NewsTech Reviews

Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts

On August 19, a twentysomething man who goes by the online handle ZachXBT was walking into an airport to board a flight home—which airport, his real name, where home is, he’d rather not say—when he saw an alert on his phone. A sum of bitcoins had just been transferred to a small cryptocurrency exchange, one of many whose transactions he constantly monitors on Bitcoin’s blockchain for signs of criminal money laundering. The alert piqued his interest: This transaction was worth around $600,000, a cash-out of funds that was easily 10 times bigger than the typical trade on that service.

When he reached his gate, another ping alerted him to a second transaction on the same exchange worth more than $1 million. Then one for $2 million. As he stood in line to board his plane, ZachXBT hurriedly traced the money on his phone, following it backward in time from one Bitcoin address to another, flagging the suspicious funds and racing to find their origin before the half hour of internet blackout between wheels-up and the plane’s Wi-Fi coming online. Before he was in the air, he had determined that the money had come from a crypto wallet that had held hundreds of millions of dollars worth of Bitcoin that hadn’t moved since 2012—and that this nine-figure mountain of money was now being hurriedly liquidated at exchanges with high transaction costs that no patient, decade-plus Bitcoin investor would accept.

To ZachXBT, the flow of funds immediately looked instead like a giant theft. In fact, as he double-checked his findings, it appeared that someone had stolen around $243 million worth of Bitcoin from one unlucky victim, perhaps the biggest known crypto heist ever to target an individual. “It was such an abnormally large amount stolen from a single person,” ZachXBT tells. “I had to make sure I wasn’t crazy.”

Once he was above 10,000 feet with working Wi-Fi, ZachXBT began to trace more outflows of the stolen funds as they were passed through one exchange and coin-swapping service after another. Over the next hours, he raced to graph out the branching money movements as the thieves transferred the coins through more than a dozen of those platforms in an apparent attempt at obfuscating their path.

As he followed that trail back to whoever had lost the bitcoins, ZachXBT could see that a portion of the funds had originally come from the now-defunct Genesis cryptocurrency exchange. He direct-messaged the exchange’s administrators on X and asked them to put him in touch with the victim, who would ultimately hire him to hunt for the stolen money.

By the time his flight had landed, ZachXBT had come to see that there were three main threads of the stolen funds—going to what he believed were three likely culprits. He had also posted a message to his more than 650,000 followers on X, pointing out the theft in progress on the blockchain. He would soon be rewarded with a message from a source who claimed to have clues of the thieves’ identities.

Over the next week, working on the case day and night, sleeping no more than four or five hours at a time, and periodically sharing his findings with law enforcement agencies, ZachXBT would identify the alleged suspects behind the theft—two young hackers named Malone Lam and Jeandiel Serrano, both in their early twenties. (ZachXBT also identified another alleged hacker whom has chosen not to publicly name because the individual hasn’t been arrested or charged.) He even obtained a video recording that he says shows one of their screens as the theft was completed and they celebrated their enormous windfall. In his whirlwind investigation, ZachXBT went so far as to track the alleged suspects on Instagram and TikTok, watching one of them blow millions on cars, private jets, and clubs where the alleged culprit spent as much as $500,000 a night.

A diagram showing Malone Lam's social media posts
A detail of a diagram ZachXBT created showing how he identified one of the alleged thieves of the $243 million, Malone Lam, including social media posts showing Lam’s spending on cars, private jets, nightclubs and gifts of $50,000 luxury handbags.Courtesy of ZachXBT

Less than a month after the alert pinged ZachXBT’s phone on the plane, two out of three suspected thieves would be arrested and criminally charged.

When ZachXBT finally saw the mug shot of one of the alleged hackers, he says he felt a brief rush of adrenaline. But it passed quickly. “I didn’t really feel any special sense of accomplishment,” ZachXBT says. “I was just treating it as any other case.”

A Crypto Private Eye for the People

If tracing a quarter-billion-dollar theft feels to ZachXBT like just another day on the internet, that’s perhaps because he has distinguished himself over the past three years as the most prolific independent crypto-focused detective in the world. Since he began his work as an amateur investigator in 2021, he has traced billions of dollars in stolen funds and scams. By his own count—which he broke down for in a spreadsheet—his hundreds of investigations have directly led to the recovery of around $210 million worth of criminal crypto proceeds, as well as another $225 million in seized funds he had at least some less-direct hand in helping to claw back for victims. He has called out influencers promoting coins in pump-and-dump schemes, hunted down cybercriminals behind massive crypto heists, and revealed dozens of incidents of North Korean hackers breaching crypto firms or even infiltrating those companies as employees.

Throughout all of it, he has been funded almost entirely by cryptocurrency donations in the forms of grants from cryptocurrency organizations and payments from strangers who send contributions to an address he lists in his social media profiles, adding up to around $1.3 million since 2021. “He’s a new generation of investigator. He works for the people,” says Joe McGill, an analyst at the Secret Service who has collaborated with ZachXBT. “His success is completely tied to the success of his investigations.”

As ZachXBT has pursued that career as a crypto vigilante, he has also kept his mask firmly in place. Online, he appears only as his avatar, a kind of platypus cartoon figure in a detective’s trench coat or sometimes a hoodie. To avoid retaliation from his many enemies in the world of crypto criminals and con artists, he has never publicly shown his face nor revealed his real name or exact age and would only speak to on the condition that I not try to dig up those identifying details.

On some of their early conference calls, McGill says, ZachXBT would not only keep his camera off but even use a voice-changer application, sometimes sounding like a high-pitched “South Park character,” as McGill puts it, or on other occasions deepening his voice’s pitch until it reminded him of something out of a horror film. “It was very odd, initially,” says McGill, who at the time worked at the crypto-tracing firm TRM Labs. “But I respected his privacy, because this anonymous guy was doing really great work.”

ZachXBT exposes so many crypto criminal scams and thefts on a near-weekly basis, often working far faster than law enforcement agencies, says Nick Bax, a cryptocurrency investigator and founder of the firm Five I’s, that Bax has wondered half-jokingly if he might be some kind of bot.

“He is a machine,” Bax says.

As part of one investigation last year where they collaborated to trace a $60 million theft from a crypto project called AnubisDAO in 2021, Bax gave ZachXBT a list of 500 transactions on a Saturday night, each of which needed to be manually analyzed along with all its connected blockchain addresses. “I figured that would keep him busy for at least a few days,” Bax says. Instead, by early the next afternoon, ZachXBT had gone through every transaction and identified which ones were tied to the theft. “I was shocked,” Bax says. “He definitely had to have been on his computer for 12 hours straight.”

Many of the results of ZachXBT’s investigations are unceremoniously posted to his account on X. Over time, however, his findings have increasingly gained attention from law enforcement agencies—several of which he now often shares his findings with prior to publication. The result has been real and growing consequences for the targets of that detective work. “As Zach has gotten bigger, there have been financial repercussions and legal repercussions,” says Taylor Monahan, a security researcher at crypto firm MetaMask and one of ZachXBT’s closest collaborators on investigations, including the $243 million theft case. “If Zach posts a thread about someone now, and it’s a good one, that person is going to get arrested.”

From Victim to Whistleblower

So how has ZachXBT managed to outrace and out-trace even law enforcement’s crypto investigators, despite having no formal training or organizational support? Even he isn’t entirely sure. “That’s a tough question. I don’t know why I’m good,” ZachXBT tells in a phone interview. He chalks it up to a willingness to work around the clock—crypto markets never close, after all—and a familiarity with analyzing cryptocurrency blockchains that comes from years of poring over those vast ledgers of transactions. “The more you look at the blockchain, like when you eat, sleep, and breathe it, it starts to make more sense over time,” he says. “You can just start to pick up on those connections. I can look at a wallet, and I can profile it and tell you if it’s a bad actor within seconds.”

ZachXBT says that familiarity with blockchains comes from his years of experience as a crypto enthusiast and trader—and as a victim himself of some of the crypto economy’s many traps for unwary investors. Around 2017, he says, he was naively buying thousands of dollars worth of crypto tokens that would all eventually tank in value—often due to so-called “rug pulls,” when a crypto token’s creator sells off their holdings and all the other investors are left with a worthless asset. “I was buying in like, ‘This is going to change the world.’ I just held it and never sold,” ZachXBT says. As a result, he says, “I was the person getting scammed.”

By 2018, not only had all those investments cratered, but an Electrum crypto wallet that ZachXBT used was hacked with a malicious software update. He lost close to $15,000 more.

Only at that point did he decide to take a step back and rethink his approach. Instead of simply buying and holding tokens, he began analyzing cryptocurrencies’ blockchains—almost all of which are publicly visible to anyone who can decipher the owner of different addresses—to see how larger, more successful investors were trading tokens and coins, then to try to emulate their moves.

As a result of that blockchain analysis, he was familiar enough by 2020 with tracing crypto transactions to be able to spot scams in progress that weren’t visible to the average investor. He’d see an influencer publicly promoting a crypto asset to their hundreds of thousands of followers, boosting its price, and then follow their funds on a blockchain to see that they were actually selling their own holdings immediately afterward in what often seemed to be a classic pump-and-dump scheme. “It was more like being a whistleblower,” ZachXBT says. “I’d notice that activity and think, ‘This kind of reminds me of what I fell for back in 2017 and 2018. Why not make a post about it?’ And that started to blow up.”

When the NFT craze kicked off later that year, ZachXBT began similarly scrutinizing NFT projects like Bored Bunny and Billionaire Dogs Club to show where the money flowing into them was really going. Some of those NFT sellers would raise millions with little more than cartoon .jpg images, promising that the NFTs created from them would confer perks like entry to exclusive events or clubs. Instead, ZachXBT could see through blockchain analysis that the sellers were simply dividing and pocketing the funds. Sometimes, he’d even discover through crypto tracing that an NFT seller was, in fact, a rebrand of an earlier project that had already proven to be a scam.

In some of those instances, ZachXBT’s posts about NFT sellers did manage to scare off buyers and prevent shady NFT dealers from selling their wares. But over time, he grew bored of uncovering the same often transparent hustles run again and again, and frustrated with the lack of more concrete results: No one linked to the NFT projects he exposed faced criminal charges.

Then, in early 2022, he began to notice that a group of hackers were taking over the Twitter accounts of high-profile crypto users and posting phishing links to Ethereum smart contracts designed to drain users’ wallets, resulting in tens of millions of dollars in thefts. Whenever a devastated victim posted that their savings had been stolen, ZachXBT would make contact with them and then meticulously trace out the funds they’d lost. He combined those blockchain clues with sources he’d begun to develop in the Discord and Telegram channels frequented by young crypto thieves, which led him to a few online handles of teenagers who seemed to be behind the phishing campaign and were bragging about their massive scores.

By this point, ZachXBT had become notorious enough in the crypto underworld that one person he believed to be a suspect had even included an apparent taunt about “mr xbt” in a Twitter post boasting about a diamond-encrusted Audemars Piguet wristwatch he’d bought. ZachXBT tracked down the watch seller in a luxury watch Discord channel and convinced the vendor, who had sold the timepiece for close to $50,000, to turn over the teenager’s shipping address and real name.

No public records appear to document whether the alleged thieves’ were arrested—possibly because the suspects were minors and the charges have either been sealed or were never filed. But ZachXBT found a forfeiture notice showing that in October of 2022, a month after ZachXBT posted his findings on X, the FBI seized more than $200,000 worth of crypto assets from the teen suspect he’d identified—and the diamond watch.

That same year, ZachXBT used similar techniques to trace another $2.5 million worth of NFTs stolen through a different phishing campaign to an alleged pair of French hackers. In that case, French prosecutors arrested five suspects a couple of months later and, according to Agence France-Presse, specifically credited ZachXBT’s thread posted to X for aiding in their investigation into the two alleged ringleaders. “To see law enforcement acting on something I’d shared, that was very fulfilling,” ZachXBT says. “It made me think maybe I was actually onto something with what I’d been doing.”

In the two years since first gaining law enforcement’s attention, the scale—and, in some cases, the consequences—of ZachXBT’s investigations has exploded. In February of 2023, he tracked down nearly $9 million in funds stolen from the crypto project Platypus, identifying one of the alleged thieves in a matter of hours; French police arrested two suspects just over a week later. Though the charges against the pair would ultimately be dropped, police recovered several million dollars in funds, and Platypus thanked ZachXBT in a tweet. Later that year, he traced a $25 million theft from crypto firm Uranium Finance, much of which appeared to have been laundered through the purchase of rare Magic: The Gathering cards. When the cybercriminal group known as Scattered Spider carried out a ransomware attack against Caesar’s Entertainment in Las Vegas that extorted $15 million from the company, ZachXBT helped to trace and recover $12 million of the funds, according to other investigators who worked on the case and spoke.

Around the same time, ZachXBT published the results of a massive collection of investigations into 25 crypto thefts carried out by North Korea hackers totaling more than $200 million, about $7 million of which he’d helped to freeze. Around half of the hacks had never before been publicly revealed. He followed up that investigation with another that exposed a web of around 30 North Korean IT workers who had infiltrated tech companies and were being paid in cryptocurrency. In one case, one of those tech workers who seemed to be linked to North Korea had gotten hired at the NFT firm Munchables and had managed to steal $62 million in crypto assets from the company. When ZachXBT helped to identify and flag the funds, the spotlight on the thief made the money so hard to liquidate that they simply gave it back.

“Do You Know How Much Money That Is?”

Even so, when ZachXBT got the text alerts in the airport that put him onto the trail of $243 million taken from a single victim on August 19, it was one of the biggest thefts he’d ever chased.

When he got back home from his international flight, he continued to follow those branching funds for days while monitoring social media for signs of his three suspects, two of whom went by the handles Greavys and Box. Greavys in particular—whose real name was Malone Lam and who appeared to be in Miami—was posting and appearing in photos of luxury real estate, diamond watches, jets, and sports cars including a Lamborghini Revuelto and a Pagani Huayra, the latter of which typically sells for more than $3 million. ZachXBT found posts from influencers to whom Greavys had gifted Birkin and Hermès purses worth between $30,000 and $50,000 each, and pictures of electric signs in a nightclub carried by servers that read, “WHO WANT A BIRK,” tagged with his name.

“It seemed like all they did was just party and steal money,” ZachXBT says.

Within a few days, he’d persuaded the source who’d first DMed him during his flight to send him a video of a screenshare among the three hackers who appeared to be involved in the theft. Unbeknownst to them, one of the alleged hackers had re-shared his screen during that screenshare with another group of friends—and one of them appears to have recorded it. Several times in the 90-minute video, ZachXBT says, the three hackers refer to each other by their first names. At another point, one of the three men also briefly flashed his Windows home screen, revealing his last name, too.

The video even captures the moment of the alleged hackers’ delirious reaction to pulling off a nine-figure theft. “Oh my god! Oh my god! 243 million dollars! Yes!” one of them says in the recording. “I’m going to spaz out! Yo! We’re done. We’re done. I’m spazzing out. Do you know how much money that is?”

Late in the afternoon on September 18, just shy of a month after ZachXBT’s investigation began, Lam was arrested in Miami at a waterfront rental property for which he was paying $68,000 a month. Box—whose real name is Jeandiel Serrano—was taken into custody in the Los Angeles airport while flying home from a vacation in the Maldives with his girlfriend. According to prosecutors, he was wearing a $500,000 watch at the time of his arrest, was renting a house near LA for more than $40,000 a month, and had spent $1 million on luxury cars. The next day, wire fraud and money laundering charges against both Lam and Serrano were unsealed. According to court documents, both hackers had confessed to law enforcement investigators that they participated in multiple crypto thefts. Lam specifically admitted that the profits from them had funded his purchases of no fewer than 31 high-end cars.

So far, $79 million of the $243 million they allegedly stole has been seized or frozen. ZachXBT is hopeful that more of the money will still be found. Prosecutors say that more than $100 million remains unaccounted for, even after the alleged hackers’ spending spree.

ZachXBT’s third suspect, who appears to live in Connecticut, based on public records, has yet to be charged with any crime. Reporter Brian Krebs has pointed to a criminal complaint, however, that describes how a group of men allegedly carjacked a Connecticut couple in their fifties in a Lamborghini four days after the $243 million theft in late August and briefly kidnapped them because the carjackers “believed the victims’ son had access to significant amounts of digital currency”—suggesting that the victims may have been the parents of the third alleged recipient of the funds ZachXBT had traced.

For ZachXBT, the investigation may be a kind of turning point. For the first time, he was retained by the victim in the case and was paid for his skills rather than working as a volunteer for donations. He says he may transition to doing more of that paid work or even start his own investigations firm.

But he maintains that he’s still not out to get rich from his exposés. “I see money seized, money returned to victims, people arrested, and that’s my goal. That’s what I set out to do,” ZachXBT says. “To see that it’s benefiting people. That’s what I get my gratification from.”

His collaborator, Taylor Monahan of crypto wallet firm MetaMask, who has now worked with him on dozens of investigations, says she believes ZachXBT is still driven largely by a sense of justice—the kind that comes from once having been a victim of the crypto world’s cruelty himself, and wanting to prevent that same outcome for others.

“He had the same experience that so many people in this space have had, which is that something bad happens, and everyone around you says, ‘Sucks for you,’” Monahan says. “He viscerally rejects that experience. And he wants to change it.”

Leave a Reply

Your email address will not be published. Required fields are marked *