On August 19, a twentysomething man who goes by the online handle ZachXBT was walking into
an airport to board a flight home—which airport, his real name, where home is, he’d rather
not say—when he saw an alert on his phone. A sum of bitcoins had just been transferred to a
small cryptocurrency exchange, one of many whose transactions he constantly monitors on
Bitcoin’s blockchain for signs of criminal money laundering. The alert piqued his interest:
This transaction was worth around $600,000, a cash-out of funds that was easily 10 times
bigger than the typical trade on that service.
When he reached his gate, another ping alerted him to a second transaction on the same
exchange worth more than $1 million. Then one for $2 million. As he stood in line to board
his plane, ZachXBT hurriedly traced the money on his phone, following it backward in time
from one Bitcoin address to another, flagging the suspicious funds and racing to find their
origin before the half hour of internet blackout between wheels-up and the plane's Wi-Fi
coming online. Before he was in the air, he had determined that the money had come from a
crypto wallet that had held hundreds of millions of dollars worth of Bitcoin that hadn't
moved since 2012—and that this nine-figure mountain of money was now being hurriedly
liquidated at exchanges with high transaction costs that no patient, decade-plus Bitcoin
investor would accept.
To ZachXBT, the flow of funds immediately looked instead like a giant theft. In fact, as he
double-checked his findings, it appeared that someone had stolen around $243 million worth
of Bitcoin from one unlucky victim, perhaps the biggest known crypto heist ever to target an
individual. “It was such an abnormally large amount stolen from a single person,” ZachXBT
tells WIRED. “I had to make sure I wasn't crazy.”
Once he was above 10,000 feet with working Wi-Fi, ZachXBT began to trace more outflows of
the stolen funds as they were passed through one exchange and coin-swapping service after
another. Over the next hours, he raced to graph out the branching money movements as the
thieves transferred the coins through more than a dozen of those platforms in an apparent
attempt at obfuscating their path.
As he followed that trail back to whoever had lost the bitcoins, ZachXBT could see that a
portion of the funds had originally come from the now-defunct Genesis cryptocurrency
exchange. He direct-messaged the exchange's administrators on X and asked them to put him in
touch with the victim, who would ultimately hire him to hunt for the stolen money.
By the time his flight had landed, ZachXBT had come to see that there were three main
threads of the stolen funds—going to what he believed were three likely culprits. He had
also posted a message to his more than 650,000 followers on X, pointing out the theft in
progress on the blockchain. He would soon be rewarded with a message from a source who
claimed to have clues of the thieves' identities.
Over the next week, working on the case day and night, sleeping no more than four or five
hours at a time, and periodically sharing his findings with law enforcement agencies,
ZachXBT would identify the alleged suspects behind the theft—two young hackers named Malone
Lam and Jeandiel Serrano, both in their early twenties. (ZachXBT also identified another
alleged hacker whom WIRED has chosen not to publicly name because the individual hasn't been
arrested or charged.) He even obtained a video recording that he says shows one of their
screens as the theft was completed and they celebrated their enormous windfall. In his
whirlwind investigation, ZachXBT went so far as to track the alleged suspects on Instagram
and TikTok, watching one of them blow millions on cars, private jets, and clubs where the
alleged culprit spent as much as $500,000 a night.
Less than a month after the alert pinged ZachXBT's phone on the plane, two out of three
suspected thieves would be arrested and criminally charged.
When ZachXBT finally saw the mug shot of one of the alleged hackers, he says he felt a brief
rush of adrenaline. But it passed quickly. “I didn't really feel any special sense of
accomplishment,” ZachXBT says. “I was just treating it as any other case.”
A Crypto Private Eye for the People
If tracing a quarter-billion-dollar theft feels to ZachXBT like just another day on the
internet, that's perhaps because he has distinguished himself over the past three years as
the most prolific independent crypto-focused detective in the world. Since he began his work
as an amateur investigator in 2021, he has traced billions of dollars in stolen funds and
scams. By his own count—which he broke down for WIRED in a spreadsheet—his hundreds of
investigations have directly led to the recovery of around $210 million worth of criminal
crypto proceeds, as well as another $225 million in seized funds he had at least some
less-direct hand in helping to claw back for victims. He has called out influencers
promoting coins in pump-and-dump schemes, hunted down cybercriminals behind massive crypto
heists, and revealed dozens of incidents of North Korean hackers breaching crypto firms or
even infiltrating those companies as employees.
Throughout all of it, he has been funded almost entirely by cryptocurrency donations in the
forms of grants from cryptocurrency organizations and payments from strangers who send
contributions to an address he lists in his social media profiles, adding up to around $1.3
million since 2021. “He's a new generation of investigator. He works for the people,” says
Joe McGill, an analyst at the Secret Service who has collaborated with ZachXBT. “His success
is completely tied to the success of his investigations.”
As ZachXBT has pursued that career as a crypto vigilante, he has also kept his mask firmly
in place. Online, he appears only as his avatar, a kind of platypus cartoon figure in a
detective's trench coat or sometimes a hoodie. To avoid retaliation from his many enemies in
the world of crypto criminals and con artists, he has never publicly shown his face nor
revealed his real name or exact age and would only speak to WIRED on the condition that I
not try to dig up those identifying details.
On some of their early conference calls, McGill says, ZachXBT would not only keep his camera
off but even use a voice-changer application, sometimes sounding like a high-pitched “South
Park character,” as McGill puts it, or on other occasions deepening his voice's pitch until
it reminded him of something out of a horror film. “It was very odd, initially,” says
McGill, who at the time worked at the crypto-tracing firm TRM Labs. “But I respected his
privacy, because this anonymous guy was doing really great work.”
ZachXBT exposes so many crypto criminal scams and thefts on a near-weekly basis, often
working far faster than law enforcement agencies, says Nick Bax, a cryptocurrency
investigator and founder of the firm Five I's, that Bax has wondered half-jokingly if he
might be some kind of bot.
“He is a machine,” Bax says.
As part of one investigation last year where they collaborated to trace a $60 million theft
from a crypto project called AnubisDAO in 2021, Bax gave ZachXBT a list of 500 transactions
on a Saturday night, each of which needed to be manually analyzed along with all its
connected blockchain addresses. “I figured that would keep him busy for at least a few
days,” Bax says. Instead, by early the next afternoon, ZachXBT had gone through every
transaction and identified which ones were tied to the theft. “I was shocked,” Bax says. “He
definitely had to have been on his computer for 12 hours straight.”
Many of the results of ZachXBT's investigations are unceremoniously posted to his account on
X. Over time, however, his findings have increasingly gained attention from law enforcement
agencies—several of which he now often shares his findings with prior to publication. The
result has been real and growing consequences for the targets of that detective work. “As
Zach has gotten bigger, there have been financial repercussions and legal repercussions,”
says Taylor Monahan, a security researcher at crypto firm MetaMask and one of ZachXBT's
closest collaborators on investigations, including the $243 million theft case. “If Zach
posts a thread about someone now, and it's a good one, that person is going to get
arrested.”
From Victim to Whistleblower
So how has ZachXBT managed to outrace and out-trace even law enforcement's crypto
investigators, despite having no formal training or organizational support? Even he isn't
entirely sure. “That's a tough question. I don't know why I'm good,” ZachXBT tells WIRED in
a phone interview. He chalks it up to a willingness to work around the clock—crypto markets
never close, after all—and a familiarity with analyzing cryptocurrency blockchains that
comes from years of poring over those vast ledgers of transactions. “The more you look at
the blockchain, like when you eat, sleep, and breathe it, it starts to make more sense over
time,” he says. “You can just start to pick up on those connections. I can look at a wallet,
and I can profile it and tell you if it's a bad actor within seconds.”
ZachXBT says that familiarity with blockchains comes from his years of experience as a
crypto enthusiast and trader—and as a victim himself of some of the crypto economy's many
traps for unwary investors. Around 2017, he says, he was naively buying thousands of dollars
worth of crypto tokens that would all eventually tank in value—often due to so-called “rug
pulls,” when a crypto token's creator sells off their holdings and all the other investors
are left with a worthless asset. “I was buying in like, ‘This is going to change the world.’
I just held it and never sold,” ZachXBT says. As a result, he says, “I was the person
getting scammed.”
By 2018, not only had all those investments cratered, but an Electrum crypto wallet that
ZachXBT used was hacked with a malicious software update. He lost close to $15,000 more.
Only at that point did he decide to take a step back and rethink his approach. Instead of
simply buying and holding tokens, he began analyzing cryptocurrencies' blockchains—almost
all of which are publicly visible to anyone who can decipher the owner of different
addresses—to see how larger, more successful investors were trading tokens and coins, then
to try to emulate their moves.
As a result of that blockchain analysis, he was familiar enough by 2020 with tracing crypto
transactions to be able to spot scams in progress that weren't visible to the average
investor. He'd see an influencer publicly promoting a crypto asset to their hundreds of
thousands of followers, boosting its price, and then follow their funds on a blockchain to
see that they were actually selling their own holdings immediately afterward in what often
seemed to be a classic pump-and-dump scheme. “It was more like being a whistleblower,”
ZachXBT says. “I'd notice that activity and think, ‘This kind of reminds me of what I fell
for back in 2017 and 2018. Why not make a post about it?’ And that started to blow up.”
When the NFT craze kicked off later that year, ZachXBT began similarly scrutinizing NFT
projects like Bored Bunny and Billionaire Dogs Club to show where the money flowing into
them was really going. Some of those NFT sellers would raise millions with little more than
cartoon .jpg images, promising that the NFTs created from them would confer perks like entry
to exclusive events or clubs. Instead, ZachXBT could see through blockchain analysis that
the sellers were simply dividing and pocketing the funds. Sometimes, he'd even discover
through crypto tracing that an NFT seller was, in fact, a rebrand of an earlier project that
had already proven to be a scam.
In some of those instances, ZachXBT's posts about NFT sellers did manage to scare off buyers
and prevent shady NFT dealers from selling their wares. But over time, he grew bored of
uncovering the same often transparent hustles run again and again, and frustrated with the
lack of more concrete results: No one linked to the NFT projects he exposed faced criminal
charges.
Then, in early 2022, he began to notice that a group of hackers were taking over the Twitter
accounts of high-profile crypto users and posting phishing links to Ethereum smart contracts
designed to drain users' wallets, resulting in tens of millions of dollars in thefts.
Whenever a devastated victim posted that their savings had been stolen, ZachXBT would make
contact with them and then meticulously trace out the funds they'd lost. He combined those
blockchain clues with sources he'd begun to develop in the Discord and Telegram channels
frequented by young crypto thieves, which led him to a few online handles of teenagers who
seemed to be behind the phishing campaign and were bragging about their massive scores.
By this point, ZachXBT had become notorious enough in the crypto underworld that one person
he believed to be a suspect had even included an apparent taunt about “mr xbt” in a Twitter
post boasting about a diamond-encrusted Audemars Piguet wristwatch he'd bought. ZachXBT
tracked down the watch seller in a luxury watch Discord channel and convinced the vendor,
who had sold the timepiece for close to $50,000, to turn over the teenager's shipping
address and real name.
No public records appear to document whether the alleged thieves were arrested—possibly
because the suspects were minors and the charges have either been sealed or were never
filed. But ZachXBT found a forfeiture notice showing that in October of 2022, a month after
ZachXBT posted his findings on X, the FBI seized more than $200,000 worth of crypto assets
from the teen suspect he’d identified—and the diamond watch.
That same year, ZachXBT used similar techniques to trace another $2.5 million worth of NFTs
stolen through a different phishing campaign to an alleged pair of French hackers. In that
case, French prosecutors arrested five suspects a couple of months later and, according to
Agence France-Presse, specifically credited ZachXBT's thread posted to X for aiding in their
investigation into the two alleged ringleaders. “To see law enforcement acting on something
I'd shared, that was very fulfilling,” ZachXBT says. “It made me think maybe I was actually
onto something with what I'd been doing.”
In the two years since first gaining law enforcement's attention, the scale—and, in some
cases, the consequences—of ZachXBT's investigations has exploded. In February of 2023, he
tracked down nearly $9 million in funds stolen from the crypto project Platypus, identifying
one of the alleged thieves in a matter of hours; French police arrested two suspects just
over a week later. Though the charges against the pair would ultimately be dropped, police
recovered several million dollars in funds, and Platypus thanked ZachXBT in a tweet. Later
that year, he traced a $25 million theft from crypto firm Uranium Finance, much of which
appeared to have been laundered through the purchase of rare Magic: The Gathering cards.
When the cybercriminal group known as Scattered Spider carried out a ransomware attack
against Caesars Entertainment in Las Vegas that extorted $15 million from the company,
ZachXBT helped to trace and recover $12 million of the funds, according to other
investigators who worked on the case and spoke with WIRED.
Around the same time, ZachXBT published the results of a massive collection of
investigations into 25 crypto thefts carried out by North Korean hackers totaling more than
$200 million, about $7 million of which he'd helped to freeze. Around half of the hacks had
never before been publicly revealed. He followed up that investigation with another that
exposed a web of around 30 North Korean IT workers who had infiltrated tech companies and
were being paid in cryptocurrency. In one case, one of those tech workers who seemed to be
linked to North Korea had gotten hired at the NFT firm Munchables and had managed to steal
$62 million in crypto assets from the company. When ZachXBT helped to identify and flag the
funds, the spotlight on the thief made the money so hard to liquidate that they simply gave
it back.
“Do You Know How Much Money That Is?”
Even so, when ZachXBT got the text alerts in the airport that put him onto the trail of $243
million taken from a single victim on August 19, it was one of the biggest thefts he'd ever
chased.
When he got back home from his international flight, he continued to follow those branching
funds for days while monitoring social media for signs of his three suspects, two of whom
went by the handles Greavys and Box. Greavys in particular—whose real name was Malone Lam
and who appeared to be in Miami—was posting and appearing in photos of luxury real estate,
diamond watches, jets, and sports cars including a Lamborghini Revuelto and a Pagani Huayra,
the latter of which typically sells for more than $3 million. ZachXBT found posts from
influencers to whom Greavys had gifted Birkin and Hermès purses worth between $30,000 and
$50,000 each, and pictures of electric signs in a nightclub carried by servers that read,
“WHO WANT A BIRK,” tagged with his name.
“It seemed like all they did was just party and steal money,” ZachXBT says.
Within a few days, he'd persuaded the source who'd first DMed him during his flight to send
him a video of a screenshare among the three hackers who appeared to be involved in the
theft. Unbeknownst to them, one of the alleged hackers had re-shared his screen during that
screenshare with another group of friends—and one of them appears to have recorded it.
Several times in the 90-minute video, ZachXBT says, the three hackers refer to each other by
their first names. At another point, one of the three men also briefly flashed his Windows
home screen, revealing his last name, too.
The video even captures the moment of the alleged hackers’ delirious reaction to pulling off
a nine-figure theft. “Oh my god! Oh my god! 243 million dollars! Yes!” one of them says in
the recording. “I’m going to spaz out! Yo! We’re done. We’re done. I'm spazzing out. Do you
know how much money that is?”
Late in the afternoon on September 18, just shy of a month after ZachXBT's investigation
began, Lam was arrested in Miami at a waterfront rental property for which he was paying
$68,000 a month. Box—whose real name is Jeandiel Serrano—was taken into custody in the Los
Angeles airport while flying home from a vacation in the Maldives with his girlfriend.
According to prosecutors, he was wearing a $500,000 watch at the time of his arrest, was
renting a house near LA for more than $40,000 a month, and had spent $1 million on luxury
cars. The next day, wire fraud and money laundering charges against both Lam and Serrano
were unsealed. According to court documents, both hackers had confessed to law enforcement
investigators that they participated in multiple crypto thefts. Lam specifically admitted
that the profits from them had funded his purchases of no fewer than 31 high-end cars.
So far, $79 million of the $243 million they allegedly stole has been seized or frozen.
ZachXBT is hopeful that more of the money will still be found. Prosecutors say that more
than $100 million remains unaccounted for, even after the alleged hackers’ spending spree.
ZachXBT’s third suspect, who appears to live in Connecticut, based on public records, has
yet to be charged with any crime. Reporter Brian Krebs has pointed to a criminal complaint,
however, that describes how a group of men allegedly carjacked a Connecticut couple in their
fifties in a Lamborghini four days after the $243 million theft in late August and briefly
kidnapped them because the carjackers “believed the victims’ son had access to significant
amounts of digital currency”—suggesting that the victims may have been the parents of the
third alleged recipient of the funds ZachXBT had traced.
For ZachXBT, the investigation may be a kind of turning point. For the first time, he was
retained by the victim in the case and was paid for his skills rather than working as a
volunteer for donations. He says he may transition to doing more of that paid work or even
start his own investigations firm.
But he maintains that he's still not out to get rich from his exposés. “I see money seized,
money returned to victims, people arrested, and that's my goal. That's what I set out to
do,” ZachXBT says. “To see that it's benefiting people. That's what I get my gratification
from.”
His collaborator, Taylor Monahan of crypto wallet firm MetaMask, who has now worked with him
on dozens of investigations, says she believes ZachXBT is still driven largely by a sense of
justice—the kind that comes from once having been a victim of the crypto world's cruelty
himself, and wanting to prevent that same outcome for others.
“He had the same experience that so many people in this space have had, which is that
something bad happens, and everyone around you says, ‘Sucks for you,’” Monahan says. “He
viscerally rejects that experience. And he wants to change it.”
2024-10-24 09:00:00