ZachXBT Profile picture
Scam survivor turned 2D investigator
30 subscribers
Nov 20 9 tweets 4 min read
1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support. Image
Image
Image
2/ A US based victim sent me a DM on Oct 7, 2024 after receiving a call from a spoofed number impersonating Coinbase support where they were coerced in to using a phishing site.

Theft address
bc1qra7s4wl8z2el335k40sdnaka04c2sdwjx5hs6q
0x730082b1847e1cef889ea6dce57641c96c104f2d

Phishing site: https(:)//19960018-coinbase(.)comImage
Nov 3 7 tweets 5 min read
1/ Time to share how SCALE, NTD, TPU, & OPSEC projects were all tied to the same person Zopp0 to farm naive traders using numerous influencers shown in leaked messages. Image
Image
2/ While paying others to be the face of OPSEC behind the scenes he was involved with key decisions as the owner in private Telegram chats.

Here is him talking about the lack of technical research.

I then confronted him over DM about this in March 2024 which he downplayed.

Then in a leaked private chat here is him chatting about me obtaining this screenshot.Image
Image
Image
Image
Oct 23 11 tweets 6 min read
1/ Meet Yicong Wang (王逸聪), a Chinese OTC trader who has helped Lazarus Group convert tens of millions of stolen crypto to cash from various hacks via bank transfers since 2022. Image
Image
Image
2/ A follower reached out to me a few months ago after having their exchange account frozen after completing a P2P transaction with Yicong Wang an OTC who has used pseudonyms like Seawang, Greatdtrader, & BestRhea977 Image
Oct 20 7 tweets 5 min read
1/ A short story about how the influencer @0xjaypeg got caught lying to the community three times this weekend about an allocation for a project all for $2.2K. Image 2/ A project reached out to Jaypeg who agreed to promote a meme coin for 2% of the supply.

8jpz1pDotD7NVBWuYQgfSNX2CAVTp6wyD5Jgg7d5515B

After sending his wallet address in the chat Jaypeg deleted his message and lied saying he never received tokens and claimed it was not his wallet.Image
Image
Image
Sep 19 15 tweets 8 min read
1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen. Image
Image
2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:

1) Calling as Google Support via spoofed number to compromise personal accounts
2) Calling after as Gemini support claiming account is hacked
3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet
4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.

Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3Image
Image
Image
Aug 15 7 tweets 4 min read
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.

Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.

I then uncovered 25+ crypto projects with related devs that have been active since June 2024.Image
Image
2/ The laundering path for the incident can be described as:

1) Transfer $1.3M to theft address
2) Bridge $1.3M from Solana to Etheruem via deBridge
3) Deposit 50.2 ETH to Tornado
4) Transfer 16.5 ETH to two exchanges

Theft address
6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet Image
Jul 18 6 tweets 3 min read
1/ So I began tracing the $230M+ WazirX hack back from the original exploiter address and was able to make some interesting observations.
Image 2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.

0x6eedf92fb92dd68a270c3205e96dccc527728066

A technical breakdown of the attack by Mudit can be found below

Image
Image
Jun 19 4 tweets 4 min read
For those who are confused and need additional context.

Earlier today Arkham announced a $150K bounty for the identity of the DJT creator

11:49 pm UTC I reply to Arkham saying I submitted for the bounty
11:57 pm UTC Martin Shkreli panic DM’s me
12:27 am UTC Martin Shkreli creates a spaces and announces he is the creator of DJTImage
Image
Image
One of the large DJT insiders verso.sol dumping $832K worth of DJT and then depositing USDC to CEX ~1 hr ago

Coincidentally also a large holder on Martin’s other project Shoggoth

5cPzLzLQjt2oc8X6rGannrh7HmVJNAMFJKq21DdZRuHP


Image
Image
Image
Jun 12 7 tweets 4 min read
1/ Here is an overview of one of the better executed scams I have seen in recent times so I figured I would share with the community as a cautionary tale.

A few weeks ago I received a DM from a follower who lost $245K after accidentally downloading malware onto their computer.
Image
Image
2/ It started as an account purporting to be Peter Lauten from a16z, messaging a team to inquire about a potential podcast partnership.

Image
Image
Image
May 27 9 tweets 5 min read
1/ An investigation into how the @sol ($CAT) meme coin team is connected to the @GCRClassic hack from last night.

Minutes before the hack an address tied to them opened $2.3M ORDI & $1M ETHFI longs on Hyperliquid.

Let’s dive in.
Image
Image
2/ The @sol team sniped their own launch to control 63% of the supply selling $5M+ of $CAT before transferring the profits to multiple wallets.
Image
Apr 29 7 tweets 3 min read
1/ How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020 - 2023

zachxbt.mirror.xyz/B0-UJtxN41cJhp… 2/ Traced 25+ connected hacks across multiple blockchains and through mixers to centralized exchanges.
Image
Image
Apr 16 9 tweets 6 min read
1/ An investigation into the alleged $11.1M @PrismaFi exploiter 0x77 (Trung) and the multiple other exploits they are connected to. Image 2/ On March 28, 2024 the Prisma team observed a series of transactions on the MigrateTroveZap contract which resulted in a loss of 3257 ETH ($11.1M)

Exploiter address
0x7e39e3b3ff7adef2613d5cc49558eab74b9a4202

A comprehensive post-morten of the incident can be found below:
Image
Mar 21 8 tweets 5 min read
1/ An investigation into the French dev Jolan Lacroix who recently stole $900K from the TICKER presale on Base before spending the funds on meme coins and Milady NFTs. Image
Image
2/ TICKER launched a presale on March 16 raising a total of 877 ETH ($3.19M) via Party App on Base.

The token distribution was supposed to be: 24% LP, 71% presale/airdrops, 1% early contributors, 4% reserved for errors.

The team was fully anon.
Image
Image
Feb 28 8 tweets 4 min read
1/ An investigation into the phishing scammer Ultra (Nicolas) who has stolen millions through Discord compromises such as MetaKey and X/Twitter spam just to spend it all gambling on Stake, rare usernames, and Roblox items.
Image
Image
2/ In Feb 2023 the Dead Army Skeleton Discord was compromised
after an admin was phished.

The attacker spammed phishing links in the announcements channel with funds ending up at offtherip.eth and Monkey Drainer.

Image
Image
Feb 22 8 tweets 5 min read
1/ Some time has passed but there is now evidence to share how Tyronejkd is connected to the $1M 0xCrystals/0xCube scam and @3PEACEART account.

Let’s jump in.
Image 2/ Last bull run this account popped up engagement farming with fake giveaways, stolen posts, & stolen punk pfp

They launched an NFT project they claimed was free with a limited supply. When people minted the actual price was 0.25 ETH & not free

When called out for the scheme they would delete posts & change usernamesImage
Image
Image
Feb 20 10 tweets 6 min read
1/ An investigation into how the influencer Crypto Rover ghosted a project he was paid to promote, mislead followers about his trading positions, and also his shills for pump and dump meme coins. Image 2/ In May 2023 Rover was connected with a project was connected to help promote it.

During negotiations Rover said he can “pump projects from 1/2m to 10m easy”

They agreed on $10K + 1% of the supply for payment

Rover address
0x4472d6969c0750dd7ba8e387d2b007a80794802f
Image
Image
Jan 31 9 tweets 6 min read
1/ It’s 2024 and we are still seeing far too many teams getting SIM swapped or phished on a regular basis resulting in millions stolen.

So here are some tips EVERY team should follow to secure their X (Twitter) account and what to prioritize if an account becomes compromised.



Image
Image
Image
Image
2/ If you are subscribed or want to purchase X Premium you are required to attach a phone number to receive a check mark.

Once you apply for the check mark you can immediately remove the phone number after.

If you do not remove the phone number YOU WILL likely be SIM swapped at some point and the scammer would be able to gain access to your X account.

(US cell carriers are primarily being targeted but have seen Canada/EU as well)Image
Dec 7, 2023 9 tweets 4 min read
1/ Throughout this year I have been monitoring someone who has withdrawn 11,200+ ETH ($25M) from Tornado Cash and spent the majority of it on Magic The Gathering (MTG) trading cards.

Here’s my analysis of where the funds went and what the potential source of funds could be. 2/ This person has withdrawn 110 X 100 ETH from Tornado to 11 addresses.

After they would:
1) Wrap the ETH
2) Transfer WETH to new address
3) Unwrap the WETH
4) Transfer USDC to MTG broker

(this is a strategy used to trick KYT at exchanges) Image
Oct 25, 2023 12 tweets 8 min read
1/ An investigation into the Canadian scammer known as Yahya for their involvement in 17+ SIM swaps which resulted in more than $4.5M stolen.
Image
Image
2/ Yahya’s job was to do lookups on X/Twitter accounts using his panel so the scammer Skenkir could get US targets for SIM swaps.

As compensation for his work Yahya would receive a % of the proceeds stolen from each attack.

EX: Here is screenshots of Yahya showing off tools

Image
Image
Image
Oct 10, 2023 9 tweets 4 min read
1/ What happened to the funds from the @slope_finance $4M hack?

Here’s my analysis tracing the latest movements in 2023 and where the stolen funds ended up going. Image 2/ TLDR: Slope Wallet (founded by Leal Cheung) was hacked in August 2022. After the hack their entire team disappeared.

Multiple Solana community members I reached out to confirmed this.

In May 2023 whoever ran the account fell for a prank and accidentally made a tweet.
Image
Sep 10, 2023 12 tweets 6 min read
1/ Part 2 of a breakdown into how @trader1sz @Trader_XO @TraderNJ1 @PetaByteCapital pump and dumped 6 figures of PAAL on their followers.
Image 2/ While XO & SZ both made PR statements placing all the blame on PetaByte & NJ for CBOT while both were actively involved with another one of their promotions for PAAL

Thankfully NJ/PB connected their wallet addresses from CBOT & BABYSHIB shills to PAAL making it easy to find
Image
Image