By Andy Greenberg

Compiled by: Ismay, BlockBeats

Editor's note: I believe many readers have heard the name ZachXBT frequently of late, whether in his confrontation with Ansem, his publication of Murad's address, his exposure of the U-seller Wang Yicong, or his disclosure of SHAR's project deck. Since 2021, the on-chain detective ZachXBT has helped victims of fraud and theft recover nearly $500 million. Last month he uncovered a $243 million theft, the largest theft from an individual in history. From tracking crimes in the depths of the blockchain to revealing the huge flows of funds behind lavish lifestyles, ZachXBT has, through wisdom and persistence, helped recover hundreds of millions of dollars in stolen funds in just a few years. This Wired magazine article takes you into the mysterious world of this "faceless detective" of cryptocurrency, revealing how he matches wits and courage with crypto criminals, and the little-known stories behind the scenes.

The following is the original content:

On August 19, a young man in his twenties who goes by the online name ZachXBT was about to board a flight home. He would not reveal which airport, his real name, or where he lived.

Just then, an alert popped up on his phone: a Bitcoin transfer had landed at a small cryptocurrency exchange. It was one of many exchanges he had been monitoring for a long time, mainly to spot fund flows linked to criminal money laundering. The alert caught his attention because the transaction was worth about $600,000, more than 10 times the exchange's usual daily volume.

When he arrived at the gate, his phone buzzed with a new alert: another transaction of more than $1 million had landed at the same exchange. Then came another of $2 million.

As ZachXBT waited in line to board, he quickly traced the funds on his phone, working backwards through the Bitcoin addresses and flagging suspicious transactions, trying to identify where the money had come from before he lost his internet connection for the half hour after takeoff.

Before the plane took off, he had confirmed that the funds came from a large Bitcoin wallet that had been untouched since 2012 and held hundreds of millions of dollars. Now that nine-figure sum was being cashed out in a hurry, with high transaction fees paid to speed things along, hardly the behaviour of an investor who had patiently held the coins for more than ten years.
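The monitoring heuristic the article describes, a deposit far above an exchange's normal daily volume, traced back to a source wallet that had sat untouched for years and was being moved with high fees, can be written down as a small defender-side triage rule. The following is an added example written for this page, not ZachXBT's own tooling: the ledger, the $60,000 price, the fee threshold and the "dormant after 5 years" cutoff are all constructed assumptions chosen to mirror the pattern in the story.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed assumptions for this example (not figures from the article).
BTC_USD = 60_000          # assumed spot price used to value deposits
HIGH_FEE_SAT_VB = 100     # fee rate above which a spend looks "in a hurry"
DORMANT_YEARS = 5         # source funds untouched this long count as dormant


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple          # (funding_txid, address) pairs this tx spends
    outputs: dict          # address -> BTC amount
    fee_sat_vb: float      # fee rate the spender paid
    timestamp: datetime


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample ledger: a wallet funded in 2012 is consolidated and fed
# into a small exchange in two large chunks, beside one ordinary retail deposit.
TXS = {t.txid: t for t in [
    Tx("old-2012", (), {"1Dormant": 5000.0}, 5, ts("2012-03-01 00:00")),
    Tx("consol-1", (("old-2012", "1Dormant"),), {"bc1hop1": 4999.9}, 200, ts("2024-08-19 14:00")),
    Tx("dep-1", (("consol-1", "bc1hop1"),), {"3Exchange": 10.0, "bc1chg1": 4989.8}, 150, ts("2024-08-19 14:10")),
    Tx("dep-2", (("dep-1", "bc1chg1"),), {"3Exchange": 20.0, "bc1chg2": 4969.7}, 180, ts("2024-08-19 14:25")),
    Tx("retail-fund", (), {"1Retail": 0.1}, 5, ts("2024-08-01 09:00")),
    Tx("retail-1", (("retail-fund", "1Retail"),), {"3Exchange": 0.05}, 8, ts("2024-08-19 14:30")),
]}


def deposits_to(exchange_addr, txs):
    """Yield (tx, usd_value) for every tx paying the exchange's deposit address, oldest first."""
    for tx in sorted(txs.values(), key=lambda t: t.timestamp):
        amt = tx.outputs.get(exchange_addr)
        if amt:
            yield tx, amt * BTC_USD


def flag_large_deposits(exchange_addr, txs, baseline_daily_usd, multiple=10):
    """Return txids of deposits exceeding `multiple` times the exchange's usual daily volume."""
    return [tx.txid for tx, usd in deposits_to(exchange_addr, txs)
            if usd > multiple * baseline_daily_usd]


def trace_origin(txid, txs):
    """Walk the inputs of `txid` backwards. Returns (path_txids, origins), where origins
    lists (address, btc, funding_time) for outputs of the earliest txs we can see,
    i.e. those with no inputs inside the dataset."""
    path, origins, seen, stack = [], [], set(), [txid]
    while stack:
        tid = stack.pop()
        if tid in seen or tid not in txs:
            continue
        seen.add(tid)
        tx = txs[tid]
        path.append(tid)
        if not tx.inputs:
            origins.extend((addr, amt, tx.timestamp) for addr, amt in tx.outputs.items())
            continue
        stack.extend(prev for prev, _addr in tx.inputs)
    return path, origins


def assess_deposit(txid, txs, baseline_daily_usd):
    """Combine the three signals from the story into one triage record for a deposit."""
    tx = txs[txid]
    usd = sum(amt * BTC_USD for addr, amt in tx.outputs.items() if addr.startswith("3Exchange"))
    path, origins = trace_origin(txid, txs)
    oldest = min(t for _a, _b, t in origins)
    age_years = (tx.timestamp - oldest).days / 365.25
    record = {
        "txid": txid,
        "usd": usd,
        "large_deposit": usd > 10 * baseline_daily_usd,
        "source_age_years": round(age_years, 2),
        "dormant_source": age_years >= DORMANT_YEARS,
        "high_fee": any(txs[t].fee_sat_vb > HIGH_FEE_SAT_VB for t in path),
        "origin_pool_usd": sum(amt * BTC_USD for _a, amt, _t in origins),
    }
    record["score"] = sum(record[k] for k in ("large_deposit", "dormant_source", "high_fee"))
    return record


if __name__ == "__main__":
    for t in flag_large_deposits("3Exchange", TXS, baseline_daily_usd=50_000):
        print(assess_deposit(t, TXS, 50_000))
```

The three signals are deliberately kept separate in the record rather than collapsed into a single verdict: a large deposit alone is routine for a whale, and a high fee alone is routine in a congested mempool, but all three together on one deposit is the combination that justified dropping everything at the gate.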

In ZachXBT's view, this flow of funds was clearly a massive theft.

After further verification, he found that someone had stolen about $243 million worth of Bitcoin from a victim, which may be the largest cryptocurrency theft from an individual in history. "This is really an unusual amount of money that was stolen from one person," ZachXBT told Wired magazine, "I had to make sure I was not mistaken."

Once the plane climbed above 10,000 feet and the Wi-Fi was working again, ZachXBT began tracking the movement of more of the stolen funds.

The funds moved through one exchange and swap service after another. Over the next few hours he expanded his branching diagram of the flows and found that the hackers had tried to obscure the money's trail through more than a dozen platforms.

As he followed the trail back to the owner of the lost Bitcoin, ZachXBT discovered that some of the funds originally came from the defunct Genesis cryptocurrency exchange. He sent a private message to the administrator of the exchange through the X platform (formerly Twitter) and asked them to contact the victim, who eventually hired him to track down the stolen funds.

By the time he arrived at his destination, ZachXBT had discovered that the stolen funds had been split into three main streams that pointed to what he believed to be three suspects. He also posted a message to his more than 650,000 followers on the X platform, noting the ongoing theft on the blockchain.

Soon after, he received a message from an informant who claimed to have clues to the hacker's identity.

For the next week, ZachXBT worked day and night, sleeping only four to five hours a day, and regularly shared his findings with law enforcement agencies. He eventually identified the suspects involved in the theft - two young hackers in their early twenties named Malone Lam and Jeandiel Serrano. ZachXBT also identified another suspected hacker, but Wired chose not to publish his name because the person has not yet been arrested or charged.

He even obtained a video showing one of them celebrating the huge fortune after completing the theft. During his quick investigation, ZachXBT even tracked down the suspects' Instagram and TikTok and saw one of them squandering millions of dollars, buying luxury cars, taking private jets, and spending up to $500,000 a night in nightclubs.

Less than a month after that alert was received on the plane, two of the three suspects were arrested and face criminal charges.

When ZachXBT finally saw the arrest photo of one of the hackers, he said he felt a brief adrenaline rush, but soon calmed down. "I didn't feel any special sense of accomplishment," ZachXBT said. "I just treated it as another ordinary case."

ZachXBT, the famous cryptocurrency detective, is on the front line of crime and solved a $243 million theft all by himself.

Bitcoin theft investigation results | ZachXBT's pinned tweet

Cryptocurrency Private Investigators for the Masses

If tracking a $250 million heist seems like a typical day online for ZachXBT, that’s probably because over the past three years he’s become the world’s most active independent cryptocurrency detective.

Since he began working as an amateur investigator in 2021, he has tracked billions of dollars in stolen funds and fraud cases. According to a table he provided to Wired magazine, his hundreds of investigations have directly led to the recovery of about $210 million in criminal cryptocurrency funds, and another about $225 million has been recovered for victims with his indirect help.

He has exposed influencers promoting tokens through pump and dump scams, tracked down cybercriminals behind major cryptocurrency thefts, and uncovered dozens of cases of North Korean hackers breaking into crypto companies and even infiltrating them as employees.

Throughout, he has relied almost entirely on cryptocurrency donations to fund his work, including grants from cryptocurrency organizations and contributions sent by strangers through addresses listed on his social media profiles, totaling about $1.3 million since 2021. "He is a new generation of investigator, and he serves the public," said Joe McGill, a U.S. Secret Service analyst who has worked with ZachXBT. "His success is entirely dependent on the success of his investigations."

In his pursuit of becoming a cryptocurrency "justice police", ZachXBT has always been careful to remain anonymous. Online, he appears only as his avatar, a cartoon platypus wearing a detective's trench coat or sometimes a hoodie. To avoid retaliation from cryptocurrency criminals and scammers, he has never disclosed his real face, name or specific age, and he agreed to be interviewed only on condition that Wired magazine not pursue that identifying information.


ZachXBT's Twitter page

Secret Service analyst McGill recalled that in their early conference calls, ZachXBT not only turned off the camera, but also used voice-changing software, sometimes sounding like a screaming character in "South Park"; at other times, he turned his voice down to a depth that seemed like a character from a horror movie. "It was really weird at first," said McGill, who was working at crypto tracking company TRM Labs at the time, "but I respected his privacy because this anonymous person was doing a really good job."

Nick Bax, a cryptocurrency investigator and founder of Five I's, said ZachXBT uncovers new cryptocurrency scams and thefts almost every week, often far faster than law enforcement agencies do. Bax half-jokingly said he has wondered whether ZachXBT is a robot.

“He was like a machine,” Bax said.

In an investigation last year, they collaborated to track the $60 million theft from the AnubisDAO crypto project in 2021. Bax gave ZachXBT a list of 500 transactions on Saturday night, each of which needed to be manually analyzed, along with the associated blockchain addresses. "I thought this would keep him busy for at least a few days," but by the next afternoon, ZachXBT had finished analyzing all the transactions and determined which ones were related to the theft. "I was shocked," Bax said. "He must have been sitting in front of his computer for 12 hours straight."

Many of ZachXBT's findings are published without ceremony on his X platform account.

Over time, however, his investigations have increasingly attracted the attention of law enforcement agencies, with whom he now often shares his findings before releasing them publicly, and the targets of his work are facing increasingly serious consequences.

"As Zach's influence continues to grow, these cases have financial and legal consequences," said Taylor Monahan, a security researcher at the crypto company MetaMask, who was one of ZachXBT's closest investigative partners during the investigation of the $243 million theft. "If Zach posts about someone now and the revelation is good, there's a good chance that person will be arrested."

From Victim to Whistleblower

So how exactly did ZachXBT manage to track money flows faster and more accurately than even law enforcement crypto investigators, with no formal training or organizational support?

He himself is not so sure about this. "This is a hard question, and I don't know why I'm so good at it," ZachXBT told Wired magazine in a phone interview. He believes it has to do with his willingness to work day and night - after all, the cryptocurrency market never closes - and the experience he has accumulated from years of in-depth research on cryptocurrency blockchains. "The more you look at the blockchain, when you eat, sleep and even breathe studying it, everything starts to become clearer over time," he said. "You can start to see those connections. I can look at a wallet and tell in a few seconds whether it is a bad guy."

ZachXBT said his familiarity with blockchain stems from his years as a cryptocurrency enthusiast and trader — and from his own experience as a victim of one of the crypto economy’s many pitfalls.

Around 2017, he naively spent thousands of dollars on various crypto tokens, which eventually lost their value, usually through so-called rug pulls, in which a token's creator suddenly sells off their holdings, leaving other investors holding worthless assets. "I bought in thinking, 'This is going to change the world.' I bought it and held on to it and never sold it," ZachXBT said. As a result, "I became the one who got scammed."

By 2018, not only had all of his investments shrunk significantly, but the Electrum crypto wallet ZachXBT used was compromised through a malicious update, and he lost nearly another $15,000.

Only then did he decide to take a step back and rethink his strategy. Instead of simply buying and holding tokens, he began analyzing cryptocurrency blockchains, nearly all of which are publicly visible to anyone who can work out which addresses belong to whom, observing how some of the bigger, more successful investors were trading tokens and bitcoin and trying to emulate their moves.

Through these blockchain analyses, by 2020 he had become quite familiar with tracking cryptocurrency transactions, able to spot ongoing scams that ordinary investors would not see.

He saw influencers publicly promote a crypto asset to thousands of fans, pushing up its price, and then, by tracking their funds on the blockchain, found that they had sold their own holdings of the token immediately after the promotion, the classic pattern of a "pump and dump" scam.
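The check described in the paragraph above, correlating an influencer's promotional post with outflows from that influencer's own wallet shortly afterwards, is straightforward to express as code. This is an added example written for this page, not a tool ZachXBT has published: the wallets, tokens, posting times and transfer amounts are constructed, and the 24-hour window and 50% sell-off threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed: promotional posts, as (influencer wallet, token promoted, time posted).
PROMOTIONS = [
    ("infA", "FOO", ts("2021-04-01 12:00")),
    ("infB", "BAR", ts("2021-04-02 18:00")),
    ("infC", "BAZ", ts("2021-04-03 10:00")),   # promotes a token it never held
]

# Constructed on-chain token transfers of those wallets:
# (wallet, token, time, signed amount) with positive = received, negative = sent out.
TRANSFERS = [
    ("infA", "FOO", ts("2021-03-30 09:00"), 1_000_000),
    ("infA", "FOO", ts("2021-04-01 12:35"), -600_000),    # dumped 35 minutes after posting
    ("infA", "FOO", ts("2021-04-01 16:10"), -350_000),
    ("infB", "BAR", ts("2021-03-28 10:00"), 500_000),
    ("infB", "BAR", ts("2021-04-10 09:00"), -50_000),     # small sale, a week later
]


def holdings_at(wallet, token, when, transfers):
    """Net token balance of `wallet` strictly before `when`, from the transfer history."""
    return sum(amt for w, t, at, amt in transfers
               if w == wallet and t == token and at < when)


def outflow_within(wallet, token, start, hours, transfers):
    """Tokens sent out of `wallet` in the `hours` after `start` (returned as a positive number)."""
    end = start + timedelta(hours=hours)
    return -sum(amt for w, t, at, amt in transfers
                if w == wallet and t == token and start <= at <= end and amt < 0)


def pump_and_dump_signals(promotions, transfers, window_hours=24, dump_fraction=0.5):
    """For each promotion, report how much of the promoter's pre-post position left
    the wallet inside the window, and flag it as a dump when that exceeds `dump_fraction`."""
    signals = []
    for wallet, token, posted in promotions:
        held = holdings_at(wallet, token, posted, transfers)
        sold = outflow_within(wallet, token, posted, window_hours, transfers)
        fraction = sold / held if held > 0 else 0.0   # no position before the post: nothing to dump
        signals.append({
            "wallet": wallet,
            "token": token,
            "held_before": held,
            "sold_in_window": sold,
            "sold_fraction": round(fraction, 3),
            "dump": held > 0 and fraction >= dump_fraction,
        })
    return signals


if __name__ == "__main__":
    for s in pump_and_dump_signals(PROMOTIONS, TRANSFERS):
        print(s)
```

The `held_before` field matters as much as the flag: a promoter who accumulated a position just before posting and unloaded most of it right after is the pattern worth publishing, whereas a long-term holder trimming a small amount days later is not evidence of anything.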

“It was more of a whistleblower role,” ZachXBT said. “I noticed some of this activity and thought, ‘This reminds me of how I got scammed in 2017 and 2018, why not post about it?’ Then it started to gain traction.”

When the NFT craze began, ZachXBT also began to scrutinize NFT projects like Bored Bunny and Billionaire Dogs Club to reveal where the money was really going. These NFT sellers were able to raise millions of dollars with just a few cartoon images, claiming that these NFTs would bring privileges such as participation in exclusive events or clubs.

However, ZachXBT found through blockchain analysis that these sellers simply dispersed the funds and pocketed them. Sometimes his tracing even showed that an NFT seller was merely a "repackaging" of a previous project that had already been exposed as a scam.

In some cases, ZachXBT’s posts about NFT sellers did scare off buyers and prevent some suspicious NFT sellers from continuing to sell their products. But over time, he grew tired of constantly exposing these highly transparent, recurring scams, and also frustrated by the lack of more substantial results: No one from the NFT projects he exposed faced criminal charges.

At the beginning of 2022, ZachXBT began to notice that a group of hackers were invading the Twitter accounts of some well-known cryptocurrency users and posting phishing links pointing to Ethereum smart contracts used to empty user wallets, resulting in the theft of tens of millions of dollars.

ZachXBT reached out to victims whenever they posted in agony that their savings had been stolen, then carefully tracked down their lost funds. He combined those blockchain clues with sources he had developed in Discord and Telegram channels frequented by young cryptocurrency thieves, eventually finding several online nicknames of teenagers who might be connected to the phishing operation, bragging about their stolen fortunes online.

By this time, ZachXBT had become so well-known in the cryptocurrency underground that a person he considered a suspect even posted on Twitter to show off his purchase of a diamond-encrusted Audemars Piguet watch, mockingly mentioning "mr xbt."

ZachXBT tracked down the seller of the watch through a luxury watch Discord channel and was able to convince the seller to hand over the shipping address and real name of the teenager who purchased the watch, which is worth nearly $50,000.

There are no public records showing whether the alleged thieves were ever arrested, possibly because the suspects were minors and charges were either sealed or never filed. But ZachXBT found a forfeiture notice showing that in October 2022, a month after he posted his findings on X, the FBI seized more than $200,000 worth of crypto assets, as well as the diamond watch, from the teenage suspects he identified.

That same year, ZachXBT used similar techniques to track down $2.5 million worth of NFTs stolen in another phishing campaign, targeting a pair of French hackers. A few months later, French prosecutors arrested five suspects, and according to AFP, they explicitly mentioned that ZachXBT's posts on the X platform helped the investigation of the two main suspects. "It's very fulfilling to see law enforcement take action based on the information I shared," ZachXBT said. "It made me realize that maybe what I'm doing is actually having some effect."

Since first coming to the attention of law enforcement two years ago, the scale of ZachXBT’s investigations — and in some cases the results — have expanded dramatically.

In February 2023, he tracked down nearly $9 million in funds stolen from the crypto project Platypus and identified one of the suspects in just a few hours; just over a week later, French police arrested two suspects. Although the charges against the two were eventually dropped, the police successfully recovered millions of dollars in funds, and Platypus also expressed its gratitude to ZachXBT in a tweet.

That same year, he tracked down $25 million stolen from crypto company Uranium Finance, much of which appeared to have been laundered through the purchase of rare Magic: The Gathering cards. When the notorious cybercrime group “Scattered Spider” launched a ransomware attack on Caesars Entertainment in Las Vegas and extorted $15 million from the company, ZachXBT helped track down and recover $12 million of that money, others involved in the investigation told WIRED.

Around the same time, ZachXBT published a major investigation that revealed 25 cryptocurrency thefts by North Korean hackers totaling more than $200 million, of which about $7 million was frozen with his help. About half of these hacks had never been made public before.

He then followed up with an investigation that revealed a network of about 30 North Korean IT workers who infiltrated tech companies and were paid in cryptocurrency. In one case, a technician suspected of being linked to North Korea was hired by the NFT company Munchables and went on to steal $62 million in crypto assets. Once ZachXBT helped identify and flag the funds, the thieves were eventually forced to return the money because they could not easily cash it out.

"Do you know how much that is?"

Back to the theft at the beginning, when ZachXBT received a tip at the airport about the theft of $243 million from a single victim on August 19, it was one of the largest thefts he had ever tracked.

After returning home from an international flight, he spent days tracking these dispersed flows of money while monitoring the social media movements of three suspects, two of whom used the usernames Greavys and Box. Greavys in particular, whose real name is Malone Lam, appeared to be in Miami. His online posts and photos showed him surrounded by luxury properties, diamond watches, private jets and luxury cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter of which often sells for more than $3 million.

ZachXBT also found that Greavys had given some influencers Birkin and Hermès bags worth $30,000 to $50,000, and waiters appeared in nightclubs holding electronic signs that read "WHO WANT A BIRK" with his name on them.

“It looked like they were doing nothing but partying and stealing money,” ZachXBT said.

Within days, ZachXBT convinced the informant, who had first messaged him during his flight, to provide him with a screen-sharing video of three suspected hackers involved in the theft. Unbeknownst to the hackers, one of the suspects had shared his screen with another group of friends, one of whom appeared to have recorded the video.

In the 90-minute video, ZachXBT said the three hackers repeatedly called each other by their first names, and in another clip, one of the men briefly showed his Windows home screen, accidentally revealing his last name.

The video even captured the moment of excitement and ecstasy after the hackers succeeded. "Oh my God! Oh my God! $243 million! Awesome!" One of them shouted in the video, "I'm going crazy! We got it, we got it. I'm going to explode. Do you know how much money that is?"

On the late afternoon of Sept. 18, less than a month after ZachXBT began his investigation, Lam was arrested at a beachfront rental property in Miami for which he was paying $68,000 a month. Box, whose real name is Jeandiel Serrano, was arrested at the Los Angeles airport as he and his girlfriend returned from a vacation in the Maldives. At the time of his arrest, he was wearing a $500,000 watch, renting a property near Los Angeles for more than $40,000 a month, and had spent $1 million on luxury cars, according to prosecutors.

The next day, wire fraud and money laundering charges were unsealed against Lam and Serrano, and according to court documents, both hackers admitted to law enforcement investigators that they were involved in multiple cryptocurrency thefts. Lam specifically admitted that the proceeds of the crimes allowed him to purchase no fewer than 31 high-end cars.

So far, $79 million of the $243 million has been seized or frozen, and ZachXBT hopes to find more of the stolen funds. Prosecutors say that even after the suspects squandered some of the money, more than $100 million is still unaccounted for.

ZachXBT’s third suspect, who currently appears to live in Connecticut according to public records, has not yet been charged with any crime. However, journalist Brian Krebs pointed to a criminal complaint describing a group of men who allegedly robbed and briefly kidnapped a couple in their 50s in Connecticut four days after the $243 million theft in late August because the robbers “believed the victim’s son had access to a large amount of digital currency,” suggesting the victims could be the parents of the third alleged recipient of funds tracked by ZachXBT.

For ZachXBT, this investigation may be a turning point. This is the first time he has been hired and paid by a victim, rather than working as a volunteer on donations. He said he may do more paid work like this in the future and even consider starting his own investigation company.

But ZachXBT insists that he is not trying to get rich by exposing these incidents. "I see the funds seized, returned to the victims, and the suspects arrested. This is my goal and my original purpose," ZachXBT said. "Seeing these things help people is where my satisfaction comes from."

His partner, Taylor Monahan, from crypto wallet company MetaMask, who has worked with him on dozens of investigations, believes ZachXBT is still primarily driven by a sense of justice — a sense of justice that stems from the fact that he was once a victim in the cryptocurrency world and wants to prevent others from suffering the same fate.

“He had the same experience that a lot of people in this field had, which is that bad things happened and people around him just said, ‘That’s unfortunate,’ ” Monahan said. “He instinctively refused to accept that and wanted to change that.”
