ZachXBT
@zachxbt1.bsky.social
Scam survivor turned 2D investigator | Advisor @Paradigm

https://linktr.ee/zachxbt
On September 24, 2025, addresses linked to SBI Crypto saw ~$21M in suspicious outflows on Bitcoin, Ethereum, Litecoin, Doge, & Bitcoin Cash.

The stolen funds were transferred to five instant exchanges and deposited to Tornado Cash.
October 2, 2025 at 4:44 PM
A new Bloomberg article on Scattered Spider revealed that the centralized exchange Crypto[.]com previously had a breach and never publicly disclosed the incident that exposed the personal information for a portion of its users.

#crypto #bloomberg #scatteredspider #cryptodotcom
September 22, 2025 at 12:18 AM
In a press release, RCMP just confirmed they seized 56M CAD in assets from TradeOgre.

#crypto #cryptonews #rcmp #tradeogre
September 19, 2025 at 11:53 AM
Update: The OpenVPP team made a statement and says the reply was accidentally hidden by a 24/7 intern.
September 18, 2025 at 12:06 AM
OpenVPP then hid her reply from the post.

I reviewed the accounts promoting OpenVPP and it’s the usual influencer suspects.
September 18, 2025 at 12:06 AM
This week the project @OpenVPP ($OVPP) claimed to be working with the US government on the tokenization of energy.

12 hrs ago Hester Peirce replied saying she does not work alongside or endorse private crypto projects.
September 18, 2025 at 12:06 AM
JP (THORChain co-founder & Vultisig co-founder) had a personal wallet drained for $1.35M by DPRK on September 9, 2025 after a meeting call scam on Telegram.

Ironically, JP and his products have benefited significantly financially from the laundering of DPRK exploits/hacks such as Bybit in the past.
September 13, 2025 at 5:34 PM
Yesterday an unknown victim was exploited for ~3.047M USDC on Ethereum.

The attacker swapped USDC for ETH and immediately deposited the funds to Tornado.

Theft address
0xf0a6c5b65a81f0e8ddb2d14e2edcf7d10c928020

#crypto #usdc #ethereum #scamawareness
September 11, 2025 at 7:14 PM
It appears the Solana project 'Aqua' has likely rug pulled 21.77K SOL ($4.65M) after being promoted by teams such as Meteora, Quill Audits, Helius, SYMMIO, Dialect, and many influencers.
September 9, 2025 at 11:25 PM
NEW LEAK: Price sheet of 200+ crypto influencers and their wallet addresses from a project they were recently contacted by to promote.

From 160+ accounts who accepted the deal I only saw <5 accounts actually disclose the promotional posts as an advertisement.

#crypto
September 2, 2025 at 8:07 AM
Coincidentally this theft happened on the one year anniversary of the $243M Genesis Creditor theft.

Theft txn hash
da598f2a941ee3c249a3c11e5e171e186a08900012f6aad26e6d11b8e8816457
Theft address
bc1qyxyk4qgyrkx4rjwsuevug04wahdk6uf95mqlej
August 23, 2025 at 7:43 PM
Cracked dev fr
August 17, 2025 at 12:50 AM
Cracked dev fr
August 17, 2025 at 12:47 AM
11/ The main challenge faced in fighting DPRK ITWs at companies includes the lack of collaboration between services and the private sector.

There’s also the negligence by the teams hiring them who become combative when alerted.
August 17, 2025 at 12:45 AM
10/ Still, one of the more common questions is “how do you know they are North Korean?”

Well, besides all of the fraudulent documents detailed above, their search history showed frequent Google Translate usage with translations to Korean with a Russian IP.
August 17, 2025 at 12:45 AM
9/ Other interesting items from their searches and browser history included:
August 17, 2025 at 12:45 AM
8/ The 0x78e1 address is closely tied onchain to the recent $680K Favrr exploit from June 2025 where their CTO and other devs turned out to be DPRK ITWs with fraudulent documents.

Additional DPRK ITWs were identified at projects from the 0x78e1 address.
August 17, 2025 at 12:41 AM
7/ One of the wallet addresses used by them to send and receive multiple payments was

0x78e1a4781d184e7ce6a124dd96e765e2bea96f2c
August 17, 2025 at 12:41 AM
6/ The DPRK ITWs would purchase Upwork & LinkedIn accounts, buy or rent a computer, and then use AnyDesk to conduct work.
August 17, 2025 at 12:41 AM
5/ Here is a spreadsheet that shows the meeting schedules for jobs and a script used for the fake identity ‘Henry Zhang’
August 17, 2025 at 12:41 AM
4/ A spreadsheet for expenses shows them purchasing SSNs, Upwork/LinkedIn accounts, phone numbers, AI subscriptions, computer rentals and VPNs/proxies.
August 17, 2025 at 12:41 AM
3/ Another spreadsheet shows weekly reports for team members from 2025 which provides insight into how they operate and what they think about.

“I can't understand job requirement, and don't know what I need to do”

“Solution / fix: Put enough efforts in heart”
August 17, 2025 at 12:41 AM
2/ An export of their Google Drive, Chrome profiles, and screenshots from their devices was obtained.

Google products were extensively used by them to organize their team’s schedules, tasks, and budgets with communications primarily in English.
August 17, 2025 at 12:41 AM
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.
August 17, 2025 at 12:30 AM
Here’s the judgement for Redman from yesterday.

TLDR: Term consists of 12 MONTHS and 1 DAY as to each count, to be served concurrently; 3 YR SR TERM W/ CONDITIONS - term consists of 3 YEARS as to each count, to run concurrently; $400 SA; $248,257.07 Restitution; $60,000 Fine
July 30, 2025 at 11:36 PM