A victim had suspicious outflows of ~$1.1M from five wallets on EVM chains 23 hours ago in a private key compromise.
The attacker swapped out of all assets for ETH immediately and deposited 330 ETH to Tornado.
Theft address
0x4f8affe6cd269d1f8352d0542432de6975c3912d
Community alert: A number of Trust Wallet users have reported that funds were drained from wallet addresses within the past couple of hours.
While the exact root cause has not been determined, coincidentally the Trust Wallet Chrome extension pushed a new update yesterday.
Send me a DM on X (Twitter) if you were affected and I will update the list of theft addresses below as I verify more.
Theft addresses
EVM
Bitcoin
Solana
Investigations by ZachXBT
Community alert: A number of Trust Wallet users have reported that funds were drained from wallet addresses within the past couple of hours. While the exact root cause has not been determined coincidentally the Trust Wallet Chrome extension pushed a new update…
Update: Hundreds of Trust Wallet victims & $6M+ stolen from the initial list of theft addresses
Update 2: Trust Wallet confirmed the incident on X
Update 3: Losses will be covered
It appears hundreds of wallets are currently being drained on various EVM chains for small amounts (<$2k total per victim) with a root cause not yet unidentified.
So far ~$107K has been drained from them with the theft total still increasing.
Suspicious address
0xAc2e5153170278e24667a580baEa056ad8Bf9bFB
If you are a GLM holder please consider allocating your rewards to me for Octant Epoch 10.
Voting will be open until January 20, 2025.
Investigations by ZachXBT
Earlier today Serpent (Ethos Network founder) publicly shared a dataset of 70K InfoFi users from Kaito, Wallchain, Cookie, Galxe, Xeet, & Ethos. I worked with Shob to compare the InfoFi users to their X account location and here were the results:
The head of product at X (Nikita Bier) announced 30 minutes ago they will no longer allow InfoFi apps to operate on X (formerly Twitter) due to excessive AI slop / spam.
The Kaito Yapper community on X with 157K members was banned and the KAITO token price has crashed 17% since the announcement.
On January 10, 2026 at around 11 pm UTC a victim lost $282M+ worth of LTC & BTC due to a hardware wallet social engineering scam.
The attacker began converting the stolen LTC & BTC to Monero via multiple instant exchanges causing the XMR price to sharply increase.
BTC was also bridged to Ethereum, Ripple, & Litecoin via Thorchain.
Theft addresses (2.05M LTC, 1459 BTC):
bc1qluxw46r55wf3dnk9c652vrt4duadm3hpuktf86
bc1qpsmh26ja0fzzf286zulmt9eywujc2pggj40wzm
ltc1qly43c2prj4c2e85dcspzpjd36jnapnenldnr70
A special thanks to Hyperliquid for their recent generous donation.
Here's the updated all time leaderboard for my top 10 largest donors by amount:
1). Optimism
2). Hyperliquid
3). Octant
4). The White Whale
5). Arbitrum
6). BNB Chain
7). Unipcs
8). Nouns
9). CL207
10). High Stakes Capital
BREAKING: Circle froze the USDC balance of 16 hot wallets for various businesses late yesterday.
I spoke with one of the affected businesses directly and they stated it was due to an ongoing US civil case whose details are not yet disclosed.
I reviewed the onchain activity and the exchanges, casinos, forex businesses do not appear to be related at all to each other.
Why was the request not properly reviewed by Circle?
For those unfamiliar a crypto business has a hot wallet to process the bulk of transactions for its users.
An analyst with basic tools could have identified within minutes that these were operational business wallets from the thousands of transactions they process.
Now their business operations have been negatively impacted by Circle, Lawyer, Forensics firm, & Judge
Rain[.]gg
Clash[.]gg
Whale[.]io
Goated[.]com
500 Casino
Finrax
Herofx
Coinsbuy
Unknown service hot wallets
It appears the Iranian exchange Wallex[.]ir had one of its wallet addresses frozen by both Circle & Tether.
0x6926408f55c4f322ebe1a3cc7e4fff380c5543df
A few hours ago Wallex began consolidating crypto assets from different hot wallets on Tron and Ethereum to BSC via multiple bridges.
$2.49M currently sits dormant at
0xf945c7566f4204ad286a0c3ff1d8a72183e6ccdd
Investigations by ZachXBT
BREAKING: Circle froze the USDC balance of 16 hot wallets for various businesses late yesterday. I spoke with one of the affected businesses directly and they stated it was due to an ongoing US civil case whose details are not yet disclosed. I reviewed…
Circle unfroze the USDC for the Goated hot wallet a few minutes ago.
0x61f08d119974a3d9915f06765d83fe1aa677e543
I expect more hot wallets to be unfrozen in the near future.
Update 1: 500 Casino & Whale were unfrozen
Update 2: ckUSDC (Dfinity bridge) & unknown service 0x00e were unfrozen
Still no public information about why the overreach ever occurred to begin with.
An unknown Kraken user lost $18.2M due to a suspected social engineering scam.
The threat actor began bridging 45 minutes ago from Ethereum to Bitcoin via THORChain with SafePal wallet.
Theft address
0xC55149BbD560435a9FbEabFdcF9711cf928acA21
1D8f8956EEFLXN28AHfioEx4ywVbxCz8KN
On April 6, 2026 BitcoinDepot (BTM) disclosed in an SEC 8K filing it uncovered an incident on March 23, 2026 which resulted in 50.9 BTC ($3.6M) stolen.
However the report did not include theft addresses so I manually traced out the incident onchain and found 19 high confidence theft addresses from March 20.
This means it took three days for BitcoinDepot to notice the funds were missing from its business.
A delta of 3.55 BTC (54.45 BTC total) vs 50.9 BTC reported was found indicating other employee personal accounts may have also been impacted.
54 BTC ($3.7M) flowed to KuCoin, a crypto exchange increasingly used by illicit actors.
At the time of my post the theft addresses still have not been reported in any compliance tools I use.
Suspected theft addresses:
If you gamble I advise caution for the new casino Spartans Bet if you are an influencer, player, or work in the industry.
Have been made aware by a few people of them offering unrealistic amounts of funds to influencers / players.
Ownership is tied to Gurhan Kiziloz who is behind a sketchy project called Blockdag Network.
Blockdag raised $300M+ from unsophisticated retail investors via social media ads which stated unsustainable returns and misleading partnerships.
I've had 10+ investors DM or tag me claiming to have lost money on it with the product not functional and the token presale has been ongoing for 2+ years.
When you search his name online it is mostly paid PR articles.
I would avoid any business that is connected to Gurhan Kiziloz.
Source 1: https://www.dlnews.com/articles/defi/inside-crypto-project-blockdag-442-million-usd-maze/
Source 2: https://www.businessinsider.com/lanistar-uk-regulator-scam-instagram-warning-2020-11
Community alert: A fake Ledger Live app on the Apple App Store is tied to $9.5M stolen from 50+ suspected victims between April 7–13 across Bitcoin, EVM, Tron, Solana, & Ripple.
Stolen funds were laundered via 150+ KuCoin deposit addresses tied to AudiA6, a centralized mixing service that charges high fees to launder illicit funds.
Theft addresses
Kucoin has seen a sharp increase in illicit activity over the past year. Kucoin was banned from onboarding new EU users by Austrian regulators in February 2026 after only receiving its MiCA permit in November 2025. Kucoin previously paid fines of $300M+ to the US government to settle its case for violating AML laws in January 2025.
I'd be curious to see if this presents grounds for a class action against Apple.
The fake app was removed by Apple yesterday. The three largest victims lost seven figures each.
Apr 9 Victim: $3.23M (3.23M USDT)
TFsLWCYxj4aVUdjKg6Vnz5RtDe1AFWzmYK
Apr 11 Victim: $2.079M (2.079M USDC)
GZWb4arrwVPzdEDrK5MwTNN5zsXNpKUK2yeYu9SA5S18
Apr 8 Victim: $1.95M total (20.64 BTC, 211 stETH, 70 ETH)
96ccf116c95d9ad0065ec2529dd1761eb93dd504cbf2ac9298c60bf7b5984b4b
0x98bc748eb4451417f7259190675ea565dbd5ed85
KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum.
The attack addresses were funded via Tornado Cash.
Theft addresses
(Edited to update the victim later identified as KelpDAO)
Just hit 1M followers on X (Twitter) and it's been an insane ride from May 2021 to now.
I don't usually post about this type of stuff, but I cannot say I anticipated ever reaching this follower milestone.
Thanks to everyone who has supported my work over the years.
Investigations by ZachXBT
KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum. The attack addresses were funded via Tornado Cash. Theft addresses 0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc| 0xBb6A6006Eb71205e977eCeb19FCaD1C8d631C787 0x1F4C1c2e610f089D…
Update: DPRK began laundering $1.5M from the $290M KelpDAO/LZ exploit from Ethereum mainnet to Bitcoin via Thorchain and another $78K via Umbra
Thorchain transactions:
0x99e09424a28873145f0f4d2ad2cedaebe788df5fab25ba87a06057c457ac31ef
0x171b08024347b5cb7399761b1d6836649f9cbfaf8e94bcbb42625874db5dc206
0x2909e93741e9fe32286dafc8769be5089de0bad4cfcc9ad4b715124f50307171
Umbra transactions:
0xa2a6cc54afd2dd487ea052cd712ed0e1889f2886d857d46c266014173caa7509