A Bitcoin user just lost 91 million USD in a transaction due to a sophisticated social engineering scam, according to blockchain investigator ZachXBT, and the stolen Bitcoin was later concealed through a privacy-focused wallet.
The victim was lured by impersonators posing as exchange support and hardware wallet support, transferring 783 Bitcoin in one go. On-chain data shows that the attacker laundered money through Wasabi Wallet, while ZachXBT ruled out North Korea's Lazarus group as the perpetrator.
Key points
Lost 91 million USD due to social engineering: 783 BTC was transferred in a single transaction, later laundered through Wasabi Wallet.
ZachXBT rules out Lazarus; tactics impersonating exchange support and hardware wallets have increased, especially with Ledger and Trezor.
How did the 91 million USD loss occur?
Victims were deceived by impersonators posing as cryptocurrency exchange and hardware wallet support, transferring 783 Bitcoin (BTC) in one transaction, according to ZachXBT.
Information published by ZachXBT on X confirms this is a scam based on social engineering, exploiting trust to gain control. The number 783 BTC corresponds to about 91 million USD at the time of the transaction, reflecting a massive loss in just a few minutes.
The incident reaffirms the trend of attackers targeting individuals rather than technical vulnerabilities, especially when the victim possesses a significant amount of assets and has a habit of interacting with 'technical support'.
When did the stolen transaction occur and where did the money go?
The transaction took place at 11:06 UTC, equivalent to 18:06 Vietnam time, Tuesday. The next day, the money was laundered through Wasabi Wallet.
On-chain data shows that the attacker received funds into a clean address bc1qyxyk and then used the privacy feature of Wasabi Wallet to obscure the trail, according to ZachXBT. You can view the transaction address on an independent explorer tool to verify the cash flow.
Using Wasabi reflects the goal of disrupting traceability, a familiar tactic after major thefts to obscure and legitimize assets.
Is Lazarus Group involved?
No. ZachXBT stated that they could not identify a suspect but ruled out North Korea's Lazarus Group.
According to the description, the money was transferred to a clean address before entering Wasabi Wallet, showing no signs that matched the behavior patterns usually attributed to Lazarus. ZachXBT also notes it is coincidental that the attack occurred exactly one year after the 243 million USD theft targeting Genesis creditors.
Excluding Lazarus helps narrow the investigation to a scam model based on impersonating technical support, rather than sophisticated attacks on the exchange's infrastructure.
Why are social engineering attacks still effective?
Because they exploit human factors: fear, urgency and misplaced trust, leading victims to hand over access themselves.
Attacks often combine phone calls, emails, messages, and fake websites to lure victims into providing private keys or recovery phrases. Once the information is leaked, assets in self-managed wallets are very difficult to recover because blockchain transactions are irreversible.
Scammers also use remote support tools, impersonating 'security updates' to manipulate users' transaction signing actions, especially with hardware wallets.
How do scammers impersonate exchange support and hardware wallets?
They impersonate official contacts, borrowing the names of Ledger, Trezor... and request recovery phrases or give instructions to 'update security'.
At the end of April, impersonators of Ledger sent company-stamped letters, asking users to provide their recovery phrase to 'resolve issues' and threatened to restrict wallet access if they did not comply. Also that month, an elderly citizen in the United States lost over 330 million USD in Bitcoin due to social engineering, shocking the community.
This is a repeating pattern: create a sense of urgency, demand immediate action, and lure victims into revealing sensitive information or signing transactions without proper checking.
What will the scale of cryptocurrency theft be in 2025?
In the first 5 months of 2025, losses from cryptocurrency-related attacks surpassed 2.1 billion USD, according to CertiK (June).
CertiK reports that most losses stem from wallet compromises and phishing incidents, indicating that user safety remains a weak link. The largest incident at that time was a 1.4 billion USD exploit targeting Bybit exchange in February, despite being a large platform that is regularly audited.
These numbers show that cybercriminals continue to successfully exploit both individual and business targets, using a combination of technical and psychological tactics.
How to reduce the risk of falling victim to social engineering?
Core principle: independently verify every contact, do not provide your recovery phrase or private key under any circumstances.
– Always access the official site by typing the address yourself or using a bookmark.
– Do not install software or browser extensions at the instruction of strangers.
– Enable multi-factor authentication, but not SMS-based.
– Separate long-term storage wallets from transaction wallets, and keep low limits on the latter.
– Carefully check transaction details on the hardware wallet screen before signing.
"Assume that every call or email you receive is a scam by default."
ZachXBT, a blockchain investigator, responded on X. Source: X.com (contact for Q&A with @JoeyMooose, referring to ZachXBT's Thursday post)
Safety lessons about recovery phrases and hardware wallets?
The recovery phrase is the lifeline of the wallet. No one has the right to ask you to reveal it, not even 'technical support'.
If someone asks you to provide a 12/24-word phrase, or instructs you to enter the phrase into an unfamiliar site or app, it is a scam. For hardware wallets, only update firmware through the official software, and check the URL and digital signatures. Store the recovery phrase offline, in separate locations, and avoid photographing it or saving it in the cloud.
"Ledger will never ask you to provide your 24-word recovery phrase."
Ledger Support, official support center. Source: Ledger's phishing avoidance guide.
What to do immediately if you suspect your key has been compromised?
Transfer assets to a new wallet and a new phrase immediately. Revoke access to third-party applications, revoke token approvals, and scan the computer for remote control software.
Contact the security team of the relevant exchange/app through official channels, provide transaction hashes and addresses. Keep evidence, report to local authorities to assist in the investigation.
Summary table of common tactics and how to identify them
Below is a brief description of common tactics and recommended preventive actions.
– Impersonating exchange/wallet support. Identification signs: requests for the recovery phrase, a sense of urgency, unfamiliar phone numbers or emails. Safe actions: do not provide the phrase; cut contact; check the official site yourself.
– Phishing email/SMS. Identification signs: strange links, typos, look-alike domains. Safe actions: do not click links; verify the URL; enable browser security alerts.
– Fake software updates. Identification signs: installation files sent via chat/email, requests to disable security software. Safe actions: only download from official websites; check checksums/digital signatures.
– Remote control tools. Identification signs: requests to install AnyDesk/TeamViewer for 'support'. Safe actions: refuse; do not grant control over the machine holding the wallet.
– SIM swap. Identification signs: unusual signal loss, OTP failure. Safe actions: use app-based 2FA; lock the SIM; contact the carrier immediately.
Primary sources and references
– ZachXBT's post about the incident and cash flow: X.com/ZachXBT.
– On-chain transaction data: independent blockchain explorer.
– Discussion on preventing social engineering: related discussions on X.
– Loss data for the first 5 months of 2025: CertiK, June 2025 report.
– Phishing prevention guide: Ledger Support, support center.
Frequently asked questions
Why do scammers use Wasabi Wallet to launder money?
Because Wasabi provides privacy features like coinjoin, which help obscure on-chain cash flows. This is a common step after major thefts to hinder tracing.
How to verify that support contact is legitimate?
Do not respond to links/calls sent to you. Manually type the official website address, log in, and open a ticket in the system. Verify the domain, HTTPS certificates, and verified social media accounts.
If I have already shared the recovery phrase, is there still a way to recover?
Hardly. Create a new phrase on a new wallet, transfer all assets immediately. Revoke app permissions, check the device, and contact the exchange/app for investigation support.
Can Bitcoin transactions be reversed?
No. Bitcoin transactions are immutable. The only options are prevention and reacting very quickly to move assets before they are completely withdrawn.
Is Lazarus Group suspected in this case?
No. According to ZachXBT, Lazarus is ruled out. The cash flow and method do not match the usual behavior patterns of this group.
Source: https://tintucbitcoin.com/zachxbt-bitcoiner-mat-91-trieu-usd/