Getting to Know ZachXBT: The Strongest Detective in the Crypto World, How Did He Solve a $243 Million Theft Case Alone?

链捕手

Original Title: Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts

Author: Andy Greenberg

Translation: Ismay, BlockBeats

Editor's Note: Many readers have likely heard the name ZachXBT frequently in recent times, from confronting Ansem, revealing Murad's address, exposing U business king Yicong Wang, to disclosing the project deck of SHAR. Since 2021, on-chain detective ZachXBT has helped victims of scams and theft recover nearly $500 million. Last month, he cracked a $243 million theft case, the largest theft ever targeting an individual. From tracking down crimes deep within the blockchain to revealing the massive flow of funds behind luxurious lifestyles, ZachXBT has helped recover hundreds of millions of stolen funds in just a few years with his intelligence and persistence. This article from Wired will take you into the mysterious world of this cryptocurrency "faceless detective," revealing how he battles against crypto crime and the lesser-known stories behind the scenes.

The following is the original content:

On August 19, a young man in his twenties, known online as ZachXBT, was preparing to board a flight home. He was unwilling to disclose which airport, his real name, or where he lived.

At that moment, his phone pinged with an alert: a sum of Bitcoin had been transferred to a small cryptocurrency exchange. This was one of many exchanges he had been monitoring for a long time, primarily to watch for fund flows related to criminal money laundering. This alert caught his attention: the transaction amount was about $600,000, roughly ten times the exchange's normal daily trading volume.

As he reached the boarding gate, his phone buzzed again with a new alert: another transaction over $1 million occurred on the same exchange. Then came a $2 million transaction.

As ZachXBT queued to board, he quickly tracked these funds on his phone, backtracking the Bitcoin addresses and marking suspicious funds, trying to determine the source of the funds before the internet cut off half an hour after the plane took off.

Before the plane ascended, he had already identified that the funds came from a large Bitcoin wallet that had not been used since 2012 and held hundreds of millions of dollars. Now this nine-figure sum was being hastily cashed out at high transaction fees, behavior that made no sense for an investor who had held coins for over a decade.

In ZachXBT's view, this flow of funds was clearly a massive theft.
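The pattern described above (a deposit far above an exchange's normal daily volume, then walking the transaction inputs backward to a wallet that had sat dormant for years and was swept at a high fee) can be sketched as a small tracer. This is an added example running on constructed sample transactions; it is not ZachXBT's tooling or real chain data, and the `Tx` record, addresses, amounts and day numbers are all assumptions.

```python
"""Toy on-chain taint tracer: flags outsized exchange deposits, walks inputs
backward to the funding wallet, and measures how long that wallet had been
dormant before it was swept. All transactions below are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    day: int          # days since an arbitrary epoch (constructed)
    inputs: tuple     # addresses whose coins this tx spends
    outputs: dict     # address -> BTC received
    fee: float        # BTC paid to miners


# Constructed chain: a wallet funded on day 0 sits untouched for 4600 days,
# then is swept through two hops into an exchange deposit address.
LEDGER = (
    Tx("fund", 0, (), {"cold_wallet": 4000.0}, 0.0),
    Tx("sweep", 4600, ("cold_wallet",), {"hop1": 2500.0, "hop2": 1497.0}, 3.0),
    Tx("h1", 4600, ("hop1",), {"hop3": 2490.0, "exch_dep": 10.0}, 0.2),
    Tx("h2", 4600, ("hop3",), {"exch_dep": 20.0, "hop4": 2469.8}, 0.2),
    Tx("noise", 4600, ("retail",), {"exch_dep": 0.5}, 0.001),
)


def volume_alerts(ledger, exchange_addrs, baseline_daily_btc, factor=10):
    """Return (txid, btc) for deposits exceeding factor x the exchange's
    normal daily volume: the signal that started the investigation."""
    hits = []
    for tx in ledger:
        amt = sum(v for a, v in tx.outputs.items() if a in exchange_addrs)
        if amt > factor * baseline_daily_btc:
            hits.append((tx.txid, amt))
    return hits


def trace_origin(ledger, txid, max_hops=50):
    """Walk inputs backward until reaching addresses that no known tx with
    inputs funded. Returns {origin_address: hops_from_start}."""
    by_id = {t.txid: t for t in ledger}
    funded_by = {a: t for t in ledger for a in t.outputs}
    origins, seen = {}, set()
    queue = deque((a, 1) for a in by_id[txid].inputs)
    while queue:
        addr, hops = queue.popleft()
        if addr in seen or hops > max_hops:
            continue
        seen.add(addr)
        parent = funded_by.get(addr)
        if parent is None or not parent.inputs:   # unknown or coinbase-like
            origins[addr] = hops
        else:
            queue.extend((a, hops + 1) for a in parent.inputs)
    return origins


def dormancy_days(ledger, addr, spend_day):
    """Days between addr's last activity before spend_day and spend_day."""
    prior = [t.day for t in ledger
             if t.day < spend_day and (addr in t.inputs or addr in t.outputs)]
    return spend_day - max(prior) if prior else None


def triage(ledger, exchange_addrs, baseline_daily_btc):
    """For each outsized deposit, report the funding wallets, how long each
    was dormant when swept, and the fee the sweep paid. A long-dormant wallet
    emptied in a hurry at a high fee is the red flag the text describes."""
    report = {}
    for txid, amt in volume_alerts(ledger, exchange_addrs, baseline_daily_btc):
        origins = {}
        for addr in trace_origin(ledger, txid):
            spend = next(t for t in ledger if addr in t.inputs)
            origins[addr] = {"dormant_days": dormancy_days(ledger, addr, spend.day),
                             "sweep_fee_btc": spend.fee}
        report[txid] = {"deposit_btc": amt, "origins": origins}
    return report
```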

Upon further verification, he discovered that someone had stolen approximately $243 million worth of Bitcoin from a victim, possibly the largest cryptocurrency theft ever targeting an individual. "This is really an extraordinarily large amount, stolen from one person," ZachXBT told Wired, "I had to confirm that I wasn't seeing things."

When the plane climbed above 10,000 feet and the Wi-Fi was restored, ZachXBT began tracking the flow of more stolen funds.

These funds were transferred through one exchange after another and through various trading platforms. Over the next few hours, he accelerated the mapping of these fund flows, discovering that the hacker was trying to hide the funds' trail through dozens of platforms.

As he traced back to the owner of the Bitcoin, ZachXBT found that part of the funds originally came from the now-defunct Genesis cryptocurrency exchange. He DM'd the exchange's administrators on X (formerly Twitter), asking them to contact the victim, who eventually hired him to trace the stolen funds.

By the time he reached his destination, ZachXBT had already identified that the stolen funds had split into three main flows, pointing to what he believed were three suspects. He also posted a message to his over 650,000 followers on X, indicating that a theft was occurring on the blockchain.

Soon after, he received a tip from an informant claiming to have information about the hacker's identity.

In the following week, ZachXBT worked day and night, sleeping only four to five hours a day, regularly sharing his findings with law enforcement. He ultimately identified the suspects involved in the theft—two young hackers in their twenties named Malone Lam and Jeandiel Serrano. ZachXBT also confirmed another suspected hacker, but Wired chose not to disclose his name as he had not yet been arrested or charged.

He even obtained a video showing one of them celebrating the successful theft of the massive wealth. In his rapid investigation, ZachXBT even tracked down the suspects' Instagram and TikTok accounts, seeing one of them flaunting millions of dollars, buying luxury cars, flying on private jets, and spending up to $500,000 in nightclubs in a single night.

Less than a month after receiving that alert on the plane, two of the three suspects were arrested and faced criminal charges.

When ZachXBT finally saw a mugshot of one of the hackers, he felt a brief rush of adrenaline but quickly regained his composure. "I didn't feel a particular sense of accomplishment," ZachXBT said, "I just treated it as another ordinary case."

Investigation Results of the Bitcoin Theft Case | ZachXBT's Pinned Tweet

A Cryptocurrency Private Detective Serving the Public

If tracking a $250 million theft case feels like a typical day online for ZachXBT, it may be because he has become the world's most active independent cryptocurrency detective over the past three years.

Since starting as an amateur investigator in 2021, he has tracked down billions of dollars in stolen funds and scam cases. According to a table he provided to Wired, his hundreds of investigations have directly led to the recovery of about $210 million in criminal cryptocurrency funds, with another approximately $225 million recovered for victims with his indirect assistance.

He has exposed influencers promoting tokens through pump-and-dump schemes, tracked down the cybercriminals behind major cryptocurrency thefts, and uncovered dozens of incidents involving North Korean hackers infiltrating crypto companies, even posing as employees.

Throughout this process, he has relied almost entirely on cryptocurrency donations to fund his work, including grants from cryptocurrency organizations and contributions sent by strangers to the address listed in his social media profile, totaling about $1.3 million since 2021. "He is a new generation of investigator serving the public," said Joe McGill, an analyst with the U.S. Secret Service who has worked with ZachXBT, "His success entirely depends on the success of his investigations."

In his pursuit of becoming a cryptocurrency "justice police," ZachXBT has been careful to maintain his anonymity. Online, he only appears as his avatar—a cartoon platypus wearing a detective's trench coat or sometimes a hoodie. To avoid retaliation from cryptocurrency criminals and scammers, he has never revealed his true appearance, name, or specific age, and he only agreed to an interview with Wired on the condition that they would not pursue his personal identity information.

ZachXBT's Twitter Profile

Secret Service analyst McGill recalled that during their early phone meetings, ZachXBT not only turned off his camera but even used voice modulation software, sometimes sounding like a high-pitched character from South Park; other times, he lowered his voice to sound like a character from a horror movie. "It was indeed quite strange at first," McGill, who was then working at the crypto tracking company TRM Labs, said, "but I respect his privacy because this anonymous person is doing outstanding work."

Cryptocurrency investigator and founder of Five I's, Nick Bax, stated that ZachXBT reveals numerous cryptocurrency scams and thefts almost every week, often much faster than law enforcement actions. Bax half-jokingly said he even suspects ZachXBT might be a robot.

"He’s like a machine," Bax said.

In an investigation last year, they collaborated to track a $60 million theft from the 2021 AnubisDAO crypto project. On a Saturday night, Bax gave ZachXBT a list of 500 transactions, each requiring manual analysis, along with the associated blockchain addresses. "I thought this would keep him busy for at least a few days," Bax recalled. But by the next afternoon, ZachXBT had finished analyzing all of the transactions and identified which were related to the theft. "I was very shocked," Bax said. "He must have been sitting at the computer for 12 hours straight."

Many of ZachXBT's investigation results are published on his X account without any ceremony.

However, over time, his investigations have increasingly attracted the attention of law enforcement—now, he often shares his findings with these agencies before public release, and the targets of his detective work are facing increasingly serious consequences.

"As Zach's influence grows, these cases bring financial and legal repercussions," said Taylor Monahan, a security researcher at the crypto company MetaMask, who is one of ZachXBT's closest investigative partners and participated in the $243 million theft investigation. "If Zach posts about someone now and exposes them accurately, that person is very likely to be arrested."

From Victim to Whistleblower

So how has ZachXBT managed to track the flow of funds faster and more accurately than even law enforcement's cryptocurrency investigators, without formal training or organizational support?

He himself is not quite sure. "That's a tough question; I don't know why I'm so good at it," ZachXBT told Wired in a phone interview. He believes it has to do with his willingness to work day and night—after all, the cryptocurrency market never closes—and the experience he has accumulated from years of deep research into cryptocurrency blockchains. "The more blockchains you look at, when you're eating, sleeping, or even breathing while studying it, over time, everything starts to become clearer," he said. "You begin to notice those connections. I can look at a wallet and determine in seconds whether it's a bad actor."

ZachXBT stated that his familiarity with blockchains comes from his years as a cryptocurrency enthusiast and trader—and that he himself has been a victim of many traps in the crypto economy.

Around 2017, he naively spent thousands of dollars buying various crypto tokens, but these tokens ultimately depreciated significantly—often due to so-called rug pulls, where the creators of the tokens suddenly sell off their holdings, rendering the assets worthless for other investors. "At the time, I thought, 'This is going to change the world.' I bought in and held on, never selling," ZachXBT said, resulting in him becoming "the one who got scammed."

By 2018, not only had all his investments shrunk dramatically, but the Electrum wallet he used was hacked due to a malware update, causing him to lose nearly $15,000.

It was only then that he decided to take a step back and rethink his strategy. He no longer simply bought and held tokens; instead, he began analyzing cryptocurrency blockchains. Almost all blockchains are publicly visible, and anyone able to work out which addresses belong to whom can read them. Through this method, he observed how larger, more successful investors traded tokens and Bitcoin, and tried to mimic their operations.

Through these blockchain analyses, by 2020, he had become quite familiar with tracking cryptocurrency transactions, able to spot ongoing scams that ordinary investors could not see.

He noticed some influencers publicly promoting a certain crypto asset to their thousands of followers, driving up its price, and then traced their funds through the blockchain, discovering that they were actually selling off their holdings immediately after promoting it, which is often a typical "pump and dump" scheme.

"It felt more like a whistleblower role," ZachXBT said. "When I noticed these activities, I thought, 'This reminds me of my experiences getting scammed in 2017 and 2018; why not post to expose it?' Then it started to gain widespread attention."

When the NFT craze emerged, ZachXBT also began scrutinizing NFT projects like Bored Bunny and Billionaire Dogs Club, revealing the true flow of funds. These NFT sellers could raise millions of dollars with just a few cartoon images, claiming that these NFTs would grant privileges like access to exclusive events or clubs.

However, through blockchain analysis, ZachXBT discovered that these sellers were merely pocketing the funds. Sometimes, he even found that certain NFT sellers were actually "repackaged" versions of previously proven scam projects.

In some cases, the posts ZachXBT published about NFT sellers did deter buyers, preventing some suspicious NFT sellers from continuing to sell their products. But over time, he grew weary of continuously exposing these transparent, repetitive scams and felt frustrated by the lack of more substantive results: none of the NFT projects he exposed faced criminal charges.

By early 2022, ZachXBT began noticing a group of hackers infiltrating the Twitter accounts of some well-known cryptocurrency users, posting phishing links that led to Ethereum smart contracts designed to drain users' wallets, resulting in tens of millions of dollars in theft.

Whenever a victim painfully posted about their savings being stolen, ZachXBT would proactively reach out to them and carefully track their lost funds. He combined these blockchain clues with sources he developed in Discord and Telegram channels frequented by young cryptocurrency thieves, ultimately identifying several online nicknames that might be related to the phishing activity, who boasted about the large wealth they had stolen online.

By this point, ZachXBT had already gained significant notoriety in the cryptocurrency underground, so much so that one person he believed to be a suspect posted on Twitter boasting about purchasing a diamond-encrusted Audemars Piguet watch while mockingly mentioning "mr xbt."

ZachXBT tracked down the seller of the watch through a luxury watch Discord channel, successfully persuading the seller to provide the shipping address and real name of the teenager who purchased the nearly $50,000 watch.

There are no public records indicating whether these so-called thieves were arrested—possibly because the suspects were minors, and the charges were either sealed or never filed. However, ZachXBT found a forfeiture notice showing that in October 2022, a month after he published his investigation results on X, the FBI seized over $200,000 in crypto assets and that diamond watch from the teenage suspect he identified.

That same year, using similar techniques, ZachXBT tracked down $2.5 million worth of NFTs stolen in another phishing scheme, targeting a pair of French hackers. Months later, French prosecutors arrested five suspects, with AFP reporting that they specifically mentioned that ZachXBT's posts on X helped in the investigation of the two main suspects. "Seeing law enforcement take action based on the information I shared gives me a great sense of accomplishment," ZachXBT said. "It made me realize that maybe what I'm doing is really making a difference."

Since first attracting the attention of law enforcement two years ago, the scale of ZachXBT's investigations—and the results in certain cases—have dramatically expanded.

In February 2023, he tracked down nearly $9 million stolen from the crypto project Platypus and identified one of the suspects within just a few hours; just over a week later, French police arrested two suspects. Although the charges against the two were eventually dropped, the police successfully recovered millions of dollars, and Platypus expressed gratitude to ZachXBT in a tweet.

That same year, he tracked down $25 million stolen from the crypto company Uranium Finance, most of which appeared to have been laundered through the purchase of rare Magic: The Gathering cards. When the notorious cybercrime group "Scattered Spider" launched a ransomware attack against Caesars Entertainment in Las Vegas, extorting $15 million from the company, ZachXBT helped trace and recover $12 million of that amount, as revealed by others involved in the investigation.

Around the same time, ZachXBT published a significant investigation revealing 25 cryptocurrency thefts carried out by North Korean hackers, totaling over $200 million, with about $7 million frozen with his assistance. About half of these hacking activities had never been publicly disclosed before.

He then followed up with an investigation that exposed a network of about 30 North Korean IT workers who infiltrated tech companies and were compensated in cryptocurrency. In one case, a suspected technician linked to North Korea was hired by the NFT company Munchables and successfully stole $62 million in crypto assets. After ZachXBT helped identify and tag the funds, the thief was ultimately forced to return them due to the difficulty of easily cashing out.

"Do you know how much that is?"

Returning to the earlier theft case, when ZachXBT received the alert at the airport and discovered the clue about a single victim being robbed of $243 million on August 19, it was one of the largest thefts he had tracked.

After returning home from an international flight, he spent several days tracking these dispersed fund flows while monitoring the movements of three suspects on social media, two of whom used the online names Greavys and Box. Particularly, Greavys, whose real name is Malone Lam, seemed to be in Miami. His online posts and photos showed him surrounded by luxury properties, diamond watches, private jets, and luxury cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter typically priced over $3 million.

ZachXBT also discovered that Greavys had gifted influencers Birkin and Hermès bags worth $30,000 to $50,000 and had appeared in nightclubs where waitstaff held up electronic signs reading "WHO WANT A BIRK" alongside his name.

"It looks like they do nothing but party and steal money," ZachXBT said.

Within days, ZachXBT persuaded an informant who had first DM'd him during his flight to provide a recording of a screen-sharing session among the three suspected hackers. The hackers were unaware of it: one suspect had shared his screen with another group of friends, one of whom appears to have recorded the session.

In the 90-minute video, ZachXBT noted that the three hackers repeatedly referred to each other by their names. In another segment, one of the men briefly displayed his Windows home screen, inadvertently revealing his last name.

The video even captured the moment these hackers celebrated their successful heist. "Oh my God! Oh my God! $243 million! This is amazing!" one of them shouted in the video, "I'm going crazy! We did it, we did it. I'm about to explode. Do you know how much that is?"

Later in the afternoon of September 18, less than a month after ZachXBT began his investigation, Lam was arrested at a beachfront rental property in Miami, for which he paid $68,000 a month. Box—whose real name is Jeandiel Serrano—was arrested at Los Angeles airport while returning from a vacation in the Maldives with his girlfriend. According to prosecutors, he was wearing a $500,000 watch at the time of his arrest, renting a property near Los Angeles for over $40,000 a month, and had spent $1 million on luxury cars.

The next day, wire fraud and money laundering charges against Lam and Serrano were unsealed, and according to court documents, both hackers admitted to law enforcement investigators their involvement in multiple cryptocurrency thefts. Lam specifically acknowledged that the proceeds from these crimes had allowed him to purchase no less than 31 high-end cars.

So far, $79 million of the $243 million has been seized or frozen, and ZachXBT hopes to find more stolen funds. Prosecutors stated that even after the suspects' spending spree, over $100 million remains unaccounted for.

ZachXBT's third suspect, who public records suggest may reside in Connecticut, has not yet been charged with any crime. However, journalist Brian Krebs pointed to a criminal complaint describing a group of men who allegedly robbed a couple in their fifties in Connecticut just four days after the $243 million theft, briefly kidnapping them because the robbers "believed the victims' son had access to a large amount of digital currency." This suggests the victims may be the parents of the third suspected recipient of the funds tracked by ZachXBT.

For ZachXBT, this investigation could be a turning point. It was the first time he was hired and compensated by a victim, rather than working as a volunteer relying on donations. He indicated that he might engage in more paid work like this in the future and is even considering starting his own investigation company.

But ZachXBT insists that he is not in it for wealth by exposing these events. "Seeing funds being seized, returned to victims, and suspects being arrested—that's my goal, and it was my original purpose," ZachXBT said. "Seeing these things help people is where I derive my sense of fulfillment."

His partner, Taylor Monahan from the crypto wallet company MetaMask, has now collaborated with him on dozens of investigations. She believes ZachXBT is still primarily driven by a sense of justice—this sense of justice stems from his own experiences as a victim in the cryptocurrency world, wanting to prevent others from facing the same fate.

"He shares the same experience as many in this field, where bad things happen, and people around just say, 'That's unfortunate,'" Monahan said. "He instinctively refuses to accept that experience and wants to change it all."
