Uncovering ZachXBT: The Man Who Races with the Devil
This article comes from: Wired; original author: Andy Greenberg
Compiled by: Odaily Planet Daily ( @OdailyChina ); Translated by: Azuma ( @azuma_eth )
Editor’s Note: ZachXBT is probably one of the biggest names in the cryptocurrency world right now.
Over the past few years, ZachXBT has uncovered numerous security incidents through personal investigations, directly recovered hundreds of millions of dollars in funds, and exposed countless shady operations and insider scams.
The most recent case came just two days ago. After the meme project SHAR unexpectedly took off, ZachXBT disclosed that the project was suspected of insider collusion and KOL manipulation. SHAR’s true colors were soon exposed, and the manipulators behind it crashed the token’s market capitalization from 40 million US dollars to 3 million US dollars.
Over his years of investigation, ZachXBT has also drawn plenty of hostility. Some resent him for exposing the tokens they were holding, reasoning that without him the market makers might not have cashed out so early; some had schemed for a long time, only to be exposed by him the moment they succeeded; and some had already stolen hundreds of millions of dollars and were living lavishly when, thanks to ZachXBT’s investigation, they found themselves in a police station almost overnight.
Out of concern for retaliation, ZachXBT keeps his identity hidden online. No one knows what he looks like, what his name is, how old he is, or where he lives, but there is a near-universal consensus in the industry that when disaster strikes, this bespectacled platypus (ZachXBT’s social media avatar) appears like an angel bathed in holy light.
Recently, ZachXBT gave an interview to the well-known outlet Wired, in which he even shared some personal details that do not expose his identity. The following is the Wired interview, compiled by Odaily Planet Daily.
On August 19, a man in his 20s who goes by the online name ZachXBT was walking into an airport to catch a flight home (he wouldn’t say which airport, his real name, or where he lived) when an alert popped up on his phone. A sum of bitcoin had just been transferred to a small exchange, one of many he monitors daily for signs of crime or money laundering. The alert piqued his interest: the transfer was worth about $600,000, roughly 10 times the size of the transfers that small exchange normally sees.
By the time ZachXBT reached the gate, another alert had fired: a second transfer of more than $1 million to the same exchange, then another of $2 million. As he lined up to board, he traced the transactions on his phone, working backwards from one Bitcoin address to the next and flagging suspicious funds, trying to find their source before the roughly half-hour connectivity gap between takeoff and the start of the onboard Wi-Fi. Before takeoff, he had determined that the funds came from an address that had held hundreds of millions of dollars’ worth of Bitcoin since 2012. Now that nine-figure balance was being hastily cashed out regardless of cost, something no patient investor who had held a position for more than a decade would do.
To ZachXBT, these unusual transfers clearly signaled another major theft. When he double-checked his clues, he found that someone appeared to have stolen approximately $243 million in Bitcoin from a single victim, possibly the largest theft from an individual in cryptocurrency history.
“Stealing that much money from one person... I had to make sure I wasn’t going crazy,” ZachXBT told Wired.
As the plane climbed above 10,000 feet and the onboard Wi-Fi came on, ZachXBT kept tracking the stolen funds as they were moved through one exchange and swap service after another. Over the next few hours he kept pace with the dispersal of the money as the thieves shuffled it through more than a dozen platforms in an apparent attempt to obscure the trail.
When ZachXBT traced the stolen funds back to their owner, he found that some of them had originally come from Genesis, the now-defunct crypto lending and trading platform. He sent a direct message on X to the platform’s administrators, asking them to help contact the victim, who eventually decided to hire ZachXBT to try to recover the stolen money.
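The monitoring-and-tracing routine described above reduces to two mechanical steps: alert when a deposit to a watched exchange address is far above that address’s normal size, then walk the funding graph backwards from the deposit to its origin and check how long that origin had been dormant. The Python below is an added illustration, not ZachXBT’s tooling or code from the original article. The transfers, addresses and dollar figures are constructed for the example, the deposit address `exch_dep_1` is an assumed exchange address, and the function names (`baseline_deposit`, `trace_back`, `investigate`) are the example’s own.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sample transfers (not real chain data). A "whale" address that
# last moved coins years ago is drained through two intermediate hops into an
# exchange deposit address that normally sees small retail-sized deposits.
@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    usd: float
    when: datetime


T0 = datetime(2024, 8, 19, 14, 0)  # time of the first alert (constructed)
SAMPLE_TXS = [
    Tx("t1", "retail_a", "exch_dep_1", 55_000, T0 - timedelta(days=3)),
    Tx("t2", "retail_b", "exch_dep_1", 70_000, T0 - timedelta(days=2)),
    Tx("t3", "retail_c", "exch_dep_1", 60_000, T0 - timedelta(days=1)),
    # the whale's previous spend, long ago
    Tx("t4", "whale_2012", "whale_2012_change", 1_000, T0 - timedelta(days=3000, hours=2)),
    # sudden drain: whale -> hop1 -> hop2 -> exchange, split across deposits
    Tx("t5", "whale_2012", "hop1", 3_500_000, T0 - timedelta(hours=2)),
    Tx("t6", "hop1", "hop2", 3_500_000, T0 - timedelta(hours=1)),
    Tx("t7", "hop2", "exch_dep_1", 600_000, T0),
    Tx("t8", "hop2", "exch_dep_1", 1_100_000, T0 + timedelta(minutes=20)),
]
WATCHED_DEPOSITS = {"exch_dep_1"}  # assumed exchange deposit address


def baseline_deposit(txs, deposit_addrs, before):
    """Median USD size of deposits to the watched addresses strictly before `before`."""
    sizes = sorted(t.usd for t in txs if t.dst in deposit_addrs and t.when < before)
    if not sizes:
        return 0.0
    mid = len(sizes) // 2
    return sizes[mid] if len(sizes) % 2 else (sizes[mid - 1] + sizes[mid]) / 2


def anomalous_deposits(txs, deposit_addrs, baseline, factor=10.0):
    """Deposits at least `factor` times the baseline (the '10x normal' trigger)."""
    return [t for t in txs if t.dst in deposit_addrs and t.usd >= factor * baseline]


def trace_back(txs, start, max_hops=10):
    """Walk funding edges backwards from `start` until an address with no inbound
    transfer (the origin) or the hop limit. Follows the largest inbound transfer at
    each step; a real tracer branches on every input. Returns the path, origin first."""
    inbound = defaultdict(list)
    for t in txs:
        inbound[t.dst].append(t)
    path, cur = [start], start
    for _ in range(max_hops):
        feeders = inbound.get(cur)
        if not feeders:
            break
        cur = max(feeders, key=lambda t: t.usd).src
        path.append(cur)
    return list(reversed(path))


def days_since_previous_spend(txs, addr, at):
    """Days between the spend at `at` and the previous spend from `addr`; None if
    `addr` never spent before. A multi-year gap followed by a drain is the
    'patient holder suddenly cashing out' signal."""
    earlier = [t.when for t in txs if t.src == addr and t.when < at]
    return (at - max(earlier)).days if earlier else None


def investigate(txs, deposit_addrs, now, factor=10.0):
    """Alert on oversized deposits, trace each back to its origin, report dormancy."""
    base = baseline_deposit(txs, deposit_addrs, before=now)
    findings = []
    for dep in anomalous_deposits(txs, deposit_addrs, base, factor):
        path = trace_back(txs, dep.src)
        origin = path[0]
        dormant = None
        if len(path) > 1:
            first_hop = max((t for t in txs if t.src == origin and t.dst == path[1]),
                            key=lambda t: t.when)
            dormant = days_since_previous_spend(txs, origin, first_hop.when)
        findings.append({"txid": dep.txid, "usd": dep.usd, "baseline": base,
                         "path": path, "origin": origin, "dormant_days": dormant})
    return findings


if __name__ == "__main__":
    for f in investigate(SAMPLE_TXS, WATCHED_DEPOSITS, T0):
        print(f"{f['txid']}: ${f['usd']:,.0f} (baseline ${f['baseline']:,.0f}) "
              f"<- {' <- '.join(reversed(f['path']))}; origin dormant {f['dormant_days']} days")
```

On the constructed data, both drain deposits trip the 10x threshold against a $60,000 baseline and trace back through `hop2` and `hop1` to `whale_2012`, whose previous spend was 3,000 days earlier. In practice the baseline should be computed per deposit address over a longer window, and the trace must follow every input of each transaction rather than only the largest, which is where the manual work in the story actually goes.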
By the time the flight landed, ZachXBT had found three major leads, pointing to three possible culprits. He also posted to his 650,000 followers on X, flagging the theft unfolding on chain. Soon he received a message from a source claiming to have a lead on the thieves’ identities.
Over the next week, ZachXBT worked around the clock, sleeping no more than four or five hours a night, and regularly shared his findings with law enforcement. Eventually he identified the suspects: two young hackers named Malone Lam and Jeandiel Serrano, both in their early 20s, and a third suspect whom Wired chose not to name because he has not yet been arrested or charged.
ZachXBT even found a video of the hackers celebrating their windfall. During the investigation he also tracked down the thieves’ Instagram and TikTok accounts and watched one of them spend millions of dollars on luxury cars, private jets and nightclubs; the suspect once spent as much as $500,000 in a single nightclub.
Less than a month passed between the alert before boarding and the arrest and criminal charging of two of the three suspects. ZachXBT said he felt a brief adrenaline rush when he saw the mugshot of one of the hackers, but the feeling quickly passed.
“I didn’t really feel any particular sense of accomplishment, I just treated it like any other case.”
The number one “chain detective”
If tracing a $243 million heist seems like just another day for ZachXBT, that is because over the past three years he has become the most prolific and best-known on-chain detective in the cryptocurrency world. Since starting his amateur investigations in 2021, he has tracked stolen funds and scams totaling billions of dollars. ZachXBT sent Wired a spreadsheet showing that, by his own count, his investigations have directly recovered about $210 million in stolen money across hundreds of cases and indirectly facilitated the seizure of about $225 million more. He has also uncovered project and KOL rug pulls, tracked down the cybercriminals behind large thefts, and exposed dozens of cases of North Korean hackers infiltrating projects, sometimes as employees.
ZachXBT’s income comes almost entirely from cryptocurrency donations, mostly from crypto organizations or strangers, totaling about $1.3 million since 2021. Joe McGill, a Secret Service analyst who has worked with ZachXBT, said: “He is a new generation of investigator. He works for the public, and his success depends entirely on the success of his work.”
In his years as a cryptocurrency vigilante, ZachXBT has kept his true identity firmly hidden. Online, his profile picture is his avatar, a platypus wearing a detective’s trench coat over a sweatshirt. To avoid retaliation from thieves, scammers and many other potential enemies, he has never appeared in public or revealed his real name or exact age, and he agreed to be interviewed only on the condition that Wired would not try to dig up those details.
McGill recalled that in some of their early conference calls, ZachXBT not only kept his camera off but also used a voice changer, sometimes sounding high-pitched like a South Park character and sometimes deepening his voice to something out of a horror movie. McGill, who was then still working at the blockchain analytics firm TRM Labs, said: “It was very strange at first, but I respected his privacy, because this anonymous guy was doing really great work.”
ZachXBT exposes multiple cryptocurrency scams and thefts almost every week, often much faster than law enforcement agencies can work, to the point where Five I’s founder and fellow cryptocurrency investigator Nick Bax half-jokingly suspects he might be some kind of bot.
“He’s a machine,” Bax laughed.
Last year the two worked together on the 2021 theft of $60 million from a cryptocurrency project called AnubisDAO. On a Saturday night, Bax gave ZachXBT a list of more than 500 transactions, each of which, together with its associated addresses, required detailed manual analysis. Bax thought it would keep ZachXBT busy for at least a few days, but by early afternoon the next day ZachXBT had reviewed every transaction and determined which were relevant to the case.
“I was shocked,” Bax said. “He must have been sitting in front of his computer for 12 hours straight.”
Many of ZachXBT’s findings are posted directly to his X account. Over time, law enforcement agencies have come to value those findings more and more; he now often shares them with investigators before posting them publicly. As a result, the impact of his work has become more real, and more serious.
Taylor Monahan, a security researcher at MetaMask and one of ZachXBT’s closest collaborators on many investigations, including the $243 million theft, said: “As ZachXBT’s influence has grown, his words and actions have had financial and legal consequences. If ZachXBT were to post about someone now, and the content was reasonable, that person would be arrested.”
From victim to whistleblower
How does ZachXBT track cryptocurrency security incidents faster and more efficiently than law enforcement agencies, with no formal training or organizational support? He himself is not sure: “It’s hard to answer, and I don’t know why I’m good at it.”
In a phone interview with Wired, ZachXBT attributed it to his willingness to work 24/7 (the blockchain never sleeps, after all) and to a familiarity with the blockchain built up from studying countless transactions over the years. “The more you study the blockchain, like you eat, sleep, and breathe it, it starts to become clearer over time,” he said. “You start to be able to catch those connections. Now I can just look at an address, give me a few seconds to dissect it, and I can tell you if it’s a bad actor.”
Beyond his years as a cryptocurrency enthusiast, ZachXBT also revealed that he himself had been a victim of crypto security incidents. Around 2017 he naively bought thousands of dollars’ worth of cryptocurrencies that eventually collapsed in value, as so much of the market did. “When I bought it, I thought, this has the potential to change the world. So I kept it and never sold it... In the end, I became the one who was deceived.”
By 2018 those investments had not only failed; Electrum, a wallet ZachXBT used, was also hacked, and he lost nearly $15,000 more.
Only then did ZachXBT step back and rethink his approach. Instead of simply buying and holding tokens, he began analyzing the on-chain movement of cryptocurrency (almost all blockchain addresses and transactions are publicly visible), studying how the more successful large investors traded and trying to imitate them.
By 2020, ZachXBT knew enough about tracing transactions to spot, through constant analysis of on-chain behavior, scams that were invisible to ordinary investors. He saw KOLs publicly promoting a crypto asset to hundreds of thousands of followers to drive up its price, but when he tracked their wallets on chain he found they were selling their holdings immediately afterwards: a classic pump and dump. ZachXBT said: “It was a bit like being a whistleblower, but I noticed those activities and thought about what happened to me in 2017 and 2018, so I thought, why not post a message to tell everyone? Then these posts started to go viral.”
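The pattern in the paragraph above (a KOL promotes a token, then sells into the attention they generated) can be checked mechanically once the promoter’s wallet is known: reconstruct the wallet’s balance at the moment of the post, then look for transfers of that token to a sell venue within a window after the post. The Python below is an added illustration, not code from the original article or from ZachXBT. The accounts, wallet addresses, token symbols, venue addresses and transfers are all constructed for the example, and the function names, the 24-hour window and the 50% threshold are the example’s own choices.

```python
from datetime import datetime, timedelta

# Constructed sample data (no real accounts, wallets or tokens).
# Promotional posts: which KOL, the wallet attributed to them, the token, and when.
POSTS = [
    {"kol": "alice_kol", "wallet": "0xALICE", "token": "PUMP", "when": datetime(2020, 9, 1, 12, 0)},
    {"kol": "bob_kol", "wallet": "0xBOB", "token": "PUMP", "when": datetime(2020, 9, 1, 12, 5)},
]
# Token transfers as they would be read off the chain.
TRANSFERS = [
    # alice accumulated the day before her post...
    {"src": "0xDEX", "dst": "0xALICE", "token": "PUMP", "amount": 1_000_000, "when": datetime(2020, 8, 31, 10, 0)},
    # ...and sent 80% of it to an exchange deposit address 40 minutes after shilling it
    {"src": "0xALICE", "dst": "0xCEX_DEPOSIT", "token": "PUMP", "amount": 800_000, "when": datetime(2020, 9, 1, 12, 40)},
    # bob also holds the token but has not moved it
    {"src": "0xDEX", "dst": "0xBOB", "token": "PUMP", "amount": 50_000, "when": datetime(2020, 8, 30, 9, 0)},
    # an unrelated transfer from bob, different token, a week later
    {"src": "0xBOB", "dst": "0xCEX_DEPOSIT", "token": "OTHER", "amount": 10, "when": datetime(2020, 9, 8, 9, 0)},
]
SELL_VENUES = {"0xCEX_DEPOSIT", "0xDEX"}  # assumed exchange deposit and DEX router addresses


def balance_at(transfers, wallet, token, when):
    """Token balance of `wallet` reconstructed from transfers up to and including `when`."""
    bal = 0
    for t in transfers:
        if t["token"] != token or t["when"] > when:
            continue
        if t["dst"] == wallet:
            bal += t["amount"]
        if t["src"] == wallet:
            bal -= t["amount"]
    return bal


def sold_in_window(transfers, wallet, token, venues, start, window):
    """Amount of `token` the wallet sent to a sell venue within `window` after `start`."""
    return sum(t["amount"] for t in transfers
               if t["src"] == wallet and t["token"] == token and t["dst"] in venues
               and start <= t["when"] <= start + window)


def dumps_after_promotion(posts, transfers, venues, window=timedelta(hours=24), min_fraction=0.5):
    """Flag posts where the promoter held the token at post time and sold at least
    `min_fraction` of that position to a sell venue within `window` after posting."""
    findings = []
    for p in posts:
        held = balance_at(transfers, p["wallet"], p["token"], p["when"])
        if held <= 0:
            continue  # nothing to dump; a promoter with no position is a different question
        sold = sold_in_window(transfers, p["wallet"], p["token"], venues, p["when"], window)
        fraction = sold / held
        if fraction >= min_fraction:
            findings.append({"kol": p["kol"], "token": p["token"], "held_at_post": held,
                             "sold_in_window": sold, "fraction_dumped": round(fraction, 2)})
    return findings


if __name__ == "__main__":
    for f in dumps_after_promotion(POSTS, TRANSFERS, SELL_VENUES):
        print(f"{f['kol']} promoted {f['token']} while holding {f['held_at_post']:,} "
              f"and dumped {f['fraction_dumped']:.0%} within 24h")
```

On the constructed data only `alice_kol` is flagged: she held 1,000,000 PUMP at post time and moved 800,000 to the exchange deposit address within the window, while `bob_kol` held the token but did not sell. The hard part in practice is the input, not the logic: attributing a wallet to a KOL and labeling which addresses are exchange deposits or DEX routers is exactly the manual clustering work the article describes.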
The following year, as the NFT craze took off, ZachXBT began reviewing NFT projects such as Bored Bunny and Billionaire Dogs Club in the same way, tracking where the money flowing into them actually went. At the time, some NFT projects could raise millions of dollars with nothing more than a set of small cartoon JPEGs and a promise that the NFTs would grant privileges such as access to exclusive events or clubs. On chain, however, ZachXBT saw that some projects simply scattered the funds and pocketed them. Sometimes he found that an NFT project was a rebrand of an earlier project that had already been shown to be a scam.
In some cases ZachXBT’s disclosures about NFT projects did alert potential buyers and deter dubious teams. But over time he grew tired of exposing the same obvious scams again and again, and frustrated by the usual outcome: no one behind the NFT scams he exposed faced criminal charges.
By early 2022, ZachXBT had noticed a group of hackers active on X who posted phishing links; their phishing campaigns had stolen tens of millions of dollars. Whenever a distraught victim posted that their savings had been stolen, ZachXBT would contact them and carefully trace the lost funds. He combined these on-chain clues with leads from Discord and Telegram channels frequented by young crypto hackers, and found the online accounts of several teenagers suspected of being behind the phishing who were bragging about their hauls.
By then ZachXBT’s reputation had spread through the hacker community, so much so that one person he considered a suspect posted on X specifically to mock him as “mr xbt” while showing off a diamond-studded Audemars Piguet watch he had just bought. ZachXBT found the seller of the watch in a luxury-watch Discord channel and convinced the seller, who had sold the watch for nearly $50,000, to hand over the suspect’s shipping address and real name.
There are no public records showing whether the suspect was arrested; because he is a minor, charges are either sealed or were never filed. However, a forfeiture notice ZachXBT found shows that in October 2022, a month after he announced the investigation on X, the FBI seized more than $200,000 worth of crypto assets, including the diamond watch, from the underage suspect he had identified.
That same year, ZachXBT used similar techniques to trace another $2.5 million worth of NFTs stolen through a different phishing campaign, allegedly by a pair of French hackers. In that case, French prosecutors arrested five suspects a few months later. According to AFP, prosecutors specifically credited the clues ZachXBT posted on X with helping them track down the two suspected masterminds. ZachXBT said: “It’s been fulfilling to see law enforcement take action based on the information I shared. It makes me feel that maybe what I’ve been doing is really meaningful.”
Two years after ZachXBT’s investigations first caught the attention of law enforcement, the scale (and in some cases the impact) of his work has exploded. In February 2023 he traced nearly $9 million stolen from the DeFi protocol Platypus, identifying one of the suspects within hours; a week later, French police arrested two suspects. Although the charges against the two were ultimately dropped, police recovered several million dollars in stolen funds, and Platypus thanked ZachXBT in a post. Later that year, ZachXBT also traced a $25 million theft from Uranium Finance, much of which appears to have been laundered through purchases of rare Magic: The Gathering cards. Later still, the cybercrime group Scattered Spider hit Caesars Entertainment in Las Vegas with ransomware; other investigators on the case interviewed by Wired recalled that the company was extorted for $15 million, and that ZachXBT helped trace and recover $12 million of it.
Around the same time, ZachXBT published a large investigation into 25 cryptocurrency thefts by North Korean hackers, totaling more than $200 million, about $7 million of which has been frozen with his help. About half of those hacks had never been publicly disclosed before. Another ZachXBT investigation revealed a network of about 30 North Korean IT workers who had infiltrated various technology companies and were paid in cryptocurrency. In a case earlier this year, a developer who appeared to be linked to North Korea was employed by the NFT project Munchables and stole $62 million worth of crypto assets from it. Once ZachXBT helped identify and flag the funds, the resulting freezes made it hard for the suspects to cash out, and they ultimately returned the money.
I’m going crazy! Do you know how much this is???
Even with all that experience, the alert at the airport that $243 million had been stolen from a single victim was still one of the biggest thefts ZachXBT had ever pursued.
After returning home, ZachXBT spent the next few days tracing the dispersed funds while combing social media for traces of the three suspects, two of whom went by the names Greavys and Box. Greavys in particular, whose real name is Malone Lam, appeared to live in Miami, judging by the photos he posted of luxury homes, diamond watches, jets and sports cars (including a Lamborghini Revuelto and a Pagani Huayra, the latter of which typically sells for more than $3 million). ZachXBT also saw posts from influencers to whom Greavys had given Hermès handbags worth between $30,000 and $50,000 each, as well as photos of nightclub waiters holding up signs reading “WHO WANT A BIRK” that tagged Greavys.
ZachXBT said: “It seems like their daily routine is just partying and stealing money.”
A few days later, he convinced the informant who had first tipped him off during the flight to send him a video of three hackers, apparently involved in the theft, sharing their screens. Unbeknownst to them, one of the hackers had also been sharing his screen with another group of friends during that session, and one of those people recorded it. Over the 90-minute video, ZachXBT heard the three hackers call each other by their real names several times, and at one point one of them briefly showed his Windows desktop, which gave away his last name.
The video even captured the hackers’ ecstatic reaction when the theft succeeded: “Oh my God! Oh my God! $243 million! It’s real! I’m going crazy! Ah! We’re done! We’re done! I’m going crazy! Do you know how much money this is???”
On the late afternoon of September 18, less than a month after ZachXBT’s investigation began, Lam was arrested at a Miami beachfront mansion for which he paid $68,000 a month in rent. Box, whose real name is Jeandiel Serrano, was arrested at the Los Angeles airport as he and his girlfriend returned from a vacation in the Maldives. According to prosecutors, Serrano was wearing a $500,000 watch when he was arrested, lived in a house near Los Angeles that rented for more than $40,000 a month, and had spent $1 million on luxury cars. The next day, charges of wire fraud and money laundering were announced against Lam and Serrano. According to court documents, both hackers admitted to law enforcement that they were involved in multiple cryptocurrency thefts, and Lam also admitted to using the stolen money to buy no fewer than 31 luxury cars.
So far, $79 million of the $243 million heist has been seized or frozen. ZachXBT hopes to find more funds. Prosecutors say that even after all the hackers spending, more than $100 million is still unaccounted for.
The third suspect ZachXBT identified appears to live in Connecticut, according to public records, but has not been charged with any crime. However, journalist Brian Krebs pointed to a criminal complaint describing a group of men who carjacked a couple in their 50s in Connecticut in late August (four days after the theft) in their Lamborghini and briefly held them hostage because the carjackers “believed the victims’ son had access to large amounts of digital currency” — suggesting the victims could be the parents of ZachXBT’s third suspect.
For ZachXBT personally, this investigation could be a turning point, as it is the first time he has been hired directly by a victim in a case and received compensation for his effective investigation, rather than working as a volunteer relying on donations. He said he may transition to doing more paid work, or even start his own investigation company.
But ZachXBT insists he is not trying to get rich from his investigations: “I want to see funds seized, see funds returned to victims, see criminals arrested, that’s my goal, that’s what I’m determined to do. Seeing my work benefit other people, that’s where my pride comes from.”
Taylor Monahan of MetaMask, who has worked with ZachXBT on dozens of investigations, believes his actions are still driven mainly by a sense of justice, one that comes from having been a victim of the chaos of the crypto world himself and not wanting others to go through the same thing.
“He, like many in the industry, had a bad experience where everyone around him was telling him he was unlucky, but he instinctively wanted to change that,” Monahan said.