Auto blocking all people who send a DM with zero context or cannot formulate a basic sentence.
Only send messages with 3-4 short sentences including the theft address/txn hash, date of theft, size of theft, type of theft (if you know).
Due to the number of DMs I receive I can only guarantee a reply if the theft size is large or if your message stands out about an ongoing incident / provides intel (though I read all DMs).
The NY Post does not want to interview you on Telegram. If you received this DM earlier today on X it's a scam.
Seems a threat actor gained access to the NY Post X account and is sending DMs to people from CT.
Scammer TG ID: 7524587720
I almost did not make a warning post but some of you are 0 iq.
The other week a scam message with a similar script was sent to people via DM from TheDefiant.
Another $45M+ was stolen from Coinbase users via social engineering scams in just the last week.
Theft addresses
bc1qksulmw0scf9en4w22hzh3hvarnrfflyh52mydz
bc1qjpepgf7nfkm3mlumdru8lgjmsca8cc982f08xd
bc1qfmc6pkq3u63dzt6w28yxd28fhluqdzcyjfngy2
bc1q7x2fexw0fcufym04ug7kdk2r6pzfeg00g6xfjk
bc1qv9p9gcng7u9k8qxcqee5fhxnm8y6zwd4lal3lv
bc1qm6u4d4a0d6dnlwr22ywwlgzayvtgx6h45v4dln
bc1qel8as46edjk4h750kem4z280l09294ewj458qk
bc1qw3ggh8vdjtry04w790pz2w0synz3ewtpfc9rdj
0xaDEFbB6082F98BE8f0f7F0323af19eCD216f13B9
0x75B09e181a8bCfC4e05DB22B673d92bc55Fee150
h/t tanuki42 for the assistance
Over the past few months I have reported on nine figures stolen from Coinbase users via similar social engineering scams.
Interestingly no other major exchange has the same problem.
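The theft addresses above are published so that exchanges and compliance teams can screen against them. As an added example (not ZachXBT's code or tooling), the Python below builds a watchlist from the eight Bitcoin and two EVM addresses in this post, canonicalizes each entry by chain so that case differences in the hex form of an EVM address cannot cause a miss, verifies the bech32 checksum of each Bitcoin entry so that a mistyped IoC is reported instead of silently never matching, and screens a set of constructed withdrawal destinations against it. `SAMPLE_WITHDRAWALS` and its ids are invented for the demonstration; the one Bitcoin address in it that is not on the list is the BIP173 test vector.

```python
import re

# Watchlist: the theft addresses published in the Coinbase post above.
COINBASE_THEFT_ADDRESSES = [
    "bc1qksulmw0scf9en4w22hzh3hvarnrfflyh52mydz",
    "bc1qjpepgf7nfkm3mlumdru8lgjmsca8cc982f08xd",
    "bc1qfmc6pkq3u63dzt6w28yxd28fhluqdzcyjfngy2",
    "bc1q7x2fexw0fcufym04ug7kdk2r6pzfeg00g6xfjk",
    "bc1qv9p9gcng7u9k8qxcqee5fhxnm8y6zwd4lal3lv",
    "bc1qm6u4d4a0d6dnlwr22ywwlgzayvtgx6h45v4dln",
    "bc1qel8as46edjk4h750kem4z280l09294ewj458qk",
    "bc1qw3ggh8vdjtry04w790pz2w0synz3ewtpfc9rdj",
    "0xaDEFbB6082F98BE8f0f7F0323af19eCD216f13B9",
    "0x75B09e181a8bCfC4e05DB22B673d92bc55Fee150",
]

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3  # BIP173 (segwit v0) and BIP350 (v1+)


def bech32_polymod(values):
    """BCH checksum polymod from BIP173."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_verify(addr):
    """True if addr is a well-formed bech32/bech32m segwit address with a valid checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    expected = BECH32_CONST if values[0] == 0 else BECH32M_CONST
    return bech32_polymod(expanded + values) == expected


def classify(addr):
    """Return (chain, canonical form); raise ValueError for malformed or unsupported input."""
    a = addr.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", a):
        return "evm", a.lower()  # hex case carries no meaning for matching
    if a.lower().startswith("bc1"):
        if not bech32_verify(a):
            raise ValueError(f"bad bech32 checksum: {a}")
        return "btc", a.lower()
    raise ValueError(f"unsupported address format: {a}")


def build_watchlist(published):
    """Canonicalize published IoCs; return (set of (chain, address), rejected entries)."""
    watch, rejected = set(), []
    for entry in published:
        try:
            watch.add(classify(entry))
        except ValueError as err:
            rejected.append((entry, str(err)))  # surface transcription errors in the IoC list
    return watch, rejected


def screen_withdrawals(withdrawals, watch):
    """Return ids of withdrawals whose destination is on the watchlist."""
    hits = []
    for wid, dest in withdrawals:
        try:
            key = classify(dest)
        except ValueError:
            continue  # unparseable destination: not a hit here, handle in a separate check
        if key in watch:
            hits.append(wid)
    return hits


# Constructed sample withdrawals (ids and destinations chosen for the demo, not from the post).
SAMPLE_WITHDRAWALS = [
    ("w-1001", "0xadefbb6082f98be8f0f7f0323af19ecd216f13b9"),  # listed EVM address, lowercased
    ("w-1002", "bc1qksulmw0scf9en4w22hzh3hvarnrfflyh52mydz"),   # listed BTC address
    ("w-1003", "0x0000000000000000000000000000000000000001"),  # not listed
    ("w-1004", "BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4"),  # BIP173 test vector, not listed
]

if __name__ == "__main__":
    watch, rejected = build_watchlist(COINBASE_THEFT_ADDRESSES)
    print("rejected watchlist entries:", rejected)
    print("flagged withdrawals:", screen_withdrawals(SAMPLE_WITHDRAWALS, watch))
```

The design choice worth noting is that a malformed watchlist entry is reported rather than dropped or matched loosely: a single wrong character in a published bech32 address is caught by the checksum, which is exactly the failure mode that makes copy-pasted IoC lists silently useless.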
Investigations by ZachXBT
May have to temporarily turn off my DMs again bc many people do not respect your time.
EX: Someone spamming me about a 0.0367 SOL theft
Still unsure how to best filter out these types of people from being able to contact me.
A press release just posted from the Frankfurt prosecutors' office revealed the instant exchange 'eXch' had 34M euros and infrastructure for the platform seized by law enforcement.
eXch was used to launder hundreds of millions from the Bybit hack, Multisig hack, FixedFloat exploit, $243M Genesis Creditor theft, and countless phishing drainer services over the past few years with refusal to block addresses and freeze orders.
My new post sharing an investigation on a $243M theft from last month which led to multiple arrests and $9M+ frozen https://x.com/zachxbt/status/1836752923830702392?
Update: 12 people were just charged in the $243M Genesis Creditor theft from Aug 2024.
The threat actor who stole $300M+ from Coinbase users by paying customer support just began trolling me onchain with this message after swapping $42.5M+ from BTC -> ETH via Thorchain today.
Transaction hash
0x18c909a8438d94e88a434521ee9fc143c8777452fbecb09b034b8fd049d6477f
A victim is suspected of being hacked by DPRK due to malware for $5.2M+ on May 24th after the victim's wallets saw outflows from various multisig, EOAs, and exchange accounts where assets were market sold. Yesterday 1000 ETH was deposited to Tornado Cash.
Theft addresses
0x9d42a049f88f1db4b304441081aff7c40d857bea
0x4be5023ad49573a544a9a4109e4f1880a32fe5c3
0x31088345396d0cf00a81a3e3b8e8c5bb8ec768a3
The Taiwanese crypto exchange 'BitoPro' was likely exploited for ~$11.5M on May 8, 2025.
Hot wallets on Tron, Ethereum, Solana, Polygon, etc saw suspicious outflows where assets were market sold via DEX. The stolen funds were then deposited to Tornado or bridged to Bitcoin via Thorchain and deposited to Wasabi.
BitoPro has yet to formally disclose the incident on X or Telegram and told users the exchange was just offline for "maintenance".
Update: BitoPro just confirmed my findings about the incident via an announcement on Telegram.
Theft addresses
0x2453933c98b6e55397103f7c1081626e0a02d2c9
0x454cf3892a949c94569ab2663090ecdca811a6f0
TRoLEoNiiod5m8TSdmSR4iW17yQCfc2YJV
G1bdPViZztqV5ptH3mVyXdAKYRm1jBhGiGvdDx9LmaCd
bc1qcwzxklr3tr7zjhvql7pqtg57rkvm55vcz8ydul
The Iranian crypto exchange 'Nobitex' appears to have been exploited for $81.7M on Tron, Bitcoin, Doge, and EVM chains after suspicious outflows were observed from many wallets linked to them.
The attacker used the vanity address TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
The funds were essentially burned permanently and cannot be touched unless stablecoin issuers were to reissue the centralized stablecoins.
Update: The pro-Israel hacker group known as Gonjeshke Darande (Predatory Sparrow) takes credit for the attack on Nobitex.
A suspicious address received 193 small withdrawals in a 1.5 hour period from Coinbase for 1.67M USDC total on June 23, 2025 and swapped all funds for ETH and deposited it to Tornado Cash.
0xf43622c9b9cdbb515eced56ac6a5ad60eaa6be6f
A victim had multiple addresses drained on Solana for $3.2M on May 16, 2025 in a suspected Lazarus Group attack. The assets were market sold and the stolen funds were bridged from Solana to Ethereum.
On June 25, 2025 400 ETH was deposited to Tornado Cash.
On June 27, 2025 400 ETH was deposited to Tornado Cash.
$1.25M still sits as DAI & ETH at 0xa5f7499804f941335ab72f232cf15c59aaa3d528
Theft address
C4WY18k5mecJ6Vu6imUqSCSvCcAyqcL5nPPrNZGve525
If you send me a message on X/Twitter asking for help I will likely not respond unless it's a $100K+ theft or adds value to my work (intel, ongoing incident, etc).
Also not interested in taking on pro bono cases unless it connects to an active investigation or research project.
Do not ask me for paid promotions to shill a token for your platform as the answer will always be no.
Only have interest in contract work / advisor roles that rely on my actual skills and not an endorsement to my followers.
The recent ~$140M (R$ 800M) cyberattack on the Central Bank of Brazil services provider C&M Software is easily one of the most insane cases from this year.
Six financial institutions experienced unauthorized access to their reserve accounts on June 30, 2025.
Attackers converted fiat to BTC / ETH / USDT via Latam OTCs / exchanges. By my estimate at least $30-40M was converted to crypto.
Brazilian law enforcement has since shared the threat actor paid an employee at C&M only $2.76K (R$ 15K) for his corporate login and password.
I'll publish theft addresses related to the incident that I found when it's ok to share them as I have been helping freeze funds and attributing unlabeled OTCs.
Have not seen much coverage on the incident outside of Brazil.
Looks like the Indian centralized exchange 'CoinDCX' was likely drained for ~$44.2M almost 17 hours ago and has yet to disclose the incident to the community.
The attacker address was funded with 1 ETH from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum.
H/t Cyvers for flagging the withdrawals to me. The affected CoinDCX hot wallet is not publicly tagged or in current proof of reserves so I had to manually attribute it via reviewing counterparties.
Theft addresses
6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n
3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu
0xEF0c5b9E0E9643937D75C229648158584A8CD8D2
Update: CoinDCX disclosed the incident after my post.
A CoinDCX team member is telling the community on Discord to engage with the CoinDCX co-founder's post thanking him for the "transparency".
Spending long hours helping freeze funds for the Bybit hack has been eye opening. This industry is unbelievably cooked when it comes to exploits/hacks and sadly idk if the industry is going to fix this itself unless the government forcibly passes regulations…
For an industry that was founded on principles of independence from the government it's embarrassing how reliant we are on them to find a solution for victims.
There's no other industry that has normalized thefts to the same extent.
These are all major problems no one has been able to solve and continue to get worse as bad actors improve their efficiency while nothing changes:
>What happens when >95% of law enforcement (LE) is not competent enough to trace a basic theft and seize frozen funds from centralized platforms?
>What happens when thefts <$100K are never assigned to LE after filing a police report due to lack of resources?
>What happens when a victim is located in one jurisdiction but the perpetrator is in a different uncooperative jurisdiction?
>What happens when the perpetrator is a minor so LE chooses to not pursue further?
>What happens when teams and exchanges are not willing to collaborate with the private sector?
>What happens when a victim cannot pursue litigation to recover frozen funds because retaining a firm costs more than the amount stolen?
>What happens when offshore exchanges have jurisdictional uncertainty due to regulatory arbitrage and refuse to honor court orders?
>What happens when a major publicized incident occurs but a stablecoin issuer requires an impossible ask of a court order within minutes in order to blacklist?
>What happens when founders profit millions in fees from laundering stolen funds and then refuse to return them as they flex record user metrics on X?
>What happens if the government makes KYC mandatory for DeFi but companies with breaches of sensitive PII are never held liable?
>What happens when the legal system can be easily abused with incomplete tracing due to outdated laws rather than facts?