By Andy Greenberg, Wired
Compiled by: Yangz, Techub News
On August 19, a man in his twenties who goes by the name ZachXBT walked into an airport to board a flight home. He declined to say which airport, what his real name is, or where home was. Just then, an on-chain alert arrived on his phone: bitcoin had been transferred to a small cryptocurrency exchange. It was one of many transactions he had been monitoring recently, and the alert caught his interest because the transaction was worth about $600,000, a cash-out 10 times the size of the exchange's normal transaction.
As ZachXBT arrived at the gate, another alert popped up: a second transaction to the same exchange worth more than $1 million, followed by another worth $2 million. So ZachXBT hurriedly used his phone to follow the money from one Bitcoin address to the next, tagging suspicious funds and scrambling to find their source in the half hour before the plane took off and he lost Wi-Fi. Before takeoff, he determined that the funds came from a single wallet holding hundreds of millions of dollars' worth of Bitcoin that had not moved since 2012. Now that nine-figure sum was being hastily cashed out at fees no Bitcoin hodler of more than 10 years would accept.
To ZachXBT, the rapid movement of funds looked like a huge theft. Once he had checked the details carefully, ZachXBT suspected that someone had stolen about $243 million worth of Bitcoin from the victim, possibly the largest known cryptocurrency robbery of an individual in history. ZachXBT told WIRED: "I can't believe that this was stolen from an individual."
Once the plane climbed above 10,000 feet, ZachXBT connected to the in-flight Wi-Fi and continued to track the flow of the stolen funds. Although the thieves tried to obscure their tracks by routing the money through more than a dozen platforms, over the next few hours ZachXBT mapped the branching flow of funds.
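The tracing described above, as an added example that is not part of the original article and not ZachXBT's own tooling: a breadth-first forward trace over a constructed Bitcoin-style transaction graph, using the simple "poison" rule (every output of a transaction that spends a tainted address is tainted), followed by the heuristic from the text, flagging tainted deposits at an exchange that are at least 10 times that exchange's typical deposit size. The ledger, the addresses, the exchange attribution and the "typical deposit" figure are all constructed for the example.

```python
"""Forward taint tracing over a constructed Bitcoin-style transaction graph."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]                  # addresses spent by this transaction
    outputs: Tuple[Tuple[str, float], ...]   # (destination address, amount in BTC)


# Constructed sample ledger (not real transactions or addresses). A wallet that
# has been dormant since 2012 ("W_dormant") is drained, split across hop
# addresses, and partly deposited into a small exchange; tx5 is unrelated noise.
SAMPLE_TXS: List[Tx] = [
    Tx("tx1", ("W_dormant",), (("A1", 2000.0), ("A2", 2100.0))),
    Tx("tx2", ("A1",), (("A3", 1990.0), ("EXCH_SMALL_dep1", 10.0))),
    Tx("tx3", ("A2",), (("EXCH_SMALL_dep2", 17.0), ("A4", 2083.0))),
    Tx("tx4", ("A3",), (("EXCH_SMALL_dep3", 34.0), ("A5", 1956.0))),
    Tx("tx5", ("Unrelated",), (("EXCH_SMALL_dep4", 0.5),)),
]

# Assumed attribution of deposit addresses to an exchange, and that exchange's
# typical deposit size in BTC (both constructed for the example).
EXCHANGE_OF: Dict[str, str] = {
    addr: "EXCH_SMALL"
    for addr in ("EXCH_SMALL_dep1", "EXCH_SMALL_dep2",
                 "EXCH_SMALL_dep3", "EXCH_SMALL_dep4")
}
TYPICAL_DEPOSIT_BTC: Dict[str, float] = {"EXCH_SMALL": 1.0}


def trace_forward(txs: Iterable[Tx], origin: str) -> Dict[str, Tuple[float, int]]:
    """Breadth-first forward trace from `origin`.

    Poison rule: every output of a transaction spending a tainted address is
    tainted up to the output amount. Returns, for each address reached,
    (tainted BTC received, number of hops from the origin).
    """
    spends_from = defaultdict(list)          # address -> transactions spending it
    for tx in txs:
        for addr in tx.inputs:
            spends_from[addr].append(tx)

    tainted_amount: Dict[str, float] = defaultdict(float)
    hops_to: Dict[str, int] = {origin: 0}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        for tx in spends_from[addr]:
            for dest, amount in tx.outputs:
                tainted_amount[dest] += amount
                if dest not in hops_to:          # first time we reach this address
                    hops_to[dest] = hops_to[addr] + 1
                    queue.append(dest)
    return {a: (tainted_amount[a], hops_to[a]) for a in hops_to if a != origin}


def flag_exchange_deposits(tainted: Dict[str, Tuple[float, int]],
                           exchange_of: Dict[str, str],
                           typical: Dict[str, float],
                           multiplier: float = 10.0) -> List[Tuple[str, str, float, int]]:
    """Tainted deposits at a known exchange that are at least `multiplier`
    times that exchange's typical deposit, ordered by distance from the origin."""
    flagged = []
    for addr, (amount, hops) in tainted.items():
        exch = exchange_of.get(addr)
        if exch is not None and amount >= multiplier * typical[exch]:
            flagged.append((addr, exch, amount, hops))
    return sorted(flagged, key=lambda f: f[3])


def total_tainted_at(tainted: Dict[str, Tuple[float, int]],
                     exchange_of: Dict[str, str], exchange: str) -> float:
    """Total tainted BTC that reached deposit addresses of `exchange`."""
    return sum(amt for a, (amt, _) in tainted.items() if exchange_of.get(a) == exchange)


if __name__ == "__main__":
    reached = trace_forward(SAMPLE_TXS, "W_dormant")
    for addr, exch, amt, hops in flag_exchange_deposits(reached, EXCHANGE_OF, TYPICAL_DEPOSIT_BTC):
        print(f"ALERT {exch} {addr}: {amt:.1f} BTC tainted, {hops} hops from origin")
    print("total at EXCH_SMALL:", total_tainted_at(reached, EXCHANGE_OF, "EXCH_SMALL"))
```

The poison rule over-attributes (an output is counted as fully tainted even when only part of its funding was), which is why it is used for alerting rather than for the final accounting; real tracers refine it with UTXO-level haircut or FIFO attribution, and the "10 times normal" threshold is only as good as the baseline of typical deposit sizes behind it. The unrelated deposit (`EXCH_SMALL_dep4`) is never reached by the trace and therefore never flagged.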
As he followed the trail back toward the owner of the stolen Bitcoin, ZachXBT discovered that some of the funds had originally come from the now-defunct cryptocurrency exchange Genesis. He then sent a direct message to the exchange's administrators on X, asking them to help contact the victim, who eventually asked ZachXBT to help recover the stolen funds.
After the flight landed, ZachXBT had identified three main branches of the stolen funds, which he believed pointed to three possible culprits. He also posted a message to his more than 650,000 followers on X, calling attention to the theft as it was taking place. Soon he received a message from a source who said they had a clue to the identity of the thief.
Over the next week, ZachXBT worked around the clock (sleeping no more than four or five hours at a time) to investigate the case, regularly sharing his findings with law enforcement agencies, and eventually identified the suspects behind the theft, among them two hackers in their early twenties, Malone Lam and Jeandiel Serrano. (ZachXBT also identified another alleged hacker, but WIRED is not publishing that person's name because he has not yet been arrested or charged.) ZachXBT even obtained a video of the hackers celebrating after completing the theft. According to ZachXBT's research on Instagram and TikTok, one of the suspects spent millions of dollars on cars and private jets, and up to $500,000 a night in clubs, after the successful theft.
Less than a month after ZachXBT received the alert on his phone, two of the three suspects had been arrested and charged with criminal offenses. When he saw the photo of one of the hackers, ZachXBT said he felt a surge of adrenaline, but the feeling soon passed. "I didn't feel any special sense of accomplishment," ZachXBT said. "I just treated it as a similar case."
The People’s Cryptocurrency Private Investigator
If tracking a $250 million theft seems like just another day on the internet for ZachXBT, that's probably because he has spent the past three years establishing himself as the world's most prolific independent crypto-focused detective. Since starting out as an amateur investigator in 2021, he has tracked billions of dollars in funds tied to thefts and scams. By his own count, his hundreds of investigations have directly helped recover about $210 million in proceeds of crypto crime, and indirectly helped victims recover an additional $225 million in stolen funds. ZachXBT has called out influencers who promote tokens in pump-and-dump schemes, hunted down the cybercriminals behind massive crypto thefts, and uncovered dozens of instances of North Korean hackers breaking into crypto companies, and even infiltrating them as employees.
Throughout all this tracking, ZachXBT's "compensation" has come almost entirely from cryptocurrency donations, in the form of grants from cryptocurrency organizations and strangers sending money to the addresses listed in his social media profiles: about $1.3 million since 2021. "He's a new generation of investigator. He works for the people," said Joe McGill, a Secret Service analyst who has worked with ZachXBT. "His success is entirely related to his own abilities."
Yet as ZachXBT works as a crypto vigilante, he also keeps a mask on. Online, he appears only as a cartoon platypus wearing a detective trench coat or hoodie. To avoid retaliation from his many enemies and scammers in the crypto world, he never appears in public, does not reveal his real name or exact age, and is only willing to be interviewed on the condition that I do not try to dig up those identifying details.
McGill recalled that in some of their early conference calls, ZachXBT would not only turn off his camera, but even use voice-changing software, sometimes sounding like a high-pitched "South Park character" and sometimes deepening his voice to sound like something from a horror movie. "It felt weird at first," said McGill, who was then working at cryptocurrency security firm TRM Labs, "but I respected his privacy because this anonymous person was doing such a great job."
In addition, Nick Bax, a cryptocurrency investigator and founder of Five I's, said that ZachXBT uncovers many cryptocurrency criminal scams and thefts almost every week, and his work speed often far exceeds that of law enforcement agencies, so much so that Bax once half-jokingly commented: "He is a machine."
As part of an investigation last year, they collaborated to track the 2021 theft of $60 million from a cryptocurrency project called AnubisDAO. On a Saturday night, Bax gave ZachXBT a list of 500 transactions, each of which required manual analysis along with all the associated blockchain addresses. “I figured that would keep him busy for at least a few days,” Bax said. But the next afternoon, ZachXBT had gone through every transaction and determined which ones were related to the theft. “I was shocked,” Bax said. “He must have been hunched over his computer for 12 hours straight.”
Many of ZachXBT's findings are posted unreservedly to his X account. Over time, however, his findings have come increasingly to the attention of law enforcement agencies (some of whom he now often shares his findings with before publishing). "As Zach has become more powerful, there have been financial and legal consequences," says Taylor Monahan, a security researcher at the cryptocurrency company MetaMask and one of ZachXBT's closest collaborators on investigations. "If Zach posts about someone now, and it's highly likely to be accurate, that person will be arrested."
From victim to whistleblower
So how did ZachXBT manage to outsmart even professional cryptocurrency investigators in law enforcement without any formal training or organizational support? In fact, even he himself is not quite sure. "It's a hard question to answer. I don't know why I am so good," ZachXBT said in a phone interview with WIRED. He believes it is because he is willing to work day and night. After all, the cryptocurrency market never closes, and he has been studying these huge transaction ledgers for many years, so he is very familiar with analyzing cryptocurrency blockchains. "The more you pay attention to the blockchain, even eat, sleep, and breathe it, then, over time, you become more and more observant," he said. "You can start to see these connections, you can look at a wallet and dissect it in seconds and determine whether it is a bad actor."
ZachXBT said that his familiarity with blockchains comes from his years as a cryptocurrency enthusiast and trader, and that he himself has fallen into some of the traps of the crypto economy. Around 2017, he said, he naively bought thousands of dollars' worth of tokens that eventually became worthless in a rug pull. ZachXBT said, "When I bought it, I thought, 'This will change my life.' Then, I held on firmly and never sold it," but the result was, "I was the one who was deceived."
By 2018, all of the tokens ZachXBT had invested in had collapsed, and his Electrum cryptocurrency wallet was compromised by malware, costing him an additional nearly $15,000.
At this point, ZachXBT decided to take a step back and rethink his approach. Instead of simply buying and holding tokens, he began analyzing on-chain data to understand how larger, more successful investors were trading tokens and trying to emulate that.
By 2020, ZachXBT had become familiar enough with tracking cryptocurrency transactions to spot scams going on that the average investor couldn’t see. He’d see influencers publicly promote an asset to their hundreds of thousands of followers, pump up the price, and then sell their holdings right after. “It was more like a whistleblower,” ZachXBT said. “I’d notice the activity and think, ‘This reminds me of what I got scammed on in 2017 and 2018. Why not post about it?’ And then it just kept going.”
Later that year, when the NFT craze took off, ZachXBT began conducting similar audits of NFT projects such as Bored Bunny and Billionaire Dogs Club, to show where the funds flowing into these projects were really going. Some of these NFT sellers raised millions of dollars with nothing but cartoon .jpg images, promising that NFTs minted from them would confer privileges such as access to exclusive events or clubs. Through blockchain analysis, however, ZachXBT could show that the sellers were simply dividing up and pocketing the funds. Sometimes a new NFT project turned out to be just a new front for an earlier project that had already been exposed as a scam.
To a certain extent, ZachXBT's posts about NFT projects did help some buyers. But over time he grew tired of exposing the same, often transparent, scams over and over again, and frustrated by the lack of more concrete results: after he exposed these NFT scams, no one faced criminal charges.
Then, in early 2022, he began to notice hackers taking over Twitter accounts of well-known cryptocurrency users and posting phishing links, resulting in the theft of tens of millions of dollars. Every time a distraught victim posted that their deposits had been stolen, ZachXBT would contact them and then meticulously track down their lost funds. He combined these blockchain clues with his sources in Discord and Telegram channels frequented by young hackers, and found several accounts of teenagers who often boasted about their huge wealth.
By this time ZachXBT had himself become a target of the cryptocurrency underworld, and one young hacker even publicly mocked him in a Twitter post, boasting that he had bought an Audemars Piguet diamond watch. ZachXBT did not let it go: he found the watch seller in a luxury-watch Discord channel and persuaded the seller to hand over the teenager's delivery address and real name.
There appears to be no public record, however, of whether these alleged suspects were arrested. Perhaps to protect minors, the charges may have been sealed, or they may never have been filed. But a seizure notice found by ZachXBT shows that in October 2022, a month after ZachXBT posted his findings on X, the FBI seized more than $200,000 worth of crypto assets from the juvenile suspect he had identified, along with the diamond watch.
The same year, ZachXBT used similar techniques to track down a $2.5 million NFT phishing theft, with all the evidence pointing to a pair of French hackers. A few months later, French prosecutors arrested five suspects, and according to AFP, the prosecutors specifically thanked ZachXBT for his contribution. "It's been very fulfilling to see law enforcement take action based on the information I shared," ZachXBT said. "It makes me feel that maybe what I've been doing is really meaningful."
In the two years since he first gained the attention of law enforcement, ZachXBT's investigations have exploded in size and yielded impressive results. In February 2023, he tracked down nearly $9 million in stolen funds from the cryptocurrency project Platypus and identified one of the thieves within hours; more than a week later, French police arrested two suspects. Although the charges against the two were eventually dropped, the police recovered millions of dollars in funds, and Platypus thanked ZachXBT on Twitter.
Later that year, he tracked a $25 million theft from cryptocurrency firm Uranium Finance, much of which appeared to have been laundered through purchases of rare Magic: The Gathering cards. And when a cybercriminal gang called Scattered Spider launched a ransomware attack on Las Vegas-based Caesars Entertainment, demanding $15 million, ZachXBT helped track and recover $12 million of the proceeds, according to other investigators involved in the case who spoke to WIRED.
Around the same time, ZachXBT also released a massive investigation into 25 cryptocurrency thefts perpetrated by North Korean hackers, totaling more than $200 million in stolen funds, of which about $7 million he helped freeze, and about half of those hacks had never been publicly disclosed. This investigation was followed by another one that revealed a network of about 30 North Korean IT personnel who infiltrated tech companies and were paid in cryptocurrency. In one case, a technician who appeared to be associated with North Korea was employed by the NFT company Munchables and managed to steal $62 million in cryptocurrency assets from the company. When ZachXBT helped identify and mark the funds, the hacker simply returned the money because it was difficult to cash out.
"Do you know how much that is?"
Even so, the $243 million theft from a single victim that ZachXBT picked up on August 19 was one of the largest heists he had ever tracked. After his international flight home, he continued to follow the branching funds for several days while monitoring social media for signs of the three suspects, two of whom went by the names Greavys and Box. Greavys in particular, whose real name is Malone Lam and who appears to live in Miami, posted and appeared in many photos of luxury real estate, diamond watches, private jets, and sports cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter of which often sells for more than $3 million. ZachXBT also found posts from influencers claiming that Greavys had given them Hermès Birkin bags (each worth between $30,000 and $50,000). The pictures accompanying the posts showed waiters in a nightclub holding light signs that read "WHO WANT A BIRK" and tagged Greavys' name.
Within days, ZachXBT convinced the source who had first messaged him during the flight to send him a recording of a screen share among three hackers who appeared to be involved in the theft. Unbeknownst to the others, one of the alleged hackers had re-shared his screen with another group of friends during the session, and one of them appeared to have recorded it. ZachXBT said that over the 90-minute video, the three hackers called each other by name several times. At one point, one of the three briefly switched back to his Windows home screen, revealing his last name.
The video even captures the hackers' frantic reactions after completing the nine-figure theft. "OMG! OMG! $243 million! Yes!" one of them says in the recording. "We did it! We did it! I can't believe it, do you know how much money that is?"
On the late afternoon of September 18, less than a month after ZachXBT began his investigation, Lam was arrested at a luxury beachfront rental in Miami that cost $68,000 a month. Box, whose real name is Jeandiel Serrano, was detained at the Los Angeles airport as he and his girlfriend flew home from a vacation in the Maldives. According to prosecutors, he was wearing a $500,000 watch when he was arrested, rented a house near Los Angeles for more than $40,000 a month, and had spent $1 million on luxury cars. The next day, wire fraud and money laundering charges against Lam and Serrano were unsealed. According to court documents, both hackers confessed to law enforcement investigators that they had been involved in multiple cryptocurrency thefts. Lam admitted that the proceeds helped him buy no fewer than 31 luxury cars.
So far, $79 million of the $243 million they allegedly stole has been seized or frozen. ZachXBT hopes to find more money. Prosecutors say more than $100 million is still unaccounted for even after the hackers’ spending spree.
The third suspect ZachXBT found appears to live in Connecticut, according to public records, but has not been charged with any crime. Journalist Brian Krebs, however, noted that a criminal complaint described a group of men who allegedly carjacked a Lamborghini and briefly kidnapped a couple in their 50s in Connecticut four days after the $243 million theft in late August, intending to steal a large amount of cryptocurrency from the couple's son. In other words, the son is likely the third recipient of the funds that ZachXBT tracked.
For ZachXBT, this investigation may be a turning point in his career. This is the first time he has been hired by a victim and paid, rather than conducting investigations as a volunteer with donations. He said he might transition to doing more paid work or even start his own investigation company. But he insisted that he would not conduct investigations for wealth. "What I want to see is that the stolen funds are confiscated and returned, and the thieves are arrested. This is my goal and what I intend to do," ZachXBT said. "Seeing people benefit from it is the source of my happiness."
Taylor Monahan, who has worked with ZachXBT on dozens of investigations, said ZachXBT is driven largely by a sense of justice that comes from his own experience as a victim of the cryptocurrency world's cruelty, and by a desire to help others avoid the same fate. "He had the same bad experience as many people in this space, and everyone around him would think they were unlucky," Monahan said, "but he rejected this experience from the bottom of his heart. He wanted to change this situation."