Bored Ape Yacht Club phishing ring (2021)

In 2021, ZachXBT tracked a phishing operation targeting owners of Bored Ape Yacht Club (BAYC) non-fungible tokens. The scheme involved a fraudulent service that purported to animate users' BAYC NFTs but instead directed them to a phishing site designed to steal the NFTs from their wallets. ZachXBT identified the five-person crime ring behind the operation, which had stolen more than $2.5 million in NFTs. His findings assisted French authorities in arresting and convicting all five individuals.
$243 million Genesis creditor theft (2024)

On August 19, 2024, ZachXBT received an alert about an unusually large Bitcoin transaction while preparing to board a flight. The attackers had used social engineering to impersonate Google and Gemini support staff, convincing the victim to reset two-factor authentication settings and install remote desktop software, which allowed them to extract private keys from the victim's Bitcoin Core wallet. ZachXBT traced the stolen 4,064 BTC as it was split across more than 15 exchanges and converted between Bitcoin, Litecoin, Ethereum, and Monero to obscure the trail. ZachXBT identified three suspects and shared his findings with U.S. law enforcement. The United States Department of Justice subsequently charged Malone Lam and Jeandiel Serrano, who were arrested in Miami and Los Angeles on September 18, 2024. Cryptoforensic Investigators, zeroShadow, and Binance Security froze more than $9 million in stolen funds, with over $500,000 returned to the victim.

Within hours, ZachXBT submitted evidence to blockchain analytics platform Arkham Intelligence identifying North Korea's Lazarus Group as the perpetrators, based on analysis of test transactions and connected wallets used ahead of the exploit, as well as forensic graphs and timing analyses linking the attack to prior Lazarus Group operations against other exchanges. The Federal Bureau of Investigation subsequently confirmed the Lazarus Group's responsibility.
U.S. Marshals Service seized crypto theft (2026)

In late January 2026, ZachXBT published an investigation alleging that an individual operating under the online handle "Lick" had stolen more than $46 million in cryptocurrency from wallets managed by the United States Marshals Service (USMS). The investigation originated after ZachXBT obtained a recording of a dispute in a private Telegram group chat, in which two individuals attempted to prove who controlled more cryptocurrency. During the exchange, one participant screen-shared a wallet holding approximately $2.3 million and then transferred $6.7 million in ether in real time, inadvertently demonstrating control over addresses that ZachXBT traced back to government wallets. ZachXBT identified the individual as John Daghita, the son of Dean Daghita, president of Command Services & Support (CMDSS), a Virginia-based firm awarded a USMS contract in October 2024 to manage and dispose of certain categories of seized digital assets. Law enforcement seized cash, hard drives, and security keys during the arrest. The case drew scrutiny to the USMS's reliance on outside contractors for custody of seized digital assets.

== See also ==