On August 19, a young man known online as ZachXBT was on his way to board a flight home. Although he preferred not to disclose which airport he was at, his real name, or where he resided, he was focused on his phone when an alert caught his attention. A significant amount of bitcoins had been transferred to a small cryptocurrency exchange, one of many he vigilantly monitored on Bitcoin’s blockchain for indications of illicit money laundering. This particular transaction stood out, valued at approximately $600,000—a withdrawal far exceeding the usual trade size on that platform.
As he reached his boarding gate, another notification informed him of a subsequent transaction on the same exchange, this time surpassing $1 million. Moments later, he received yet another alert for a transaction worth $2 million. While queuing to board, ZachXBT quickly began tracing the flow of these funds on his phone, tracking them back through various Bitcoin addresses and flagging the suspicious transactions. He worked against the clock, aiming to uncover their origins before the inevitable internet blackout that occurs when a flight takes off, which would last until the in-flight Wi-Fi became available. By the time the plane ascended, he discovered that the funds originated from a crypto wallet that had remained inactive since 2012, containing hundreds of millions of dollars worth of Bitcoin. This considerable sum was now being hastily liquidated at exchanges that typically charge high transaction fees—something no rational, long-term Bitcoin investor would consider.
To ZachXBT, the movement of these funds appeared to be the result of a massive theft. As he verified his conclusions, it became evident that approximately $243 million worth of Bitcoin had been stolen from a single individual—potentially the largest known crypto heist targeting someone directly. “It was such an abnormally large amount stolen from a single person,” ZachXBT shared. “I had to make sure I wasn’t crazy.”
Once he reached an altitude of 10,000 feet and regained internet access, ZachXBT continued to monitor the outflows of the stolen assets. He meticulously traced the paths they took as they were shuffled through various exchanges and coin-swapping services. Throughout the following hours, he worked frantically to map the complex web of transactions, as the culprits sought to conceal their tracks by routing the coins through over a dozen platforms.
As he traced the path back to the source of the lost bitcoins, ZachXBT discovered that a portion of the funds originated from the now-defunct Genesis cryptocurrency exchange. He reached out to the exchange’s administrators on X, requesting to connect with the victim who would ultimately hire him to recover the stolen funds.
By the time his flight landed, ZachXBT had identified three significant leads related to the stolen money, each pointing to what he suspected were three potential culprits. He also shared a message with his over 650,000 followers on X, highlighting the ongoing theft on the blockchain. Soon after, he received a message from a source claiming to have information about the thieves’ identities.
In the following week, dedicating himself to the case around the clock with little sleep, and regularly updating law enforcement on his progress, ZachXBT pinpointed the alleged perpetrators behind the theft—two young hackers, Malone Lam and Jeandiel Serrano, both in their early twenties. (ZachXBT also identified another alleged hacker who has not been publicly named since the individual has not been arrested or charged.) He even acquired a video recording that reportedly shows one of their screens as they completed the theft, celebrating their substantial profit. In his intense investigation, ZachXBT went as far as to monitor the alleged suspects on Instagram and TikTok, observing one of them lavishly spending millions on luxury cars, private jets, and nightclubs, where he allegedly dropped as much as $500,000 in a single night.
Less than a month after receiving the alert on his phone while on the plane, two of the three suspected thieves were arrested and criminally charged.
When ZachXBT finally encountered the mug shot of one of the suspected hackers, he experienced a fleeting surge of adrenaline. However, that feeling vanished swiftly. “I didn’t really feel any special sense of accomplishment,” ZachXBT recounts. “I was just treating it as any other case.”
If investigating a theft worth a quarter billion dollars feels routine to ZachXBT, it’s likely because he has carved out a niche for himself over the past three years as the most notable independent crypto detective globally. Since he embarked on his journey as an amateur investigator in 2021, he has traced billions of dollars related to stolen assets and scams. By his own estimation—which he detailed for WIRED in a spreadsheet—his countless investigations have facilitated the recovery of about $210 million in criminal crypto assets, along with another $225 million in seized funds where he played at least some indirect role in helping to retrieve money for victims. He has exposed influencers engaged in pump-and-dump schemes, tracked down cybercriminals responsible for major crypto heists, and unveiled numerous instances of North Korean hackers accessing crypto firms or infiltrating those companies as employees.
In pursuing this role as a crypto vigilante, ZachXBT has been primarily funded through cryptocurrency donations, receiving grants from crypto organizations and contributions sent to the address posted on his social media, totaling around $1.3 million since 2021. “He’s a new generation of investigator. He works for the people,” states Joe McGill, an analyst at the Secret Service who has partnered with ZachXBT. “His success is entirely connected to the outcome of his investigations.”
Throughout his endeavors, ZachXBT has maintained his anonymity rigorously. Online, he is represented solely by his avatar, a whimsical platypus cartoon figure dressed in a detective’s trench coat or occasionally a hoodie. To evade retribution from numerous adversaries within the realm of crypto criminals and fraudsters, he has never revealed his face, true identity, or exact age, agreeing to speak with WIRED only on the condition that his identifying details remain undisclosed.
During some of their initial conference calls, McGill recounts that ZachXBT not only kept his camera off but also utilized a voice-changer application. At times, he sounded like a high-pitched character from “South Park,” as McGill describes it, while on other occasions, he altered his voice to a deeper tone that reminded him of something from a horror movie. “It was quite strange at first,” says McGill, who was then employed at the crypto-tracing firm TRM Labs. “However, I respected his desire for privacy, as this anonymous individual was accomplishing remarkable work.”
ZachXBT consistently uncovers numerous cryptocurrency scams and thefts, usually on a weekly basis, and often operates at a pace that outstrips law enforcement agencies. Nick Bax, a cryptocurrency investigator and founder of the firm Five I’s, has half-jokingly wondered if he might be some type of bot.
“He operates like a machine,” Bax states.
In one particular investigation last year, where they worked together to trace a $60 million heist involving a cryptocurrency project named AnubisDAO in 2021, Bax provided ZachXBT with a list of 500 transactions on a Saturday evening. Each transaction required meticulous analysis alongside all its related blockchain addresses. “I thought that would occupy him for a few days,” Bax remarks. To his astonishment, by the next afternoon, ZachXBT had successfully reviewed every transaction and pinpointed those linked to the theft. “I was astounded,” Bax exclaims. “He must have been glued to his computer for 12 hours straight.”
Many of the results of ZachXBT’s investigations are unceremoniously posted to his account on X. Over time, however, his findings have increasingly gained the attention of law enforcement agencies, and he often shares his discoveries with many of them before publication. This has led to real and growing consequences for the targets of his investigative work. “As Zach has gotten bigger, there have been financial repercussions and legal repercussions,” says Taylor Monahan, a security researcher at the crypto firm MetaMask and one of ZachXBT’s closest collaborators on investigations, including the $243 million theft case. “If Zach posts a thread about someone now, and it’s a good one, that person is going to get arrested.”
So how has ZachXBT managed to outpace even law enforcement’s crypto investigators, despite lacking formal training or organizational backing? Even he isn’t entirely certain. “That’s a tough question. I don’t know why I’m good,” ZachXBT tells WIRED in a phone interview. He attributes his success to a willingness to work around the clock—since crypto markets never close—and a familiarity with analyzing cryptocurrency blockchains that stems from years spent examining those vast ledgers of transactions. “The more you look at the blockchain, like when you eat, sleep, and breathe it, it starts to make more sense over time,” he explains. “You can just start to pick up on those connections. I can look at a wallet, and I can profile it and tell you if it’s a bad actor within seconds.”
ZachXBT’s understanding of blockchains is influenced by his years of experience as a crypto enthusiast and trader—and also as a victim of some of the crypto economy’s numerous pitfalls targeting unsuspecting investors. Around 2017, he admits he was naively purchasing thousands of dollars worth of crypto tokens, all of which would eventually plummet in value—often due to so-called “rug pulls,” where a token’s creator sells off their holdings, leaving other investors with worthless assets. “I was buying in like, ‘This is going to change the world.’ I just held it and never sold,” ZachXBT reflects. Consequently, he admits, “I was the person getting scammed.”
By 2018, not only had all those investments collapsed, but an Electrum crypto wallet that ZachXBT used was hacked through a malicious software update. He lost nearly $15,000 as a result.
At that moment, he realized it was time to reevaluate his strategy. Rather than just purchasing and holding onto tokens, he dove into analyzing the blockchains of cryptocurrencies, which are accessible to anyone able to interpret the ownership of various addresses. His goal was to observe the trading behaviors of more accomplished investors, aiming to mimic their activities.
By 2020, thanks to this blockchain analysis, he had developed a keen ability to track cryptocurrency transactions. This skill enabled him to identify ongoing scams that were not evident to the casual investor. He would notice an influencer promoting a cryptocurrency asset to their vast audience, elevating its price, only to trace their movements on the blockchain and find that they were offloading their own investments shortly after. This often resembled a classic pump-and-dump scheme. “It felt more like being a whistleblower,” ZachXBT remarks. “I’d detect such activity and reflect, ‘This reminds me of my experiences back in 2017 and 2018. Why not share this insight?’ Then, that began to gain traction.”
When the NFT trend emerged later that year, ZachXBT applied the same scrutiny to various NFT projects, such as Bored Bunny and Billionaire Dogs Club, to uncover where the funds were genuinely directed. Many NFT creators would accumulate millions based solely on whimsical cartoon .jpg images, asserting that ownership would grant access to exclusive events or memberships. However, through his blockchain analysis, ZachXBT realized that the sellers were merely siphoning off the money. Occasionally, his investigation would reveal that an NFT seller was a rebranded version of a previous project that had already been established as fraudulent.
In several cases, ZachXBT’s revelations about NFT sellers managed to deter potential buyers and thwart dubious NFT vendors from making sales. However, he eventually grew weary of exposing the same blatant schemes repetitively, and he became disheartened by the absence of significant outcomes: nobody connected to the NFT projects he highlighted faced any legal repercussions.
In early 2022, he started to observe a concerning trend: a group of hackers was infiltrating the Twitter accounts of prominent crypto figures and disseminating phishing links to Ethereum smart contracts aimed at draining users’ wallets. This operation resulted in losses amounting to tens of millions of dollars. Whenever a heartbroken victim shared their experience of losing their savings, ZachXBT would reach out to them and diligently track down the lost funds. He combined the clues gathered from the blockchain with information he had started to compile from Discord and Telegram channels frequented by young crypto criminals. This led him to discover a few online aliases of teenagers who appeared to be responsible for the phishing scheme and were openly boasting about their massive gains.
By this stage, ZachXBT had garnered a notorious reputation within the crypto underground. One of the individuals he suspected even included a clear jibe about “mr xbt” in a Twitter post, where he flaunted a diamond-encrusted Audemars Piguet watch he had purchased. ZachXBT managed to track down the watch seller through a luxury watch Discord channel and persuaded the vendor, who had sold the watch for nearly $50,000, to provide the teenager’s shipping address and real name.
Public records do not appear to indicate whether any of the alleged thieves were apprehended—likely due to their status as minors, which may have led to sealed charges or a lack of formal accusations. However, ZachXBT uncovered a forfeiture notice revealing that in October 2022, merely a month after ZachXBT shared his findings on X, the FBI seized over $200,000 worth of cryptocurrency from the identified teen suspect—and also the diamond wristwatch.
That same year, ZachXBT applied similar investigative methods to track down another $2.5 million worth of NFTs that had been stolen through a separate phishing scheme, linking them to an alleged duo of French hackers. A couple of months later, French authorities detained five suspects in connection with this case, and Agence France-Presse reported that ZachXBT’s thread on X was instrumental in assisting their investigation into the two alleged masterminds. “To witness law enforcement taking action based on something I had shared was incredibly rewarding,” ZachXBT reflects. “It led me to believe that I might truly be onto something significant with my efforts.”
Over the past two years, ZachXBT has caught the attention of law enforcement due to the increasing scale and impact of his investigations. In February 2023, he successfully tracked nearly $9 million stolen from the crypto project Platypus, quickly identifying one of the suspected thieves. Shortly thereafter, French police arrested two individuals linked to the case. While the charges were later dropped, police managed to recover millions, prompting Platypus to express gratitude to ZachXBT via social media. Later in the year, he uncovered a $25 million theft involving crypto firm Uranium Finance, much of which had been laundered through the purchase of rare Magic: The Gathering cards. In another incident, after the cybercriminal group known as Scattered Spider executed a ransomware attack on Caesars Entertainment in Las Vegas, extorting $15 million, ZachXBT assisted in tracing and recovering $12 million of the stolen funds, according to investigators who collaborated on the case and shared their insights with WIRED.
Around that same period, ZachXBT revealed findings from extensive investigations covering 25 crypto thefts perpetrated by North Korean hackers, totaling over $200 million, of which he had aided in freezing about $7 million. Notably, half of these hacks had not been publicly disclosed prior to this. He followed that up with further revelations about a network of around 30 North Korean IT workers who had infiltrated corporate tech firms while being compensated in cryptocurrency. One such worker, allegedly tied to North Korea, had secured employment at the NFT company Munchables and managed to steal $62 million in crypto assets from the organization. When ZachXBT identified and flagged the funds, the media attention surrounding the perpetrator made it so difficult to liquidate those assets that the funds were simply returned.
Regardless, when ZachXBT received text alerts while at the airport about a theft amounting to $243 million from a single victim on August 19, it marked one of the most significant thefts he had ever pursued.
Upon returning home from his international journey, he dedicated days to tracing the complex movement of those funds while also monitoring social media for updates on his three suspects, two of whom operated under the aliases Greavys and Box. Greavys, whose actual name was Malone Lam and who appeared to be situated in Miami, was actively showcasing a lifestyle filled with luxury real estate, diamond watches, private jets, and high-end sports cars including a Lamborghini Revuelto and a Pagani Huayra—vehicles that commonly exceed $3 million in worth. Additionally, ZachXBT discovered posts from influencers flaunting gifts like Birkin and Hermès bags valued at $30,000 to $50,000 each, along with photographs of electric signs in a club that said, “WHO WANT A BIRK,” tagged with his name.
“It felt like their only focus was partying and stealing money,” recalls ZachXBT.
Just a few days passed before he managed to convince the source that had initially reached out to him during his flight to provide him with a video showcasing a screenshare session between three hackers implicated in the heist. Unbeknownst to the involved individuals, one of the suspected hackers had inadvertently re-shared his screen during that call with another group of friends, and it appears one of them recorded the entire session. Throughout the 90-minute footage, ZachXBT notes, the hackers address one another by their first names, and at one juncture, one of them briefly displays his Windows home screen, revealing his last name as well.
The video even captures the moment when the alleged hackers revealed their ecstatic response to successfully executing a nine-figure theft. “Oh my god! Oh my god! 243 million dollars! Yes!” one of them exclaims during the recording. “I’m going to spaz out! Yo! We’re done. We’re done. I’m spazzing out. Do you know how much money that is?”
On the afternoon of September 18, nearly a month after the onset of ZachXBT’s investigation, Lam was apprehended in Miami at a waterfront rental property that cost him $68,000 a month. Box, whose actual name is Jeandiel Serrano, was detained at the Los Angeles airport while returning from a vacation in the Maldives with his girlfriend. According to prosecutors, he was wearing a watch valued at $500,000 during his arrest, renting a house near Los Angeles for over $40,000 a month, and had spent $1 million on luxury automobiles. The following day, wire fraud and money laundering charges against both Lam and Serrano were made public. Court documents reveal that both hackers admitted to law enforcement officers their involvement in several crypto thefts, with Lam specifically acknowledging that the proceeds from these crimes supported his purchases of at least 31 luxury cars.
To date, authorities have managed to seize or freeze $79 million out of the $243 million that was allegedly stolen. ZachXBT remains optimistic that more of the funds will be recovered. Prosecutors estimate that over $100 million of the stolen amount is still unaccounted for, despite the alleged hackers’ extravagant spending.
The third suspect identified by ZachXBT, who according to public records appears to reside in Connecticut, has not yet faced any charges. However, reporter Brian Krebs has highlighted a criminal complaint that details an incident where a group of men reportedly carjacked a couple in their fifties in a Lamborghini merely four days following the $243 million theft that took place in late August. The carjackers briefly held the couple captive, believing that their son had access to a considerable amount of digital currency. This raises the possibility that the couple may be the parents of the individual traced by ZachXBT as the third recipient of the stolen funds.
For ZachXBT, this investigation marks a significant milestone. For the first time, he was hired by the victim and compensated for his expertise rather than volunteering based on donations. He expresses intentions to pivot to more paid work or possibly establish his own investigative firm.
Nonetheless, he insists that his motivation is not wealth from his investigations. “I witness money being seized, returned to victims, and people being arrested, and that fulfills my purpose. That’s what drives me,” ZachXBT states. “The real reward for me is seeing that my work positively impacts people.”
His collaborator, Taylor Monahan from the crypto wallet company MetaMask, who has partnered with him on numerous investigations, believes that ZachXBT is primarily motivated by a sense of justice. This sense stems from his past experiences as a victim of the harsh realities of the crypto world, fueling his desire to protect others from similar fates.
“He underwent the same ordeal as many in this community, where something unfortunate occurs, and those around you respond with, ‘Too bad for you,’” Monahan remarks. “He fundamentally rejects that situation and is determined to bring about change.”