This article is from: Wired; Original author: Andy Greenberg
Translation: Odaily Planet Daily (@OdailyChina); Translator: Azuma (@azuma_eth)
Editor’s note: ZachXBT may be one of the most prominent names in the cryptocurrency world today.
Over the past few years, ZachXBT has solved numerous security incidents through personal investigations, directly recovering hundreds of millions of dollars and exposing countless cases of manipulation and insider scams.
The latest case came the day before yesterday, after the meme project SHAR unexpectedly "went viral." ZachXBT flagged the project as a suspected collusion and KOL (influencer) manipulation scheme. Soon afterwards SHAR's true nature was exposed, and the operators behind it crashed the token's market capitalization from $40 million to $3 million.
Years of investigative work have also earned ZachXBT a fair amount of hostility: some resent him for exposing projects they had bought into, reasoning that without him the manipulators would not have cashed out so early; some spent months plotting a scheme only to have him expose it at the moment of success; some had already stolen over a hundred million dollars and were living lavishly, only to be sent to prison on the strength of his investigation.
Out of concern about retaliation, ZachXBT keeps his identity hidden online; no one knows what he looks like, what his name is, how old he is, or where he lives. Yet there is near-consensus in the industry that when disaster strikes, this "four-eyed platypus" (ZachXBT's social media avatar) appears like an angel bathed in holy light.
ZachXBT, who rarely gives interviews, recently agreed to an exclusive interview with Wired, during which he shared some personal details that do not expose his identity. Below is the original Wired interview, translated by Odaily Planet Daily.
On August 19, a man in his twenties, known online as ZachXBT, was walking into an airport preparing to board a flight home — he was unwilling to disclose which airport it was, what his real name is, or where he lives — when he saw an alert pop up on his phone. A sum of Bitcoin had just been transferred to a small exchange, one of many he monitors daily to look for signs of crime or money laundering. This alert piqued ZachXBT's interest; the total value of the transfer was about $600,000, roughly ten times the usual transfers for this small exchange.
When ZachXBT reached the boarding gate, another alert came in: a second transfer of more than $1 million had landed at the same exchange, followed by another of $2 million. As he queued to board, he quickly traced these transactions on his phone, stepping back from one Bitcoin address to the next and marking suspicious funds, trying to pin down their source before the roughly half-hour offline window between takeoff and the in-flight Wi-Fi coming on. Before takeoff, ZachXBT had already determined that the funds came from an address that had held hundreds of millions of dollars in Bitcoin since 2012. Now that nine-figure sum was being hastily liquidated at any price, something no patient Bitcoin investor who had held for over a decade would do.
In ZachXBT's view, these unusual transfers were clearly another massive theft. When he carefully checked his leads again, he discovered that someone had apparently stolen about $243 million in Bitcoin from an unfortunate victim, potentially the largest theft targeting an individual in cryptocurrency history.
ZachXBT told Wired: “To steal so much money from one person… I had to make sure I wasn't going crazy.”
As the plane ascended above 10,000 feet and the in-flight Wi-Fi activated, ZachXBT began to further track the movement of the stolen funds, as they were being transferred through one exchange and token swap service after another. Over the next few hours, ZachXBT rapidly mapped out the distribution of the fund flows — the thief's frequent transfers through a dozen platforms were clearly intended to obfuscate the transaction paths.
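The passage above describes three checks chained together: an alert on a deposit far above a small exchange's usual size, a backward trace from the deposit to a funding address, and a check on how long that address had been holding before the funds moved, followed by a forward map of which services the funds touched. The following is an added example, not code from the Wired article or from ZachXBT, showing a toy version of that pipeline over a constructed ledger. Every address, amount, date and service name is made up; the service labels and first-seen dates stand in for the tagging and block-explorer data an analyst would maintain, and the $60,000 per BTC figure is an assumed price used only for display.

```python
"""Added example, not from the Wired article or ZachXBT: a toy version of
the alert -> trace-back -> dormancy -> forward-map checks described above,
run over a constructed ledger. All addresses, amounts and dates are made up."""
from collections import defaultdict, deque, namedtuple
from datetime import date
from statistics import median

Tx = namedtuple("Tx", "txid sender receiver btc when")
D = date
BTC_USD = 60_000  # assumed price, for display only

# Constructed labels for deposit addresses of monitored services (assumption:
# in practice these come from the analyst's own clustering and tagging work).
SERVICES = {"smallex_dep": "SmallExchange", "bigex_dep": "LargeExchange",
            "swap_in": "TokenSwapService"}

# Constructed first-seen dates, the kind of fact a block explorer reports.
FIRST_SEEN = {"origin_2012": D(2012, 6, 3), "hop1": D(2024, 8, 19),
              "hop2": D(2024, 8, 19)}

# Constructed ledger, in ledger order.
SAMPLE_TXS = [
    # routine deposits to the small exchange in the weeks before (baseline)
    Tx("t01", "retail_a", "smallex_dep", 1.0, D(2024, 8, 1)),
    Tx("t02", "retail_b", "smallex_dep", 0.8, D(2024, 8, 4)),
    Tx("t03", "retail_c", "smallex_dep", 1.2, D(2024, 8, 8)),
    Tx("t04", "retail_d", "smallex_dep", 0.9, D(2024, 8, 12)),
    Tx("t05", "retail_e", "smallex_dep", 1.1, D(2024, 8, 15)),
    # a long-dormant address empties into intermediate hops
    Tx("t06", "origin_2012", "hop1", 4000.0, D(2024, 8, 19)),
    Tx("t07", "hop1", "hop2", 61.0, D(2024, 8, 19)),
    Tx("t08", "hop1", "swap_in", 500.0, D(2024, 8, 19)),
    # the deposits that trip the alerts
    Tx("t09", "hop2", "smallex_dep", 10.0, D(2024, 8, 19)),
    Tx("t10", "hop2", "smallex_dep", 17.0, D(2024, 8, 19)),
    Tx("t11", "hop2", "smallex_dep", 34.0, D(2024, 8, 19)),
    # unrelated same-day traffic elsewhere
    Tx("t12", "retail_f", "bigex_dep", 50.0, D(2024, 8, 19)),
]


def _chronological(txs):
    return sorted(txs, key=lambda t: t.when)  # stable: ledger order kept for ties


def deposit_anomalies(txs, services, factor=10.0, min_history=3):
    """Yield (tx, ratio) for service deposits >= factor x the median of that
    service's EARLIER deposits; earlier-only baselines mirror a live monitor."""
    history = defaultdict(list)
    for tx in _chronological(txs):
        if tx.receiver not in services:
            continue
        prior = history[tx.receiver]
        if len(prior) >= min_history:
            ratio = tx.btc / median(prior)
            if ratio >= factor:
                yield tx, ratio
        prior.append(tx.btc)


def trace_origins(txs, start, services, max_hops=8):
    """Walk inputs backwards from `start`; report the addresses where the walk
    stops: no visible funding, a known service (an exchange withdrawal cannot
    be followed further on-chain), or the hop limit."""
    senders = defaultdict(set)
    for tx in txs:
        senders[tx.receiver].add(tx.sender)
    origins, seen, queue = set(), {start}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in services or not senders[addr] or hops == max_hops:
            origins.add(addr)
            continue
        for s in senders[addr]:
            if s not in seen:
                seen.add(s)
                queue.append((s, hops + 1))
    return origins


def age_years(first_seen, when):
    return (when - first_seen).days / 365.25


def forward_services(txs, origins, services):
    """Total BTC that funds from `origins` delivered into each labelled service,
    following unlabelled hops but never passing through a service."""
    receivers = defaultdict(list)
    for tx in txs:
        receivers[tx.sender].append(tx)
    totals, seen, queue = defaultdict(float), set(origins), deque(origins)
    while queue:
        for tx in receivers[queue.popleft()]:
            if tx.receiver in services:
                totals[services[tx.receiver]] += tx.btc
            elif tx.receiver not in seen:
                seen.add(tx.receiver)
                queue.append(tx.receiver)
    return dict(totals)


def analyze(txs, services=SERVICES, first_seen=FIRST_SEEN,
            factor=10.0, dormant_years=10.0):
    """One alert record per anomalous deposit, enriched with origin, dormancy
    and the services the wider flow has touched."""
    alerts = []
    for tx, ratio in deposit_anomalies(txs, services, factor):
        origins = trace_origins(txs, tx.sender, services)
        dormant = {o for o in origins
                   if age_years(first_seen.get(o, tx.when), tx.when) >= dormant_years}
        alerts.append({
            "txid": tx.txid, "service": services[tx.receiver],
            "btc": tx.btc, "usd": tx.btc * BTC_USD, "ratio": round(ratio, 1),
            "origins": origins, "dormant_origins": dormant,
            "services_touched": forward_services(txs, origins, services),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TXS):
        print(alert)
```

The baseline is built only from deposits that precede the one being scored, which is what makes the first $600,000-scale deposit fire even though the later, larger ones would drag a whole-history median upward. The trace stops at any labelled service because funds entering an exchange hot wallet cannot be followed on-chain; on real data the address clustering and service tagging that this toy takes as given are where most of the effort goes, and coinjoins or exchange-internal movements will defeat a naive input walk.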
When ZachXBT traced the leads back to the owner, he found that part of the funds initially came from the now-defunct cryptocurrency exchange Genesis. ZachXBT directly messaged the administrators of that exchange on X, asking them to help contact the victim, who ultimately decided to hire ZachXBT to attempt to recover the stolen funds.
By the time the flight landed, ZachXBT had identified three main leads in the theft — each pointing to a possible suspect. ZachXBT also sent a message to his 650,000 followers on X, highlighting the ongoing theft on-chain. Soon, he received a message from a source claiming to have information on the identity of the thief.
In the following week, ZachXBT worked day and night, sleeping no more than four or five hours each night, and regularly sharing his findings with law enforcement. Ultimately, ZachXBT confirmed the suspects in the theft — two young hackers, Malone Lam and Jeandiel Serrano, both just over 20 years old — and he also identified another implicated individual, but Wired chose not to disclose their name as the suspect had not yet been arrested or charged.
ZachXBT even found a video recording showing the involved hackers celebrating their massive windfall after the theft. In this rapid investigation, ZachXBT even tracked down the thieves' Instagram and TikTok accounts, witnessing one of them lavishly spending millions on luxury cars, private jets, and nightclubs — one suspect reportedly spent up to $500,000 in a single night at a nightclub.
From the alert before boarding to the arrest and criminal charges of two of the three suspects, it took less than a month. ZachXBT mentioned that when he saw a facial photo of one of the involved hackers, he felt a brief adrenaline rush, but that feeling quickly passed.
“I didn’t really feel any special sense of achievement; I just treated it like any other case.”
The Top "On-Chain Detective"
If tracking a $243 million theft feels like an ordinary day to ZachXBT, it may be because over the past three years he has become the most prolific and best-known on-chain detective in the cryptocurrency world. Since starting amateur investigations in 2021, ZachXBT has tracked stolen funds and scams totaling billions of dollars. By his own tally, in a spreadsheet he provided to Wired, he has directly recovered about $210 million in stolen funds across hundreds of investigations and indirectly assisted in the seizure of about $225 million more. ZachXBT has also exposed rug pulls by project teams and KOLs, tracked down the cybercriminals behind major thefts, and uncovered dozens of cases of North Korean hacking, including North Korean operatives hired as employees by certain projects.
Throughout this process, ZachXBT's income has come almost entirely from cryptocurrency donations, mostly from various cryptocurrency organizations or strangers, totaling about $1.3 million since 2021. Joe McGill, an analyst with the Secret Service who has worked with ZachXBT, said: “He is a new generation of investigator, working for the public, and his success entirely depends on the success of his work.”
In the years ZachXBT has been acting as a cryptocurrency "vigilante," he has kept his true identity firmly hidden. Online, his avatar is his persona — a platypus dressed in what looks like a detective's trench coat and a hoodie. To avoid retaliation from thieves, scammers, and other potential "enemies," ZachXBT has never appeared in public, nor has he disclosed his real name or exact age, and he only agreed to the interview with Wired on the condition that they would not attempt to dig into these details.
McGill recalled that in some early phone meetings they had, ZachXBT would not only turn off his camera but would even use a voice changer, sometimes sounding very high-pitched, like a character from South Park, and at other times deepening his voice, reminiscent of certain horror movie sounds. McGill, who was still working at data analysis company TRM Labs at the time, said: “At first, it was very strange, but I respected his privacy because this anonymous guy was doing really great work.”
ZachXBT reveals multiple cryptocurrency scams and thefts almost every week, often much faster than law enforcement, to the point where Nick Bax, a founder of Five I's and a cryptocurrency investigator, half-jokingly suspected he might be some kind of robot.
Bax laughed: “He is a machine.”
Last year, they collaborated to track a theft where a cryptocurrency project called AnubisDAO was robbed of $60 million in 2021. Bax provided ZachXBT with a list containing over 500 transactions on a Saturday night, each transaction and its related addresses requiring detailed manual analysis. Bax thought it would keep ZachXBT busy for at least several days, but by early the next afternoon, ZachXBT had already reviewed every transaction and identified which ones were related to the case.
“I was shocked,” Bax said. “He must have been sitting at his computer for 12 hours straight.”
Many of ZachXBT's investigative findings are published directly on his X account. Over time, his findings have gained increasing attention from law enforcement — he now often shares his discoveries with law enforcement before public release. The result is that the impact of his investigative work is becoming increasingly real and serious.
A security researcher at MetaMask and one of ZachXBT's closest collaborators in various investigations (including the $243 million theft), Taylor Monahan, stated: “As ZachXBT's influence grows, his words and actions have begun to have economic and legal impacts. If ZachXBT were to post about someone now, and the content is reasonable, that person would be arrested.”
From Victim to Whistleblower
How has ZachXBT managed to track cryptocurrency security incidents faster and more efficiently than law enforcement, without any formal training or organizational support? He himself is not quite sure: “It's hard to answer; I don't know why I'm good at this.”
In a phone interview with Wired, ZachXBT attributed this to his willingness to work around the clock (after all, the blockchain never stops) and his familiarity with the blockchain, which comes from years of studying countless transactions. He said: “The more you delve into the blockchain, just like eating, sleeping, and breathing, over time it starts to become clearer. You begin to capture those connections. Now, I can just glance at an address, give myself a few seconds to analyze it, and tell you whether it belongs to a bad actor.”
In addition to years of experience as a cryptocurrency enthusiast, ZachXBT also disclosed that he himself had been a victim of some cryptocurrency security incidents. Around 2017, ZachXBT naively purchased thousands of dollars worth of cryptocurrency, which ultimately depreciated significantly due to rug pulls. “When I bought in, I thought this could change the world. So I held on to it and never sold… In the end, I became the one who was scammed.”
By 2018, not only had those investments failed, but one of the wallets ZachXBT used, Electrum, was also hacked, resulting in a loss of nearly $15,000.
It was only then that ZachXBT decided to rethink his approach. He no longer simply bought or held tokens; instead, he began analyzing on-chain movements of cryptocurrencies — almost all blockchain addresses and transactions are publicly visible — and decided to see how more successful large investors traded, then tried to mimic their operations.
By continuously analyzing on-chain behavior, ZachXBT had by 2020 become familiar enough with tracking cryptocurrency transactions to uncover hidden scams that ordinary investors could not see. He noticed certain KOLs publicly promoting a particular crypto asset to hundreds of thousands of followers to drive up its price, but when he tracked their funds on-chain, he found that these KOLs were selling their own holdings into the very rally they were promoting, a classic “pump and dump.” ZachXBT stated: “Doing this is somewhat like being a whistleblower, but I noticed those activities and thought about my experiences in 2017 and 2018, so I thought, why not post something to tell everyone? Then those posts started to go viral.”
Later that year, the NFT craze officially began, and ZachXBT started to review NFT projects in a similar manner, such as Bored Bunny and Billionaire Dogs Club, to track where the funds flowing into them were actually going. At that time, some NFT projects could raise millions of dollars based solely on a small set of cartoon JPG images, promising various perks for these NFTs, such as access to exclusive events or clubs. However, through on-chain analysis, ZachXBT saw that some projects were actually just dispersing funds and pocketing them; sometimes he even discovered that some NFT projects were merely rebranded versions of earlier projects that had already been proven to be scams.
In some cases, ZachXBT's disclosures about NFT projects did warn potential buyers off and deterred the teams behind them. But over time he grew weary of repeatedly exposing the same obvious scams and was frustrated by the overall outcome: none of the NFT scams he exposed resulted in criminal charges.
By early 2022, ZachXBT noticed a group of hackers becoming active on X, posting various phishing links that had led to tens of millions of dollars being stolen. Whenever a grieving victim posted about their savings being stolen, ZachXBT would reach out to them and carefully track their lost funds. He combined these on-chain clues with leads he found in Discord and Telegram channels — some young cryptocurrency hackers liked to frequent certain channels, and ZachXBT found several teenage accounts that were suspected of conducting phishing activities and bragging about their “achievements.”
By this time, ZachXBT's reputation had already spread throughout the hacker community, to the extent that someone he suspected posted on X mocking him as “mr xbt” and flaunting a diamond-studded watch they had just purchased. ZachXBT found the seller of that watch in a luxury watch Discord channel and persuaded the seller, who sold the watch for nearly $50,000, to provide the delivery address and real name of the suspect.
There are no public records indicating whether the accused suspect has been arrested — as the suspect is a minor, the charges are either sealed or have not been filed at all. However, a forfeiture notice for stolen funds that ZachXBT found showed that in October 2022, just a month after ZachXBT disclosed the investigation on X, the FBI seized over $200,000 in cryptocurrency from the minor suspect he identified, including that diamond-studded watch.
That same year, ZachXBT used similar techniques to track another $2.5 million NFT theft, which was reportedly carried out by a pair of French hackers through various phishing activities. In that case, French prosecutors arrested five suspects months later. According to reports from AFP, the prosecutors specifically thanked ZachXBT for the clues he posted on X that helped them identify the two alleged masterminds. ZachXBT remarked: “Seeing law enforcement take action based on the information I shared gives me a sense of accomplishment. It makes me feel that maybe what I've been doing really matters.”
Two years after ZachXBT's investigations first caught the attention of law enforcement, the scale of his investigations (and in some cases their impact) has exploded. In February 2023, ZachXBT tracked nearly $9 million in stolen funds from Platypus, identifying one of the suspects within hours; a week later, French police arrested two suspects. Although the charges against the pair were eventually dropped, police still recovered millions of dollars in stolen funds, and Platypus publicly thanked ZachXBT. Later that year, ZachXBT also tracked a $25 million theft from Uranium Finance, most of which appeared to have been laundered through purchases of rare Magic: The Gathering cards. When the cybercrime group Scattered Spider launched a ransomware attack against Caesars Entertainment in Las Vegas, other investigators involved in the case told Wired that the company was extorted for $15 million; ZachXBT helped track and recover $12 million of it.
Around the same time, ZachXBT published extensive findings on 25 cryptocurrency thefts carried out by North Korean hackers, totaling more than $200 million, of which about $7 million was frozen with his assistance; about half of those attacks had never been publicly disclosed before. ZachXBT also published a separate investigation revealing a network of about 30 North Korean IT workers who had infiltrated various tech companies and were being paid in cryptocurrency. In a case earlier this year, one developer seemingly linked to North Korea was employed by the NFT project Munchables and stole $62 million in cryptocurrency from it. After ZachXBT helped identify and tag those funds, multiple parties closed in on the suspect, making it difficult to cash out, and the stolen funds were ultimately returned.
“I’m going crazy! Do you know how much this is???!!!”
Even with that experience behind him, when the alert about the $243 million theft from a single victim reached ZachXBT at the airport, it was still one of the largest thefts he had ever pursued.
After returning home from the airport, ZachXBT continued to track the dispersed funds for several days while also searching for the three suspects on social media, two of whom went by the names Greavys and Box. Particularly, Greavys, whose real name is Malone Lam, seemed to live in Miami based on the photos he posted of his mansion, diamond watches, jets, and sports cars (including a Lamborghini Revuelto and a Pagani Huayra, which typically sells for over $3 million). ZachXBT also saw posts from influencers where Greavys gifted them some Hermès handbags, each valued between $30,000 and $50,000. He also discovered a photo of a nightclub server holding a sign that read “WHO WANT A BIRK,” tagged with Greavys's name.
ZachXBT said: “It looks like their daily routine is partying and stealing money.”
A few days later, he persuaded the tipster who had first contacted him during the flight to send him a video showing three hackers who appeared to be involved in the theft sharing their screens. What they did not know was that one of the hackers was also sharing his screen with another group of friends during that session, and one of them recorded it. Over the 90-minute video, ZachXBT repeatedly heard the three hackers calling each other by their real names, and at one point one of them briefly displayed his Windows home screen, revealing his last name.
The video even captured the hackers' ecstatic reactions after their successful theft: “Oh my God! Oh my God! $243 million! It’s real! I’m going crazy! Ah! We’re done! We’re done! I’m going crazy! Do you know how much this is???!!!”
On the afternoon of September 18, less than a month after ZachXBT's investigation began, Lam was arrested at a beachfront mansion in Miami, for which he paid $68,000 in rent each month. Another suspect, Box, whose real name is Jeandiel Serrano, was arrested at Los Angeles airport after returning from a vacation in the Maldives with his girlfriend. According to prosecutors, Serrano was wearing a $500,000 watch at the time of his arrest, lived in a house near Los Angeles with a monthly rent of over $40,000, and had spent $1 million on luxury cars. The next day, wire fraud and money laundering charges were announced against Lam and Serrano. According to court documents, both hackers admitted to law enforcement that they participated in multiple cryptocurrency thefts, and Lam acknowledged using the stolen funds to purchase no fewer than 31 luxury cars.
As of now, $79 million of the total $243 million theft has been seized or frozen. ZachXBT hopes to find more funds. Prosecutors stated that even after the hackers' extravagant spending, over $100 million remains unaccounted for.
According to public records, the third suspect identified by ZachXBT appears to reside in Connecticut but has not yet been charged with any crimes. However, journalist Brian Krebs pointed out a criminal complaint describing a group of men who carjacked a Lamborghini belonging to a couple in their fifties in Connecticut at the end of August (just four days after the theft) and briefly kidnapped them, as the carjackers “believed the victims' son had access to a large amount of digital currency” — indicating that the victims might be the parents of the third suspect identified by ZachXBT.
For ZachXBT personally, this investigation could be a turning point, as it is the first time he has been directly hired by a victim in a case and received payment for his effective investigation, rather than working as a volunteer relying on donations. He mentioned that he might transition to doing more paid work and could even start his own investigation company.
But ZachXBT insists that he does not want to get rich from his investigations: “I want to see the funds seized, see the funds returned to the victims, see the criminals arrested; that is my goal, that is what I am determined to do. Seeing my work benefit others is where my pride comes from.”
Taylor Monahan from MetaMask, a collaborator of ZachXBT, who has worked with him on dozens of investigations, believes that ZachXBT's actions are still primarily driven by a sense of justice — a sense of justice that comes from his own experiences as a victim of the chaos in the cryptocurrency world, and he does not want others to have the same fate.
Monahan said: “Like many people in this industry, he has had bad experiences, and everyone around him is saying how unlucky he is, but he instinctively resists that and wants to change the situation.”
Disclaimer: This article represents only the personal views of its author and not the position or views of this platform. It is shared for informational purposes only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please email proof of the rights and of your identity to support@aicoin.com, and the platform's staff will investigate.