On August 19, a twentysomething man who goes by the online handle ZachXBT was walking into an airport to board a flight home—which airport, his real name, where home is, he’d rather not say—when he saw an alert on his phone. A sum of bitcoins had just been transferred to a small cryptocurrency exchange, one of many whose transactions he constantly monitors on Bitcoin’s blockchain for signs of criminal money laundering. The alert piqued his interest: This transaction was worth around $600,000, a cash-out of funds that was easily 10 times bigger than the typical trade on that service.
When he reached his gate, another ping alerted him to a second transaction on the same exchange worth more than $1 million. Then one for $2 million. As he stood in line to board his plane, ZachXBT hurriedly traced the money on his phone, following it backward in time from one Bitcoin address to another, flagging the suspicious funds and racing to find their origin before the half hour of internet blackout between wheels-up and the plane’s Wi-Fi coming online. Before he was in the air, he had determined that the money had come from a crypto wallet that had held hundreds of millions of dollars worth of Bitcoin that hadn’t moved since 2012—and that this nine-figure mountain of money was now being hurriedly liquidated at exchanges with high transaction costs that no patient, decade-plus Bitcoin investor would accept.
To ZachXBT, the flow of funds immediately looked instead like a giant theft. In fact, as he double-checked his findings, it appeared that someone had stolen around $243 million worth of Bitcoin from one unlucky victim, perhaps the biggest known crypto heist ever to target an individual. “It was such an abnormally large amount stolen from a single person,” ZachXBT says. “I had to make sure I wasn’t crazy.”
Once he was above 10,000 feet with working Wi-Fi, ZachXBT began to trace more outflows of the stolen funds as they were passed through one exchange and coin-swapping service after another. Over the next hours, he raced to graph out the branching money movements as the thieves transferred the coins through more than a dozen of those platforms in an apparent attempt at obfuscating their path.
As he followed that trail back to whoever had lost the bitcoins, ZachXBT could see that a portion of the funds had originally come from the now-defunct Genesis cryptocurrency exchange. He direct-messaged the exchange’s administrators on X and asked them to put him in touch with the victim, who would ultimately hire him to hunt for the stolen money.
By the time his flight had landed, ZachXBT had come to see that there were three main threads of the stolen funds—going to what he believed were three likely culprits. He had also posted a message to his more than 650,000 followers on X, pointing out the theft in progress on the blockchain. He would soon be rewarded with a message from a source who claimed to have clues of the thieves’ identities.
Over the next week, working on the case day and night, sleeping no more than four or five hours at a time, and periodically sharing his findings with law enforcement agencies, ZachXBT would identify the alleged suspects behind the theft—two young hackers named Malone Lam and Jeandiel Serrano, both in their early twenties. (ZachXBT also identified another alleged hacker whom this publication has chosen not to publicly name because the individual hasn’t been arrested or charged.) He even obtained a video recording that he says shows one of their screens as the theft was completed and they celebrated their enormous windfall. In his whirlwind investigation, ZachXBT went so far as to track the alleged suspects on Instagram and TikTok, watching one of them blow millions on cars, private jets, and clubs where the alleged culprit spent as much as $500,000 a night.