Investigations by ZachXBT
Reports, news, & insights shared by ZachXBT
[Attached image: 3M-unreported-theft-DPRK.png]
An unknown victim is suspected of being hacked by Lazarus Group on Tron for ~$3.1M on Feb 28, 2025.

Theft addresses
TYQ3455gFNeqyw3sqdcWuiARq4UTMqk4D4
0xcced1276382f4dd0a6d0e73b07f43294733981ae

The funds were bridged from Tron to Ethereum and ETH was split between ten addresses before it was deposited to Tornado Cash (96 X 10 ETH, 4 X 100 ETH, 78 X 1 ETH, 5 X 0.1 ETH)

The attacker however reused a theft address from the Fantom exec hack in October 2023 which had been previously attributed to Lazarus Group as part of a spearphishing campaign in a March 2024 report published by the UN.
πŸ‘249😒156😭80❀54🀣31πŸ†25πŸ•Š18πŸ‘12🐳11πŸ‘¨β€πŸ’»9πŸ‘Ž5
With the announcement of the US Crypto Reserve here's your reminder that XRP addresses activated by Chris Larsen (co-founder of Ripple) still hold 2.7B+ XRP ($7.18B) and these addresses tied to him transferred $109M+ worth of XRP to exchanges in January 2025.

2.7B XRP address list from dormant addresses activated by Chris Larsen (rB5TihdPbKgMrkFqrqUC3yLdE8hhv4BdeY)
rPoJNiCk7XSFLR28nH2hAbkYqjtMC3hK2k
rD6tdgGHG7hwGTA6P39aE7W89fbqxXRjzk
rDfrrrBJZshSQDvfT2kmL9oUBdish52unH
r476293LUcDqtjiSGJ5Dh44J1xBCDWeX3
r44CNwMWyJf4MEA1eHVMLPTkZ1LSv4Bzrv
rhREXVHV938ToGkdJQ9NCYEY4x8kSEtjna

(disclaimer: multiple of these addresses have been dormant for 6-7 yrs so it's possible he lost access or sent funds to other people in Feb 2013. He was also hacked for $112M early last year)
Investigations by ZachXBT
It appears a Ripple insider was hacked for ~213M XRP ($112.5M). Source address: rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm. So far the stolen funds have been laundered through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc. Update: Confirmation of the hack from…
A forfeiture complaint filed yesterday by US law enforcement revealed the cause for the ~$150M (283M XRP) hack of Ripple co-founder, Chris Larsen's wallet in Jan 2024 was the result of storing private keys in LastPass (password manager which was hacked in 2022).

Up to this point Chris Larsen had not publicly disclosed the cause of the theft.
Investigations by ZachXBT
An unknown victim is suspected of being hacked by Lazarus Group on Tron for ~$3.1M on Feb 28, 2025. Theft addresses TYQ3455gFNeqyw3sqdcWuiARq4UTMqk4D4 0xcced1276382f4dd0a6d0e73b07f43294733981ae The funds were bridged from Tron to Ethereum and ETH was split…
A high confidence Tornado Cash demix for the theft reveals funds from the DPRK hack purchased 437.6B PEPE ($3.1M) on March 11, 2025 after ETH was withdrawn from Tornado Cash
0x7A7DDa0eBFF13eB014F763D05e7784B36418022F

Edit: A closer analysis reveals DPRK got rugged by using a compromised Tornado Cash UI.

Three other instances of TC withdrawals also purchased PEPE. One of them comes from a known TC UI theft.

0x5d3a17a828aeb89729299ba5dd72200295b00df0
0x921213AB8cB18E0487B41DfFf18E39836FD19f04
0x77793F723A5538972A566D701cc7FBd32770CC96

For the $3.1M DPRK theft, the amounts deposited to TC were very unique (96 X 10 ETH, 4 X 100 ETH, etc) with matching withdrawals happening minutes after the deposits.
Spending long hours helping freeze funds for the Bybit hack has been eye opening.

This industry is unbelievably cooked when it comes to exploits/hacks and sadly idk if the industry is going to fix this itself unless the government forcibly passes regulations that hurt our entire industry.

Several "decentralized" protocols have recently had nearly 100% of their monthly volume/fees derived from DPRK and refuse to take any accountability.

Centralized exchanges end up being worse as when illicit funds flow through them a few take multiple hours to respond when it only takes minutes to launder.

KYT is completely flawed and easily evadable

KYC is just a honeypot for regular users bc of breaches/insiders and is useless in majority of cases due to purchased accounts.

DPRK laundering $1.4B from the recent hack has only exposed how broken it is.
Please stop trying to invite me as a speaker for conferences, podcasts, or interviews as the answer will be no.

Majority of the time they are only beneficial if you have something new to promote or can get exposure to a different audience.

You should always be skeptical of the projects who spend more time attending conferences or making podcast appearances rather than actually building their products
I regularly have people ask me about tools I use in my investigations so here’s a comprehensive list:

Cielo - Wallet Tracking (EVM, Bitcoin, Solana, Tron, etc)
TRM - Create graphs for addresses/transactions
MetaSuites - Chrome extension that adds additional data on block explorers
OSINT Industries - email/username/phone lookups
LeakPeek - db lookups
Snusbase - db lookups
Intelx - db lookups
Spur - IP lookups
Cavalier (Hudson Rock) - Infostealer lookups
Impersonator - Chrome extension to spoof login to dApps
MetaSleuth - Similar to TRM but intended for retail users
Arkham - Multichain block explorer, entity labels, create graphs, alerts
Obsidian - Create flow charts / diagrams
Wayback Machine - archive web pages
Archive Today - archive web pages
Etherscan/Solscan - block explorer for EVM / Solana
Blockchair - bitcoin block explorer
Range - CCTP bridge explorer
Pulsy - bridge explorer aggregator
Socketscan - EVM bridge explorer
Dune - Analytics platform to query blockchain data
Mugetsu - X/Twitter username history & meme coin lookups
TelegramDB Search Bot - Basic Telegram OSINT
Discord[.]ID - Basic Discord account info
CryptoTaxCalculator - Track PNL for an address

Note: I am not paid by these platforms to mention them and do not have referral links to share
Investigations by ZachXBT
My new post sharing an investigation on a $243M theft from last month which led to multiple arrests and $9M+ frozen https://x.com/zachxbt/status/1836752923830702392?
Update: Veer Chetal (Wiz) was arrested likely as part of his involvement in the $243M Genesis creditor theft.

Here’s the mug shot:
Five addresses linked to the entity who manipulated JELLY on Hyperliquid still hold ~10% of the JELLY supply on Solana ($1.9M+). All JELLY was purchased since March 22, 2025.

Hc8gNSMaQiahiRiGjUfTaW8AXudRJHeGoeGpAn8WRcwq
GffAXdcDqi8gTXEsNBMyck3DMPkaJRY1Ng2chdSRFUDC
DWr1VNg6Lsn2sANVhtWVSHMgJTNU5W4kGutDP3KyBZgA
6Ld2XDxwXcwJ4bjayeP2TAY1MepTP1zEdBVsDo3Nzmoo
G2WrQENBmsKJciQCrxce5NbWw6sEGgQMjJrFXH7MYTsv

This entity sold JELLY in the last hour from two addresses
Gm35VHcLqnpow5PCHeLMvG2krJ2deGANKfc2xAuQmept
CWvCD7EfuMu3QMTPtFb4rCF663HsD35GuW5G1xjSuaHD
Community Alert: As Token 2049 approaches be careful of sponsors as little due diligence is done on them for conferences (just because someone is a title or platinum sponsor does not mean they are credible)

Title sponsor
-Spacecoin (botted project)

Platinum sponsor
-Bitunix (sketchy exchange)
-JuCoin (sketchy exchange)
-WEEX (sketchy exchange)
-DWF (sketchy market maker)

Note: These are the only teams I have on my radar and I suspect more would make the list

One of the easiest due diligence hacks for a centralized exchange is to verify if the team is public and has prior work history in the space. Bitunix, JuCoin, & WEEX all fail this test.

Example: In late 2023 a sketchy exchange JPEX was a Platinum sponsor for Token 2049 and the team was flagged by the Hong Kong government during the conference for "suspicious features" and was later arrested after 1400 reports by victims to law enforcement and $100M+ was suspected stolen.
πŸ‘532❀179😭63πŸ‘40πŸ”₯21🀝13🐳11πŸ‘»11πŸ‘Œ8⚑5πŸ‘Ύ3
It is suspected a Coinbase user was scammed yesterday for $34.9M (400.099 BTC).

Theft address
bc1qvlustvxhqzee9tgqers4tfungrg6c0fs4u76jf

After uncovering this theft I noticed multiple other suspected thefts from Coinbase users in the past two weeks bringing the total stolen this month to $46M+. Funds from each theft were bridged from Bitcoin to Ethereum via Thorchain / Chainflip and swapped for DAI.

60.164 BTC - Mar 26
bc1qhc72zfqwqh3e6lns5ay084k29tmqlgw75jsxec

46.147 BTC - Mar 25
bc1qd6v3220v49j0xgmycksze59z90gru46dlxg8ff

20.028 BTC - Mar 16
bc1qd59e296yyr8x4gyr53xt4yjmmgukwemetalcuf

Coinbase has not flagged any of the theft addresses from these victims in compliance tools.

Last month I posted an investigation on X about how $65M was stolen from Coinbase users in December 2024 - January 2025 and talked about how Coinbase has quietly been facing a $300M / yr social engineering scam problem affecting its users.
So far there are multiple suspects in the $330M (3520 BTC) social engineering theft from April 27, 2025. Both have since deleted social media accounts.

-Nina/Mo: Operates a call scam centre in Camden, UK
-W0rk: Assisted with the site/call
πŸ‘428❀105πŸ”₯82😱77😈40πŸ‘25πŸ‘€23🍾21πŸ•Š15😁14πŸ™ˆ14
Auto blocking all people who send a DM with zero context or cannot formulate a basic sentence.

Only send messages with 3-4 short sentences including the theft address/txn hash, date of theft, size of theft, type of theft (if you know).

Due to the number of DMs I receive I can only guarantee a reply if the theft size is large or if your message stands out about an ongoing incident / provides intel (though I read all DMs)
The NY Post does not want to interview you on Telegram. If you received this DM earlier today on X it’s a scam.

Seems a threat actor gained access to the NY Post X account and is sending DMs to people from CT.

Scammer TG ID: 7524587720

I almost did not make a warning post but some of you are 0 iq.

The other week a scam message with a similar script was sent to people via DM from TheDefiant.
Another $45M+ was stolen from Coinbase users via social engineering scams in just the last week.

Theft addresses
bc1qksulmw0scf9en4w22hzh3hvarnrfflyh52mydz
bc1qjpepgf7nfkm3mlumdru8lgjmsca8cc982f08xd
bc1qfmc6pkq3u63dzt6w28yxd28fhluqdzcyjfngy2
bc1q7x2fexw0fcufym04ug7kdk2r6pzfeg00g6xfjk
bc1qv9p9gcng7u9k8qxcqee5fhxnm8y6zwd4lal3lv
bc1qm6u4d4a0d6dnlwr22ywwlgzayvtgx6h45v4dln
bc1qel8as46edjk4h750kem4z280l09294ewj458qk
bc1qw3ggh8vdjtry04w790pz2w0synz3ewtpfc9rdj
0xaDEFbB6082F98BE8f0f7F0323af19eCD216f13B9
0x75B09e181a8bCfC4e05DB22B673d92bc55Fee150

h/t tanuki42 for the assistance

Over the past few months I have reported on nine figures stolen from Coinbase users via similar social engineering scams.

Interestingly no other major exchange has the same problem.
Investigations by ZachXBT
Auto blocking all people who send a DM with zero context or cannot formulate a basic sentence. Only send messages with 3-4 short sentences including the theft address/txn hash, date of theft, size of theft, type of theft (if you know). Due to the number…
May have to temporarily turn off my DMs again bc many people do not respect your time.

EX: Someone spamming me about a 0.0367 SOL theft

Still unsure how to best filter out these type of people from being able to contact me.
A press release just posted from the Frankfurt prosecutors office revealed the instant exchange 'eXch' had 34M euros and infrastructure for the platform seized by law enforcement.

eXch was used to launder hundreds of millions from the Bybit hack, Multisig hack, FixedFloat exploit, $243M Genesis Creditor theft, and countless phishing drainer services over the past few years with refusal to block addresses and freeze orders.
Investigations by ZachXBT
My new post sharing an investigation on a $243M theft from last month which led to multiple arrests and $9M+ frozen https://x.com/zachxbt/status/1836752923830702392?
Update: 12 people were just charged in the $243M Genesis Creditor theft from Aug 2024.
πŸ‘253πŸ”₯108❀62🀣38πŸ•Š32πŸ‘30πŸ—Ώ17😭15😒11πŸ€ͺ10😱5
πŸ”₯301❀64πŸ‘37πŸ•Š33🀣28πŸ‘26😱15πŸ—Ώ14🫑11πŸ₯±4πŸ€ͺ4
The threat actor who stole $300M+ from Coinbase users by paying customer support just began trolling me onchain with this message after swapping $42.5M+ from BTC -> ETH via Thorchain today.

Transaction hash
0x18c909a8438d94e88a434521ee9fc143c8777452fbecb09b034b8fd049d6477f