ZachXBT
zachxbt1.bsky.social
Scam survivor turned 2D investigator | Advisor @Paradigm

https://linktr.ee/zachxbt
Several sources say they have been unresponsive to messages for the past couple days.
December 5, 2025 at 9:59 PM
Several hours ago multiple addresses tied to him I was tracking consolidated funds to 0xb37d in a similar pattern to other law enforcement seizures.

Danny was last known to be in Dubai. It’s alleged a villa was raided and others there were arrested as well.
December 5, 2025 at 9:59 PM
Danny was also involved in the Kroll SIM Swap from Aug 2023 that compromised the PII of BlockFi, Genesis, & FTX creditors that has since led to $300M+ stolen via targeted social engineering scams.
December 5, 2025 at 9:59 PM
I previously was monitoring and had identified him for his involvement in the $243M Genesis Creditor theft from August 2024 with Malone, Veer, Chen, & Jeandiel.
December 5, 2025 at 9:59 PM
Theft addresses:
0x40d76a78ddba2ea81fb0f9fba147a08bcfc2b866
bc1qx0a2kfjd7eweczv8xqjm6rggm40v0nkhfss78l
qpv9nh5ktagsmtkqle8z2w4dd3mksskpmy499z7c9k
ltc1qjyrn9p803efj3p8a0g3fmlevs45kq704ns363t
DRiEQuJ9pt3GgNraQmHVTjNg4B7uv1XuGb

h/t to Cyvers for helping investigate.
October 2, 2025 at 4:44 PM
Interestingly, several indicators share similarities to other known DPRK attacks.

SBI Crypto is a mining pool that's a subsidiary of SBI Group, a publicly traded company in Japan.

As of now it does not appear they have publicly disclosed the incident.
October 2, 2025 at 4:44 PM
Update: The OpenVPP team made a statement and says the reply was accidentally hidden by a 24/7 intern.
September 18, 2025 at 12:06 AM
OpenVPP then hid her reply from the post.

I reviewed the accounts promoting OpenVPP and it’s the usual influencer suspects.
September 18, 2025 at 12:06 AM
Theft address
0x37cDB6B40861F350E23AA5733E75755fCBed739F

Currently the majority of the stolen funds sit at 0x7abc09ab94d6015053f8f41b01614bb6d1cc7647
September 13, 2025 at 5:34 PM
A few hours ago the funds were split four ways and transferred between intermediary addresses before being sent to multiple instant exchanges.

The team has since turned off replies on X (Twitter) for all posts.

Presale address
4Ea23VxEGAgfbtauQZz11aKNtzHJwb84ppsg3Cz14u6q
September 9, 2025 at 11:25 PM
Coincidentally this theft happened on the one year anniversary of the $243M Genesis Creditor theft.

Theft txn hash
da598f2a941ee3c249a3c11e5e171e186a08900012f6aad26e6d11b8e8816457
Theft address
bc1qyxyk4qgyrkx4rjwsuevug04wahdk6uf95mqlej
August 23, 2025 at 7:43 PM