Investigations by ZachXBT
My new post sharing an investigation on a $243M theft from last month which led to multiple arrests and $9M+ frozen https://x.com/zachxbt/status/1836752923830702392?
Update: 12 people were just charged in the $243M Genesis Creditor theft from Aug 2024.
The threat actor who stole $300M+ from Coinbase users by paying customer support just began trolling me onchain with this message after swapping $42.5M+ from BTC -> ETH via Thorchain today.
Transaction hash
0x18c909a8438d94e88a434521ee9fc143c8777452fbecb09b034b8fd049d6477f
A victim is suspected of being hacked by DPRK due to malware for $5.2M+ on May 24th after the victim's wallets saw outflows from various multisig, EOAs, and exchange accounts where assets were market sold. Yesterday 1000 ETH was deposited to Tornado Cash.
Theft address
0x9d42a049f88f1db4b304441081aff7c40d857bea
0x4be5023ad49573a544a9a4109e4f1880a32fe5c3
0x31088345396d0cf00a81a3e3b8e8c5bb8ec768a3
The Taiwanese crypto exchange 'BitoPro' was likely exploited for ~$11.5M on May 8, 2025.
Hot wallets on Tron, Ethereum, Solana, Polygon, etc. saw suspicious outflows where assets were market sold via DEX. The stolen funds were then deposited to Tornado or bridged to Bitcoin via Thorchain and deposited to Wasabi.
BitoPro has yet to formally disclose the incident on X or Telegram and told users the exchange was just offline for "maintenance".
Update: BitoPro just confirmed my findings about the incident via an announcement on Telegram.
Theft address
0x2453933c98b6e55397103f7c1081626e0a02d2c9
0x454cf3892a949c94569ab2663090ecdca811a6f0
TRoLEoNiiod5m8TSdmSR4iW17yQCfc2YJV
G1bdPViZztqV5ptH3mVyXdAKYRm1jBhGiGvdDx9LmaCd
bc1qcwzxklr3tr7zjhvql7pqtg57rkvm55vcz8ydul
The Iranian crypto exchange 'Nobitex' appears to have been exploited for $81.7M on Tron, Bitcoin, Doge, and EVM chains after suspicious outflows were observed from many wallets linked to them.
The attacker used the vanity address TKFuckiRGCTerroristsNoBiTEXy2r7mNX
0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
1FuckiRGCTerroristsNoBiTEXXXaAovLX
DFuckiRGCTerroristsNoBiTEXXXWLW65t
The funds were essentially burned permanently and cannot be touched unless stablecoin issuers were to reissue the centralized stablecoins.
Update: The pro-Israel hacker group known as Gonjeshke Darande (Predatory Sparrow) takes credit for the attack on Nobitex.
A suspicious address received 193 small withdrawals in a 1.5 hour period from Coinbase for 1.67M USDC total on June 23, 2025 and swapped all funds for ETH and deposited it to Tornado Cash.
0xf43622c9b9cdbb515eced56ac6a5ad60eaa6be6f
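The post above describes a burst of 193 small withdrawals to one address inside 1.5 hours. The following is an added example of how an exchange-side monitor could flag that shape in its own withdrawal log; it is not the author's tooling, and the withdrawal records, the `0xCONSTRUCTED_*` addresses and the thresholds (`min_count`, `max_single`) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def burst_destinations(withdrawals, window=timedelta(hours=1, minutes=30),
                       min_count=50, max_single=25_000.0):
    """Flag destinations that received at least `min_count` withdrawals,
    each no larger than `max_single` USDC, inside any span of `window`.
    Returns {destination: (count, total_usdc)} for the densest such span.
    Thresholds are assumptions, not values from the post."""
    by_dest = defaultdict(list)
    for ts, dest, amount in withdrawals:
        if amount <= max_single:           # only "small" withdrawals count
            by_dest[dest].append((datetime.fromisoformat(ts), amount))
    flagged = {}
    for dest, rows in by_dest.items():
        rows.sort()                        # sliding window needs time order
        start, running, best = 0, 0.0, (0, 0.0)
        for end, (t_end, amount) in enumerate(rows):
            running += amount
            while t_end - rows[start][0] > window:   # drop rows outside window
                running -= rows[start][1]
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, running)
        if best[0] >= min_count:
            flagged[dest] = (best[0], round(best[1], 2))
    return flagged


def constructed_sample():
    """Constructed withdrawal log (NOT real exchange data): 193 small USDC
    withdrawals to one destination within ~90 minutes, mirroring the shape
    of the June 23, 2025 observation, plus benign larger withdrawals."""
    base = datetime(2025, 6, 23, 14, 0, 0)
    rows = []
    for i in range(193):                   # 192 gaps * 28 s = 89.6 minutes
        t = base + timedelta(seconds=28 * i)
        rows.append((t.isoformat(), "0xCONSTRUCTED_SUSPICIOUS", 8652.85))
    for i in range(20):                    # background traffic, above max_single
        t = base + timedelta(minutes=7 * i)
        rows.append((t.isoformat(), f"0xCONSTRUCTED_USER_{i}", 50_000.0))
    return rows


if __name__ == "__main__":
    for dest, (count, total) in burst_destinations(constructed_sample()).items():
        print(f"{dest}: {count} withdrawals, {total:,.2f} USDC in window")
```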
A victim had multiple addresses drained on Solana for $3.2M on May 16, 2025 in a suspected Lazarus Group attack. The assets were market sold and the stolen funds were bridged from Solana to Ethereum.
On June 25, 2025 400 ETH was deposited to Tornado Cash.
On June 27, 2025 400 ETH was deposited to Tornado Cash.
$1.25M still sits as DAI & ETH at 0xa5f7499804f941335ab72f232cf15c59aaa3d528
Theft address
C4WY18k5mecJ6Vu6imUqSCSvCcAyqcL5nPPrNZGve525
If you send me a message on X/Twitter asking for help I will likely not respond unless it's a $100K+ theft or adds value to my work (intel, ongoing incident, etc).
Also not interested in taking on pro bono cases unless it connects to an active investigation or research project.
Do not ask me for paid promotions to shill a token for your platform as the answer will always be no.
Only have interest in contract work / advisor roles that rely on my actual skills and not an endorsement to my followers.
The recent ~$140M (R$ 800M) cyberattack on the Central Bank of Brazil services provider C&M Software is easily one of the most insane cases from this year.
Six financial institutions experienced unauthorized access to their reserve accounts on June 30, 2025.
Attackers converted fiat to BTC / ETH / USDT via Latam OTCs / exchanges. By my estimate at least $30-40M was converted to crypto.
Brazilian law enforcement has since shared the threat actor paid an employee at C&M only $2.76K (R$ 15K) for his corporate login and password.
I'll publish theft addresses related to the incident that I found when it's ok to share them as I have been helping freeze funds and attributing unlabeled OTCs.
Have not seen much coverage on the incident outside of Brazil.
Looks like the Indian centralized exchange 'CoinDCX' was likely drained for ~$44.2M almost 17 hours ago and has yet to disclose the incident to the community.
The attacker address was funded with 1 ETH from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum.
H/t Cyvers for flagging the withdrawals to me. The affected CoinDCX hot wallet is not publicly tagged or in current proof of reserves so I had to manually attribute it via reviewing counterparties.
Theft address
6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n
3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu
0xEF0c5b9E0E9643937D75C229648158584A8CD8D2
Update: CoinDCX disclosed the incident after my post.
A CoinDCX team member is telling the community on Discord to engage with the CoinDCX co-founder's post thanking him for the "transparency"
Spending long hours helping freeze funds for the Bybit hack has been eye opening. This industry is unbelievably cooked when it comes to exploits/hacks and sadly idk if the industry is going to fix this itself unless the government forcibly passes regulations…
For an industry that was founded on principles of independence from the government it's embarrassing how reliant we are on them to find a solution for victims.
There's no other industry that has normalized thefts to the same extent.
These are all major problems no one has been able to solve and continue to get worse as bad actors improve their efficiency while nothing changes:
>What happens when >95% of law enforcement (LE) is not competent enough to trace a basic theft and seize frozen funds from centralized platforms?
>What happens when thefts <$100K are never assigned to LE after filing a police report due to lack of resources?
>What happens when a victim is located in one jurisdiction but the perpetrator is in a different uncooperative jurisdiction?
>What happens when the perpetrator is a minor so LE chooses to not pursue further?
>What happens when teams and exchanges are not willing to collaborate with the private sector?
>What happens when a victim cannot pursue litigation to recover frozen funds because retaining a firm costs more than the amount stolen?
>What happens when offshore exchanges have jurisdictional uncertainty due to regulatory arbitrage and refuse to honor court orders?
>What happens when a major publicized incident occurs but a stablecoin issuer requires an impossible ask of a court order within minutes in order to blacklist?
>What happens when founders profit millions in fees from laundering stolen funds and then refuse to return them as they flex record user metrics on X?
>What happens if the government makes KYC mandatory for Defi but companies with breaches of sensitive PII are never held liable?
>What happens when the legal system can be easily abused with incomplete tracing due to outdated laws rather than facts?
On August 19, 2025 a victim fell for a social engineering scam and lost 783 BTC ($91.4M) after exchange and hardware wallet customer support were impersonated.
The stolen funds began to peel off and multiple deposits to Wasabi were made by the threat actor.
Coincidentally this theft happened on the one year anniversary of the $243M Genesis Creditor theft.
Theft txn hash
da598f2a941ee3c249a3c11e5e171e186a08900012f6aad26e6d11b8e8816457
Theft address
bc1qyxyk4qgyrkx4rjwsuevug04wahdk6uf95mqlej
It appears the Solana project 'Aqua' has likely rug pulled 21.77K SOL ($4.65M) after being promoted by teams such as Meteora, Quill Audits, Helius, SYMMIO, Dialect, and many influencers.
A few hours ago the funds were split four ways and transferred between intermediary addresses before being sent to multiple instant exchanges.
The team has since turned off replies on X (Twitter) for all posts.
Presale address
4Ea23VxEGAgfbtauQZz11aKNtzHJwb84ppsg3Cz14u6q
SwissBorg experienced an incident a few hours ago and 192.6K SOL ($41.5M) was stolen on Solana.
Theft address
TYFWG3hvvxWMs2KXEk8cDuJCsXEyKs65eeqpD9P4mK1
Update: Kiln was exploited and SwissBorg was the victim.
JP (THORChain co-founder & Vultisig co-founder) had a personal wallet drained for $1.35M by DPRK on September 9, 2025 after a meeting call scam on Telegram.
Ironically JP and his products have benefited significantly financially from the laundering of DPRK exploits/hacks such as Bybit in the past.
Theft address
0x37cDB6B40861F350E23AA5733E75755fCBed739F
Currently majority of the stolen funds sit at 0x7abc09ab94d6015053f8f41b01614bb6d1cc7647