
3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg
4/ In part 2 of the recording Dritan continues to mock John while another $6.7M worth of ETH is moved into the wallet address below:
0xd8bc7ea538c2e9f178a18cc148892ae914a55d08
5/ After the B4B was done John had moved ~$23M total to 0xd8bc.

The recording captures that John clearly controls both addresses.

Additional addresses can likely be found in the recordings.

I then began tracing backwards to verify the source of funds. Image
Image
Image
6/ 0xd8bc receives from 0x8924 which in the recording John confirms owning.

0x8924 received 1066 WETH from 0xc7a2 on Nov 20, 2025 in the following txn.

0x76c6e92c4cefda209263a214241f1b47b9cff0123e9d292d613aea3447466dd0 Image
7/ 0xc7a2 received $24.9M from a US Government address in March 2024 related to the Bitfinex hack seizure which is a theft from the USG I previously reported about in Oct 2024.

$18.5M currently sits at
0xc7A253fD3C61CF69d043e6184c107dF4E29475B5 Image
8/ 0xd8bc is tied to $63M+ inflows from suspected victims and government seizure addresses in Q4 2025.

Dec 2025
$13.5M
0x77a722bf33787c3512d0f4fc36412140057f4223
$15.4M
0xf51b044f998277b17467cd713d72b403e16fad48
Nov 2025
$3M
TACZPnbg2Fi2ppC3cGxQxZb95SqwAZVAw9
$1M
6tMdWb3w3UaVq4JRSm1qa2s8mVwj2MYFAveJEL6S93UaImage
9/ Another 4.17K ETH ($12.4M) was received from MEXC earlier today flowing to 0xd8bc

0xe0f7a45a491d53f9361d35b4ef9908986d3b37b7

John has an extensive message history on Telegram flaunting his networth and calling others broke.

TG ID: 8269661864 Image
Image
Image
10/ Rumors circulating from cybercrime Telegram channels indicate John could be John Daghitia who was previously arrested in Sep 2025.

Though more research is needed to fully confirm. Image
Image
11/ Threat actors only continue to showing off stolen funds in leaked recordings rather than simply just staying quiet after an alleged theft from the US Government.

In this case John was ragebaited by Dritan into going band for band and the proof of ownership for these wallets makes it an easy future case for law enforcement.Image
Update: John quickly removed all of the NFT usernames from his Telegram account and change his screenname after my post. Image
Update: John dusted my public address zachxbt.eth from one of the theft addresses.

Transaction hash
0x25d3b02b17ccf5f0867bfbaa86c4cb918766d2b79e30cdcb7847298febfa2d15 Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ZachXBT

ZachXBT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zachxbt

ZachXBT Profile picture
Apr 3
1/ Welcome to the Circle $USDC files.

$420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds. Image
2/ Circle operates USDC, a centralized stablecoin pegged 1:1 to USD, marketed as a regulated company with a robust compliance program.

Its token contract includes a freeze/blacklist function, and its terms of service explicitly state it reserves the right to restrict access for suspected illicit actors "in its sole discretion".

The company is incorporated in the US, currently headquartered in New York City, and subject to US federal / state financial regulations.Image
Image
3/ On April 1, 2026, Drift Protocol was exploited for $280M.

The exploiter used CCTP to bridge 232M+ USDC from Solana to Ethereum across 100+ transactions over six consecutive hours. 10+ additional DeFi protocols across the Solana ecosystem were indirectly impacted.

Despite the attacker laundering funds over six consecutive hours across Circle's own native bridge, no USDC was frozen.

The attacker has been linked to DPRK by Elliptic.

Theft address:
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES
Read 18 tweets
ZachXBT Profile picture
Mar 23
1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams.

Strategy:
>Purchase accounts with followers
>Doompost multiple times per day
>Repost content from alt accounts
>Promote fake giveaway or scam
>Change usernameImage
2/ Example: @wanglaurentceo

They started by purchasing an account with followers and use AI to create a fake Asian version of Mario Nawfal.

(User ID 1804235884826333184) Image
Image
Image
3/ Here’s related accounts reposting to boost the reach of posts about exaggerated or fake news.

This causes them to go viral each day with millions of views and thousands of likes / replies. Image
Image
Image
Read 7 tweets
ZachXBT Profile picture
Feb 26
1/ Meet @WheresBroox (Broox Bauer), one of the multiple @AxiomExchange employees allegedly abusing the lack of access controls for internal tools to lookup sensitive user details to insider trade by tracking private wallet activity since early 2025. Image
Image
Image
2/ Axiom is a crypto trading platform founded by Mist & Cal in 2024. After going through Y-Combinator's Winter 2025 batch, it quickly became one of the most profitable companies in the space, generating $390M+ in revenue to date.

I was retained to investigate allegations of misconduct at Axiom after receiving reports.Image
Image
3/ Broox is a current Axiom senior BD employee based in New York.

In the clip Broox states he can track any Axiom user via ref code, wallet, or UID and claims he can "find out anything to do with that person".

He also describe researching 10-20 wallets initially and slowly increasing over time "so it does not look that suspicious"

In a separate clip from the same recording, Broox sets ground rules for how to request lookups from him and then says he'll send the full list of wallets.

The full recording is a private call of the group members strategizing.
Read 10 tweets
ZachXBT Profile picture
Jan 25
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.

It still remains unclear at this point how John obtained access from his dad.Image
Image
Image
Update: The CMDSS company X account, website, & LinkedIn were all just deactivated Image
Image
Image
Update: John Daghita (Lick) began trolling again on Telegram shortly after my post Image
Image
Read 4 tweets
ZachXBT Profile picture
Dec 29, 2025
1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. Image
Image
2/ On Dec 30, 2024 Haby posted a screenshot in a group chat showing off a 21K XRP ($44K) theft from a Coinbase user.

rN7ddvk4DrGHZUrBfNARJEEAbPkky9Mwcz Image
Image
3/ On Jan 3, 2025 Haby posted a screenshot from his Exodus wallet showing his Telegram & IG accounts.

I matched up the historical balances to the screenshot and found the XRP address linked to two other Coinbase user thefts for ~$500K total.

rfA8MiWkRb6xjveQGKfJpdr8h1Kb4c83Rb Image
Image
Read 12 tweets
ZachXBT Profile picture
Oct 19, 2025
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.

Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. Image
2/ Although the victim did not directly share the theft address after watching the video I found it by reviewing the date and amount.

r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc

The victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.
3/ The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025.

On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity. Image
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(