Getting to Know ZachXBT: The Strongest Detective in the Crypto World, How Did He Solve a $243 Million Theft Case Alone?

BlockBeats
2024-10-25 10:06:50
When faced with unfortunate events, people around can only say "what bad luck," but ZachXBT instinctively refuses to accept this helpless response and is determined to change it all.

Original Title: Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts

Author: Andy Greenberg

Compiled by: Ismay, BlockBeats

Editor's Note: Many readers have likely seen the name ZachXBT come up repeatedly of late, from his confrontation with Ansem and the revelation of Murad's address to the exposure of USDT dealer Wang Yicong and the disclosure of the SHAR project team's deck. Since 2021, the on-chain detective ZachXBT has helped victims of scams and theft recover nearly $500 million. Last month he cracked a $243 million theft, possibly the largest theft ever to target an individual. From tracking crimes deep within the blockchain to revealing the flows of funds behind lavish lifestyles, ZachXBT has, through intelligence and persistence, helped recover hundreds of millions in stolen funds in just a few years. This article from Wired takes you into the world of this "faceless detective" of cryptocurrency, showing how he battles crypto crime and the lesser-known stories behind the scenes.

The following is the original content:

On August 19, a young man in his twenties, known online as ZachXBT, was preparing to board a flight home. He was unwilling to disclose which airport, his real name, or where he lived.

At that moment his phone buzzed with an alert: a large amount of Bitcoin had just been deposited at a small cryptocurrency exchange. It was one of many exchanges he had been monitoring for a long time, mainly to catch funds being laundered by criminals. The alert caught his attention because of its size: the transaction was worth about $600,000, roughly ten times the exchange's typical daily volume.

When he reached the boarding gate, his phone buzzed again with a new alert: another transaction exceeding $1 million occurred on the same exchange. Soon after, there was another transaction for $2 million.

As ZachXBT queued to board, he traced the flow of these funds on his phone, walking back through the Bitcoin addresses and marking the suspicious ones, trying to determine the source of the funds before he lost his internet connection for the half hour after takeoff.

Before the plane took off, he had already established that the funds came from a large Bitcoin wallet, holding hundreds of millions of dollars, that had not moved since 2012. Now this nine-figure sum was being hastily cashed out, with high transaction fees paid to hurry confirmations, behavior that made no sense for an investor who had held the coins for over a decade.

In ZachXBT's view, this flow of funds was clearly indicative of a massive theft.

Upon further verification, he discovered that someone had stolen approximately $243 million worth of Bitcoin from a victim, possibly the largest cryptocurrency theft ever targeting an individual. "This is really an extraordinarily large amount, stolen from one person," ZachXBT told Wired, "I had to confirm that I wasn't mistaken."

Once the plane climbed above 10,000 feet and Wi-Fi was restored, ZachXBT began tracking the flow of more stolen funds.

These funds were transferred through one exchange after another and various trading platforms. Over the next few hours, he accelerated the mapping of these fund flows, discovering that the hacker was attempting to hide the funds' trail across dozens of platforms.

As he traced back to the owner of the Bitcoin, ZachXBT found that part of the funds initially came from the now-defunct Genesis cryptocurrency exchange. He privately messaged the exchange's administrator on X (formerly Twitter), asking them to contact the victim, who eventually hired him to trace the stolen funds.

By the time he reached his destination, ZachXBT had identified that the stolen funds had split into three main flows, pointing to what he believed were three suspects. He also posted a message to his over 650,000 followers on X, highlighting the ongoing theft activity on the blockchain.
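The three signals in the passage above (a deposit far above an exchange's normal daily inflow, a wallet that spends after years of silence while overpaying fees, and stolen coins fanning out into separate branches before reaching exchanges) can be written down as plain heuristics. The following is an added illustration and is not ZachXBT's tooling or any code from the article; the account-style transaction model, the sample ledger, the exchange labels and baselines, and the thresholds are all assumptions made for this example.

```python
"""Heuristics behind the alerts described above, on a constructed ledger.

Added illustration, not ZachXBT's tooling. The account-style Tx model, the
sample transactions, the exchange labels and baselines, and the thresholds are
all assumptions made for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Tx:
    txid: str
    ts: datetime
    src: str
    dst: str
    amount: float  # BTC
    fee: float     # BTC


# Constructed sample ledger (synthetic, not real chain data).
TXS = [
    Tx("t0", datetime(2012, 6, 1, 12, 0), "coinbase", "1Dormant", 4000.0, 0.0),
    Tx("t1", datetime(2024, 8, 19, 9, 0), "1Dormant", "bc1hop1", 3999.5, 0.5),
    Tx("t2", datetime(2024, 8, 19, 9, 20), "bc1hop1", "bc1splitA", 1500.0, 0.01),
    Tx("t3", datetime(2024, 8, 19, 9, 21), "bc1hop1", "bc1splitB", 1500.0, 0.01),
    Tx("t4", datetime(2024, 8, 19, 9, 22), "bc1hop1", "bc1splitC", 999.4, 0.01),
    Tx("t5", datetime(2024, 8, 19, 10, 5), "bc1splitA", "exchA", 12.0, 0.001),
    Tx("t6", datetime(2024, 8, 19, 10, 40), "bc1splitA", "exchA", 17.0, 0.001),
    Tx("t7", datetime(2024, 8, 19, 11, 15), "bc1splitB", "exchB", 40.0, 0.001),
    Tx("t8", datetime(2024, 8, 19, 11, 30), "bc1retail", "exchA", 0.2, 0.0001),
    Tx("t9", datetime(2024, 8, 19, 12, 0), "bc1splitC", "bc1cold", 999.0, 0.001),
]

# Assumed baseline: typical daily inflow (BTC) of each monitored exchange's deposit cluster.
EXCHANGE_BASELINE = {"exchA": 1.0, "exchB": 2.0}


def flag_large_exchange_inflows(txs, baseline, factor=10.0):
    """The airport alert: one deposit larger than `factor` x the exchange's usual daily inflow."""
    return [tx.txid for tx in txs
            if tx.dst in baseline and tx.amount > factor * baseline[tx.dst]]


def flag_dormant_spends(txs, dormant_years=5, min_fee=0.05):
    """A wallet silent for years suddenly spends and overpays the fee to hurry confirmation.
    An address with no prior history is not flagged: there is no dormancy to measure."""
    last_seen = {}
    flagged = []
    for tx in sorted(txs, key=lambda t: t.ts):
        prev = last_seen.get(tx.src)
        if prev is not None and (tx.ts - prev).days >= dormant_years * 365 and tx.fee >= min_fee:
            flagged.append(tx.txid)
        last_seen[tx.src] = tx.ts
        last_seen[tx.dst] = tx.ts
    return flagged


def trace_taint(txs, seed_txid, sinks):
    """Follow the stolen coins forward from one transaction.

    An address becomes tainted when it receives tainted coins, and only its spends
    from that moment on are followed, so its earlier, innocent history is not swept
    in. Tracing stops at `sinks` (exchange deposit addresses): from there the money
    is in the exchange's custody and the trail continues off-chain via a freeze
    request or subpoena. Returns (number of branches leaving the first hop,
    BTC arriving at each sink).
    """
    by_src = defaultdict(list)
    for tx in txs:
        by_src[tx.src].append(tx)
    seed = next(tx for tx in txs if tx.txid == seed_txid)
    tainted_since = {seed.dst: seed.ts}
    queue = deque([seed.dst])
    reached = defaultdict(float)
    branches = 0
    while queue:
        addr = queue.popleft()
        for tx in sorted(by_src[addr], key=lambda t: t.ts):
            if tx.ts < tainted_since[addr]:
                continue  # spent before the taint arrived
            if addr == seed.dst:
                branches += 1
            if tx.dst in sinks:
                reached[tx.dst] += tx.amount
                continue
            if tx.dst not in tainted_since:
                tainted_since[tx.dst] = tx.ts
                queue.append(tx.dst)
    return branches, dict(reached)


if __name__ == "__main__":
    print("large inflows:", flag_large_exchange_inflows(TXS, EXCHANGE_BASELINE))
    print("dormant spends:", flag_dormant_spends(TXS))
    print("trace from t1:", trace_taint(TXS, "t1", set(EXCHANGE_BASELINE)))
```

On the constructed ledger the inflow check fires on the three oversized deposits but not on the retail-sized one, the dormancy check fires only on the 2012 wallet's spend, and the trace reports three branches out of the first hop with 29 BTC landing at one exchange and 40 BTC at another, which is exactly the shape an investigator needs before asking exchanges to freeze. Real Bitcoin tracing works on UTXOs with many inputs and outputs per transaction, clusters addresses by co-spending, and has to choose a taint rule (poison, haircut or FIFO) when stolen and clean coins are mixed in one transaction; this example uses the simplest poison rule on an account-style view.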

Shortly after, he received a message from an informant claiming to have leads on the hacker's identity.

In the following week, ZachXBT worked day and night, sleeping only four to five hours a day, regularly sharing his findings with law enforcement. He ultimately identified the suspects involved in the theft—two young hackers in their twenties named Malone Lam and Jeandiel Serrano. ZachXBT also confirmed another suspected hacker, but Wired chose not to disclose his name as he had not yet been arrested or charged.

He even obtained a video showing one of the suspects celebrating the successful theft of the large sum. In his rapid investigation, ZachXBT tracked down the suspects' Instagram and TikTok accounts, seeing one of them flaunting millions of dollars, buying luxury cars, flying on private jets, and spending up to $500,000 in nightclubs in a single night.

Less than a month after receiving that alert on the plane, two of the three suspects were arrested and faced criminal charges.

When ZachXBT finally saw a mugshot of one of the hackers, he felt a brief rush of adrenaline but quickly regained his composure. "I didn't feel any particular sense of accomplishment," ZachXBT said, "I just treated it like another ordinary case."

Investigation Results of the Bitcoin Theft Case | ZachXBT's Pinned Tweet

A Private Detective for the Public in Cryptocurrency

If tracking a $250 million theft feels like a typical day online for ZachXBT, it may be because he has become the world's most active independent cryptocurrency detective over the past three years.

Since starting as an amateur investigator in 2021, he has tracked down billions of dollars in stolen funds and scam cases. According to a table he provided to Wired, his hundreds of investigations have directly led to the recovery of about $210 million in criminal cryptocurrency funds, with another approximately $225 million recovered for victims with his indirect assistance.

He has exposed influencers promoting tokens through pump-and-dump schemes, tracked down the cybercriminals behind major cryptocurrency thefts, and revealed dozens of incidents of North Korean hackers infiltrating crypto companies or even posing as employees.

Throughout this process, he has relied almost entirely on cryptocurrency donations to fund his work, including grants from cryptocurrency organizations and contributions sent by strangers to the address listed in his social media profile, totaling about $1.3 million since 2021. "He is a new generation of investigator serving the public," said Joe McGill, an analyst with the U.S. Secret Service who has worked with ZachXBT, "His success is entirely dependent on the success of his investigations."

In his role as a cryptocurrency vigilante, ZachXBT has always carefully guarded his anonymity. Online, he appears only as his avatar, a cartoon platypus wearing a detective coat or sometimes a hoodie. To avoid retaliation from cryptocurrency criminals and scammers, he has never revealed his face, name, or exact age, and he agreed to an interview with Wired only on the condition that the magazine would not pursue his personal identity.

ZachXBT's Twitter Profile

Secret Service analyst McGill recalled that during their early phone meetings, ZachXBT not only turned off his camera but also used voice-changing software, sometimes sounding like a high-pitched character from South Park; other times, he lowered his voice to sound like a character from a horror movie. "It was definitely strange at first," McGill, who was then working at the crypto tracking company TRM Labs, said, "but I respected his privacy because this anonymous person was doing exceptional work."

Cryptocurrency investigator and founder of Five I's, Nick Bax, stated that ZachXBT exposes numerous cryptocurrency scams and thefts almost every week, often much faster than law enforcement agencies. Bax jokingly said he even suspected ZachXBT might be a robot.

"He’s like a machine," Bax said.

In an investigation last year, they collaborated to track a $60 million theft in the 2021 AnubisDAO crypto project. Bax provided ZachXBT with a list of 500 transactions on a Saturday night, each requiring manual analysis, along with associated blockchain addresses. "I thought this would keep him busy for at least a few days," however, by the next afternoon, ZachXBT had completed the analysis of all transactions and identified which were related to the theft. "I was shocked," Bax said, "he must have sat at his computer for 12 hours straight."

Many of ZachXBT's investigation results are published on his X account without any ceremony.

However, over time, his investigations have increasingly attracted the attention of law enforcement—now he often shares his findings with these agencies before making them public, and the targets of his detective work are facing increasingly serious consequences.

"As Zach's influence has grown, these cases have brought financial and legal repercussions," said Taylor Monahan, a security researcher at the crypto company MetaMask, who is one of ZachXBT's closest investigative partners and participated in the investigation of the $243 million theft. "If Zach posts about someone now and exposes them thoroughly, that person is very likely to be arrested."

From Victim to Whistleblower

So how has ZachXBT managed to track the flow of funds faster and more accurately than law enforcement's cryptocurrency investigators, even without formal training or organizational support?

He himself is not quite sure. "That's a tough question; I don't know why I'm so good at it," ZachXBT told Wired in a phone interview. He believes it has to do with his willingness to work around the clock—after all, the cryptocurrency market never closes—and the experience he has accumulated from years of deep research into cryptocurrency blockchains. "The more blockchains you look at, when you're eating, sleeping, or even breathing while studying it, over time, everything starts to become clearer," he said. "You begin to notice those connections. I can look at a wallet and determine in seconds whether it's a bad actor."

ZachXBT stated that his familiarity with blockchains comes from his years as a cryptocurrency enthusiast and trader—and he himself was also a victim of many traps in the crypto economy.

Around 2017, he naively spent thousands of dollars buying various crypto tokens, only for those tokens to depreciate significantly—often due to so-called rug pulls, where the token creators suddenly sell off their tokens, rendering the assets worthless for other investors. "When I bought in, I thought, 'This is going to change the world.' I held onto it without ever selling," ZachXBT said, and the result was, "I became the person who got scammed."

By 2018, not only had all his investments shrunk significantly, but the Electrum wallet he used was also compromised through a malicious software update, costing him nearly $15,000.

It was only then that he decided to step back and rethink his strategy. He stopped simply buying and holding tokens and began analyzing cryptocurrency blockchains, nearly all of which are public ledgers that anyone can read, provided they can work out which addresses belong to whom. In this way he watched how larger, more successful investors traded tokens and Bitcoin and tried to mimic their moves.

Through these blockchain analyses, by 2020, he had become quite familiar with tracking cryptocurrency transactions, able to spot ongoing scams that ordinary investors could not see.

He saw influencers publicly promoting a certain crypto asset to their thousands of followers, driving up its price, and then tracked their funds through the blockchain, discovering they were actually selling off their tokens immediately after promoting them, which is often a typical "pump and dump" scheme.
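The check described above is a join between off-chain events (the promotion posts) and on-chain events (the promoter's outgoing token transfers). The following is an added example, not the article's or ZachXBT's code; the transfers, wallets, post timestamps, the 24-hour window and the 50% threshold are all constructed assumptions. It compares what the promoter held at the moment of the post with what they moved out afterwards, so a holder who trims a small slice of a large position is not mistaken for a dumper.

```python
"""Pump-and-dump check: did a promoter sell right after promoting?

Added example, not the article's or ZachXBT's code. Transfers, wallets, post
timestamps, the 24-hour window and the 50% threshold are all constructed
assumptions.
"""
from datetime import datetime, timedelta

# Constructed token transfers: (timestamp, from, to, token, amount).
TRANSFERS = [
    (datetime(2020, 9, 1, 10, 0), "0xDeployer", "0xInfluencer", "PUMP", 1_000_000),
    (datetime(2020, 9, 1, 10, 5), "0xDeployer", "0xHonest", "PUMP", 50_000),
    (datetime(2020, 9, 1, 14, 0), "0xInfluencer", "0xDexPool", "PUMP", 600_000),
    (datetime(2020, 9, 1, 16, 30), "0xInfluencer", "0xDexPool", "PUMP", 300_000),
    (datetime(2020, 9, 5, 9, 0), "0xHonest", "0xDexPool", "PUMP", 1_000),
]

# Constructed off-chain promotion posts, already linked to the promoter's wallet:
# (post timestamp, wallet, token promoted).
PROMOS = [
    (datetime(2020, 9, 1, 13, 0), "0xInfluencer", "PUMP"),
    (datetime(2020, 9, 4, 12, 0), "0xHonest", "PUMP"),
]


def balance_at(transfers, wallet, token, ts):
    """Token balance of `wallet` counting every transfer up to and including `ts`."""
    bal = 0
    for t_ts, src, dst, tok, amt in transfers:
        if tok != token or t_ts > ts:
            continue
        if dst == wallet:
            bal += amt
        if src == wallet:
            bal -= amt
    return bal


def find_dumps(promos, transfers, window=timedelta(hours=24), min_fraction=0.5):
    """For each post, compare what the promoter held when posting with what they
    moved out in the following `window`. Flag when the sold share is at least
    `min_fraction`; small trims by a holder who keeps most of the position are ignored."""
    hits = []
    for p_ts, wallet, token in promos:
        held = balance_at(transfers, wallet, token, p_ts)
        if held <= 0:
            continue  # promoted without holding: a different problem, not a dump
        sold = sum(amt for t_ts, src, _dst, tok, amt in transfers
                   if tok == token and src == wallet and p_ts < t_ts <= p_ts + window)
        fraction = sold / held
        if fraction >= min_fraction:
            hits.append((wallet, token, p_ts, fraction))
    return hits


if __name__ == "__main__":
    for wallet, token, when, frac in find_dumps(PROMOS, TRANSFERS):
        print(f"{wallet} promoted {token} at {when:%Y-%m-%d %H:%M} and sold {frac:.0%} within 24h")
```

With the constructed data, the influencer who sold 90% of their position within hours of posting is flagged, while the holder who sold 2% the next day is not. In practice the hard part is the link between a social-media handle and a wallet, which usually comes from a public donation address, an ENS name, or a transfer the promoter has acknowledged; sells routed through a fresh intermediate wallet also require following one more hop before the transfer to a DEX pool is visible.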

"It felt more like a whistleblower role," ZachXBT said. "When I noticed these activities, I thought, 'This reminds me of my experiences of being scammed in 2017 and 2018; why not post to expose it?' And then it started to gain widespread attention."

When the NFT craze emerged, ZachXBT also began to scrutinize NFT projects like Bored Bunny and Billionaire Dogs Club, revealing the true flow of funds. These NFT sellers could raise millions of dollars with just a few cartoon images, claiming these NFTs would provide privileges like access to exclusive events or clubs.

However, through blockchain analysis, ZachXBT discovered that these sellers were merely siphoning off the funds into their own pockets. Sometimes, he even found that certain NFT sellers were actually "repackaged" from a previous project that had been proven to be a scam.

In some cases, posts ZachXBT published about NFT sellers did deter buyers, preventing some suspicious NFT sellers from continuing to sell their products. But over time, he grew weary of continuously exposing these transparent, repetitive scams and felt frustrated by the lack of more substantive outcomes: none of the NFT projects he exposed faced criminal charges.

By early 2022, ZachXBT began to notice a group of hackers infiltrating the Twitter accounts of some well-known cryptocurrency users, posting phishing links that pointed to Ethereum smart contracts designed to drain users' wallets, resulting in tens of millions of dollars in theft.

Whenever a victim painfully posted about their savings being stolen, ZachXBT would proactively reach out to them and carefully track their lost funds. He combined these blockchain clues with sources he developed in Discord and Telegram channels where young cryptocurrency thieves often hung out, ultimately identifying several online nicknames that might be related to the phishing activity, who were flaunting their stolen wealth online.

At this point, ZachXBT had already gained significant notoriety in the underground world of cryptocurrency, even with one person he believed to be a suspect posting on Twitter about purchasing a diamond-encrusted Audemars Piguet watch, mockingly mentioning "mr xbt."

ZachXBT tracked down the seller of the watch through a luxury watch Discord channel and successfully persuaded the seller to provide the shipping address and real name of the teenager who purchased the nearly $50,000 watch.

No public records indicate whether these so-called thieves were arrested—possibly because the suspects were minors, and the charges were either sealed or never filed. However, ZachXBT found a seizure notice showing that in October 2022, a month after he posted his investigation results on X, the FBI seized over $200,000 in crypto assets and that diamond watch from the identified teenage suspect.

That same year, ZachXBT used similar techniques to track down $2.5 million worth of NFTs stolen in another phishing operation, targeting a pair of French hackers. Months later, French prosecutors arrested five suspects, and according to AFP, they explicitly mentioned that ZachXBT's posts on X helped the investigation of the two main suspects. "Seeing law enforcement take action based on the information I shared gives me a great sense of accomplishment," ZachXBT said. "It makes me realize that maybe what I'm doing is really making a difference."

Since first attracting the attention of law enforcement two years ago, the scale of ZachXBT's investigations—and the outcomes in certain cases—has dramatically expanded.

In February 2023, he tracked down nearly $9 million stolen from the crypto project Platypus and identified one of the suspects within just a few hours; just over a week later, French police arrested two suspects. Although the charges against the two were eventually dropped, the police successfully recovered millions of dollars, and Platypus expressed gratitude to ZachXBT in a tweet.

That same year, he tracked down $25 million stolen from the crypto company Uranium Finance, most of which appeared to have been laundered through the purchase of rare Magic: The Gathering cards. When the notorious cybercrime organization "Scattered Spider" launched a ransomware attack against Caesars Entertainment in Las Vegas, extorting $15 million from the company, ZachXBT helped track and recover $12 million of that amount, as revealed by others involved in the investigation.

Around the same time, ZachXBT published a significant investigation revealing 25 cryptocurrency thefts carried out by North Korean hackers, totaling over $200 million, with about $7 million frozen with his assistance. About half of these hacking actions had never been publicly disclosed before.

He subsequently followed up with an investigation revealing a network of about 30 North Korean IT workers who infiltrated tech companies and were compensated in cryptocurrency. In one case, a technician suspected of being linked to North Korea was hired by the NFT company Munchables and successfully stole $62 million in crypto assets. After ZachXBT helped identify and tag the funds, the thief was ultimately forced to return them as they could not easily cash out.

"Do you know how much that is?"

Returning to the earlier theft case, when ZachXBT received the alert at the airport and discovered the clue about the $243 million stolen from a single victim on August 19, it was one of the largest thefts he had tracked.

After returning home from an international flight, he spent several days tracking the dispersed flow of funds while monitoring the movements of the three suspects on social media, two of whom used the online aliases Greavys and Box. In particular, Greavys, whose real name is Malone Lam, appeared to be located in Miami. His online posts and photos showed him surrounded by luxury properties, diamond watches, private jets, and luxury cars, including a Lamborghini Revuelto and a Pagani Huayra, the latter typically priced over $3 million.

ZachXBT also found that Greavys had given influencers Birkin and Hermès bags worth $30,000 to $50,000 and appeared in nightclubs where staff carried electronic signs reading "WHO WANT A BIRK" alongside his name.

"It looks like they do nothing but party and steal money," ZachXBT said.

Within days, ZachXBT persuaded an informant who had first messaged him during his flight to provide a screen-sharing video of the three hackers suspected of being involved in the theft. Unbeknownst to the hackers, one of the suspects shared his screen with a group of friends, and one of those friends seemed to have recorded the video.

In the 90-minute video, ZachXBT noted that the three hackers repeatedly referred to each other by their names. In another segment, one of the men briefly displayed his Windows home screen, inadvertently revealing his last name.

The video even captured the moment the hackers celebrated their successful heist. "Oh my god! Oh my god! $243 million! This is amazing!" one of them shouted in the video, "I'm going crazy! We did it, we did it. I'm about to explode. Do you know how much that is?"

On the afternoon of September 18, less than a month after ZachXBT began his investigation, Lam was arrested at a waterfront rental property in Miami for which he paid $68,000 a month. Box, whose real name is Jeandiel Serrano, was arrested at Los Angeles airport while returning from a vacation in the Maldives with his girlfriend. According to prosecutors, he was wearing a $500,000 watch at the time of his arrest, was renting a property near Los Angeles for over $40,000 a month, and had spent $1 million on luxury cars.

The next day, wire fraud and money laundering charges against Lam and Serrano were unsealed, and according to court documents, both hackers admitted to participating in multiple cryptocurrency thefts. Lam specifically acknowledged that the proceeds from these crimes had allowed him to purchase no less than 31 luxury cars.

So far, $79 million of the $243 million has been seized or frozen, and ZachXBT hopes to find more stolen funds. Prosecutors stated that even after the suspects had splurged, over $100 million remains unaccounted for.

ZachXBT's third suspect, whom public records currently place as possibly residing in Connecticut, has not been charged with any crime. However, journalist Brian Krebs pointed to a criminal complaint describing a group of men who allegedly robbed a couple in their fifties in Connecticut four days after the $243 million theft, briefly kidnapping them because the robbers "believed the victims' son had access to a large amount of digital currency," which suggests the victims may be the parents of the third suspected recipient of the funds ZachXBT tracked.

For ZachXBT, this investigation could be a turning point. It was the first time he was hired and compensated by a victim, rather than working as a volunteer relying on donations. He stated that he might engage in more paid work like this in the future and is even considering starting his own investigation company.

But ZachXBT insists that he is not doing this to get rich by exposing these events. "I see funds being seized, returned to victims, and suspects being arrested; that's my goal, and it was my original purpose," ZachXBT said. "Seeing these things help people is where I derive my satisfaction."

His partner Taylor Monahan from the crypto wallet company MetaMask has collaborated with him on dozens of investigations. She believes ZachXBT remains primarily driven by a sense of justice—a sense of justice stemming from his own experiences as a victim in the cryptocurrency world, wanting to prevent others from facing the same fate.

"He shares the same experiences as many people in this field, where bad things happen, and those around them just say, 'That's unfortunate,'" Monahan said. "He instinctively refuses to accept that experience and wants to change it all."

