ZachXBT

Pseudonymous blockchain investigator

From Wikipedia, the free encyclopedia

ZachXBT, also identified as Zachary Wolk,[2] is a pseudonymous American blockchain investigator and open-source intelligence (OSINT) researcher known for independent forensic investigations into cryptocurrency fraud, scams, and thefts. He has been active on X (formerly Twitter) since 2021, publishing detailed investigative threads that trace stolen funds, expose rug pulls, and identify perpetrators of crypto-related crime.[3][4] His work has contributed to the recovery of hundreds of millions of dollars in stolen digital assets and has assisted law enforcement agencies in arrests across multiple countries.[4][5]

Born
Zachary Wolk[1]
Occupations
  • Blockchain investigator
  • OSINT researcher
Employer
Paradigm (2025–present)
Known for
Independent cryptocurrency fraud investigations

Wired has described ZachXBT as the most prolific independent crypto-focused detective in the world.[3] He was named to CoinDesk's Most Influential 2024 list.[6] In February 2025, he joined the cryptocurrency investment firm Paradigm as an incident response advisor.[7]

Early life and identity

ZachXBT maintains strict anonymity and has never publicly disclosed his full name or appearance.[3] His online persona is represented by an avatar of a cartoon platypus wearing a detective's trench coat.[3] In a 2024 interview with Wired, he participated on the condition that the publication would not attempt to identify him.[3] Court filings from a 2023 defamation lawsuit revealed his full name as Zachary Wolk and established that he resides within the jurisdiction of the United States District Court for the Western District of Texas.[8][9][10]

According to his own account, ZachXBT entered the cryptocurrency space around 2017, during the initial coin offering boom. After losing money to multiple fraudulent projects, he began analyzing blockchain data and tracing the flow of stolen funds.[3] He has stated that he has no formal training in investigations or law enforcement, describing his skills as self-taught through years of blockchain analysis.[3]

Career

Independent investigations (2021–2025)

ZachXBT began publishing investigative threads on Twitter (now X) in 2021. In his early collaborations with law enforcement, he would keep his camera off during conference calls and use voice-changing software to protect his identity. Joe McGill, a United States Secret Service analyst who worked with ZachXBT, recalled that the practice was initially unusual but that the quality of ZachXBT's work warranted respect for his anonymity.[3]

He publishes findings primarily through detailed threads on X and maintains a Telegram channel for longer-form investigations.[6] ZachXBT generally provides investigative services without charge, though he has accepted paid engagements from victims of major thefts.[6][4]

Paradigm (2025–present)

In February 2025, ZachXBT joined Paradigm, a cryptocurrency venture capital firm, as an incident response advisor, working with the firm on security matters.[7] Paradigm co-founder Matt Huang stated that ZachXBT had helped recover more than $350 million for victims of hacks and scams.[11]

Investigative methods

ZachXBT's investigative approach combines blockchain forensics with open-source intelligence (OSINT) techniques.[12] His methods include tracing fund flows across wallets and exchanges, address clustering to identify related accounts, and cross-referencing on-chain data with public records such as domain registrations, court filings, and social media activity.[12] He also monitors online forums and chat groups on Telegram and Discord where cybercriminals congregate, using social media intelligence to identify suspects.[4]

In August 2025, ZachXBT was announced as a launch partner for the Beacon Network, a real-time communication network created by blockchain intelligence firm TRM Labs. The network allows investigators, cryptocurrency exchanges, and custodians to collaborate instantly to freeze stolen funds. ZachXBT's role involves providing incident response and research to help mitigate the impact of active exploits.[13][14]

Cryptocurrency investigator Nick Bax, founder of the firm Five I's, has described ZachXBT's work rate as extraordinary, noting an instance in which ZachXBT manually analyzed 500 transactions in approximately 12 hours.[3] Taylor Monahan, a security researcher at MetaMask and a frequent collaborator, has stated that ZachXBT's published findings increasingly carry direct consequences for their subjects, often leading to arrests.[3]

Notable investigations

Bored Ape Yacht Club phishing ring (2021)

In 2021, ZachXBT tracked a phishing operation targeting owners of Bored Ape Yacht Club (BAYC) non-fungible tokens. The scheme involved a fraudulent service that purported to animate users' BAYC NFTs but instead directed them to a phishing site designed to steal the NFTs from their wallets. ZachXBT identified the five-person crime ring behind the operation, which had stolen more than $2.5 million in NFTs. His findings assisted French authorities in arresting and convicting all five individuals.[15]

$243 million Genesis creditor theft (2024)

On August 19, 2024, ZachXBT received an alert about an unusually large Bitcoin transaction while preparing to board a flight.[4] He began tracing the funds back to a wallet holding approximately $243 million in Bitcoin, some dating back to 2012, belonging to a single creditor of the defunct trading firm Genesis who held assets through the Gemini exchange.[4][16]

The attackers had used social engineering to impersonate Google and Gemini support staff, convincing the victim to reset two-factor authentication settings and install remote desktop software, which allowed them to extract private keys from the victim's Bitcoin Core wallet.[17] ZachXBT traced the stolen 4,064 BTC as it was split across more than 15 exchanges and converted between Bitcoin, Litecoin, Ethereum, and Monero to obscure the trail.[16]

A source provided ZachXBT with screen recordings of a Discord chat session made during the heist, in which one of the suspects inadvertently revealed his real name.[4][18] ZachXBT identified three suspects and shared his findings with U.S. law enforcement. The United States Department of Justice subsequently charged Malone Lam and Jeandiel Serrano, who were arrested in Miami and Los Angeles on September 18, 2024.[17] A third suspect, Veer Chetal, whose parents were subsequently targeted in a violent kidnapping attempt in Danbury, Connecticut, connected to the stolen funds, was arrested in March 2025.[4][18] A fourth suspect, identified by ZachXBT as Danish Zulfiqar, was reportedly taken into custody in Dubai in December 2025.[19] Cryptoforensic Investigators, zeroShadow, and Binance Security froze more than $9 million in stolen funds, with over $500,000 returned to the victim.[17]

Bybit hack and Lazarus Group attribution (2025)

On February 21, 2025, the cryptocurrency exchange Bybit suffered a security breach resulting in the loss of approximately $1.5 billion in Ethereum-related assets, the largest single theft in cryptocurrency history at the time.[20] Within hours, ZachXBT submitted evidence to blockchain analytics platform Arkham Intelligence identifying North Korea's Lazarus Group as the perpetrators, based on analysis of test transactions and connected wallets used ahead of the exploit, as well as forensic graphs and timing analyses linking the attack to prior Lazarus Group operations against other exchanges.[21] The Federal Bureau of Investigation subsequently confirmed the Lazarus Group's responsibility.[22]

U.S. Marshals Service seized crypto theft (2026)

In late January 2026, ZachXBT published an investigation alleging that an individual operating under the online handle "Lick" had stolen more than $46 million in cryptocurrency from wallets managed by the United States Marshals Service (USMS).[23] The investigation originated after ZachXBT obtained a recording of a dispute in a private Telegram group chat, in which two individuals attempted to prove who controlled more cryptocurrency. During the exchange, one participant screen-shared a wallet holding approximately $2.3 million and then transferred $6.7 million in ether in real time, inadvertently demonstrating control over addresses that ZachXBT traced back to government wallets.[24][25]

ZachXBT identified the individual as John Daghita, the son of Dean Daghita, president of Command Services & Support (CMDSS), a Virginia-based firm awarded a USMS contract in October 2024 to manage and dispose of certain categories of seized digital assets.[25] After ZachXBT reported his findings to authorities, the USMS opened an investigation.[23] Daghita reportedly taunted ZachXBT on Telegram and sent small amounts of allegedly stolen cryptocurrency to ZachXBT's public wallet address in what is known as a dust attack.[5]

On March 5, 2026, FBI director Kash Patel announced that Daghita had been arrested on the island of Saint Martin in a joint operation between the FBI and the French Gendarmerie's elite tactical unit.[26][27] Law enforcement seized cash, hard drives, and security keys during the arrest.[5] The case drew scrutiny to the USMS's reliance on outside contractors for custody of seized digital assets.[25]
