On-chain investigator ZachXBT shed more light on the recent case of BTC phishing that took away 3,520 BTC from a single wallet. Apparently, the funds were stolen in a personalized scam targeting an elderly investor.
On-chain investigator ZachXBT shed more light on the recent heist that took 3,520 BTC from a single wallet. The heist was noticed when Monero (XMR) rallied to a one-year high, as the thief was trying to cash out through an anonymous coin.
ZachXBT reported that $7M was tracked and frozen with the help of other on-chain investigators and Binance’s team.
Update: So far $7M+ has been frozen with the help of @CFInvestigators, @tanuki42_, Binance Security team, and myself.
— ZachXBT (@zachxbt) May 2, 2025
The heist was traced to two social media personalities, Nina/Mo, and W0rk, who operated from the UK. The scammers later deleted their social media, though they left tracks on the Bitcoin chain.
The targeted individual was based in the USA, and apparently had little trouble in keeping the BTC, after moving the funds to a new address about a month ago. The targeted wallet belonged to a relatively early BTC whale, who used Gemini to build up the large wallet.
Investigators suspect either lax security or trusting the scammers enough to expose the wallet or send funds. No malware or smart contracts have been involved. Confidence games have also spoofed investment opportunities, complete with deposit links for crypto.
BTC phishing funds swapped or kept in new wallets
Heists targeting BTC are relatively rare, as the coin is not held in easily accessible Web3 wallets. However, the phishing team still managed to make their target to expose the wallet.
Some of the funds are still held in new addresses with smaller holdings, split into small sums of 5 BTC. Over 17 BTC were sent to a KuCoin hot wallet, with the potential to intercept the funds.
The hacker address received multiple transactions from the victim, with the largest one for 2.78K BTC in a single transaction. Investigators have not answered whether the victim sent out the transactions willingly or if the wallet’s keys were compromised.
The theft of BTC remains unusual, as most confidence scams often resort to using stablecoins. However, the pattern of attacking elderly investors remains valid. Stablecoins can be concealed more easily, using P2P markets like Huione Guarantee.
Following the theft, the price of XMR remained elevated at above $280. Most of the XMR volume concentrated on KuCoin. Nearly 47% of all XMR activity is locked in several pairs on the South Korean exchange.
One obstacle for the hacker may be the inability to withdraw XMR from the exchange. The coin saw highly elevated volumes as other traders joined.
KuCoin only shares its reserves of BTC, ETH, and stablecoins, with no data on actual XMR available for withdrawal. While on the exchange, XMR offers no actual privacy. However, KuCoin has not been mentioned as one of the assistants of ZachXBT for intercepting some of the funds.
The MEXC exchange was also used for some of the swaps. The market operator has not shared its XMR or other available reserves.
Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot
