Investigations by ZachXBT


Channel geo and language: Worldwide, English
Category: Cryptocurrencies


Reports, news, & insights shared by ZachXBT
Donation address
EVM
0x9D727911B54C455B0071A7B682FcF4Bc444B5596
SOL
investigations.sol



Update: The pro-Israel hacker group known as Gonjeshke Darande (Predatory Sparrow) takes credit for the attack on Nobitex.


The Iranian crypto exchange ‘Nobitex’ appears to have been exploited for $48.65M on Tron after suspicious outflows were observed from many wallets linked to them.

The attacker used the vanity address TKFuckiRGCTerroristsNoBiTEXy2r7mNX


The Taiwanese crypto exchange 'BitoPro' was likely exploited for ~$11.5M on May 8, 2025.

Hot wallets on Tron, Ethereum, Solana, Polygon, etc. saw suspicious outflows where assets were market sold via DEX. The stolen funds were then deposited to Tornado or bridged to Bitcoin via Thorchain and deposited to Wasabi.

BitoPro has yet to formally disclose the incident on X or Telegram and told users the exchange was just offline for "maintenance".

Theft address


A victim is suspected of being hacked by DPRK via malware for $5.2M+ on May 24th after the victim's wallets saw outflows from various multisigs, EOAs, and exchange accounts where assets were market sold. Yesterday 1000 ETH was deposited to Tornado Cash.

Theft address
0x9d42a049f88f1db4b304441081aff7c40d857bea
0x4be5023ad49573a544a9a4109e4f1880a32fe5c3
0x31088345396d0cf00a81a3e3b8e8c5bb8ec768a3


The threat actor who stole $300M+ from Coinbase users by paying customer support just began trolling me onchain with this message after swapping $42.5M+ from BTC -> ETH via Thorchain today.

Transaction hash
0x18c909a8438d94e88a434521ee9fc143c8777452fbecb09b034b8fd049d6477f




Update: 12 people were just charged in the $243M Genesis Creditor theft from Aug 2024.


A press release just posted from the Frankfurt prosecutors office revealed the instant exchange 'eXch' had 34M euros and infrastructure for the platform seized by law enforcement.

eXch was used to launder hundreds of millions from the Bybit hack, Multisig hack, FixedFloat exploit, $243M Genesis Creditor theft, and countless phishing drainer services over the past few years while refusing to block addresses and freeze orders.


May have to temporarily turn off my DMs again bc many people do not respect your time.

EX: Someone spamming me about a 0.0367 SOL theft

Still unsure how to best filter out this type of person from being able to contact me.


Another $45M+ was stolen from Coinbase users via social engineering scams in just the last week.

Theft addresses

h/t tanuki42 for the assistance

Over the past few months I have reported on nine figures stolen from Coinbase users via similar social engineering scams.

Interestingly no other major exchange has the same problem.


No the NY Post does not want to interview you on Telegram. If you received this DM earlier today on X it’s simply a scam.

Seems a threat actor gained access to the NY Post X account and is sending DMs to people from CT.

Scammer TG ID: 7524587720

The other week a scam message with a similar script was sent to people via DM from TheDefiant.


Auto-blocking all people who send a DM with zero context or cannot formulate a basic sentence.

Only send messages with 3-4 short sentences including the theft address/txn hash, date of theft, size of theft, type of theft (if you know).

Due to the number of DMs I receive I can only guarantee a reply if the theft size is large or if your message stands out about an ongoing incident / provides intel (though I read all DMs).


So far there are multiple suspects in the $330M (3520 BTC) social engineering theft from April 27, 2025. Both have since deleted their social media accounts.

-Nina/Mo: Somali who operates a call scam centre in Camden, UK
-W0rk: Assisted with the site/call


It is suspected a Coinbase user was scammed yesterday for $34.9M (400.099 BTC).

Theft address
bc1qvlustvxhqzee9tgqers4tfungrg6c0fs4u76jf

After uncovering this theft I noticed multiple other suspected thefts from Coinbase users in the past two weeks, bringing the total stolen this month to $46M+. Funds from each theft were bridged from Bitcoin to Ethereum via Thorchain / Chainflip and swapped for DAI.

60.164 BTC - Mar 26
bc1qhc72zfqwqh3e6lns5ay084k29tmqlgw75jsxec

46.147 BTC - Mar 25
bc1qd6v3220v49j0xgmycksze59z90gru46dlxg8ff

20.028 BTC - Mar 16
bc1qd59e296yyr8x4gyr53xt4yjmmgukwemetalcuf

Coinbase has not flagged any of the theft addresses from these victims in compliance tools.

Last month I posted an investigation on X about how $65M was stolen from Coinbase users in December 2024 - January 2025 and talked about how Coinbase has quietly been facing a $300M / yr social engineering scam problem affecting its users.


Community Alert: As Token 2049 approaches be careful of sponsors, as little due diligence is done on them for conferences (just because someone is a title or platinum sponsor does not mean they are credible).

Title sponsor
-Spacecoin (botted project)

Platinum sponsor
-Bitunix (sketchy exchange)
-JuCoin (sketchy exchange)
-WEEX (sketchy exchange)
-Auros (sketchy market maker)
-DWF (sketchy market maker)

Note: These are the only teams I have on my radar and I suspect more would make the list.

One of the easiest due diligence hacks for a centralized exchange to check if they are sketchy or not is to verify if the team is public and has prior work history in the space. Bitunix, JuCoin, & WEEX all fail this test.

Example: In late 2023 a sketchy exchange, JPEX, was a Platinum sponsor for Token 2049, and the team was flagged by the Hong Kong government during the conference for "suspicious features" and was later arrested after 1400 reports by victims to law enforcement; $100M+ was suspected stolen.


Five addresses linked to the entity who manipulated JELLY on Hyperliquid still hold ~10% of the JELLY supply on Solana ($1.9M+). All JELLY was purchased since March 22, 2025.


This entity sold JELLY in the last hour from two addresses:
Gm35VHcLqnpow5PCHeLMvG2krJ2deGANKfc2xAuQmept
CWvCD7EfuMu3QMTPtFb4rCF663HsD35GuW5G1xjSuaHD


Update: Veer Chetal (Wiz) was arrested as part of his involvement in the $243M Genesis creditor theft.

Here’s his mug shot:


I regularly have people ask me about tools I use in my investigations so here’s a comprehensive list:

Cielo - Wallet Tracking (EVM, Bitcoin, Solana, Tron, etc)
TRM - Create graphs for addresses/transactions
MetaSuites - Chrome extension that adds additional data on block explorers
OSINT Industries - email/username/phone lookups
LeakPeek - db lookups
Snusbase - db lookups
Intelx - db lookups
Spur - IP lookups
Cavalier (Hudson Rock) - Infostealer lookups
Impersonator - Chrome extension to spoof login to dApps
MetaSleuth - Similar to TRM but intended for retail users
Arkham - Multichain block explorer, entity labels, create graphs, alerts
Obsidian - Create flow charts / diagrams
Wayback Machine - archive web pages
Archive Today - archive web pages
Etherscan/Solscan - block explorer for EVM / Solana
Blockchair - Bitcoin block explorer
Range - CCTP bridge explorer
Pulsy - bridge explorer aggregator
Socketscan - EVM bridge explorer
Dune - Analytics platform to query blockchain data
Mugetsu - X/Twitter username history & meme coin lookups
TelegramDB Search Bot - Basic Telegram OSINT
Discord[.]ID - Basic Discord account info
CryptoTaxCalculator - Track PNL for an address

Note: I am not paid by these platforms to mention them and do not have referral links to share.


Please stop trying to invite me as a speaker for conferences, podcasts, or interviews as the answer will be no.

Majority of the time they are only beneficial if you have something new to promote or can get exposure to a different audience.

You should always be skeptical of the projects who spend more time attending conferences or making podcast appearances rather than actually building their products.


Spending long hours helping freeze funds for the Bybit hack has been eye opening.

This industry is unbelievably cooked when it comes to exploits/hacks and sadly idk if the industry is going to fix this itself unless the government forcibly passes regulations that hurt our entire industry.

Several “decentralized” protocols have recently had nearly 100% of their monthly volume/fees derived from DPRK and refuse to take any accountability.

Centralized exchanges end up being worse as when illicit funds flow through them a few take multiple hours to respond when it only takes minutes to launder.

KYT is completely flawed and easily evadable.

KYC is just a honeypot for regular users bc of breaches/insiders and is useless in the majority of cases due to purchased accounts.

DPRK laundering $1.4B from the recent hack has only exposed how broken it is.

Showing the 20 most recent posts.