Blockchain investigator ZachXBT published a detailed thread on X alleging that an online alias known as “John” or “Lick” sits at the center of a network of cryptocurrency thefts. The thread links private wallets and U.S. government seizure addresses and describes how a leaked Telegram call and onchain analysis provided the main leads.
Overview of the Alleged Theft
ZachXBT’s post frames the case as a coordinated series of transfers rather than isolated hacks, with wallets showing tens of millions in suspect inflows. The investigator says the online persona “John” or “Lick” was connected to those wallets through transaction patterns and other onchain signals. These findings brought renewed attention because some of the traced funds were associated with addresses described as controlled by U.S. government agencies.
Details of the Investigation
Leaked Telegram call
According to the onchain analysis, the alleged actor revealed identifying clues during a leaked Telegram call, where boasts and other comments gave investigators material that could be matched to blockchain activity. That recording provided the breadcrumbs investigators used to focus their wallet tracing efforts, turning a private conversation into a public piece of evidence.
Onchain analysis and wallet tracing
Onchain tracing linked the addresses highlighted by the investigator to significant inflows described as suspect, and the pattern of movements suggested deliberate, threaded transfers rather than opportunistic one-off drains. The analysis relied on matching transaction flows and timing to build a chain of connections between wallets attributed to the alleged actor.
Connection to U.S. government seizure addresses
The investigator reported that some wallets in the traced chain had links to addresses previously identified as controlled by U.S. government seizure processes, which raised concern among observers about how those funds were moved. While the traced amounts were described as totaling tens of millions, the findings stopped short of showing a direct, publicly verifiable chain from seizure to final destination.
Reactions and Current Status
The thread reverberated across crypto communities and prompted discussion about access and oversight of high-value addresses, but official agencies have not issued statements. No criminal charges have been announced, and the absence of confirmation from authorities has left the situation in a state of public speculation rather than settled fact.
Implications and Lessons
The case highlights two linked dynamics: the visibility of blockchain records and the risk that human error or self-identifying talk can undermine operational secrecy. It also illustrates how leaked communications can become key leads when combined with transparent onchain data, even if they do not immediately produce legal action.
For context on other thefts and wallet compromises, see a recent Trust Wallet hack and the reported Coinbase fraud case, which both show how attackers and stolen funds can move across services and addresses.
Why this matters
If you run one or many mining rigs in Russia, this story may not change your day-to-day operations, but it is a reminder that high-value addresses are not immune to complex exploitation. The incident shows that public blockchain records, combined with leaked communications, can reveal connections investigators or the public can follow even when official channels stay silent.
What to do?
Practical steps for small and medium miners are simple and focused on risk reduction. Treat keys and account access as the primary attack surface, keep holdings in properly managed wallets, and avoid reusing credentials across services.
- Keep private keys offline when possible (cold storage) and use reputable hardware wallets for significant balances.
- Use unique, strong credentials and enable two-factor authentication on all exchange and custody accounts.
- Monitor addresses you interact with and be cautious with unknown links or offers; sudden transfers and social engineering often accompany larger schemes.
- Maintain up-to-date software on mining equipment and management tools to reduce exposure from compromised endpoints.