Investigations by ZachXBT
23.02.2025 13:05
As if this year could not get any more strange we have an entity laundering for the Bybit hack who launched / traded Pump Fun meme coins.

On Feb 22 the attacker received $1.08M from the Bybit hack to 0x363908df2b0890e7e5c1e403935133094287d7d1 who bridged USDC to Solana.

EFmqz8PTTShNsEsErMUFt9ZZx8CTZHz4orUhdz8Bdq2P bridged all of the USDC from Solana to BSC to two addresses

Both BSC addresses programmatically split the USDC between 30+ addresses in many txns before consolidating the USDC to 0x0be9ab85f399a15ed5e8cbe5859f7a882c7b55a3

0x0be9 split 106K USDC between ten BSC addresses before bridging back to ten Solana addresses. A few of the addresses were dusted by meme coin scammers and the person laundering the Bybit funds the meme coins received for SOL.

15 hrs ago I made 920+ addresses receiving funds tied to the Bybit hack public and noticed a person laundering for Lazarus Group previously launched meme coins via Pump Fun.

Not posting the exact wallet for obvious reasons and had it removed from UI on multiple analytics tools.

All funds tied to the hack were then transferred to various services/exchanges.
21.02.2025 15:32
My sources confirm it's a security incident
04.02.2025 14:31
On-chain clown of the day: DPRK was attempting to deposit 46.3K XRP ($121K) from a hack to an exchange 30 minutes ago and forgot to include the destination tag in the transaction.

For those who are unfamiliar with Ripple this means the funds were not credited to an account as exchanges would not know who to credit the funds to.

Transaction Hash
79858B66DAA0F5BF28FC8E2ACC8C05CBE5105FEA0EA678CB78E8876294BEE185
If you somehow fell for the Dean Norris, Ross Gerber, or Keith Urban X/Twitter hacks after my warning it’s probably a sign you are not built for the trenches and are simply exit liquidity.
For any meme coin traders who hold ACT a victim was drained for ~$1M (3.39M ACT) worth of ACT due to a compromised X account and the scammer has not sold the tokens yet.

Theft address:
5bN3hmhSjZbvpMHSgKMEqb7HwtuFMYA6xnFdGh4sb1YY
21.02.2025 16:00
The attacker just split 10K ETH to 39 addresses. If you are an exchange or service who follows my channel blacklist these addresses on all EVM chains:

Update: 10K ETH split to another 9 addresses

mETH & stETH is currently being swapped on DEXs for ETH
31.01.2025 14:30
Coinbase has a serious fraud problem. Just uncovered many more recent thefts from Coinbase users with tanuki42 so I think I will need to dedicate an entire post on X/Twitter to them.

The $150M / yr stolen from Coinbase users is just from thefts I independently confirmed so it's more than likely multiples of this number...
The P2P marketplace Noones was likely exploited for ~$7.9M on Ethereum, Tron, Solana, & BSC on January 1-2, 2025 as its hot wallets saw hundreds of suspicious outflows for <$7K per txn.

Shortly after the platform made an announcement about maintenance although no official statement was made about any security incident.

Funds were bridged to Ethereum/BSC and then deposited to Tornado Cash.

Theft consolidation addresses:

Ethereum
0x72c1eabafc42a2ac6d0447b02c657b96f07402e6
0x4b0edd27196063476d91b634333be289beca9202
0x6c9b55b50e6a42fd7a14b49ba7747096090b0465
Tron
TLRzLWbrCPVjXEcTDHv4Lavm6CxonUgJST
TSnsmxEPy7rqk9XRsCiYEk5ntchweGFq2A
BSC
0x72c1eabafc42a2ac6d0447b02c657b96f07402e6
Solana
BBJoEgHq1igbH4fXfLtxRBodpFb1qcYQRk4UCpzVKobo
03.01.2025 20:15
Please stop flexing phantom screenshots and your expensive purchases this bull run on CT.

TLDR: Family member of a crypto influencer was just kidnapped and found by the police in the trunk of a car, with gasoline on him in France after trying to extort the son for money.

Source 1: https://www.francebleu.fr/infos/faits-divers-justice/un-homme-retrouve-ligote-dans-le-coffre-d-une-voiture-interceptee-par-la-police-pres-du-mans-deux-hommes-en-fuite-7958611

Source 2: https://cryptoast.fr/pere-influenceur-crypto-sequestre-soir-nouvel-an/
22.02.2025 21:38
Onchain clown of the day: The eXch team accidentally sent 34 ETH ($96K) to the hot wallet of another exchange after laundering $35M+ for Lazarus Group from the Bybit hack today.

Transaction hash
0x51b4597d74f71c59c6f5038d3cf4bc9e3b4cc21052249fb4597df8bb64f8253e
21.02.2025 15:20
Currently monitoring suspicious outflows from Bybit of $1.46B+ will update as information becomes available

0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2
A Coinbase user was likely social engineered and scammed for 110 cbBTC ($11.5M) on Base last month by a threat actor.

The stolen funds were immediately swapped, bridged, and laundered through multiple instant exchanges and funds consolidated with other Coinbase victims on Ethereum.

Theft transaction hash
0x8639f4b4420d47d68f27dc27967ff62ec913106e5b9ce99011de99b8d91813cd
0xb5895314777776da645529df83cd0d0883ed456e2c81e27c97eb5cf45a59c36b
0xfa26f3917519444c7d3d9ca05fc70b289d44958cb55801b9221d7b492f41c76d

Coinbase social engineering scams have resulted in $150M+ / yr stolen from users due to data breaches, email/call spoofing, bad detection, etc
24.01.2025 05:30
It seems apparent for a lot of you that you do not understand the current scammer meta is to hack X/Twitter accounts with weak security that are in the same niche as the current meme coin meta and immediately drop tokens.

Most recently that has been large political accounts, government accounts, country usernames

Now scammers are rotating back to celebrity accounts again.

In general when you see a surprise announcement for a meme coin launch it’s more than likely a scam as scammers only have access to the account for a few hours at most before losing access depending on the time of day.

Sadly the Trump/Melania surprise announcement meme coin launches probably helped add legitimacy to the hacked account token launches.

This post is mostly catered to average / newbie degens and not more sophisticated people who have an edge to profit from this.

Be diligent as scammers are easily making 6-7 figs off of these hacked accounts for the moment (EX: Nasdaq).
The Blockchain Bandit attacker woke up after being dormant for multiple years and consolidated 51,000 ETH ($172.2M) to a single multisig.

Multisig address
0xC45C36017b0B7708f493534Ca4f0930964C1D542
22.02.2025 07:36
Lazarus Group transferred 5K ETH from the Bybit Hack to a new address and began laundering funds via eXch (a centralized mixer) and bridging funds to Bitcoin via Chainflip.

5K ETH transfer on Feb 22, 2025 6:28:23 AM
0xbf80907830e46317da2c1708a13a9f016e242f8a6db6e6b0706ea5f2328cb001

Bitcoin destination address via Chainflip
bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq
21.02.2025 15:34
If you are an exchange or service who follows my channel blacklist these addresses on all EVM chains:

0x47666fab8bd0ac7003bce3f5c3585383f09486e2
0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e
0x36ed3c0213565530c35115d93a80f9c04d94e4cb
0x1542368a03ad1f03d96D51B414f4738961Cf4443
0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92
21.02.2025 09:15
Have turned off my DMs on X/Twitter for the next few weeks as people do not respect my time and lack basic financial literacy or common sense.

This means there’s currently no way to contact me so do not get scammed.
It seems someone was likely hacked for $29M (6.27M SUI) on Sui last month on December 12th, 2024.

The stolen funds were bridged from Sui to Ethereum via Bridgers and then deposited to Tornado Cash in batches.

Primary theft address
0x731c2cd8f060428e7bb520899c855b48bf4b22d981f07a69ce3d0a258f3e589a

Theft transaction hash
4xo5ub1BbxgHjFwJv7iBaC4mfds8JSpHAYihAeKDwPBU
6VbgJTWMvomi4VY8hoZcUNPUVaaFcWjZRfxjtdV6MCHo
2WHUdTGonBwDsYW4nVK7zVEVtG9PnRSE9HCRgcmouYgM

The victim transferred their .sui domains to a new uncompromised address shortly after the theft.

Current limitations with Sui block explorers and Sui analytics tools make the theft difficult to trace.
Uploaded a 31 minute video to X of the phishing scammer ‘Vkevin’ secretly being recorded while running a fake @Safeguard bot scam in various Telegram channels that has resulted in 7 figs drained from the wallets of victims.

https://x.com/zachxbt/status/1882370833429254523
There’s been so many account compromises on X/Twitter lately.

Would expect a new panel, recovery method, or exploit is going around as I highly doubt all of these accounts lack 2FA with a security key or authenticator app.