ZachXBT Reveals Axiom Internal Scandal: How Did Internal Employees Abuse Their Privileges?


Author: Chloe, ChainCatcher

In recent days, the Polymarket event "Which Crypto company will ZachXBT expose for insider trading?", which attracted market attention and accumulated tens of millions of dollars in bets, has finally come to an end. On February 26, on-chain detective ZachXBT officially released his investigation report, directly targeting the DeFi trading platform Axiom Exchange.

The report alleges that a senior employee at the platform is suspected of abusing internal management privileges to illegally access users' private wallet data for an extended period and converting this sensitive information into tools for insider trading. This article will delve into the evidence chain revealed by ZachXBT, where "on-chain transparency" has been hijacked by "off-chain black box management."

ZachXBT Exposes Axiom Exchange Insider Trading Scandal

Axiom Exchange was created by founders Mist and Cal, and was selected for the Y Combinator Winter Batch (W25) in early 2025; this platform delivered an astounding revenue of over $390 million within just one year. However, behind the brilliant financial data, a senior business development employee named Broox Bauer was turning Axiom's backend tools into his private hunting ground.

According to ZachXBT's investigation, Broox Bauer was not working alone; he established an organized "information monetization" process. At its core was Axiom's internal control dashboard, which allowed Broox to casually query any user's private information by promotional code, wallet address, or UID. Broox stated in the recordings that he could "find out anything about that person," and his operations showed a strong awareness of counter-surveillance:

  1. Initially querying only 10 to 20 wallets to avoid triggering system anomaly alerts.

  2. The targets were not randomly selected. For example, an influencer named Marcell, who had purchased a large amount of meme coins using a private wallet, became a key target after promoting liquidity withdrawals to his fans. Such traders' private wallets are rarely public, and the re-use rate of addresses is low, making this information highly valuable for arbitrage.

  3. An organization and rules were established: another Axiom employee, Ryan (Ryucio), assisted in user information searches, Gowno was hired as a moderator, and the private wallets were compiled into Google Sheets for tracking.

These violations continued for over ten months (starting in April 2025), with the evidence chain including backend management screenshots of victims like "Jerry" and "Monix". This has sparked questions: why did a business development employee have access privileges that crossed functional boundaries? The monitoring alerts and privilege segregation that should exist clearly did not function.

Axiom's Official Response Cannot Cover Up Structural Disempowerment

After the release of ZachXBT's report, Axiom's official response followed a standard crisis management protocol: issuing a statement expressing "shock and disappointment," revoking access, and launching an investigation. However, this still cannot hide the underlying structural disempowerment; such events reveal a failure in the platform's privilege control, rather than just the individual actions of a single employee.

1. Missing Audit Logs

In traditional finance or mature Web2 tech companies, any operation accessing sensitive user data must leave logs. If a business development employee can query hundreds of wallet addresses unrelated to their business, the system should trigger alerts at the first instance. Axiom's ten-month regulatory vacuum indicates that its internal system may not even have an "anomalous behavior detection mechanism," and whether "operation records" are maintained is questionable.

2. The scope of affected users remains unclear

Axiom's statement did not mention the scale of affected users. This raises deeper concerns: If Broox Bauer could access this information, what about other employees? The moderator Gowno mentioned in the report and another business development employee Ryan were accomplices in his crime, indicating that such privilege abuse could be relatively easy. When an organization's governance structure is based on "trust" rather than "system," the marginal cost of internal corruption is extremely low.

Privileges Are Almost Worthless? The Data Governance Black Hole of Web3 Startups

Let us take a closer look at the core of this scandal. The range of backend-accessible data listed in ZachXBT's report is shocking: complete user wallet lists, wallets being tracked by users, complete transaction histories, user-defined wallet notes, and associated accounts. This list encompasses not only transaction data but an entire pattern of on-chain behavior from which a user's complete activity could be recreated.

In traditional financial institutions, access to this kind of data is strictly constrained by the "minimum necessary information principle." Any employee without a clear business need should not access sensitive client information; all access actions must retain auditable operation logs, which are regularly sampled by compliance departments. The design logic of this mechanism is simple: it does not rely on the individual's moral standards but constrains through technology and systems to minimize harm before issues occur.
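The audit-log alerting discussed under "Missing Audit Logs" and the access rules in the paragraph above can be sketched as detection logic over a backend access log. This Python is an added example, not Axiom's code and not taken from ZachXBT's report; the log schema, role names, thresholds and sample records are all assumptions constructed for illustration. It shows that a per-day volume alert alone misses an account that keeps each day's lookups small, while a rolling count of distinct users and a ticket requirement still flag it.

```python
from collections import defaultdict
from datetime import date, timedelta

# All names, roles and thresholds below are assumptions for illustration.
DAILY_LIMIT = 25       # per-day alert threshold on distinct users looked up
WINDOW_DAYS = 30       # rolling window length
WINDOW_LIMIT = 60      # distinct users allowed per employee per window
ROLES_WITH_NEED = {"support", "compliance"}  # roles with a business need

def build_sample_log():
    """Constructed audit log rows: (day, employee, role, user_id, ticket)."""
    log, start = [], date(2025, 4, 1)
    for d in range(10):
        day = start + timedelta(days=d)
        for i in range(5):    # support agent: few lookups, each tied to a ticket
            n = d * 5 + i
            log.append((day, "agent_a", "support", f"u{n}", f"T-{n}"))
        for i in range(15):   # stays under DAILY_LIMIT every single day
            log.append((day, "bd_b", "business_development", f"v{d * 15 + i}", None))
    return log

def detect(log):
    """Return {employee: sorted list of rule names that fired}."""
    findings = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))  # employee -> day -> user ids
    for day, emp, role, uid, ticket in log:
        per_day[emp][day].add(uid)
        if role not in ROLES_WITH_NEED:
            findings[emp].add("role_without_business_need")
        if ticket is None:
            findings[emp].add("lookup_without_ticket")
    for emp, days in per_day.items():
        if any(len(users) > DAILY_LIMIT for users in days.values()):
            findings[emp].add("daily_volume")
        for end in sorted(days):
            # Distinct users touched in the window ending on `end`.
            seen = set()
            for d, users in days.items():
                if end - timedelta(days=WINDOW_DAYS) < d <= end:
                    seen |= users
            if len(seen) > WINDOW_LIMIT:
                findings[emp].add("rolling_window_volume")
                break
    return {emp: sorted(rules) for emp, rules in findings.items()}

if __name__ == "__main__":
    for emp, rules in detect(build_sample_log()).items():
        print(emp, rules)
```

In the constructed log the business-development account never trips `daily_volume`, which is why the cumulative and justification-based rules carry the detection.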

Axiom's backend clearly did not meet this standard. More importantly, such issues are not isolated cases within Web3 startups. Rapidly expanding teams often concentrate engineering resources on product iterations, while the establishment of compliance and data governance frameworks is postponed or even considered a "later issue" once the token is released. However, once a platform reaches a scale like Axiom, the sensitivity of the data accessible by backend tools has far exceeded that of the early stages, while the construction of protective mechanisms often remains at the founding stage.

This case also reveals the unique absurd paradox of Web3: on-chain transparency does not equal off-chain transparency. The blockchain grants transactions "anonymously transparent" status, allowing everyone to see the flow of addresses but making it difficult to discern the underlying entities; however, the real risk occurs at the moment users complete their registration, bind wallets, and set notes: they hand over the most crucial correspondence—"the owner of this address is me"—to the platform's centralized database.

After this, anonymity gradually becomes an illusion. Once this layer of identity is linked to more information, labeled with more tags, or even abused, the transparency on-chain no longer protects users but instead becomes the most precise tool in the hands of the perpetrator.

Decentralization at the Protocol Level Never Equals Company Decentralization

The Axiom scandal reveals not only the personal misconduct of a few employees. It serves more as a mirror reflecting a significant contradiction long avoided by the entire Web3 industry under the narrative of "decentralization": decentralization at the protocol level never equates to decentralization at the operational level of the company.

When a platform's core business still relies on centralized backend systems, human customer service, and employee judgment, the tags of "DeFi" or "Web3" feel more like decorative frontend labels. Users trust in the immutability of smart contracts but forget that at the moment they input personal information and bind wallets, they have delivered the most crucial information to a completely centralized organization.

Trust has never been free; in places where systems are not mature, the side bearing the cost of trust is always the one with the greatest information asymmetry.

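Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. This article is for information sharing only and does not constitute investment advice of any kind to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will verify it.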
