Unveiling ZachXBT: The Crypto Robin Hood That Makes Scammers Tremble


In the pursuit of the career of a cryptocurrency detective, ZachXBT has always remained anonymous.

Written by: Andy Greenberg

Translated by: Wu Says Blockchain

He has just unraveled a Bitcoin theft case worth $243 million, which may be the largest cryptocurrency theft ever targeting a single victim. And he has never shown his face.

On August 19, a man in his twenties, known online as ZachXBT, was walking into an airport preparing to board a flight—he did not want to disclose which airport, his real name, or where he lived—when he saw a notification on his phone. Bitcoin had just been transferred to a small cryptocurrency exchange, one of many services he monitors on the Bitcoin blockchain for signs of money laundering. This alert caught his attention: the transaction was worth about $600,000, roughly ten times the typical transaction amount on that service.

When he reached the boarding gate, a second alert informed him of a transaction exceeding $1 million at the same exchange. Then there was another transaction for $2 million. Standing in the boarding line, ZachXBT quickly tracked these funds on his phone, tracing from one Bitcoin address to another, marking suspicious funds, and racing against time to find the source of these funds, as the internet connection would be cut off for half an hour after the plane took off until the flight Wi-Fi was restored. Before the plane took off, he had already determined that these funds came from a cryptocurrency wallet that had been inactive since 2012—this multi-million dollar Bitcoin was being rapidly liquidated at the exchange, incurring extremely high transaction fees, which was not something a patient Bitcoin investor of over ten years would accept.
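The kind of alert logic described in these two paragraphs, as an added example that is not ZachXBT's own tooling or any real monitoring service: it runs over a constructed ledger, flags a deposit to a watched exchange address far above that exchange's median deposit, traces the inputs back hop by hop, and reports whether the source sat idle for years and whether the fee is far above the norm. All addresses, transaction ids, fees and amounts are made up.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple       # addresses whose coins this tx spends
    outputs: dict       # address -> BTC received
    fee_sat_per_vb: float
    day: date
# Constructed ledger (not real chain data): five ordinary deposits to a monitored
# exchange address EX1, plus a coin parked in 2012 that wakes up and hits EX1 via one hop.
EXCHANGE = {"EX1"}
LEDGER = [
    Tx("t0", (), {"OLD1": 4000.0}, 10, date(2012, 5, 1)),
    Tx("d1", ("U1",), {"EX1": 0.6}, 20, date(2024, 8, 1)),
    Tx("d2", ("U2",), {"EX1": 0.8}, 18, date(2024, 8, 5)),
    Tx("d3", ("U3",), {"EX1": 1.1}, 22, date(2024, 8, 9)),
    Tx("d4", ("U4",), {"EX1": 0.7}, 19, date(2024, 8, 12)),
    Tx("d5", ("U5",), {"EX1": 0.9}, 21, date(2024, 8, 15)),
    Tx("t1", ("OLD1",), {"HOP1": 3999.9}, 250, date(2024, 8, 19)),
    Tx("t2", ("HOP1",), {"EX1": 10.0, "HOP2": 3989.8}, 260, date(2024, 8, 19)),
]

def exchange_deposits(ledger, exchange):
    # (txid, amount) for every output landing on a monitored exchange address
    return [(tx.txid, amt) for tx in ledger for a, amt in tx.outputs.items() if a in exchange]

def flag_large_deposits(ledger, exchange, multiple=10):
    # Alert rule: a deposit at least `multiple` times this exchange's median deposit
    deps = exchange_deposits(ledger, exchange)
    baseline = median(amt for _, amt in deps)
    return [txid for txid, amt in deps if amt >= multiple * baseline]

def funding_tx(addr, spender, ledger):
    # Most recent tx (no later than `spender`) that paid into addr; None if off-ledger
    cands = [t for t in ledger if addr in t.outputs and t.day <= spender.day and t is not spender]
    return max(cands, key=lambda t: t.day) if cands else None

def trace_origin(txid, ledger):
    # Walk the first input backwards hop by hop until the funds' origin leaves the ledger
    by_id = {t.txid: t for t in ledger}
    tx, path = by_id[txid], [txid]
    while tx.inputs:
        prev = funding_tx(tx.inputs[0], tx, ledger)
        if prev is None:
            break
        path.append(prev.txid)
        tx = prev
    return path  # newest first; the last element is the earliest reachable tx

def assess(txid, ledger, exchange, fee_multiple=5, dormant_years=5):
    # Combine the three signals from the text: outsized deposit, long-dormant source, unusual fee
    by_id = {t.txid: t for t in ledger}
    path = trace_origin(txid, ledger)
    origin = by_id[path[-1]]
    first_move = by_id[path[-2]] if len(path) > 1 else origin
    idle_years = (first_move.day - origin.day).days // 365
    typical_fee = median(t.fee_sat_per_vb for t in ledger if t.txid not in path)
    return {
        "path": path,
        "outsized_deposit": txid in flag_large_deposits(ledger, exchange),
        "idle_years": idle_years,
        "dormant_source": idle_years >= dormant_years,
        "high_fee": by_id[txid].fee_sat_per_vb >= fee_multiple * typical_fee,
    }
```

On real chain data the same heuristic needs a curated list of exchange deposit addresses and a baseline built from far more history; the thresholds here are illustrative.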

To ZachXBT, the flow of funds immediately looked like a massive theft. In fact, after repeated verification, it seemed that someone had stolen approximately $243 million worth of Bitcoin from an unfortunate victim, possibly the largest cryptocurrency theft ever targeting an individual. "This is an unusually large amount stolen from a single victim," ZachXBT told Wired. "I had to confirm that I wasn't mistaken."

Once he flew above 10,000 feet and the Wi-Fi was restored, ZachXBT began tracking the outflow of more stolen funds, which were being transferred through one exchange and currency conversion service after another, seemingly trying to obscure the path of the funds. Over the next few hours, he desperately mapped out the branches of these fund flows, as the thieves transferred the Bitcoin through more than a dozen platforms, clearly attempting to hide their tracks.

As he traced the funds back to the owner of the Bitcoin, ZachXBT discovered that part of the funds originally came from the now-defunct Genesis cryptocurrency exchange. He sent a private message to the exchange's administrators via X, asking them to help contact the victim, and eventually, the victim hired him to trace the stolen funds.

By the time ZachXBT's flight landed, he had identified three main leads on the stolen funds, pointing to what he believed were three suspects. He also posted a message on X to his over 650,000 followers, indicating that a theft was occurring on the blockchain. Soon after, he received a message from someone claiming to have information about the identity of the thief. In the following week, ZachXBT worked tirelessly on the case, sleeping no more than four or five hours at a time, and regularly sharing his findings with law enforcement. He ultimately identified two suspects behind the theft—twenty-something hackers Malone Lam and Jeandiel Serrano. (ZachXBT also identified another suspected hacker, but Wired chose not to disclose his name as he has not yet been arrested or charged.) He even obtained a video that allegedly showed one of the suspects' screens, capturing the moment they completed the theft and celebrated their unexpected windfall. In this lightning-fast investigation, ZachXBT even tracked the suspects' activities on Instagram and TikTok, seeing one of them spend millions on luxury cars, private jets, and even up to $500,000 in a single night at a nightclub. Less than a month after ZachXBT received that alert on the plane, two of the three suspects were arrested and faced criminal charges.

When ZachXBT saw a mugshot of one of the suspects, he said he felt a brief rush of adrenaline. But that feeling quickly faded. "I didn't feel a particular sense of accomplishment," ZachXBT said. "I just treated it like any other case."

A Cryptocurrency Detective Serving the Public

If tracking a $250 million theft feels like just another day for ZachXBT, it may be because over the past three years, he has become one of the most active independent cryptocurrency detectives in the world. Since he began his amateur investigations in 2021, he has tracked billions of dollars in stolen funds and fraud cases. According to spreadsheets he provided to Wired, his hundreds of investigations have directly helped recover about $210 million in criminally obtained cryptocurrency, with another $225 million in seized funds, and he has also indirectly helped victims recover some of their losses. He has exposed influencers promoting tokens through "pump and dump" schemes, tracked down cybercriminals behind large-scale cryptocurrency thefts, and revealed North Korean hackers attacking cryptocurrency companies multiple times, even infiltrating these companies as employees.

Throughout this process, he has relied almost entirely on cryptocurrency donations to sustain his operations, including funding from cryptocurrency organizations and contributions from strangers through the addresses he lists on social media, totaling about $1.3 million since 2021. "He is a new generation of investigator serving the public," said Joe McGill, an analyst with the U.S. Secret Service, who has worked with ZachXBT. "His success is entirely dependent on the success of his investigations."

In pursuing the career of a cryptocurrency detective, ZachXBT has always remained anonymous. Online, he appears only as his avatar—a cartoon platypus dressed in a detective coat or sometimes a hoodie. To avoid retaliation from cryptocurrency criminals and scammers, he has never shown his face, revealed his real name or exact age, and only agreed to an interview with Wired on the condition that they would not investigate his identity. McGill recalled that in their early phone meetings, ZachXBT would not only turn off the camera but would even use a voice changer app, sometimes sounding like a "character from South Park," and at other times his voice would be lowered, sounding like a character from a horror movie. "It felt strange at first," McGill, who was then working at the crypto tracking company TRM Labs, said, "but I respected his privacy because this anonymous guy was doing an outstanding job."

Nick Bax, founder of the cryptocurrency investigation company Five I's, said that ZachXBT frequently exposes cryptocurrency crime schemes and thefts, often faster than law enforcement, to the point where he half-jokingly suspects ZachXBT might be some kind of robot. "He's like a machine," Bax said. He recalled that when they collaborated on the investigation of the $60 million theft from the AnubisDAO cryptocurrency project in 2021, he gave ZachXBT a list of 500 transactions on a Saturday night, each of which needed to be manually analyzed and linked to relevant blockchain addresses. "I thought this would keep him busy for at least a few days," Bax said. But by noon the next day, ZachXBT had already sorted through all the transactions and identified which ones were related to the theft. "I was shocked," Bax said. "He must have been sitting in front of the computer for 12 hours straight."

Many of ZachXBT's investigation results are directly published on his X account. However, over time, his investigative findings have increasingly attracted the attention of law enforcement—now he often shares his findings with multiple law enforcement agencies before posting. The result is that more and more criminals are facing real consequences due to his investigative work. "As Zach's influence grows, so do not only the economic consequences but also the legal consequences," said Taylor Monahan, a security researcher at the cryptocurrency company MetaMask, who is one of ZachXBT's closest collaborators, including working together on the $243 million theft case. "If Zach posts an investigation about someone now, and the content is solid, that person is likely to be arrested."

From Victim to Whistleblower

So how has ZachXBT managed to track and expose cryptocurrency crimes faster than law enforcement's crypto investigators, without formal training or organizational support? Even he is not entirely sure. "That's a hard question to answer. I don't know why I'm so good at it," ZachXBT told Wired in a phone interview. He attributes it to his willingness to work around the clock—after all, the cryptocurrency market never closes—and the proficiency he has accumulated over the years by continuously studying cryptocurrency blockchain ledgers. "The more time you spend studying the blockchain, when you're looking at it while eating, sleeping, or even breathing, over time it becomes clearer," he said. "You start to notice those connections. I can look at a wallet and within seconds determine if it's a bad actor."

ZachXBT said his familiarity with the blockchain comes from his years of experience as a cryptocurrency enthusiast and trader—and as an unfortunate investor who has also fallen into the traps of the crypto economy. Around 2017, he naively purchased cryptocurrency tokens worth thousands of dollars, only to see their value plummet—often due to so-called "pump and dump" schemes, where the creators of the tokens sell off their holdings after inflating the price, leaving the remaining investors with worthless assets. "I thought, 'This is going to change the world.' I held onto those tokens and never sold," ZachXBT said. The result was, "I was the one who got scammed."

By 2018, not only had those investments collapsed, but one of the Electrum wallets ZachXBT used was compromised through a malicious update, resulting in a loss of nearly $15,000. At that moment, he decided to take a step back and reassess his strategy. He no longer just bought and held tokens; he began analyzing cryptocurrency blockchains—almost all blockchain transactions are publicly visible, and anyone who can work out which addresses belong to whom can follow them—to observe how larger, more successful investors traded tokens and currencies, and tried to mimic their actions.

Through this blockchain analysis, by 2020, he had become skilled enough to detect ongoing scams that ordinary investors could not see. He would notice an influencer promoting a certain crypto asset to thousands of followers, inflating the price, and then track their funds on the blockchain, discovering that they were actually selling off their holdings immediately after promoting it, which is typically a "pump and dump" scheme. "It's more like being a whistleblower," ZachXBT said. "I would notice this kind of activity and think, 'This reminds me of when I got scammed in 2017 and 2018. Why not post something to expose it?' As a result, those posts went viral."

When the NFT craze surged later that year, ZachXBT began examining NFT projects like Bored Bunny and Billionaire Dogs Club in a similar manner to reveal where the funds flowing into these projects were actually going. These NFT sellers often raised millions based on just a few cartoon .jpg images, promising buyers perks like access to exclusive events or club memberships. However, through blockchain analysis, ZachXBT found that the sellers were merely pocketing the funds. Sometimes, he even discovered through crypto tracking that an NFT seller was actually a rebranded version of a previously proven scam project.

In the posts ZachXBT published about NFT sellers, there were indeed several instances where he successfully scared off buyers, preventing some unscrupulous NFT vendors from continuing to sell their products. But over time, he grew weary of these repetitive and often obvious scams and felt frustrated by the lack of more substantial outcomes: none of the individuals involved in the NFT projects he exposed faced criminal charges.

Then, in early 2022, he noticed a group of hackers starting to hijack the Twitter accounts of well-known crypto users, posting phishing links to Ethereum smart contracts, resulting in tens of millions of dollars being stolen. Whenever a victim posted about their funds being stolen, ZachXBT would reach out to them and carefully track their lost funds. He combined blockchain clues with sources he developed in Discord and Telegram channels commonly used by young crypto thieves, ultimately identifying the online aliases of some teenagers who seemed to be involved in the phishing activities and were bragging about their huge spoils.

At this point, ZachXBT had gained significant notoriety in the crypto community, to the extent that one person he believed to be a suspect flaunted on Twitter that he had purchased a diamond-encrusted Audemars Piguet watch, deliberately mocking "mr xbt." ZachXBT found the watch seller, who was in a luxury watch Discord channel, and eventually persuaded the seller to provide the teenager's shipping address and real name. There are no public records indicating whether these suspects were arrested, possibly because they were minors, and any related charges may have been sealed or never filed. However, ZachXBT found a seizure notice showing that a month after he posted his findings on X in September 2022, the FBI seized over $200,000 in cryptocurrency assets and that diamond watch from the teenage suspect in October.

That same year, ZachXBT used similar techniques to track down $2.5 million worth of NFTs stolen in another phishing scheme involving two French hackers. Reports indicated that months later, French prosecutors arrested five suspects and specifically thanked ZachXBT for his posts on X that aided the investigation of the two main suspects. "Seeing law enforcement take action based on what I shared gives me a great sense of accomplishment," ZachXBT said. "It makes me feel like what I've been doing actually has some meaning."

Since first catching the attention of law enforcement two years ago, the scale of ZachXBT's investigations—and the consequences in some cases—has rapidly expanded. In February 2023, he tracked nearly $9 million stolen from the crypto project Platypus and identified a suspect within hours; French police arrested two suspects more than a week later. Although the charges against the two were eventually dropped, police recovered millions of dollars, and Platypus thanked ZachXBT on Twitter. Later that year, he tracked down $25 million stolen from the crypto company Uranium Finance, a significant portion of which appeared to have been used to purchase rare Magic: The Gathering cards. When the cybercrime group "Fallen Spider" launched a ransomware attack against Caesars Entertainment in Las Vegas, demanding $15 million from the company, investigators involved in the case who communicated with Wired stated that ZachXBT helped trace and recover $12 million of the funds.

Around the same time, ZachXBT published a series of findings on 25 cryptocurrency thefts conducted by North Korean hackers, totaling over $200 million, with about $7 million of the funds frozen with his assistance. About half of the hacking incidents had never been publicly disclosed before. He then conducted an investigation revealing a network of about 30 North Korean IT workers who infiltrated tech companies and were compensated through cryptocurrency. In one case, a seemingly North Korean-affiliated technician successfully worked at the NFT company Munchables and stole $62 million in crypto assets from the company. When ZachXBT helped identify and tag these funds, the thieves found it difficult to liquidate the assets and ultimately had to return them.

"Do you know how much that is?"

Despite this, when ZachXBT received the alert about the $243 million cryptocurrency theft that occurred on August 19 at the airport, it was still one of the largest thefts he had ever investigated. After returning home from an international flight, he continued to track the flow of these funds for several days while monitoring the social media activities of his three suspects, two of whom used the aliases Greavys and Box. Notably, Greavys—whose real name is Malone Lam—appeared to be active in Miami and frequently posted on social media about luxury real estate, diamond watches, private jets, and high-end cars, including a Lamborghini Revuelto and a Pagani Huayra, both typically priced over $3 million. ZachXBT also discovered Greavys' posts giving away Birkin and Hermès bags valued between $30,000 and $50,000, as well as a nightclub server holding a neon sign with Greavys' name that read "WHO WANT A BIRK." ZachXBT said, "It looks like their lives are just about partying and stealing money."

Within days, ZachXBT persuaded a source who had messaged him on his flight to provide him with screen recordings of the three hackers sharing their screens. During a screen-sharing session with a group of friends, one hacker unknowingly re-shared his screen, and one of his friends seemed to have recorded the video. ZachXBT said that in the 90-minute video, the three hackers repeatedly referred to each other by their real names. In another segment, one of them briefly displayed his Windows home screen, revealing his last name.

The video even captured the moment these hackers reacted in a frenzy of excitement after successfully executing a nine-figure theft. "Oh my god! Oh my god! $243 million! Yes!" one of them exclaimed in the recording. "I'm going crazy! We did it! We did it! I'm going crazy. Do you know how much that is?" On the afternoon of September 18, less than a month after ZachXBT began his investigation, Lam was arrested at a $68,000-per-month waterfront rental in Miami. Box—whose real name is Jeandiel Serrano—was arrested at Los Angeles International Airport while returning home from a vacation in the Maldives with his girlfriend. According to prosecutors, Serrano was wearing a $500,000 watch at the time of his arrest, renting a house near Los Angeles for over $40,000 a month, and had spent $1 million on luxury cars. The next day, charges of wire fraud and money laundering were publicly filed against Lam and Serrano. According to court documents, both hackers admitted to law enforcement investigators their involvement in multiple cryptocurrency thefts. Lam specifically acknowledged that the proceeds from these thefts had allowed him to purchase at least 31 high-end cars.

So far, of the $243 million they are accused of stealing, $79 million has been seized or frozen. ZachXBT hopes to find more funds. Prosecutors stated that even after the lavish spending spree of these hackers, over $100 million remains unaccounted for. According to public records, the third suspect identified by ZachXBT appears to reside in Connecticut but has not yet faced any charges. However, journalist Brian Krebs pointed out a criminal complaint describing a group of men who allegedly abducted a Connecticut couple in their 50s just four days after the $243 million theft occurred, briefly kidnapping them because the attackers "believed the victims' son had access to a large amount of digital currency"—indicating that the couple may be the parents of the third suspect tracked down by ZachXBT.

For ZachXBT, this investigation could be a turning point. It is the first time he has been hired by a victim in a case and received compensation for his skills, rather than relying on donations as a volunteer as he had in the past. He indicated that he might shift towards more paid work like this, even starting his own investigation company. But he insists that he is not in it to get rich by exposing these cases. "I want to see funds seized, funds returned to victims, and people arrested; that is my goal. That is what I want to achieve," ZachXBT said. "Seeing these things truly benefit people is what gives me satisfaction."

His collaborator, Taylor Monahan from the crypto wallet company MetaMask, who has worked with him on dozens of investigations, believes that ZachXBT is still primarily driven by a sense of justice—one that stems from his own experience as a victim of the harsh realities of the crypto world, wanting to prevent others from falling into the same traps. "He has gone through the same experiences that many people in this field have gone through, which is that bad things happen, and the people around you just say, 'What bad luck,'" Monahan said. "He instinctively rejects that experience; he wants to change it."
