investigations | Cryptocurrency

Telegram channel investigations - Investigations by ZachXBT


Reports, news, & insights shared by ZachXBT. Donation address: EVM 0x9D727911B54C455B0071A7B682FcF4Bc444B5596, SOL investigations.sol


Investigations by ZachXBT

Someone lost $68M (1155 WBTC) three hours ago from an address poisoning scam by mistakenly copying the wrong address.

Theft transaction
0x3374abc5a9c766ba709651399b6e6162de97ca986abc23f423a9d893c8f5f570

Victim
0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5


Investigations by ZachXBT

Someone hacked the X/Twitter account of the actor Tom Holland and began posting photos of the phishing scammer ‘Bonad’


Investigations by ZachXBT

Cointelegraph X/Twitter account is currently compromised


Investigations by ZachXBT

Community Alert: TON Blockchain X/Twitter account is currently compromised


Investigations by ZachXBT

Interestingly the address who just hacked the Netmind AI holder is connected to the Webaverse Nov 2022 compromise.

NMT hacker
0x4484771fa71bf0c1c679e452e57f3a5cd9e60220

Webaverse compromise
0x965718fd990f8a1cc02cddf850420ecb9b5b3b36


Investigations by ZachXBT

Hopefully a few of you were able to frontrun the sells


Investigations by ZachXBT

Looks like someone was just phished for $736K worth of PAAL. Would expect the drainer customer to start selling in the near future.

0x3e47db5a54e132886f648f5c5f17f3ce6ef750455aa911bec5508b7a5b2df33d


Investigations by ZachXBT

Which one of you hacked the League of Legends Esports Facebook lol


Investigations by ZachXBT

From February 19 - 20 a new batch of 22+ LastPass hack victims was observed with losses exceeding $6.2M.

Stolen funds on EVM chains were quickly swapped and bridged to Bitcoin.

View the theft addresses here.

Back in October 2023 I reported on 25 victims from the hack who were drained of ~$4.4M.


Investigations by ZachXBT

Be careful CoinTelegraph, WalletConnect, Token Terminal, and De.Fi all appear to be sending out phishing emails to users.

~$580K has been drained so far

Scammers address:
0xe7D13137923142A0424771E1778865b88752B3c7


Investigations by ZachXBT

It looks like CoinsPaid had another security incident. Hot wallets linked to them saw $6.1M in suspicious outflows ~17 hrs ago. 0xe5f07ceb38cd95356c1a2f83f65fa8b59569f9b1

Withdrawals for some of their customers such as Hypedrop are not being processed as a result of the incident. So far the stolen funds have been laundered through a number of exchanges (Whitebit, HitBTC, ChangeNow, N Exchange, etc).

Back in July 2023 CoinsPaid/Alphapo was hacked for $70M by DPRK.


Investigations by ZachXBT

Looks like someone got phished for ~275,700 LINK ($4.4M) 2.5 hrs ago
h/t ScamSniffer

Phishing transactions:
0x70026eae27a76205cfb2271108e201570cb03b7daa7e8395280f9acdfbd82a05
0x15bc5516ed7490041904f1a4c594c33740060e0f0271cb89fe9ed43c974a7a69

The stolen funds were sold for ETH and are currently being laundered through eXch.


Investigations by ZachXBT

Interesting the attacker just said this


Investigations by ZachXBT

Just checked DMs for a few seconds and entitled people like this are exactly why I am tired of X/Twitter and will be off it for some time.

(keep in mind I keep read receipts turned off and was logged out past few days)

You can help people out for free but longterm it is not a sustainable model as people will continue to ask for more and more from you.


Investigations by ZachXBT

Just deactivated on X/Twitter for an unspecified amount of time.

Do not purchase any of these ZachXBT meme coins people are creating as I will never launch a coin.

Happy Holidays.


Investigations by ZachXBT

My new 15 month long investigation sharing how Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

https://x.com/zachxbt/status/1784935501935390930


Investigations by ZachXBT

Withdraw your assets immediately if you have any funds in Glori Finance on Arbitrum.

Scammers added liquidity from prior scams such as Crolend and HellhoundFi to bait people in.

This group of scammers has stolen 8 figures over the past few years with copy paste lending protocol scams such as Magnate, Kokomo, Lendora, Solfire, Crolend, HashDAO, Leaper, Zebra, etc.


Investigations by ZachXBT

Trezor X/Twitter account is currently compromised


Investigations by ZachXBT

The draining service ‘Inferno Drainer’ was exploited for $2.3M according to leaked messages from inside the customer group chat.

0x61640ff8b9d3c3726f1bf02319671061d9d61e1f


Investigations by ZachXBT

On-chain clown of the day:

Sent 1.36M USDT to the Tether USDT contract address

0x7d300a81374a6f99a9c7f8b8f1aad94c1fe87377679ace997f8d6dfa0c2f903f


Investigations by ZachXBT

This victim was originally phished 74 days ago but forgot to revoke the approval.

0x107c047bb84eed8f2bb963b09e7ecce244aa8353372facc9c448078be98791d1


Investigations by ZachXBT

The same group just hacked another project one hour ago for $278K

Theft address
0x01720163e9385e832fFe3387ba7098be4dF303e0
0x0cDB613Ec9a07E2AFE898F8519a0c0a981032118

0x017 was funded by the Serenity Shield hacker in the txn below

0x0520195f57c3a5fe886aa95778dafe684854b78c252d20f29cbe0c9c4c4bbddd


Investigations by ZachXBT

Six hours ago the project Serenity Shield had one of their wallets hacked on BSC for 6.9M SERSH which was sold for ~$586K.

Interestingly it is connected on-chain to the recent OKX Dex & Concentric hacks as well

Theft addresses
0x26b30F457f1e97E3DA22b9f43Fc03F3FA4D3F2ca
0x29D473678B19edb5a419a13554Ca93851604477F
0x93a8b27C8DC2089BB071c22491a715DcB381F554


Investigations by ZachXBT

It appears a Ripple insider was hacked for ~213M XRP ($112.5M)

Source address
rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm

So far the stolen funds have been laundered through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc

Update: Confirmation of the hack from Chris Larsen (Ripple Co-Founder & Executive Chairman)

Theft addresses


Investigations by ZachXBT

It seems someone got scammed for 3.03M USDT the other day. The funds from the theft were immediately swapped for ETH and deposited to Tornado Cash.

Theft txn hash
0x056f66964204cc66cf6a86d0c9b0d49722945eadcae6d5f94a032f6c76f74dcc


Investigations by ZachXBT

Which one of you hacked Mandiant lol


Investigations by ZachXBT

Community Alert: X/Twitter User scaredofboobs is a scammer known as NFTMachine.

In November 2022 he was ordered by a court to pay back $275K+ after defrauding investors by using their funds to purchase rare NFTs for personal use instead of building.

So far investors have not been paid back anything and he continues to create more grifts.

He has moved from Ethereum to Solana and their community is less familiar with his scams.


Investigations by ZachXBT

It seems Thunder Terminal was exploited and the attacker already transferred 86.5 ETH to Railgun.

Attacker address
0x2a2C200af4E659348C4182DD9806a340851df42e


Investigations by ZachXBT

Community Alert: The Across Protocol docs currently have a Fake Discord server linked.

It seems that their vanity invite address was stolen at some point (gg/across)

This led to someone losing ~$880k tonight.

Update: Across team replied they are removing the links right now.


Investigations by ZachXBT

Here’s your reminder that I do not have a Discord server.

Have received multiple messages about a phishing scammer who is messaging people with the vanity link discord[.]gg/investigations to scam them.
