Investigations by ZachXBT
Reports, news, & insights shared by ZachXBT

Useful links:
x.com/zachxbt
investigation.io
@investigations
On January 10, 2026 at around 11 pm UTC a victim lost $282M+ worth of LTC & BTC due to a hardware wallet social engineering scam.

The attacker began converting the stolen LTC & BTC to Monero via multiple instant exchanges causing the XMR price to sharply increase.

BTC was also bridged to Ethereum, Ripple, & Litecoin via Thorchain.

Theft addresses (2.05M LTC, 1459 BTC):
bc1qluxw46r55wf3dnk9c652vrt4duadm3hpuktf86
bc1qpsmh26ja0fzzf286zulmt9eywujc2pggj40wzm
ltc1qly43c2prj4c2e85dcspzpjd36jnapnenldnr70
😭820😱293🀯155🍾98❀83πŸ’”65😒35πŸ—Ώ27πŸ€·β€β™‚22πŸ‘€21πŸ‘Ž11
A special thanks to Hyperliquid for their recent generous donation.

Here's the updated all time leaderboard for my top 10 largest donors by amount:

1). Optimism
2). Hyperliquid
3). Octant
4). The White Whale
5). Arbitrum
6). BNB Chain
7). Unipcs
8). Nouns
9). CL207
10). High Stakes Capital
❀1.46KπŸ”₯422πŸ‘195πŸ€“52😁44😭38🀬26πŸ™Š23πŸ‘€21✍19😈16
BREAKING: Circle froze the USDC balance of 16 hot wallets for various businesses late yesterday.

I spoke with one of the affected businesses directly and they stated it was due to an ongoing US civil case whose details are not yet disclosed.

I reviewed the onchain activity and the exchanges, casinos, forex businesses do not appear to be related at all to each other.

Why was the request not properly reviewed by Circle?

For those unfamiliar a crypto business has a hot wallet to process the bulk of transactions for its users.

An analyst with basic tools could have identified within minutes that these were operational business wallets from the thousands of transactions they process.

Now their business operations have been negatively impacted by Circle, Lawyer, Forensics firm, & Judge

Rain[.]gg
0x87d18ee84e8f4f5709cbf3500179a4c601da12ce
Clash[.]gg
0x9e2a58d257963a276452fff1be94c0eb7e2775cc
Whale[.]io
0x4bd282c083d9ec35aa6c3e0f366d79f12f3a1630
Goated[.]com
0x61f08d119974a3d9915f06765d83fe1aa677e543
500 Casino
0x68416debc20d13e5ef694cdcac9506f4c1a20184
Finrax
0x258494a21d9ea90fcbcb9e22bd57c6899de0d995
Herofx
0x2704ba2d5d3544e6292d9aca536b6bbbfebd80e9
Coinsbuy
0x5f9acf4e85aa7283e0c16dd94cbc942f9d625151

0x22face80f43b857141e9752c3bae8c3309fcdd0f
Unknown service hot wallets
0xfb3a175ce3cb33d9f464a3c5ea0b834dae2aaaf6
0xb25ea1d493b49a1ded42ac5b1208cc618f9a9b80
0x090aac31fca0d19f91e30e02ec8217098a3a4446
0xbfca3e2097baa1eb354e9d915180707dde1027f2
0x3b848ac300b9e0d260e812b628b87a03d278db95
0x00e84a0b678cd4584a9a377d334c810025970873
0xf9e83020cccbd1a95f0f257a5a9e3d58149762f8
😱237🀣129❀82πŸ‘33🀯27πŸ—Ώ18😒16πŸ‘Ž15πŸ‘11πŸ”₯8πŸ’―6
It appears the Iranian exchange Wallex[.]ir had one of its wallet addresses frozen by both Circle & Tether.

0x6926408f55c4f322ebe1a3cc7e4fff380c5543df

A few hours ago Wallex began consolidating crypto assets from different hot wallets on Tron and Ethereum to BSC via multiple bridges.

$2.49M currently sits dormant at 0xf945c7566f4204ad286a0c3ff1d8a72183e6ccdd
πŸ’”231😁81❀52🀬50πŸ‘Ž33πŸ”₯28😒22😱20πŸ•Š19πŸ‘€16πŸ‘¨β€πŸ’»7
Investigations by ZachXBT
BREAKING: Circle froze the USDC balance of 16 hot wallets for various businesses late yesterday. I spoke with one of the affected businesses directly and they stated it was due to an ongoing US civil case whose details are not yet disclosed. I reviewed…
Circle unfroze the USDC for the Goated hot wallet a few minutes ago.

0x61f08d119974a3d9915f06765d83fe1aa677e543

I expect more hot wallets to be unfrozen in the near future.

Update 1: 500 Casino & Whale were unfrozen

Update 2: ckUSDC (Dfinity bridge) & unknown service 0x00e were unfrozen

Still no public information about why the overreach ever occurred to begin with.
πŸ”₯157❀78πŸ‘47🀣46🀨22πŸ‘€16😭8πŸ¦„8πŸ•Š6πŸŽ‰5πŸ‘4
An unknown Kraken user lost $18.2M due to a suspected social engineering scam.

The threat actor began bridging 45 minutes ago from Ethereum to Bitcoin via THORChain with SafePal wallet.

Theft address
0xC55149BbD560435a9FbEabFdcF9711cf928acA21
1D8f8956EEFLXN28AHfioEx4ywVbxCz8KN
😭418😱103❀53🀣43πŸ•Š29😒28πŸ‘Ž15😁15πŸ’”14πŸ‘13πŸ€”12
Community Alert: The Trust Wallet Discord vanity link was hijacked: discord[.]gg/trustwallet and currently points to a phishing server so avoid joining the Discord from official links (website, Telegram, blog, etc).
😭276πŸ‘127🀣112❀73🀯22πŸ‘€17😁12πŸ—Ώ12🫑9πŸ”₯6🐳4
On April 6, 2026 BitcoinDepot (BTM) disclosed in an SEC 8K filing it uncovered an incident on March 23, 2026 which resulted in 50.9 BTC ($3.6M) stolen.

However the report did not include theft addresses so I manually traced out the incident onchain and found 19 high confidence theft addresses from March 20.

This means it took three days for BitcoinDepot to notice the funds were missing from its business.

A delta of 3.55 BTC (54.45 BTC total) vs 50.9 BTC reported was found indicating other employee personal accounts may have also been impacted.

54 BTC ($3.7M) flowed to KuCoin, a crypto exchange increasingly used by illicit actors. 

At the time of my post the theft addresses still have not been reported in any compliance tools I use.

Suspected theft addresses:
If you gamble I advise caution for the new casino Spartans Bet if you are an influencer, player, or work in the industry.

Have been made aware by a few people of them offering unrealistic amounts of funds to influencers / players.

Ownership is tied to Gurhan Kiziloz who is behind a sketchy project called Blockdag Network.

Blockdag raised $300M+ from unsophisticated retail investors via social media ads which stated unsustainable returns and misleading partnerships.

I've had 10+ investors DM or tag me claiming to have lost money on it with the product not functional and the token presale has been ongoing for 2+ years.

When you search his name online it is mostly paid PR articles.

I would avoid any business that is connected to Gurhan Kiziloz.

Source 1: https://www.dlnews.com/articles/defi/inside-crypto-project-blockdag-442-million-usd-maze/
Source 2: https://www.businessinsider.com/lanistar-uk-regulator-scam-instagram-warning-2020-11
❀349πŸ‘150😭39πŸ”₯33✍21🀝18🀯17πŸ‘7🐳5πŸ€“5πŸ’”4
Community alert: A fake Ledger Live app on the Apple App Store is tied to $9.5M stolen from 50+ suspected victims between April 7–13 across Bitcoin, EVM, Tron, Solana, & Ripple.

Stolen funds were laundered via 150+ KuCoin deposit addresses tied to AudiA6, a centralized mixing service that charges high fees to launder illicit funds.

Theft addresses


Kucoin has seen a sharp increase in illicit activity over the past year. Kucoin was banned from onboarding new EU users by Austrian regulators in February 2026 after only receiving its MiCA permit in November 2025. Kucoin previously paid fines of $300M+ to the US government to settle its case for violating AML laws in January 2025.

I'd be curious to see if this presents grounds for a class action against Apple.

The fake app was removed by Apple yesterday. The three largest victims lost seven figures each.

Apr 9 Victim: $3.23M (3.23M USDT)
TFsLWCYxj4aVUdjKg6Vnz5RtDe1AFWzmYK

Apr 11 Victim: $2.079M (2.079M USDC)
GZWb4arrwVPzdEDrK5MwTNN5zsXNpKUK2yeYu9SA5S18

Apr 8 Victim: $1.95M total (20.64 BTC, 211 stETH, 70 ETH)
96ccf116c95d9ad0065ec2529dd1761eb93dd504cbf2ac9298c60bf7b5984b4b
0x98bc748eb4451417f7259190675ea565dbd5ed85
😱324😭148❀96πŸ‘35🀣30πŸ₯΄21😒19πŸ†11😁10🌚7❀‍πŸ”₯5
KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum.

The attack addresses were funded via Tornado Cash.

Theft addresses

(Edited to update the victim later identified as KelpDAO)
😭459🀯130😒57😱45🀣39πŸ•Š26πŸ‘22πŸ”₯22πŸ‘13😁11πŸ™9
Just hit 1M followers on X (Twitter) and it's been an insane ride from May 2021 to now.

I don't usually post about this type of stuff, but I cannot say I anticipated ever reaching this follower milestone.

Thanks to everyone who has supported my work over the years.
❀2.05KπŸ”₯532πŸ‘179πŸ₯°85❀‍πŸ”₯66πŸ‘Ž57😭21πŸ€·β€β™‚18✍16😁16🌚12
Investigations by ZachXBT
KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum. The attack addresses were funded via Tornado Cash. Theft addresses 0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc| 0xBb6A6006Eb71205e977eCeb19FCaD1C8d631C787 0x1F4C1c2e610f089D…
Update: DPRK began laundering $1.5M from the $290M KelpDAO/LZ exploit from Ethereum mainnet to Bitcoin via Thorchain and another $78K via Umbra

Thorchain transactions:
0x99e09424a28873145f0f4d2ad2cedaebe788df5fab25ba87a06057c457ac31ef
0x171b08024347b5cb7399761b1d6836649f9cbfaf8e94bcbb42625874db5dc206
0x2909e93741e9fe32286dafc8769be5089de0bad4cfcc9ad4b715124f50307171

Umbra transactions:
0xa2a6cc54afd2dd487ea052cd712ed0e1889f2886d857d46c266014173caa7509
😒210❀84πŸ”₯43πŸ•Š29πŸ‘23🀣18🫑16😁12πŸ—Ώ12πŸ‘8πŸ€ͺ6
If you enjoy my research please consider participating in the current TheDAO × Giveth 500 ETH matching round and voting for me if you enjoy the public goods research I publish regularly on X (Twitter) & Telegram.

It's quadratic funding, so smaller contributions are worth considerably more thanks to the matching pool.

Example: Currently a $10 crypto donation = >$3K matched

Link to donation to my future research projects:
https://qf.giveth.io/project/zachxbt?roundId=16

I also want to highlight four other projects deserving of your donations:

1). Tanuki42 - DPRK IT worker research
https://qf.giveth.io/project/tanuki42?roundId=16

2). dobs - Pig butchering and human trafficking research
https://qf.giveth.io/project/fight-human-trafficking-and-crypto-fraud-with-dobs?roundId=16

3). Pcaversaccio - Safe multisig transaction hash verification
https://qf.giveth.io/project/safe-multisig-transaction-hashes?roundId=16

4). Spectre - Threat intel & onchain insights
https://qf.giveth.io/project/specter-on-chain-security-research-and-investigator?roundId=16
❀460🀣199πŸ‘87πŸ”₯54πŸ‘Ž35πŸ€·β€β™‚15πŸ€“15😭12✍11🀯9πŸ™8
Community alert: It appears Thorchain was likely exploited on Bitcoin, Ethereum, BSC, Base for $10.7M+

The protocol paused trading as a result.

Theft address
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
0x82fc0d5150f3548027e971ec04c065f3c93154eb

0xd477b69551f49c0519f9b18c55030676138890bd

Edit 1: Changed amount stolen from $7.4M to $10.7M
😁203😭174❀80πŸ”₯46πŸ—Ώ38πŸ‘28😒22πŸ’―10🐳9πŸ₯°8πŸ‘Œ7πŸ™6
Earlier today the threat actor 'Dritan Kapllani Jr' transferred $2.59M (1.99M DAI, 259 ETH) three hops from: 0x4487db847db2fc99372a985743a26f46e0b2bba6
to:
0x67ec1d405e53ed13a19eb77a9db19186723d125d where stolen funds currently sit dormant.

On May 12 I published my investigation on X (Twitter) detailing Dritan's involvement with Trenton (Trent) Johnson in a 185 BTC ($13M) social engineering theft.

You can read my investigation below:
https://x.com/zachxbt/status/2054170002945987029
😭305❀97πŸ”₯63πŸ‘49😁37πŸ‘23😑12πŸ‘Œ11πŸ‘Ύ11🀷5πŸ¦„3
Offering up to $10K bounty for intel about the Hong Kong market maker Heisenberg Guru aka HSBG linked to multiple CEX market manipulation incidents such as $RIVER.

Sion & Chao are two core team members.

Chat logs, contracts, internal comms, etc are the types of evidence I will consider rewarding.

Send me a DM on X (Twitter) if you can assist: x.com/zachxbt
❀304πŸ‘147πŸ”₯88😭43πŸ‘€42πŸ‘Ž34😁28πŸ‘¨β€πŸ’»16πŸ’―8🀬7😴3
Investigations by ZachXBT
If you gamble I advise caution for the new casino Spartans Bet if you are an influencer, player, or work in the industry. Have been made aware by a few people of them offering unrealistic amounts of funds to influencers / players. Ownership is tied to Gurhan…
Update: Following up on my earlier warnings about Gurhan Kiziloz, I completed onchain tracing which demonstrates commingling of at least $25M of presale funds between two investment schemes linked to him, which were then used to pay KOL streamers for his casino Spartans[.]com.

I have not seen any disclosure in the original BlockDAG Network or ZKP presale materials indicating that funds would be used to promote a separate venture, and retail investors continue to publish complaints on social media.

This is another red flag on top of the issues outlined in my earlier post. I advise everyone to stay away from BlockDAG, ZKP, and Spartans.

Spartans KOL payment address
TRa9KjECpmmBBr1GKTwEWmskdiEKyLnf3C
0xb8e55a329536f3e981c63567b7b1156533d1855a


Blockdag presale address
0x4c39ed0438d5e8913acf423db6d56cce78b2d367
Blockdag consolidation
TZENvWXqdkqQYT2om6yLC731Cphu57yKkY

ZKP presale address
0x3b224a7a5a7ee682a2597eaf2b1f61d153424f4b

See attached for my forensics graph: BlockDAG & ZKP presale wallets → consolidation → bridge from Ethereum to Tron → CEX deposits and withdrawals (HTX, BTSE) → Spartans hot wallet and KOL payment address.
❀192πŸ‘41😭29πŸ’―22πŸ•Š15πŸ™10😁8🀝8πŸ€ͺ7πŸ‘€5😑2
Investigations by ZachXBT
Update: Following up on my earlier warnings about Gurhan Kiziloz, I completed onchain tracing which demonstrates commingling of at least $25M of presale funds between two investment schemes linked to him, which were then used to pay KOL streamers for his casino…
Update: The Spartans team immediately blocked me on X (Twitter) and hid my reply after I replied to their post asking for clarification.
😁353πŸ”₯104😭45πŸ€ͺ29❀22πŸ€·β€β™‚20πŸ‘18😑8😱6😍4πŸ₯°1
It has come to my attention there are new accounts impersonating me and they are gaining views / engagement on Instagram & YouTube.

Reminder my only two official accounts are x.com/zachxbt on X (Twitter) and @investigations on Telegram.

Do not get scammed by these larps.
❀267πŸ‘120😭59🫑21😁19πŸ‘€10😑7πŸ‘Ž5🀬5πŸ₯΄5πŸ¦„4
An unknown victim lost ~231 BTC ($18.8M) on May 14, 2026 due to private key compromise.

Social engineering threat actors from 'The Com' have tried taking credit for the theft however it appears they're larping due to unrelated Russian indicators on the laundering movements.

Theft address
bc1qmmfyekpkkuxryezpup7nw2x9qvr5avlfj3vvpc
bc1qrf02hgf9e3lypt8wm025g4waee47wjwz2at9az
😭279😱90πŸ‘31❀29πŸ’”26πŸ‘€11😑11πŸ—Ώ10πŸ€“6πŸ‘Ž5πŸ‘»5