Written by Andy Greenberg, Wired. Compiled by Yangz, Techub News.
On August 19, a man in his twenties who goes by the name ZachXBT walked into an airport to board a flight home. He was reluctant to say which airport, what his real name was, or where home was. As he did so, he received an on-chain alert on his phone: Bitcoin had just been transferred to a small cryptocurrency exchange. This was one of many transactions he had been monitoring in recent days, and the alert caught his interest because the transaction was worth about $600,000, a cash-out 10 times the exchange's normal transaction size.
When ZachXBT reached the boarding gate, another alert popped up: a second transaction into the same exchange worth more than $1 million, followed by a $2 million transaction. ZachXBT hurriedly used his phone to follow the money from one Bitcoin address to another, marking suspicious funds and racing to find their source in the half hour before the plane took off and the Wi-Fi cut out. Before takeoff, he determined that the funds came from a single wallet, one that held hundreds of millions of dollars worth of Bitcoin and had not moved since 2012. Now this nine-figure sum was being hastily cashed out at transaction costs that no one who had held Bitcoin for more than 10 years would accept.
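The two signals that made the alert worth chasing, a deposit far above the exchange's usual size and funds that trace back to a wallet idle since 2012, can be written as simple monitoring rules. The following Python is an added example, not code from ZachXBT or Wired: it runs over a constructed address-level ledger with placeholder addresses and amounts, and its hop-by-hop tracing is a heuristic (most recent earlier inbound transfer to each sender), not UTXO-accurate input tracking.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    btc: float
    ts: datetime


def iso(s):
    """Parse an ISO-8601 timestamp with a trailing Z as an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample ledger (not real chain data); every address and amount is a placeholder.
SAMPLE = [
    Tx("tx0", "coinbase-2012", "wallet-dormant", 2500.0, iso("2012-03-01T00:00:00Z")),
    Tx("tx5", "user-1", "exchangeX", 0.5, iso("2024-08-18T10:00:00Z")),
    Tx("tx6", "user-2", "exchangeX", 0.8, iso("2024-08-18T11:00:00Z")),
    Tx("tx7", "user-3", "exchangeX", 1.2, iso("2024-08-18T12:00:00Z")),
    Tx("tx8", "user-4", "exchangeX", 0.6, iso("2024-08-18T13:00:00Z")),
    Tx("tx9", "user-5", "exchangeX", 1.0, iso("2024-08-18T14:00:00Z")),
    Tx("tx1", "wallet-dormant", "hop-a", 2500.0, iso("2024-08-19T14:00:00Z")),
    Tx("tx2", "hop-a", "hop-b", 1200.0, iso("2024-08-19T14:05:00Z")),
    Tx("tx3", "hop-b", "exchangeX", 10.0, iso("2024-08-19T14:10:00Z")),
    Tx("tx4", "user-6", "exchangeX", 2.0, iso("2024-08-19T14:15:00Z")),
    Tx("tx10", "hop-b", "exchangeX", 17.0, iso("2024-08-19T14:20:00Z")),
]


def deposit_baseline(txs, exchange, before):
    """Median deposit size seen at the exchange before a given time (the 'normal' amount)."""
    amounts = [t.btc for t in txs if t.dst == exchange and t.ts < before]
    return median(amounts) if amounts else 0.0


def outsized_deposits(txs, exchange, day_start, ratio=10.0):
    """Deposits on or after day_start that are at least `ratio` times the prior baseline."""
    threshold = ratio * deposit_baseline(txs, exchange, day_start)
    if threshold <= 0:  # no history to compare against: do not flag everything
        return []
    return [t for t in txs if t.dst == exchange and t.ts >= day_start and t.btc >= threshold]


def trace_source(txs, txid, max_hops=10):
    """Walk backward from a deposit: for each sender, take its most recent earlier inbound tx."""
    by_id = {t.txid: t for t in txs}
    inbound = defaultdict(list)
    for t in txs:
        inbound[t.dst].append(t)
    cur = by_id[txid]
    path = [cur]
    for _ in range(max_hops):
        earlier = [t for t in inbound[cur.src] if t.ts < cur.ts]
        if not earlier:
            break
        cur = max(earlier, key=lambda t: t.ts)
        path.append(cur)
    return path


def origin_dormancy(path):
    """(origin address, years it sat idle before the traced outflow); None if nothing to compare."""
    if len(path) < 2:
        return None
    funded, moved = path[-1], path[-2]
    return funded.dst, round((moved.ts - funded.ts).days / 365.25, 1)
```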
To ZachXBT, the rapid movement of funds looked like a huge theft. In fact, once he had checked the details, ZachXBT suspected that someone had stolen about $243 million worth of Bitcoin from a single victim, in what may be the largest known cryptocurrency robbery of an individual in history. “I couldn’t believe this was stolen from an individual,” ZachXBT told WIRED.
As the plane flew above 10,000 feet, ZachXBT connected to Wi-Fi and continued to track more of the stolen funds. Despite the thieves’ attempts to obfuscate their tracks through more than a dozen platforms, ZachXBT was able to map out the branching of the funds over the next few hours.
As he traced the missing Bitcoin back toward its owner, ZachXBT discovered that some of the funds had originally come from the now-defunct cryptocurrency exchange Genesis. So he sent a direct message on X to the exchange's administrators, asking them to help contact the victim, who eventually asked ZachXBT to help recover the stolen funds.
After the flight landed, ZachXBT had identified three main branches of the stolen funds, which he believed pointed to three possible culprits. He also posted a message to his more than 650,000 followers on X, noting that the theft was taking place. Soon, he received a message from a source who claimed to have a clue to the thief's identity.
Over the next week, ZachXBT worked around the clock (sleeping no more than four or five hours at a time) to investigate the case, regularly sharing his findings with law enforcement, and eventually identified suspects behind the theft, including two hackers in their early twenties, Malone Lam and Jeandiel Serrano. (ZachXBT also identified another accused hacker, but WIRED is not naming that person because he has not yet been arrested or charged.) ZachXBT even obtained a video of the hackers celebrating after completing the theft. According to ZachXBT's review of Instagram and TikTok posts, one of the suspects spent millions of dollars on cars and private jets, and up to $500,000 a night in clubs, after the successful theft.
Less than a month after ZachXBT received the alert on his phone, two of the three suspects were arrested and criminally charged. When ZachXBT saw the photo of one of the hackers, he said he felt a surge of adrenaline, but the feeling soon passed. "I didn't feel any particular sense of accomplishment," ZachXBT said. "I just treated it as a similar case."
The People's Cryptocurrency Private Investigator
If tracking a $250 million theft was just another day on the internet for ZachXBT, that is perhaps because over the past three years he has established himself as the world's most prolific independent cryptocurrency-focused detective. Since he began working as an amateur investigator in 2021, he has tracked billions of dollars in stolen funds and scams. By his own count, his hundreds of investigations have directly helped recover about $210 million worth of cryptocurrency crime proceeds, and indirectly helped victims recover another $225 million in stolen funds. ZachXBT has called out influencers who promote tokens in pump-and-dump schemes, hunted down cybercriminals behind large-scale cryptocurrency thefts, and uncovered dozens of cases of North Korean hackers breaking into cryptocurrency companies and even infiltrating them as employees.
For all of this tracking, ZachXBT has been "paid" almost entirely through cryptocurrency donations, in the form of grants from cryptocurrency organizations and strangers sending money to the addresses listed in his social media profiles: about $1.3 million since 2021. "He's a new generation of investigator. He works for the people," said Joe McGill, a Secret Service analyst who has worked with ZachXBT. "His success is entirely related to his own ability."
Yet as ZachXBT was playing crypto vigilante, he was also wearing a mask. Online, he was known only as a cartoon platypus in a detective trench coat or hoodie. To avoid reprisals from the many enemies and scammers in the crypto world, he never appeared in public, did not reveal his real name or exact age, and would only speak on the condition that I did not try to dig up those identifying details.
McGill recalls that during some of their early conference calls, ZachXBT would not only turn off his camera, but even use voice-changing software, sometimes sounding like a high-pitched "South Park character" and other times deepening his voice to sound like something out of a horror movie. "It felt weird at first," said McGill, who was then working at cryptocurrency security firm TRM Labs, "but I respected his privacy because the anonymous person was doing such a great job."
Nick Bax, a cryptocurrency investigator and founder of Five I's, said that ZachXBT uncovers cryptocurrency scams and thefts almost every week, often working much faster than law enforcement agencies, so much so that Bax once half-jokingly commented: "He's a machine."
In an investigation last year, they worked together to track the theft of $60 million from a cryptocurrency project called AnubisDAO in 2021. As part of the investigation, Bax gave ZachXBT a list of 500 transactions on a Saturday night, each of which needed to be manually analyzed along with all the associated blockchain addresses. "I thought this would keep him busy for at least a few days," Bax said. But by the next afternoon, ZachXBT had completed every transaction and determined which ones were related to the theft. “I was shocked,” Bax said. “He must have been hunched over his computer for 12 hours straight.”
Many of ZachXBT’s findings were posted unreservedly to his X account. Over time, however, his findings also attracted more and more attention from law enforcement agencies (some of whom he now often shares his findings with before publishing). “As Zach’s power grew, there were financial and legal consequences,” said Taylor Monahan, a security researcher at the cryptocurrency company MetaMask and one of ZachXBT’s closest collaborators on the investigation. “If Zach posted about someone right now and it was accurate, that person would be arrested.”
From Victim to Whistleblower
So how did ZachXBT manage to outsmart even professional cryptocurrency investigators in law enforcement without any formal training or organizational support? In fact, even he himself is not quite sure. "It's a hard question to answer. I don't know why I'm so good at it," ZachXBT said in a phone interview with WIRED. He thinks it's because he's willing to work around the clock, after all, the cryptocurrency market never closes, and he's been studying these huge transaction ledgers for years, so he's very familiar with analyzing cryptocurrency blockchains. "The more you pay attention to the blockchain, and even eat, sleep, and breathe it, then, over time, you become more and more sensitive," he said. "You can start to see these connections, you can look at a wallet and dissect it in seconds and tell if it's a bad actor."
ZachXBT said his familiarity with the blockchain comes from his years of experience as a cryptocurrency enthusiast and trader, and he himself has been a victim of some of the pitfalls in the cryptocurrency economy. ZachXBT said that around 2017, he naively bought thousands of dollars worth of tokens, which eventually became worthless due to "Rug Pulls." ZachXBT said, "I bought it thinking, 'This is going to change my life.' Then I held on and never sold it," but the result was, "I was the one who got scammed."
By 2018, all of the tokens ZachXBT had invested in had collapsed, and the cryptocurrency wallet he used, Electrum, was compromised by malware, costing him nearly another $15,000.
At this point, ZachXBT decided to take a step back and rethink his approach. Instead of simply buying and holding tokens, he began analyzing on-chain data to understand how larger, more successful investors traded tokens and tried to imitate them.
By 2020, ZachXBT had become familiar enough with tracking cryptocurrency transactions to spot ongoing scams that ordinary investors couldn't see. He would watch KOLs (key opinion leaders, i.e. influencers) publicly promote an asset to their hundreds of thousands of followers, driving up the price, and then immediately sell their holdings. “It was more like whistleblowing,” ZachXBT said. “I’d notice the activity and think, ‘This reminds me of what I got scammed about in 2017 and 2018. Why not post about it?’ And it just kept going.”
Later that year, as the NFT craze took off, ZachXBT began applying similar scrutiny to NFT projects like Bored Bunny and Billionaire Dogs Club, to show where the money flowing into these projects was really going. Some of these NFT sellers raised millions of dollars with nothing more than cartoon .jpg images, promising that NFTs created from them would grant privileges like access to exclusive events or clubs. Through blockchain analysis, however, ZachXBT could show that the sellers were simply dividing up and pocketing the funds. Sometimes a new NFT project was just another mask for an earlier project that had already been exposed as a scam.
To some extent, ZachXBT's posts about NFT projects did help warn some buyers off. But over time, ZachXBT grew tired of exposing the same, often transparent scams over and over again, and became frustrated by the lack of more concrete results. No one faced criminal charges after he exposed these NFT scams.
Then, in early 2022, he began to notice the phenomenon of hackers taking over the Twitter accounts of well-known cryptocurrency users and posting phishing links, resulting in the theft of tens of millions of dollars. Every time a heartbroken victim posted that their deposits had been stolen, ZachXBT would get in touch with them and then meticulously track down their lost funds. He combined these blockchain clues with his sources in Discord and Telegram channels frequented by young hackers, and found several accounts of teenagers who often boasted about their acquisition of huge wealth.
By this time, ZachXBT had become a target for the cryptocurrency underworld, and one young hacker even publicly mocked him in a Twitter post, boasting that he had bought an Audemars Piguet diamond watch. ZachXBT did not let it pass: he found the watch's seller in a luxury-watch Discord channel and persuaded the seller to hand over the teenager's delivery address and real name.
There appears to be no public record showing whether the alleged suspects were arrested. Perhaps because they were minors, the charges may have been sealed, or they may never have been prosecuted. But a seizure notice found by ZachXBT shows that in October 2022, a month after ZachXBT posted his findings on X, the FBI confiscated more than $200,000 worth of crypto assets from the teenage suspect he had identified, along with the diamond watch.
In the same year, ZachXBT used similar techniques to track down a $2.5 million NFT phishing theft, and all evidence pointed to a pair of French hackers. In this case, French prosecutors arrested five suspects a few months later, and according to AFP, French prosecutors specifically thanked ZachXBT for his contribution. "It's fulfilling to see law enforcement take action based on the information I shared," ZachXBT said. "It makes me feel that maybe what I've been doing is really meaningful."
In the two years since he first attracted the attention of law enforcement, ZachXBT's investigations have grown dramatically in scale and produced remarkable results. In February 2023, he tracked down nearly $9 million in funds stolen from the cryptocurrency project Platypus and identified one of the thieves within hours; a little more than a week later, French police arrested two suspects. Although the charges against the two men were ultimately dropped, police recovered millions of dollars in funds, and Platypus thanked ZachXBT on Twitter.
Later that year, he tracked down a $25 million theft from the cryptocurrency firm Uranium Finance, much of which appeared to have been laundered through purchases of rare Magic: The Gathering cards. And when the cybercriminal gang known as Scattered Spider launched a ransomware attack on Las Vegas-based Caesars Entertainment, demanding $15 million, ZachXBT helped track and recover $12 million of that money, according to other investigators involved in the case who spoke to WIRED. Around the same time, ZachXBT published a massive investigation into 25 cryptocurrency thefts carried out by North Korean hackers, totaling more than $200 million in stolen funds, of which he helped freeze about $7 million; about half of those hacks had never been publicly disclosed. That investigation was followed by another that revealed a network of about 30 North Korean IT workers who had infiltrated tech companies and were paid in cryptocurrency. In one case, a technician who appeared to be associated with North Korea was employed by the NFT company Munchables and managed to steal $62 million in cryptocurrency assets from the company. Once ZachXBT helped identify and flag the funds, the hacker simply returned the money because it had become difficult to cash out.
“Do you know how much money that is?”
Even so, the Aug. 19 heist, in which $243 million was stolen from a single victim, was one of the largest ZachXBT had ever tracked. After arriving home from the international flight, he continued to track the branching funds for several days while monitoring social media for signs of the three suspects, two of whom went by the handles Greavys and Box. Greavys in particular, whose real name is Malone Lam and who appeared to live in Miami, posted and appeared in numerous photos of luxury real estate, diamond watches, private jets, and sports cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter of which often sells for more than $3 million. ZachXBT also found posts from influencers claiming that Greavys had gifted them Hermès Birkin bags (each valued at between $30,000 and $50,000). One post was accompanied by a photo of waiters at a nightclub holding light signs that read “WHO WANT A BIRK” and tagged Greavys’ name.
Within a few days, ZachXBT convinced the informant who had first messaged him during the flight to send him a screen-share video of three hackers who appeared to have participated in the theft. Unbeknownst to them, one of the accused hackers had reshared his screen with another group of friends during the screen share, and one of them appeared to have recorded it. ZachXBT said the three hackers repeatedly called each other by name during the 90-minute video. At one point, one of the three briefly switched back to his Windows home screen, revealing his last name.
The video even captured the hackers’ frantic reactions after completing the nine-figure heist. “OMG! OMG! $243 million! Yes!” one of them said in the recording. "We did it! We did it! I can't believe it, do you know how much money that is?"
Late in the afternoon of September 18, less than a month after ZachXBT began his investigation, Lam was arrested at a luxury beachfront rental in Miami that cost $68,000 a month. Box, whose real name is Jeandiel Serrano, was detained at the Los Angeles airport as he and his girlfriend flew home from a vacation in the Maldives. According to prosecutors, he was wearing a $500,000 watch when he was arrested, rented a house near Los Angeles for more than $40,000 a month, and had spent $1 million on luxury cars. The next day, wire fraud and money laundering charges were unsealed against Lam and Serrano. According to court documents, both hackers confessed to law enforcement investigators that they had participated in multiple cryptocurrency thefts. Lam admitted that the proceeds had helped him buy no fewer than 31 luxury cars.
So far, $79 million of the $243 million they allegedly stole has been seized or frozen. ZachXBT hopes to find more money. Prosecutors say more than $100 million is still unaccounted for even after the hackers’ spending spree.
The third suspect ZachXBT found appears, according to public records, to live in Connecticut, but has not been charged with any crime. However, journalist Brian Krebs noted that a criminal complaint describes a group of men who allegedly hijacked a Lamborghini sports car and briefly kidnapped a Connecticut couple in their 50s four days after the $243 million theft in late August, planning to rob their son of a large amount of cryptocurrency assets. In other words, the son is likely the third recipient of the funds ZachXBT tracked.
For ZachXBT, this investigation could be a turning point in his career. It is the first time he has been hired and paid by a victim, rather than investigating as a volunteer supported by donations. He said he might transition to more paid work, or even start his own investigation company. But he insists that he does not investigate for the sake of wealth. "What I want to see is that the stolen funds are confiscated and returned, and the thieves are arrested. That's my goal and what I intend to do," ZachXBT said. "Seeing people benefit from it is the source of my happiness."
Taylor Monahan, who has worked with ZachXBT on dozens of investigations, said ZachXBT is largely driven by a sense of justice that comes from his own experience as a victim in the cryptocurrency world and his desire to help others avoid the same fate. "He and many people in this field have had the same bad experience, and people around them will think they are unlucky," Monahan said, "but he rejects this experience from the heart. He wants to change this situation."