Original title: Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts

Original author: Andy Greenberg

Original translation: Ismay, BlockBeats

Editor's note: I believe many readers have heard the name ZachXBT frequently recently, confronting Ansem, publishing Murad's address, exposing U-seller Wang Yicong, and disclosing SHAR's project deck. Since 2021, on-chain detective ZachXBT has helped victims of fraud and theft recover nearly $500 million. Last month, he cracked a $243 million theft, the largest theft against an individual in history. From tracking crimes deep in the blockchain to revealing the huge flow of funds behind luxurious lives, ZachXBT has helped recover hundreds of millions of dollars in stolen funds in just a few years with his wisdom and persistence. This article in Wired magazine will take you into the mysterious world of this cryptocurrency "faceless detective", revealing how he fights wits and courage with crypto crimes, and those little-known behind-the-scenes stories.

The following is the original content:

On August 19, a young man in his twenties, nicknamed ZachXBT, was preparing to board a flight home. He would not reveal which airport, his real name, or where he lived.

At this time, an alert popped up on his phone: a Bitcoin was transferred to a small cryptocurrency exchange. This is one of the many exchanges he has been monitoring for a long time, mainly to find fund flows related to criminal money laundering. The alert caught his attention: the transaction amount was about $600,000, far more than 10 times the daily transaction size of the exchange.

When he arrived at the gate, his phone rang with a new alert: another transaction of more than $1 million had occurred on the same exchange. Then another transaction of $2 million followed.

As ZachXBT waited in line to board his flight, he quickly tracked the funds on his phone, backtracked the Bitcoin addresses, and marked the suspicious funds, trying to identify the source of the funds before the Internet was interrupted half an hour after the plane took off.

Before the plane took off, he had determined that the funds came from a large Bitcoin wallet that had not been used since 2012, with a total amount of hundreds of millions of dollars. Now, this huge amount of money worth nine figures is being cashed out in a hurry, and high transaction fees are paid, which is obviously not acceptable to an investor who has held the currency for more than ten years.

In ZachXBT's view, this flow of funds is obviously a huge theft.

After further verification, he found that someone had stolen about $243 million worth of Bitcoin from a victim, which may be the largest cryptocurrency theft against an individual in history. "This is really an unusual amount, and it was stolen from one person," ZachXBT told Wired magazine, "I had to confirm that I was not mistaken."

When the plane rose above 10,000 feet and the Wi-Fi resumed working, ZachXBT began to track the flow of more stolen funds.

The funds were moved through one exchange and coin-to-coin exchange service after another. Over the next few hours, he sped up a branching diagram of the money flows, finding that the hackers had used more than a dozen platforms to try to hide the funds.

As he followed the trail back to the owner of the lost bitcoins, ZachXBT discovered that some of the funds originally came from the now-defunct Genesis cryptocurrency exchange. He privately messaged the exchange's administrators through X Platform (formerly Twitter) and asked them to contact the victim, who eventually hired him to track down the stolen funds.

By the time he arrived at his destination, ZachXBT had discovered that the stolen funds had been divided into three main streams of funds, pointing to three suspects he believed to be responsible. He also posted a message to his more than 650,000 followers on X Platform, pointing out the ongoing theft on the blockchain.

Soon after, he received a message from an informant claiming to have clues about the hacker's identity.

For the next week, ZachXBT worked day and night, sleeping only four to five hours a day, and regularly shared his findings with law enforcement agencies. He eventually identified the suspects involved in the theft - two young hackers in their early twenties named Malone Lam and Jeandiel Serrano. ZachXBT also identified another suspected hacker, but Wired magazine chose not to publish his name because the person has not yet been arrested or charged.

He even obtained a video showing one of them celebrating the huge fortune after completing the theft. During his quick investigation, ZachXBT even tracked down the suspects' Instagram and TikTok, and saw that one of them squandered millions of dollars, buying luxury cars, taking private jets, and spending up to $500,000 a night in nightclubs.

Less than a month after that alert on the plane, two of the three suspects were arrested and facing criminal charges.

When ZachXBT finally saw the arrest photo of one of the hackers, he said he felt a brief adrenaline rush, but soon calmed down. "I didn't feel any particular sense of accomplishment," ZachXBT said. "I just took it as another ordinary case."

Bitcoin Heist Investigation Results | ZachXBT's Pinned Tweet

Crypto Private Investigator for the People

If tracking a $250 million heist looks like a normal day online for ZachXBT, that's probably because over the past three years he has become the world's most active independent cryptocurrency detective.

Since he began working as an amateur investigator in 2021, he has tracked billions of dollars in stolen funds and scams. His hundreds of investigations have directly led to the recovery of about $210 million in criminal cryptocurrency funds, and about $225 million more has been recovered for victims with his indirect help, according to a spreadsheet he provided to WIRED.

He has exposed influencers who promote tokens through pump-and-dump scams, tracked cybercriminals behind large cryptocurrency thefts, and uncovered dozens of cases of North Korean hackers breaking into crypto companies and even infiltrating as employees.

Throughout, he has relied almost entirely on cryptocurrency donations to fund his work, including grants from cryptocurrency organizations and contributions sent by strangers to addresses listed on his social media profiles, totaling about $1.3 million since 2021. "He's a new generation of investigator, and he serves the public," said Joe McGill, a U.S. Secret Service analyst who has worked with ZachXBT. "His success is entirely dependent on the success of his investigations."

In his pursuit of becoming a cryptocurrency "justice policeman," ZachXBT has been careful to remain anonymous. Online, he appears only as his avatar image - a cartoon image of a platypus wearing a detective windbreaker or sometimes a hoodie. To avoid retaliation from cryptocurrency criminals and scammers, he has never disclosed his real face, name or specific age, and he is willing to be interviewed only if Wired magazine agrees not to pursue such personally identifiable information.

ZachXBT's Twitter homepage

Secret Service analyst McGill recalled that in their early conference calls, ZachXBT not only turned off the camera, but also used voice-changing software, sometimes sounding like a screaming character in "South Park"; at other times, he turned his voice so low that it seemed like a character from a horror movie. "It was really weird at first," said McGill, who was working at crypto tracking company TRM Labs at the time, "but I respected his privacy because this anonymous person was really doing an amazing job."

Cryptocurrency investigator and founder of Five I's Nick Bax said that ZachXBT could uncover many cryptocurrency crime scams and thefts almost every week, often much faster than law enforcement agencies. Bax half-jokingly said that he even wondered if ZachXBT was a robot.

“He’s like a machine,” Bax said.

In an investigation last year, they worked together to track the $60 million theft from the AnubisDAO crypto project in 2021. Bax gave ZachXBT a list of 500 transactions on Saturday night, each of which needed to be manually analyzed, along with the associated blockchain address. “I thought this would keep him busy for at least a few days,” but by the next afternoon, ZachXBT had analyzed all the transactions and determined which ones were related to the theft. “I was shocked,” Bax said. “He must have been sitting in front of his computer for 12 hours straight.”

Many of ZachXBT’s findings are posted without ceremony on his X platform account.

Over time, however, his investigations have increasingly attracted the attention of law enforcement agencies — with whom he now often shares his findings before publicly releasing them — and the targets of those detectives’ work are facing increasingly serious consequences.

“As Zach’s influence has grown, these cases have had financial and legal consequences,” says Taylor Monahan, a security researcher at the crypto firm MetaMask who was one of Zach’s closest investigative partners during the probe into the $243 million theft of XBT. “If Zach were to post about someone right now and do a good job of uncovering the truth, there’s a good chance that person would be arrested.”

From Victim to Whistleblower

So how exactly did ZachXBT manage to track money faster and more accurately than even law enforcement crypto investigators, without any formal training or organizational support?

He's not sure. "It's a hard question, and I don't know why I'm so good at it," ZachXBT told Wired in a phone interview. He thinks it has to do with his willingness to work around the clock—the cryptocurrency market never closes, after all—and years of deep research into cryptocurrency blockchains. "The more you look at the blockchain, when you eat, sleep, and even breathe it, over time, everything starts to become clearer," he said. "You start to see those connections. I can look at a wallet and tell in seconds if it's a bad guy or not."

ZachXBT says his familiarity with blockchains stems from his years as a cryptocurrency enthusiast and trader—and from his own experience as a victim of one of the many traps in the crypto economy.

Around 2017, he naively spent thousands of dollars buying various crypto tokens that ultimately lost value — often because of so-called rug pulls, where the token’s creator suddenly dumps their holdings, leaving other investors with assets worthless. “I bought in thinking, ‘This is going to change the world.’ I bought it and held on to it and never sold it,” ZachXBT said. As a result, “I became the one who got scammed.”

By 2018, not only had all his investments shrunk, but the Electrum crypto wallet ZachXBT was using was hacked in a malware update, costing him nearly $15,000.

It was only then that he decided to take a step back and rethink his strategy. Instead of simply buying and holding tokens, he began analyzing cryptocurrency blockchains — nearly all of which are publicly visible to anyone who can decipher who owns different addresses — and in doing so, he observed how some of the larger, more successful investors traded tokens and Bitcoin, and tried to mimic their moves.

Through these blockchain analyses, by 2020 he had become familiar enough with tracking cryptocurrency transactions to spot scams in progress that the average investor couldn’t see.

He watched influencers publicly promote a crypto asset to their thousands of followers, driving up its price, and then traced their funds through the blockchain to find that they were actually selling their tokens right after the promotion, often in a classic “pump and dump” scam.

“It’s more of a whistleblower role,” ZachXBT said. “I noticed these activities and thought, ‘This reminds me of how I got scammed in 2017 and 2018, why not post about it?’ Then it started to attract a lot of attention.”

When the NFT craze started, ZachXBT also began to scrutinize NFT projects like Bored Bunny and Billionaire Dogs Club to reveal where the money was really going. These NFT sellers raised millions of dollars with just a few cartoon pictures, claiming that these NFTs would bring privileges such as participation in exclusive events or clubs.

However, ZachXBT found through blockchain analysis that these sellers were just dispersing the funds and putting them in their own pockets. Sometimes, he even found through cryptocurrency tracking that some NFT sellers were actually “repackaging” of a previous project that had been proven to be a scam.

In some cases, ZachXBT’s posts about NFT sellers did scare off buyers and prevent some suspicious NFT sellers from continuing to sell their products. But over time, he grew tired of constantly exposing such highly transparent, repetitive scams, and was frustrated by the lack of more substantive results: No one in the NFT projects he exposed faced criminal charges.

In early 2022, ZachXBT began to notice that a group of hackers were hacking into the Twitter accounts of some well-known cryptocurrency users and posting phishing links pointing to Ethereum smart contracts used to empty users’ wallets, resulting in the theft of tens of millions of dollars.

Whenever a victim posted in pain that their savings had been stolen, ZachXBT would proactively contact them and then carefully track their lost funds. He combined these blockchain clues with sources he developed in Discord and Telegram channels frequented by young crypto thieves, eventually finding several online nicknames of teenagers who might be associated with the phishing operation, bragging about their stolen fortunes.

By this time, ZachXBT had become so well-known in the cryptocurrency underground that a man he believed to be a suspect even mentioned "mr xbt" in a Twitter post boasting about the purchase of a diamond-encrusted Audemars Piguet watch.

ZachXBT tracked down the seller of the watch through a Discord channel for luxury watches and was able to convince the seller to hand over the delivery address and real name of the teenager who purchased the nearly $50,000 watch.

There are no public records showing whether the alleged thieves were arrested—perhaps because the suspects were minors and charges were either sealed or never filed. But ZachXBT found a forfeiture notice showing that in October 2022, a month after he posted his findings on X, the FBI seized more than $200,000 worth of crypto assets, as well as the diamond watch, from the teenage suspects he identified.

That same year, ZachXBT used similar techniques to track down $2.5 million worth of NFTs stolen in another phishing campaign targeting a pair of French hackers. A few months later, French prosecutors arrested five suspects and, according to AFP, explicitly mentioned that ZachXBT's X posts had helped in the investigation of the two main suspects. "It's very fulfilling to see law enforcement act on the information I shared," ZachXBT said. “It made me realize that maybe what I was doing was actually having some effect.”

Since first coming to the attention of law enforcement two years ago, the scale of ZachXBT’s investigations—and in some cases the results—have expanded dramatically.

In February 2023, he tracked down nearly $9 million in funds stolen from the crypto project Platypus and identified one of the suspects in just a few hours; just over a week later, French police arrested two suspects. Although the charges against the two were ultimately dropped, police were able to recover millions of dollars in funds, and Platypus thanked ZachXBT in a tweet.

That same year, he tracked down $25 million stolen from the crypto company Uranium Finance, much of which appeared to have been laundered through the purchase of rare Magic: The Gathering cards. When the notorious cybercrime group “Scattered Spider” launched a ransomware attack on Caesars Entertainment in Las Vegas and extorted $15 million from the company, ZachXBT helped track down and recover $12 million of that money, others involved in the investigation told WIRED.

Around the same time, ZachXBT released a major investigation that revealed 25 cryptocurrency thefts committed by North Korean hackers, totaling more than $200 million, of which about $7 million was frozen with his help. About half of these hacks had never been made public before.

He then followed up with an investigation that revealed a network of about 30 North Korean IT workers who infiltrated tech companies and were paid in cryptocurrency. In one case, a technician suspected of being linked to North Korea was hired by NFT company Munchables to successfully steal $62 million in crypto assets. Once ZachXBT helped identify and flag the funds, the thieves were ultimately forced to return the money because they could not easily liquidate it.

“Do you know how much money that is?”

Back to the original theft, when ZachXBT got a tip at the airport about the $243 million theft from a single victim on August 19, it was one of the largest heists he had ever tracked.

After returning home from his international flight, he spent days tracking these dispersed flows of money while monitoring the social media movements of three suspects, two of whom used the usernames Greavys and Box. Greavys in particular, whose real name is Malone Lam, appeared to be in Miami. His online posts and photos showed him surrounded by luxury properties, diamond watches, private jets, and luxury cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter of which often sells for more than $3 million.

ZachXBT also discovered that Greavys had gifted influencers Birkin and Hermès bags worth $30,000 to $50,000, and that waiters were seen at nightclubs holding electronic signs that read “WHO WANT A BIRK,” tagged with his name.

“It looked like they were doing nothing but partying and stealing money,” ZachXBT said.

Within a few days, ZachXBT convinced the informant, who had first messaged him during his flight, to provide him with a screen-sharing video of three suspected hackers involved in the theft. Unbeknownst to the hackers, one of the suspects had shared his screen with another group of friends, one of whom appeared to have recorded the video.

In the 90-minute video, ZachXBT said the three hackers repeatedly addressed each other by their first names. In another clip, one of the men briefly shows his Windows home screen, accidentally revealing his last name.

The video even captures the hackers' excitement after their success. "Oh my God! Oh my God! $243 million! That's great!" one of them shouts in the video. "I'm going crazy! We did it, we did it. I'm going to explode. Do you know how much money that is?"

Late in the afternoon of September 18, less than a month after ZachXBT began its investigation, Lam was arrested in a beachfront rental property in Miami for which he paid $68,000 a month. Box - whose real name is Jeandiel Serrano - was arrested at the Los Angeles airport when he returned from a vacation in the Maldives with his girlfriend. According to prosecutors, he was wearing a $500,000 watch when he was arrested, renting a property near Los Angeles for more than $40,000 a month, and spending $1 million on luxury cars.

The next day, wire fraud and money laundering charges were unsealed against Lam and Serrano, and according to court documents, both hackers admitted to law enforcement investigators that they were involved in multiple cryptocurrency thefts. Lam specifically admitted that the proceeds of the crimes allowed him to purchase no fewer than 31 high-end cars.

To date, $79 million of the $243 million has been seized or frozen, and ZachXBT hopes to find more of the stolen funds. Prosecutors say that even after the suspects' spending, more than $100 million is still unaccounted for.

A third ZachXBT suspect, who currently appears to be living in Connecticut based on public records, has not yet been charged with any crime. However, journalist Brian Krebs points to a criminal complaint describing a group of men who allegedly robbed and briefly kidnapped a couple in their 50s in Connecticut four days after the $243 million theft in late August because the robbers "believed the victims' son had access to a large amount of digital currency," suggesting the victims may be the parents of the third alleged recipient of the funds tracked by ZachXBT.

For ZachXBT, this investigation may be a turning point. This is the first time he has been hired and paid by a victim, rather than working as a volunteer on donations. He said he may do more paid work like this in the future and even consider starting his own investigation company.

But ZachXBT insists that he is not trying to get rich by exposing these incidents. "I see the funds seized, returned to the victims, and the suspects arrested. That's my goal. That's my original purpose," ZachXBT said. "Seeing these things help people is where my satisfaction comes from."

His partner, Taylor Monahan, from the crypto wallet company MetaMask, has worked with him on dozens of investigations. She believes that ZachXBT is still mainly driven by a sense of justice - a sense of justice that comes from the fact that he was once a victim in the cryptocurrency world and wants to prevent others from suffering the same fate.

"He has the same experience as many people in this field, that is, bad things happened, and people around him just said "this is unlucky," Monahan said. "He instinctively refuses to accept this experience and wants to change everything."

Monahan said, "He has the same experience as many people in this field: when encountering unfortunate things, people around him just say "this is unlucky," but he instinctively refuses to accept this helpless response and is determined to change everything."

「Original link」

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群：https://t.me/theblockbeats

Telegram 交流群：https://t.me/BlockBeats_App

Twitter 官方账号：https://twitter.com/BlockBeatsAsia