1/ Over the past few months I imagine you have seen many Coinbase users complain on X about their accounts suddenly being restricted.

This is the result of aggressive risk models and Coinbase’s failure to stop its users losing $300M+ per year to social engineering scams.
2/ Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains.

Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 - Jan 2025.

Our number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered on-chain which does not account for Coinbase support tickets and police reports we do not have access to.

1/ An investigation into how the threat actor Serpent went from a pro Fortnite player to helping steal $3.5M via meme coin scams launched from 9+ account compromises on X & IG and gambling the proceeds away at online casinos.

https://twitter.com/zachxbt/status/1861450263925559399

2/ Serpent (SerpentAU) is a former pro Fortnite player from Australia who was released from the esports organization ‘Overtime’ after being caught allegedly cheating in June 2020.

He then co-founded the NFT project DAPE in March 2022 which later rug pulled.

1/ Over the past few months I have been tracking a series of related compromises for McDonald’s, Usher, Kabosu Owner, Andy Ayrey, Wiz Khalifa, SPX 6900, etc on X & IG which has resulted in an estimated $3.5M+ stolen via launching Pump Fun meme coins. 2/ On Aug 21, 2024 the McDonald’s IG became compromised and a post was made promoting the bundled meme coin GRIMACE and the hacker began trolling after.

$690K+ from the pump and dump was consolidated to two wallets.

4RiNhTwBxYWgb4MSCtt9vXgVk2yuPhoQR3DR9pMVPU1W
2vjnmxwTYNJvTmFhtqxZkPiuCHkaKZK5rcxTLuoC2dPB

1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support.

2/ A US based victim sent me a DM on Oct 7, 2024 after receiving a call from a spoofed number impersonating Coinbase support where they were coerced in to using a phishing site.

Theft address
bc1qra7s4wl8z2el335k40sdnaka04c2sdwjx5hs6q
0x730082b1847e1cef889ea6dce57641c96c104f2d

Phishing site: https(:)//19960018-coinbase(.)com

1/ Time to share how SCALE, NTD, TPU, & OPSEC projects were all tied to the same person Zopp0 to farm naive traders using numerous influencers shown in leaked messages.
2/ While paying others to be the face of OPSEC behind the scenes he was involved with key decisions as the owner in private Telegram chats.

Here is him talking about the lack of technical research.

I then confronted him over DM about this in March 2024 which he downplayed.

Then in a leaked private chat here is him chatting about me obtaining this screenshot.

1/ Meet Yicong Wang (王逸聪), a Chinese OTC trader who has helped Lazarus Group convert tens of millions of stolen crypto to cash from various hacks via bank transfers since 2022.

2/ A follower reached out to me a few months ago after having their exchange account frozen after completing a P2P transaction with Yicong Wang an OTC who has used pseudonyms like Seawang, Greatdtrader, & BestRhea977

1/ A short story about how the influencer @0xjaypeg got caught lying to the community three times this weekend about an allocation for a project all for $2.2K. 2/ A project reached out to Jaypeg who agreed to promote a meme coin for 2% of the supply.

8jpz1pDotD7NVBWuYQgfSNX2CAVTp6wyD5Jgg7d5515B

After sending his wallet address in the chat Jaypeg deleted his message and lied saying he never received tokens and claimed it was not his wallet.

1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.
2/ Incident Summary: On August 19, 2024 the threat actors targeted a single Genesis creditor by:

1) Calling as Google Support via spoofed number to compromise personal accounts
2) Calling after as Gemini support claiming account is hacked
3) Social engineered victim into resetting 2FA and sending Gemini funds to compromised wallet
4) Got victim to use AnyDesk to share screen and leaked private keys from Bitcoin core.

Gemini txn hash
59.34 BTC - Aug 19 at 1:48 am UTC
e747b963a463334c164b0a8fff844f73693272bb2b331adbe2147d70ec196360
14.88 BTC - Aug 19 at 2:30 am UTC
7c7ebed785f0b4d4335d559b14b8215862fbe29db329e3ee0f2a7e64a16ce9e3

1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.

Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.

I then uncovered 25+ crypto projects with related devs that have been active since June 2024.
2/ The laundering path for the incident can be described as:

1) Transfer $1.3M to theft address
2) Bridge $1.3M from Solana to Etheruem via deBridge
3) Deposit 50.2 ETH to Tornado
4) Transfer 16.5 ETH to two exchanges

Theft address
6USfQ9BX33LNvuR44TXr8XKzyEgervPcF4QtZZfWMnet

1/ So I began tracing the $230M+ WazirX hack back from the original exploiter address and was able to make some interesting observations.

https://twitter.com/WazirXIndia/status/1813843289940058446

2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.

0x6eedf92fb92dd68a270c3205e96dccc527728066

A technical breakdown of the attack by Mudit can be found below

https://twitter.com/mudit__gupta/status/1813881385800913327

For those who are confused and need additional context.

Earlier today Arkham announced a $150K bounty for the identity of the DJT creator

11:49 pm UTC I reply to Arkham saying I submitted for the bounty
11:57 pm UTC Martin Shkreli panic DM’s me
12:27 am UTC Martin Shkreli creates a spaces and announces he is the creator of DJT

One of the large DJT insiders verso.sol dumping $832K worth of DJT and then depositing USDC to CEX ~1 hr ago

Coincidentally also a large holder on Martin’s other project Shoggoth

5cPzLzLQjt2oc8X6rGannrh7HmVJNAMFJKq21DdZRuHP

https://twitter.com/zachxbt/status/1803231125734826382

1/ Here is an overview of one of the better executed scams I have seen in recent times so I figured I would share with the community as a cautionary tale.

A few weeks ago I received a DM from a follower who lost $245K after accidentally downloading malware onto their computer.

2/ It started as an account purporting to be Peter Lauten from a16z, messaging a team to inquire about a potential podcast partnership.

1/ An investigation into how the @sol ($CAT) meme coin team is connected to the @GCRClassic hack from last night.

Minutes before the hack an address tied to them opened $2.3M ORDI & $1M ETHFI longs on Hyperliquid.

Let’s dive in.

2/ The @sol team sniped their own launch to control 63% of the supply selling $5M+ of $CAT before transferring the profits to multiple wallets.

https://twitter.com/lookonchain/status/1794231282454626615

1/ How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020 - 2023

zachxbt.mirror.xyz/B0-UJtxN41cJhp… 2/ Traced 25+ connected hacks across multiple blockchains and through mixers to centralized exchanges.

1/ An investigation into the alleged $11.1M @PrismaFi exploiter 0x77 (Trung) and the multiple other exploits they are connected to. 2/ On March 28, 2024 the Prisma team observed a series of transactions on the MigrateTroveZap contract which resulted in a loss of 3257 ETH ($11.1M)

Exploiter address
0x7e39e3b3ff7adef2613d5cc49558eab74b9a4202

A comprehensive post-morten of the incident can be found below:

https://twitter.com/prismafi/status/1773726224952480049

1/ An investigation into the French dev Jolan Lacroix who recently stole $900K from the TICKER presale on Base before spending the funds on meme coins and Milady NFTs.
2/ TICKER launched a presale on March 16 raising a total of 877 ETH ($3.19M) via Party App on Base.

The token distribution was supposed to be: 24% LP, 71% presale/airdrops, 1% early contributors, 4% reserved for errors.

The team was fully anon.

1/ An investigation into the phishing scammer Ultra (Nicolas) who has stolen millions through Discord compromises such as MetaKey and X/Twitter spam just to spend it all gambling on Stake, rare usernames, and Roblox items.

2/ In Feb 2023 the Dead Army Skeleton Discord was compromised
after an admin was phished.

The attacker spammed phishing links in the announcements channel with funds ending up at offtherip.eth and Monkey Drainer.

https://twitter.com/jadulover23/status/1629928107166814209

1/ Some time has passed but there is now evidence to share how Tyronejkd is connected to the $1M 0xCrystals/0xCube scam and @3PEACEART account.

Let’s jump in.

https://twitter.com/zachxbt/status/1550153291019034624

2/ Last bull run this account popped up engagement farming with fake giveaways, stolen posts, & stolen punk pfp

They launched an NFT project they claimed was free with a limited supply. When people minted the actual price was 0.25 ETH & not free

When called out for the scheme they would delete posts & change usernames

1/ An investigation into how the influencer Crypto Rover ghosted a project he was paid to promote, mislead followers about his trading positions, and also his shills for pump and dump meme coins. 2/ In May 2023 Rover was connected with a project was connected to help promote it.

During negotiations Rover said he can “pump projects from 1/2m to 10m easy”

They agreed on $10K + 1% of the supply for payment

Rover address
0x4472d6969c0750dd7ba8e387d2b007a80794802f

1/ It’s 2024 and we are still seeing far too many teams getting SIM swapped or phished on a regular basis resulting in millions stolen.

So here are some tips EVERY team should follow to secure their X (Twitter) account and what to prioritize if an account becomes compromised.

https://twitter.com/zachxbt/status/1694326221511794706

2/ If you are subscribed or want to purchase X Premium you are required to attach a phone number to receive a check mark.

Once you apply for the check mark you can immediately remove the phone number after.

If you do not remove the phone number YOU WILL likely be SIM swapped at some point and the scammer would be able to gain access to your X account.

(US cell carriers are primarily being targeted but have seen Canada/EU as well)

1/ Throughout this year I have been monitoring someone who has withdrawn 11,200+ ETH ($25M) from Tornado Cash and spent the majority of it on Magic The Gathering (MTG) trading cards.

Here’s my analysis of where the funds went and what the potential source of funds could be. 2/ This person has withdrawn 110 X 100 ETH from Tornado to 11 addresses.

After they would:
1) Wrap the ETH
2) Transfer WETH to new address
3) Unwrap the WETH
4) Transfer USDC to MTG broker

(this is a strategy used to trick KYT at exchanges)