A US investor says he lost $3 million in XRP after hackers emptied his wallet, and blockchain tracking suggests the funds moved fast through shadowy over-the-counter networks tied to Southeast Asia. Related Reading: Biggest Shiba Inu Burn In Months — And It Came From A Coinbase Account Funds Traced To OTC Networks According to blockchain sleuth ZachXBT, the stolen coins were first pooled into a single Tron address and then pushed through OTC services linked to an illicit marketplace known as Huione Guarantee. Reports have disclosed that Huione Guarantee is tied to a range of criminal activity, and that once funds enter those channels they are very hard to recover. The trace provides a clear record of movement on public ledgers, but it does not guarantee that law enforcement can follow the money to its final holders. 9/ Unfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector. I recommend victims try to report theft addresses to people as soon as possible as otherwise it can be… pic.twitter.com/Ficcit611f — ZachXBT (@zachxbt) October 19, 2025 Victim Says He Followed Best Practices Brandon LaRoque, the investor at the center of the case, told viewers that he had built his position over eight years and held about 1.2 million XRP. He posted a video this week explaining the loss, which has drawn wide attention online. “I thought I did all the things right,” he said, after describing how his Ellipal device turned out to be connected to the internet. The device maker, Ellipal, acknowledged that the seed phrase was imported into an app and said it was doing everything possible to help. Based on reports, the company suggested the theft followed a misuse of the seed rather than a flaw in a strictly offline product. A Human Cost LaRoque said he and his wife retired about a year ago and were planning to buy a house in Las Vegas. Now they say they may need to return to work. The loss is a stark example of how long-term small investors can be swept away by a single security lapse. The emotional impact is real. Many viewers on social platforms have offered help, but experts warn that public attention does not equal recovery. Experts Urge Caution On Recovery Firms According to ZachXBT, victims who want to pursue recovery must move quickly and seek competent private investigators, while avoiding predatory firms that promise guaranteed returns. Tracing on the blockchain can show where funds went next, and it can expose links to mixing services or OTC desks, but converting that trace into arrests or asset returns is complex. In the US, access to specialized crypto law enforcement is limited, which reduces the odds of successful recovery in many cross-border theft cases. Related Reading: Bitcoin’s Moment? Analyst Urges Traders To Swap Gold For Crypto Institutional Activity Rises As Retail Losses Persist Meanwhile, XRP has seen notable activity in regulated markets. Reports show more than 476,000 XRP futures contracts traded since May 2025, totaling $23.7 billion. Open interest has reached $1.4 billion, and the number of large institutional investors hit a record of 29. Featured image from Gemini, chart from TradingView
Onchain sleuth ZachXBT says an attacker routed some $3.05 million in stolen XRP through bridges and OTC channels tied to Huione.
The onchain sleuth leaked a spreadsheet he says lists crypto KOL promo rates, alleging fewer than five disclosed their posts as ads.
An on-chain investigation has revealed that North Korea IT workers posing as foreign developers have earned nearly $17 million from crypto startups and blockchain companies this year. The findings, revealed by prominent blockchain investigator ZachXBT, show that these individuals have successfully integrated into dozens of crypto projects by concealing their identities and locations. According to […]
The post North Korean IT workers earned $17M this year with some funds coming from Circle accounts appeared first on CryptoSlate.
Prominent blockchain investigator ZachXBT has criticized two prominent stablecoins, including Ripple’s RLUSD and Circle’s USDC, highlighting concerns about their compliance and adoption strategies. In a now-deleted social media post, ZachXBT questioned Ripple’s RLUSD stablecoin, arguing that it lacked an authentic user base and relied on paid partnerships to create the illusion of organic growth. Due […]
The post ZachXBT deletes call out of Ripple RLUSD adoption but questions trust appeared first on CryptoSlate.
From Silk Road to today, dormant wallets and mixing tools are no longer enough to hide illicit funds onchain, as ZachXBT’s investigations continue to prove.
As his gambling losses grew, Nieves allegedly stole from accomplices who helped pilfer over $4 million by posing as Coinbase support agents.
An onchain investigator has flagged a major breach at Iran-based Nobitex, where hackers made off with more than $81 million in digital assets. Related Reading: Tether Enforces Freeze On $12 Million In Tron Funds Over Illicit Activity Based on reports from blockchain sleuth ZachXBT, at least $81.7 million was moved out of the exchange’s hot wallets on June 16, 2025. The stolen funds came from both the Tron network and various Ethereum Virtual Machine (EVM) chains. Massive Funds Drained From Hot Wallets According to ZachXBT’s Telegram post, the first chunk—$49 million—went through a vanity address that read “TKFuckiRGCTerrorists…mNX.” A second custom address, “0xffFFfFFffFF…Dead,” was used to pull the rest. These special wallet names aren’t random. They show how attackers slipped around Nobitex’s checks and grabbed funds meant to stay locked down. Vanity Addresses Exploit Access Controls Experts say the use of these human‑readable addresses points to a flaw in the exchange’s internal controls. “Attackers managed to infiltrate systems that should have blocked unauthorized wallets,” noted Hakan Unal of Cyvers security. The exchange confirmed that it spotted the breach quickly and suspended the affected hot wallets. Political Motive Behind The Breach A pro‑Israel hacker group calling itself “Gonjeshke Darande” claimed responsibility in an X post. The group called Nobitex a tool for “regime financing” and threatened to release source code and internal files within 24 hours. After the IRGC’s “Bank Sepah” comes the turn of Nobitex WARNING! In 24 hours, we will release Nobitex’s source code and internal information from their internal network. Any assets that remain there after that point will be at risk! The Nobitex exchange is at the heart of the… pic.twitter.com/GFyBCPCFIE — Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025 They warned that any assets left on the platform would be in danger. This hack comes as tensions surged between Israel and Iran after Israel’s largest strikes on Iran since the 1980s. Reports say at least 224 people died in Iran and 24 in Israel during the renewed conflict. Cold Storage And User Security Assurances Nobitex says users’ main funds are safe in cold storage, and only a fraction of hot‑wallet assets were hit. The exchange promised to cover all losses with its insurance fund and internal resources. That promise should reassure customers, though the fear of leaked code or files could drive some to pull funds. Related Reading: Crypto Gets A Green Light From Spanish Banking Giant Unmoved Funds Could Reveal Next Steps Interestingly, none of the stolen coins have moved since the hack was first spotted. That could mean the hackers are choosing their next move. Or it might be a warning shot meant to show they can strike again. Either way, this incident highlights how vital it is for exchanges to guard against insider‑level slip‑ups. Protocols alone aren’t enough if people and processes leave doors open. As the crypto world watches, Nobitex users will be looking closely at how the platform rebuilds trust and keeps their money safe. Featured image from Unsplash, chart from TradingView
North Korea’s hackers has reportedly stolen nearly $2 billion from centralized crypto exchanges over the past year. Blockchain security researcher Tay Monahan attributes a significant portion of those funds, around $1.8 billion, to a series of major hacks targeting centralized crypto trading platforms like Bybit, DMM Bitcoin, WazirX, Phemex, and BingX. Despite setbacks such as […]
The post North Korea’s hackers could have laundered as much as $1.5 billion in stolen crypto appeared first on CryptoSlate.
Cybercriminals are adopting increasingly deceptive tactics to target crypto users, with some now posing as blockchain security companies. Their aim is to steal assets and implicate their victims in the process, making it harder for them to seek redress. This evolution comes amid a sharp rise in crypto-related losses. In May 2025 alone, hackers and […]
The post Hackers now pose as security companies to frame victims while stealing private keys appeared first on CryptoSlate.
On-chain sleuth ZachXBT reports that BitoPro suffered a suspected $11.5 million exploit on May 8, with stolen funds laundered through Tornado Cash and Thorchain.
ZachXBT said there were suspicious outflows from hot wallets on multiple networks including Tron, Ethereum, Solana and Polygon.
Blockchain investigator ZachXBT has publicly accused high-risk trader James Wynn of hypocrisy and deceptive trading practices. In a May 28 post on X, ZachXBT alleged that Wynn, who recently condemned scam tokens tied to his name, had previously engaged in similar pump-and-dump tactics involving memecoins. The controversy started after Wynn warned his followers about a […]
The post ZachXBT exposes Hyperliquid high-risk trader James Wynn’s alleged hypocrisy and deceptive tactics appeared first on CryptoSlate.
ZachXBT said a wallet involved in social engineering attacks on Coinbase users sent him a troll text onchain following this week's data breach disclosures.
Coinbase revealed that it suffered a data breach that affected less than 1% of its active monthly users, according to the May 15 statement. Following the hack, the exchange CEO Brian Armstrong said the perpetrators tried to extort it of $20 million in Bitcoin. How Coinbase was breached According to the exchange, the threat actors […]
The post Coinbase resists $20 million Bitcoin ransom demand after insider-led data breach appeared first on CryptoSlate.
Data thieves demanded $20 million from Coinbase to not publish stolen customer data. The company has now offered the same amount bountry on the extorters.
An analyst has suggested that Monero (XMR) could repeat its 2021 cycle-high amid its recent price jump. However, a renowned on-chain sleuth has linked the surge to suspicious Bitcoin (BTC) transactions. Related Reading: XRP Price Shoots For 20% Surge To $2.51 Amid Pullback To Breakout Zone Monero Soars After $330 Million BTC Theft Privacy and security-focused token Monero saw its price soar 52% to a four-year high on Monday. The cryptocurrency surged from its recently reclaimed $220-$230 support toward the $340 resistance, hitting $347 in the early hours of Monday. Amid the massive surge, on-chain detective ZachXBT has linked the pump to a “suspicious transfer” from a potential victim of social engineering. The crypto sleuth explained that a suspicious transfer of 3,520 BTC, worth around $330.7 million, was made on Sunday night. According to the post, the funds were laundered via more than 6 instant exchanges shortly after the initial transfer, being swapped for XMR, seemingly based on timing analysis and the Monero price jump. An X user suggested the stolen Bitcoin was “likely from the Bitstamp hack that occurred in 2014.” The internet detective denied the idea, stating that the victim was likely an OG Bitcoiner. Meanwhile, others questioned whether the wallet owner made the transactions or if it was a theft. ZachXBT detailed multiple factors that led him to believe it was likely a theft, including the wallet being a longtime BTC holder and a Gemini, River, and Coinbase user. Additionally, he noted that the $330 million in Bitcoin was suddenly moved and transferred in small increments to instant exchanges, creating hundreds of orders. This would make the owner lose multiple 7-figures to fees, making it inefficient for a normal person. The crypto sleuth also considers that the theft isn’t likely related to North Korea’s Lazarus Group, which recently stole $1.5 billion worth of Ethereum (ETH) from crypto exchange Bybit. Is XMR Near A Breakout? Since the pump, Monero has retraced around 25% from today’s high to trade between the $250-$260 range. Crypto analyst Rekt Capital noted that XMR has successfully retested its $214 range’s low as support amid the market recovery. Notably, the cryptocurrency has been moving within the $112-$214 price range since 2022, surging above the range’s resistance line amid the November post-US elections breakout. After the Q3 2024 rally, Monero entered its key $214-286 range, which has previously worked as a key support and resistance area. After breaking out of the range’s upper boundary, the cryptocurrency rallied to its 2018 all-time high (ATH) of $542 and its 2021 high of $480. During the Q1 2025 retraces, the XMR dropped below the $214 mark, testing the $200 area as support before bouncing. Similarly, the early April pullback sent the cryptocurrency toward this level, finally reclaiming it two weeks ago. Since then, the cryptocurrency has rallied toward the $220-$230 range, fueled by the ongoing market recovery, but was ultimately rejected at the key resistance level. Today’s recent pump has seen Monero break above the $230 mark for the first time since February. Related Reading: Cardano (ADA) Bulls Push for Breakout — Is a Sharp Rally Next? Despite the alleged laundering-driven surge, the analyst affirmed that the cryptocurrency has now “repeated early 2021 history,” where the token reclaimed its current range and retested its lower boundary before breaking out to cycle highs. If history repeats and XMR’s price holds its current range, it could position itself for a surge above the $300 barrier. Featured Image from Unsplash.com, Chart from TradingView.com
Blockchain investigator ZachXBT has spotlighted two individuals, Reef Finance founder Denko Mancheski and X user Fukugo Ryōshu, as potentially linked to the sudden 90% crash of Mantra’s OM token on April 13. On April 14, ZachXBT reported: “The two names I keep hearing tied to the Mantra incident are Denko (Reef Finance founder) and Fukogoryushu […]
The post ZachXBT identifies key figures tied to Mantra’s 90% OM token crash appeared first on CryptoSlate.
Coinbase users are again in the spotlight after losing more than $46 million to social engineering scams this month alone, according to blockchain sleuth ZachXBT. On March 28, the on-chain investigator reported on his Telegram channel that an unnamed Coinbase user lost approximately 400 BTC—worth around $34.9 million—after being the victim of an elaborate theft. […]
The post Coinbase users lose $46 million to social engineering scams in March – ZachXBT appeared first on CryptoSlate.
ZachXBT said scammers have stolen over $46 million in Bitcoin and other crypto from Coinbase users in March alone.
Crypto detective ZachXBT alleged that the mysterious “Hyperliquid whale” that’s been making headlines across the crypto community is suspected to be a convicted criminal from the UK. The trader has made around $20 million in profit from leveraged trading, raising questions about their identity. Related Reading: Bitcoin To Get ‘Interesting’ As Price Retests $85,000 – Here Are The Levels To Watch Mysterious Hyperliquid Whale Not A Crypto Insider On Thursday, ZachXBT shared an investigation revealing the “Hyperliquid Whale” as a British hacker previously charged with multiple crimes. The trader’s identity has been a hot topic among crypto investors over the past few weeks. According to the X thread, the trader was identified as William Parker, known as Alistair Packover, before he changed his name. Parker was arrested and sentenced in Finland in 2024 for stealing nearly $1 million from two online casinos in 2023. Since January 2025, the trader has made millions by opening several highly leveraged positions on Hyperliquid and GMX but gained attention this month for two specific trades. Right before US President Donald Trump’s “Strategic Crypto Reserve” announcement on March 2, the whale opened a large Ethereum (ETH) and Bitcoin (BTC) long position on 50X leverage using address 0xe4d3. Following this trade, the crypto community speculated that the whale could be an insider, with some users alleging that the trader was linked to the Trump family due to their timing. Meanwhile, others suggested that the mysterious whale was tied to the North Korean hacking group Lazarus. The trader later opened a BTC short position on 40X leverage using address 0xf3F4, profiting $19 million from the two positions. After the whale closed its short position earlier this week, the crypto sleuth revealed that the trader was allegedly involved in illicit activity. “It’s funny watching CT speculate on the ‘Hyperliquid whale’ when in reality it’s just a cybercriminal gambling with stolen funds,” he initially responded to the speculation. Connecting The On-Chain Dots In the thread, ZachXBT shared four key counterparties of the 0xf3f address, including 0xe4d3, which he had identified. He also noted that the cluster was tied to Roobet, Binance, Gamdom, ChangeNOW, Shuffle, Alphapo, BC Game, and Metawin accounts. Additionally, the 0xf3f signed a message on-chain with an X account under the username @qwatio, which has seemingly been purchased recently. After the crypto detective’s initial claims, the X user denied the cybercrime allegations and claimed the $20 million profits from the GMX and HL trades were clean and traceable on the blockchain. However, the on-chain investigator alleges that “he would have to control the related wallets in this cluster for the $20M number to be accurate.” Notably, an address in the cluster, 0x7ab, was found to have received funds from a phishing scam and an exploited casino game on Solana. Related Reading: SUI Ready For 15% Move Amid Key Level Retest – Breakout Or Breakdown Ahead? Then, ZachXBT tracked down a recent payment from 0xe4d3 and obtained a UK phone number that seemingly connects the trader and the name William Parker. I tracked down a recent payment from 0xe4d3 to an unnamed person who confirmed they had been paid by the HL trader. They provided a UK phone number used to communicate with them. Public record reveals the name William Parker is likely tied to this number. The crypto sleuth concluded that Parker, who was also convicted three times in the early 2010s for crimes related to fraud, hacking, and gambling, has now “gambled 6 figs into $20M using high leverage on-chain” for the past two months, and will likely continue to do so. Featured Image from Unsplash.com, Chart from TradingView.com
The Solana-based memecoin Launchpad Pump.fun’s X account has been hacked and used to promote fake cryptocurrencies, including an “official” PUMP governance token. On-chain investigators suspect the hack is linked to other X account compromises. Related Reading: Red Monday, Green Week? Bitcoin Needs To Reclaim This Level For Trend Continuation – Analyst Pump.Fun Hackers Launch PUMP Memecoin On Wednesday, Pump.fun’s official X account was compromised, with hackers promoting different tokens during the incident. The account started to post different contract addresses (CA) for various memecoins before deleting them. The hackers initially shared the contact address of PUMP, the “official Pump.fun governance token,” stating that “democracy has never been this degen” and that they would be rewarding their “OG DEGENS.” The crypto community quickly identified the memecoin as a scam and alerted other users of the potential account compromise. Blockchain data firm Bubblemaps warned users of the fake memecoin, explaining that PUMP was “heavily bundled and will dump,” as 60% of the token’s supply was held in two clusters. Meanwhile, Pump.fun’s founder, Alon Cohen, confirmed the X hack and asked the community not to interact with it or any links shared until it was recovered. According to on-chain investigator Dethective, the hackers extracted around $600,000 from the token minutes after sharing the memecoin. The crypto sleuth explained that their strategy consisted of posting the CA of a bundled scam token and deleting it after rugging investors. Besides the fake PUMP token, the malicious actor promoted OG, Extract Protocol (EXAI), and Pump.fun Hacked (HACKED), extracting around $90,000 from these memecoins. Dethective noted that some investors continue to buy the tokens after the hackers repeatedly rugged the previous ones, with the last token hitting a $1.5 million market capitalization at the top. The malicious actors asked the crypto community whether they should create a “legit token on Pump.fun” and call it “Hackeddotfun.” They “promised” to pump the memecoin to a market capitalization of $100 million, assuring it wouldn’t “be a bundle” and would be launched through the platform before deleting the posts. Pump.Fun Hack Linked To Jupiter’s X Compromise? Renowned on-chain detective ZachXBT revealed the Pump.fun compromise is “directly connected on-chain” to the Jupiter DAO and DogWifcoin compromises from February 2025 and November 2024, respectively. On his Telegram channel, the internet sleuth suggested that the attacks are “likely not the fault of either the Pump.fun or Jupiter teams.” Instead, Zach suspects a threat actor is “social engineering employees at X with fraudulent documents/emails or a panel is being exploited.” Wu blockchain shared GMGN data revealing that only one Pump.fun memecoin had a market value above $1 million yesterday. The post detailed that several tokens hit the $1 million barrier but quickly experienced a sharp drop. Related Reading: Solana Sentiment Hits 1-Year Low Amid Market Correction – Analyst Suggests Drop To $70 Following the TRUMP and MELANIA memecoins and the recent Libra token controversy, investors have expressed exhaustion from the continued memecoin scams deployed via the Solana-based launchpad. Some community members called the hack “the nail on the meme coin coffin,” as sentiment surrounding the sector’s “memecoin fiesta” is at its lowest point this cycle. At the time of this writing, Pump.fun’s team has regained access to the account and stated they will continue to monitor the situation as “the attack that led to this compromise is unknown, but it’s unlikely that the team is at fault.” Featured Image from Unsplash.com, Chart from TradingView.com
ZachXBT's focus will not change and "we just want to support his ability to keep up the good work," Paradigm's Matt Huang said.
The blockchain sleuth claimed that Coinbase failed to prevent social engineering attacks on exchange users.
Noones, a peer-to-peer crypto marketplace, suffered a security breach resulting in approximately $8 million in losses. On Jan. 24, on-chain investigator ZachXBT noted that the exploit likely occurred between Jan. 1 and Jan. 2, with the platform’s hot wallets processing hundreds of questionable transactions. According to him, these outflows, each valued under $7,000, collectively amounted […]
The post Noones acknowledges $8 million exploit after ZachXBT raises concerns appeared first on CryptoSlate.
A Solana wallet tied to renowned blockchain investigator ZachXBT has been accused of withdrawing nearly $4 million from a memecoin project associated with his name. The controversy comes amid a community-led effort to raise funds for his investigative work. ZACHXBT token Blockchain data shows that an address allegedly belonging to ZachXBT, identified as investigations.sol, received […]
The post Blockchain sleuth ZachXBT under scrutiny for alleged $4M memecoin exit appeared first on CryptoSlate.
The Blockchain Bandit, a hacker infamous for exploiting vulnerabilities in Ethereum wallets, has reappeared, consolidating stolen assets after years of inactivity. On Dec. 30, blockchain investigator ZachXBT reported that the hacker moved 51,000 ETH, worth approximately $172 million, into a single wallet. These funds were transferred from ten previously inactive wallets, marking the hacker’s first […]
The post 2016 hacker Blockchain Bandit resurfaces shifting $172 million in Ethereum to new wallets appeared first on CryptoSlate.
The notorious hacker accumulated 51,000 Ether mostly by guessing weak private keys from 2016 to 2018.
ZachXBT says a hacker has breached 15 crypto-focused X accounts to share scam memecoins that have netted the attacker around $500,000.
Blockchain investigator ZachXBT has revealed that malicious actors, identified as the “LastPass threat actor,” have siphoned off approximately $5.36 million in cryptocurrencies. In a Dec. 17 post on his Telegram Channel, ZachXBT stated: “Today an estimated $5.36M was drained by the LastPass threat actor from 40+ victim addresses. Stolen funds were swapped for ETH and […]
The post LastPass-linked crypto theft climbs to over $250 million after latest $5.4 million hit appeared first on CryptoSlate.