
ZachXBT

Independent crypto fraud investigator known for tracing stolen funds, exposing scams, and publishing findings on Telegram. Investigations sourced from ZachXBT are ingested in real time, archived via the Wayback Machine, and anchored on Solana.

https://t.me/zachxbt

102 investigations from this source

avoid.net/tornado-cash 0/100 [CRITICAL]

Tornado Cash is a decentralized, non-custodial cryptocurrency mixing protocol deployed on Ethereum in December 2019, co-founded by Roman Storm, Roman Semenov, and Alexey Pertsev. It was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in August 2022 for allegedly laundering over $7 billion in virtual currency, including hundreds of millions stolen by North Korea's Lazarus Group; the sanctions were later lifted in March 2025 following a Fifth Circuit ruling that immutable smart contracts do not constitute sanctionable 'property' under IEEPA. All three co-founders face or have faced criminal proceedings: Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months in prison, Storm was convicted on one of three counts in the U.S. in August 2025, and Semenov remains at large.

avoid.net/lazarus-group 0/100 [CRITICAL]

Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor, also tracked as APT38, TraderTraitor, BlueNorOff, Hidden Cobra, and ZINC, operating under the Reconnaissance General Bureau (RGB) of the Korean People's Army. Active since approximately 2009, the group has stolen an estimated $6.75 billion in cryptocurrency through targeted attacks on exchanges, bridges, and blockchain companies, using stolen funds to finance North Korea's weapons programs and circumvent international sanctions. The U.S. Department of Justice has indicted three named members, and OFAC placed the group on the Specially Designated Nationals (SDN) list in April 2022.

avoid.net/blacksuit 0/100 [CRITICAL]

BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.

avoid.net/fake-hyperliquid-app 0/100 [CRITICAL]

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

avoid.net/chris-larsen 0/100 [CRITICAL]

Chris Larsen is the co-founder and Executive Chairman of Ripple, one of the most prominent figures in the XRP ecosystem. On January 30, 2024, attackers drained an estimated 213–283 million XRP (valued at $112.5–$150 million) from his personal cryptocurrency accounts — not Ripple corporate wallets — in what became the largest individual crypto theft of 2024. A U.S. government forfeiture complaint filed in March 2025 linked the breach to the 2022 LastPass password manager hack, alleging that private keys had been stored in an online vault subsequently compromised by attackers.

avoid.net/compound-finance 0/100 [CRITICAL]

Compound Finance is an Ethereum-based decentralized lending protocol founded in 2017 by Robert Leshner and Geoffrey Hayes that allows users to lend and borrow cryptocurrencies algorithmically. The protocol has been subject to multiple significant security and governance incidents, including a 2021 smart contract bug that placed up to ~280,000 COMP tokens (approximately $80–90 million) at risk, a 2024 alleged governance takeover by a whale known as 'Humpy,' and a July 2024 front-end DNS hijacking attack tied to the Squarespace registrar migration. Despite these incidents, the core smart contract protocol has not been exploited; the recurring issues have primarily affected token distribution, governance integrity, and front-end infrastructure.

avoid.net/fake-ledger-live-app 0/100 [CRITICAL]

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.

avoid.net/malone 0/100 [CRITICAL]

Malone Lam Yu Xuan (born July 19, 2004), a Singaporean national residing in Miami and Los Angeles, is the alleged ringleader of a crypto theft and money laundering enterprise responsible for stealing over $263 million across multiple victims between 2023 and 2025. He was arrested by the FBI on September 18, 2024, and faces RICO conspiracy charges in what prosecutors describe as the first Bitcoin-related RICO prosecution in U.S. history. As of early 2026, he remains in pretrial detention while negotiating a plea deal.

avoid.net/velodrome 0/100 [CRITICAL]

Velodrome Finance is an automated market maker (AMM) and decentralized exchange (DEX) launched on June 2, 2022, on the Optimism Layer 2 network. It is a fork and improvement of Andre Cronje's Solidly Exchange, implementing a ve(3,3) governance and liquidity incentive model. The protocol has experienced three documented security incidents: an insider theft of $350,000 by a team member in August 2022, a DNS/frontend social-engineering attack in November–December 2023 resulting in approximately $250,000 in user losses, and a second DNS hijacking in November 2025 attributed to a NameSilo registrar insider, resulting in estimated losses of $700,000–$1,000,000. Smart contracts have not been directly exploited; all monetary losses have stemmed from front-end and operational security failures.

avoid.net/ledger 0/100 [CRITICAL]

Ledger SAS is a Paris-based hardware cryptocurrency wallet manufacturer founded in 2014, producing the Nano S and Nano X devices used by millions worldwide. Despite its status as a legitimate and established company, Ledger has been involved in two major security incidents: a 2020 customer database breach exposing over 1 million email addresses and 272,000 physical addresses, and a December 2023 supply chain attack on its @ledgerhq/connect-kit npm package that drained approximately $600,000–$850,000 from users of multiple DeFi protocols via the Angel Drainer malware-as-a-service. A third-party data breach via payment processor Global-e was disclosed in January 2026.

avoid.net/pink-drainer 0/100 [CRITICAL]

Pink Drainer was a Drainer-as-a-Service (DaaS) phishing toolkit that operated from approximately July 2023 to May 2024, facilitating the theft of over $85.3 million in cryptocurrency from more than 21,000 victims across Ethereum and other networks. The operators ran the service by licensing a sophisticated wallet-draining script to affiliate phishers for a 20-30% cut of stolen proceeds, then announced a voluntary shutdown on May 17, 2024, citing their goal as 'accomplished.'

avoid.net/inferno-drainer 0/100 [CRITICAL]

Inferno Drainer is a scam-as-a-service (drainer-as-a-service) platform that provided phishing infrastructure and malicious wallet-draining scripts to criminal affiliates in exchange for a percentage of stolen funds. Active from November 2022 through at least early 2025, it is attributed to stealing over $80 million from approximately 137,000 victims during its initial operational phase, with operators claiming a cumulative total exceeding $250 million across all periods including a covert post-shutdown phase. It operates by luring victims to phishing websites impersonating legitimate crypto brands, tricking users into signing malicious transactions that drain wallets across multiple EVM-compatible blockchains.

avoid.net/dprk 0/100 [CRITICAL]

The Democratic People's Republic of Korea (DPRK), operating primarily through state-sponsored hacking units designated as the Lazarus Group, TraderTraitor, and APT38, has stolen an estimated $6.75 billion in cryptocurrency since 2016 across dozens of major exploits. These operations are attributed by the FBI, OFAC, CISA, and allied governments to North Korea's Reconnaissance General Bureau and are conducted to fund the regime's weapons of mass destruction and ballistic missile programs in circumvention of international sanctions. DPRK-linked hackers are responsible for the largest single crypto theft in history — the $1.5 billion Bybit hack in February 2025 — and continue to operate at unprecedented scale and sophistication.

avoid.net/lastpass-threat-actor 0/100 [CRITICAL]

An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft from Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.

avoid.net/blockchain-bandit 0/100 [CRITICAL]

The Blockchain Bandit is an unidentified threat actor or group that systematically exploited Ethereum wallets holding cryptographically weak private keys between approximately 2015 and 2018, accumulating more than 45,000 ETH (worth over $54 million at peak 2018 valuations) through a technique researchers later termed 'Ethercombing.' The actor compromised 732 private keys across 49,060 transactions, draining wallets in near-real-time using automated blockchain monitoring. Dormant since 2018, the actor re-emerged in January 2023 and again in December 2024, consolidating approximately 51,000 ETH (valued at roughly $172 million) into a single multisig wallet, as tracked by on-chain investigator ZachXBT.

avoid.net/wazirx 2/100 [CRITICAL]

WazirX is an Indian cryptocurrency exchange co-founded in 2018 by Nischal Shetty, Sameer Mhatre, and Siddharth Menon that suffered the largest crypto hack in Indian history on July 18, 2024, when approximately $234.9 million in user assets were stolen from a Gnosis Safe multisig wallet via a sophisticated supply-chain-style attack attributed by Elliptic, ZachXBT, and a joint US-Japan-South Korea government statement to North Korea's Lazarus Group. The hack triggered suspension of all withdrawals, a Singapore court-supervised restructuring process in which users are expected to recover approximately 55% of their assets, and ongoing regulatory and law enforcement scrutiny in India.

avoid.net/vkevin 2/100 [CRITICAL]

Vkevin is a pseudonymous threat actor known for operating fake Safeguard Telegram bot phishing campaigns that have allegedly drained seven figures from victims' cryptocurrency wallets. On January 23, 2025, blockchain investigator ZachXBT published a 31-minute video exposing Vkevin in the act of running these scams from what was described as a New York school, and confirmed the individual had been doxxed. Vkevin is additionally alleged to have conducted a 2022 Discord attack against DigikongNFT using a spoofed MEE6 bot, resulting in over $300,000 in NFT losses.

avoid.net/wiz-khalifa-pump-fun 2/100 [CRITICAL]

On November 3, 2024, unidentified scammers compromised the X (Twitter) account of rapper Wiz Khalifa (35.7 million followers) and used it to promote two fraudulent Solana meme coins — $WIZ and $WIZZLE — launched on pump.fun. The $WIZ token reached a peak market cap of approximately $2.5 million within 15 minutes before collapsing over 95% in under one hour, with at least two insider wallets extracting a combined $160,000 in profit. Blockchain investigator ZachXBT linked the incident to a broader campaign of celebrity account takeovers that allegedly stole over $3.5 million in total, and subsequently accused a former professional Fortnite player known as 'Serpent' of involvement in the coordinated scheme.

avoid.net/magnate-finance 2/100 [CRITICAL]

Magnate Finance was a DeFi lending and borrowing protocol deployed on Coinbase's Base Layer 2 network that executed an exit scam on August 25, 2023, stealing approximately $6.4–6.5 million in user funds by manipulating its price oracle. On-chain investigator ZachXBT issued a public warning hours before the rug pull, having traced the deployer address to at least two prior exit scams: Solfire ($4.8M, January 2022) and Kokomo Finance ($5.5M, March 2023), establishing this as the work of a repeat-offender scam ring responsible for over $16.7 million in total losses.

avoid.net/glori-finance 2/100 [CRITICAL]

Glori Finance was an alleged DeFi lending protocol deployed on the Arbitrum network in early 2024, operating as a Compound V2 fork with approximately $1.4 million in total value locked (TVL) at the time of its exposure. On April 14, 2024, blockchain investigator ZachXBT identified that the top GLORI token holders had seeded liquidity using funds stolen from prior scams — specifically the Crolend, Hash DAO, and HellHoundFi frauds — linking Glori Finance to a serial scam ring responsible for over $20 million in cumulative losses. Following ZachXBT's public disclosure, the Glori Finance X account was deactivated and the protocol's website went offline, consistent with an exit scam.

avoid.net/nftmachine 2/100 [CRITICAL]

NFTMachine is the online alias of Tyler Gaye, a Denver, Colorado resident who allegedly orchestrated a presale fraud in early 2021 by raising approximately $500,000 (reportedly 277 ETH from 130+ investors) for a promised NFT marketplace called opeNFT (also stylized ONFT), which was never launched. A Denver District Court judge entered a default judgment of $275,000 against Gaye in November 2022, classifying the conduct as civil theft. On-chain investigator ZachXBT has subsequently alleged Gaye continued launching new crypto projects — including Arcade DAO and Gamegear — under the alias 'scaredofboobs' without satisfying the court-ordered judgment.

avoid.net/bitforex 2/100 [CRITICAL]

Bitforex was a cryptocurrency exchange founded in 2017, registered in Seychelles and operating under a Hong Kong address, which collapsed in February 2024 after approximately $56.5 million was drained from its hot wallets across Ethereum, Tron, and Bitcoin in a controlled fund extraction widely characterized as an exit scam. The exchange had a documented history of wash trading allegations dating to 2018, a prior unexplained withdrawal freeze in 2022, regulatory warnings from Japan's FSA and Hong Kong's SFC, and operated without a license in the jurisdictions it claimed as home. Following the collapse, team members were allegedly detained by Jiangsu Province police in China, and the exchange briefly reopened for KYC-verified withdrawals in July 2024 before announcing permanent closure.

avoid.net/aqua 2/100 [CRITICAL]

Aqua (also known as AquaBot) was a Solana-based Telegram trading bot that conducted a presale in September 2025, raising approximately 21,770 SOL ($4.65 million) from retail investors before executing an apparent exit scam. On-chain investigator ZachXBT flagged the project after presale funds were split into four tranches, routed through intermediary wallets, and sent to instant exchanges hours before the scheduled token generation event. The project had secured endorsements from multiple established Solana ecosystem participants — including Meteora, Helius, Dialect, SYMMIO — and had received a near-perfect audit score from QuillAudits just days before the alleged rug pull.

avoid.net/exch 2/100 [CRITICAL]

eXch (exch.cx) was a no-KYC instant cryptocurrency swap service operating from 2014 until its forced shutdown in May 2025. Registered in Belize under the name Private Project Facilitators LTD, the platform processed an estimated $1.9 billion in total volume, deliberately advertising its absence of anti-money laundering controls on criminal underground forums. German federal law enforcement seized approximately $38 million in cryptocurrency assets and 8 terabytes of data from the platform in April 2025, following evidence linking eXch to laundering roughly $200 million of funds stolen in the $1.46 billion Bybit hack carried out by North Korea's Lazarus Group.

avoid.net/veer-chetal 2/100 [CRITICAL]

Veer Chetal, known online as 'Wiz,' is a 19-year-old from Danbury, Connecticut who pleaded guilty in November 2024 to conspiracy to commit wire fraud and conspiracy to launder monetary instruments in connection with a $243–245 million Bitcoin theft targeting a single Genesis creditor via social engineering. He was identified and exposed by blockchain investigator ZachXBT, who traced stolen funds on-chain and publicly named the perpetrators before law enforcement arrests were made. Chetal was re-arrested in early 2025 after committing additional crypto thefts while released on bond and faces a federal sentencing guideline range of 19–24 years imprisonment.

avoid.net/friend-tech 4/100 [CRITICAL]

Friend.tech was a SocialFi application launched on Coinbase's Base L2 in August 2023 that allowed users to buy and sell tokenized 'keys' (shares) of social media influencers. The platform suffered a wave of SIM-swap attacks draining at least 343 ETH from users, exposed wallet addresses of 101,000 users via an API data breach, launched its FRIEND token in May 2024 which collapsed 98% within months, and was ultimately abandoned by its pseudonymous founders in September 2024 after they extracted approximately $44 million in protocol fees.

avoid.net/tradeogre 4/100 [CRITICAL]

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

avoid.net/nobitex 5/100 [CRITICAL]

Nobitex is Iran's largest cryptocurrency exchange, founded in 2017, claiming over 11 million users and handling approximately 70% of Iran's on-chain crypto volume. A March 2025 Reuters investigation identified its founders as brothers Ali and Mohammad Kharrazi — members of a family with documented ties to Iran's Supreme Leaders and the founding of the Islamic Revolutionary Guard Corps — who operated the exchange under an alternative surname. Blockchain analytics firms including Elliptic, Chainalysis, and TRM Labs have documented billions of dollars in flows through Nobitex connected to sanctioned Iranian state entities including the Central Bank of Iran and the IRGC, making the platform a critical node in Iran's sanctions evasion infrastructure.

avoid.net/wallstreetbets 5/100 [CRITICAL]

The 'WallStreetBets' brand has been exploited in at least two distinct crypto fraud incidents: a 2021 Telegram pre-mine scam using a fake 'WallStreetBets – Crypto Pumps' channel that stole over $2.1 million in BNB and ETH, and a 2023 Ethereum meme token (WSB Coin) that surged to a $50 million market cap before insiders allegedly dumped $635,000 worth of tokens within days of launch, collapsing the price by over 90%. Neither token was authorized by Reddit or the r/WallStreetBets subreddit, and ZachXBT publicly identified the alleged perpetrators in the 2023 incident.

avoid.net/jelly 5/100 [CRITICAL]

JELLY (JellyJelly / JELLYJELLY) is a Solana memecoin launched in January 2025 by Venmo co-founder Iqram Magdon-Ismail that became the center of a major market manipulation incident on Hyperliquid on March 26, 2025. A coordinated trader used a self-liquidation strategy — opening large opposing long and short positions — to force Hyperliquid's HLP liquidity vault to absorb a toxic short, causing up to $13.5 million in unrealized losses before validators emergency-delisted the token and force-settled all positions at a fixed price. The incident triggered widespread criticism of Hyperliquid's decentralization claims and raised systemic questions about perpetuals DEX risk management.

avoid.net/0x327a81d0d128db8886d265be73c9fdda97194f30 5/100 [CRITICAL]

Avalanche C-Chain address 0x327a81d0d128db8886d265be73c9fdda97194f30 was flagged by on-chain investigator ZachXBT in June 2024 as the primary launderer for the BTCTurk exchange hack, having transferred approximately 1.96 million AVAX (valued at ~$54.2 million) to Coinbase, Binance, Gate.io, and THORChain. ZachXBT's timing analysis linked subsequent BTC withdrawals of approximately $45.96 million to the same threat actor, who was also allegedly responsible for a concurrent $2.9 million theft from Sportsbet. The address currently holds negligible funds, consistent with successful laundering of proceeds.

avoid.net/gana-payment 5/100 [CRITICAL]

GANA Payment was a BNB Smart Chain payment-focused DeFi project (BEP-20 token) that launched on November 11, 2025 and was exploited nine days later on November 20, 2025, resulting in losses exceeding $3.1 million. On-chain investigator ZachXBT confirmed the attack, which involved a compromised deployer private key combined with abuse of EIP-7702 to drain the project's staking contract; stolen funds were subsequently laundered through Tornado Cash on both BSC and Ethereum. The GANA token lost over 90% of its value within 24 hours of the exploit.

avoid.net/sportsbet 6/100 [CRITICAL]

Sportsbet.io is a cryptocurrency gambling and sports betting platform operated by mBet Solutions N.V. under the Yolo Group umbrella, licensed in Curaçao. On June 22, 2024, blockchain investigator ZachXBT publicly identified that the platform's hot wallets were drained of approximately $3.5 million in USDT and TRX, attributing the attack to the same threat actor who hours later stole an estimated $55 million from Turkish exchange BtcTurk, with stolen funds allegedly commingled between both hacks. The platform has drawn ongoing scrutiny for operating in regulatory grey markets, serving users in jurisdictions where it holds no local license, and for systemic user complaints involving account closures and fund seizures following wins. Yolo Group founder Tim Heath confirmed in 2025 that the brand is being wound down in favor of fully regulated markets.

avoid.net/ton-blockchain 7/100 [CRITICAL]

TON (The Open Network) is a layer-1 blockchain originally developed by Telegram, abandoned in 2020 following an SEC enforcement action that compelled an $18.5 million penalty and $1.22 billion investor return, and subsequently revived by an independent TON Foundation. By 2024, rapid ecosystem growth attracted a significant wave of phishing campaigns, wallet drainer toolkits, pyramid schemes, and rug pull activity, with over 1,200 fraud cases reported in H1 2024 alone. In May 2026, Pavel Durov announced Telegram would reassume control as the network's largest validator, reintroducing centralization risk to a network already under scrutiny for facilitating illicit marketplaces.

avoid.net/pumpdotfun 8/100 [CRITICAL]

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

avoid.net/wallex 8/100 [CRITICAL]

Wallex is an Iranian cryptocurrency exchange founded in 2018 in Tehran by graduates of Sharif University of Technology, serving approximately 1 million users as of 2022 and operating as a major domestic crypto-to-rial on/off-ramp. On March 25, 2026, blockchain investigator ZachXBT flagged suspicious fund consolidation activity, prompting both Tether (USDT) and Circle (USDC) to simultaneously blacklist Wallex-linked wallet addresses, leaving approximately $2.49 million stranded on-chain. Wallex operates in a jurisdiction under comprehensive U.S. OFAC sanctions, has been linked by Chainalysis to transactions with a U.S.-sanctioned individual, and suffered a confirmed data breach in 2021 that exposed user credentials.

avoid.net/pumpfun 8/100 [CRITICAL]

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

avoid.net/cm-software 8/100 [CRITICAL]

C&M Software (also styled CMSW) is a Brazilian financial technology company authorized by the Banco Central do Brasil to provide connectivity between smaller financial institutions and Brazil's national payment infrastructure, including the PIX instant-payment system. On June 30, 2025, hackers exploited credentials sold by an insider employee to drain approximately R$800 million (roughly USD 140–148 million) from reserve accounts of at least six financial institutions, in what became Brazil's largest recorded banking cyberattack. A portion of the stolen funds—estimated at USD 30–40 million—was subsequently laundered through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT, with on-chain investigator ZachXBT playing a central role in tracing and partially freezing the laundered assets.

avoid.net/masa 12/100 [CRITICAL]

Masa (also known as Masa Finance, later rebranded as Gopher) is a Web3 data and identity protocol that launched a soulbound token standard on Ethereum in 2023 before pivoting to a decentralized AI data network. The MASA token, sold via CoinList in March 2024 at $0.079 and hitting an all-time high of approximately $0.4697 on its April 11, 2024 listing date, subsequently collapsed by over 99.9% to trade near $0.00002 by mid-2026. ZachXBT publicly accused the project of concealing a six-figure security exploit in September 2024, which the team later confirmed only after the allegation was made public.

avoid.net/lastpass 12/100 [CRITICAL]

LastPass is a widely used password manager that suffered a catastrophic two-stage data breach in 2022, resulting in the theft of encrypted customer password vaults containing cryptocurrency seed phrases and private keys. Threat actors subsequently cracked these vaults offline over the following years, draining crypto wallets in waves totaling more than $438 million across hundreds of victims by late 2025. The breach has led to a £1.2 million UK ICO regulatory fine, a $24.45 million US class action settlement, US federal seizures, and on-chain attribution by TRM Labs and blockchain researcher ZachXBT to Russian cybercriminal infrastructure.

avoid.net/tapioca-dao 12/100 [CRITICAL]

Tapioca DAO is an omnichain DeFi money market built on LayerZero, offering a CDP stablecoin (USDO) and isolated lending markets (Singularity/Big Bang) across Arbitrum and BNB Chain. On October 18, 2024, the protocol suffered a critical security breach when a team member was targeted by a social engineering attack attributed to North Korea's Contagious Interview campaign, resulting in private key compromise, drainage of TAP token vesting contracts, and the minting of 5 quintillion USDO. Approximately $4.4–4.7 million was stolen before a partial counter-exploit recovered roughly 996 ETH (~$2.7 million), leaving the protocol treasury down approximately 45% and the TAP token price collapsed over 95%.

avoid.net/garden-finance 14/100 [CRITICAL]

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, in which the Lazarus Group (DPRK) stole approximately $1.4 billion.

avoid.net/bitcoindepot 18/100 [CRITICAL]

Bitcoin Depot was once the largest Bitcoin ATM operator in North America, operating more than 9,000 kiosks before filing for Chapter 11 bankruptcy on May 18, 2026. The company faces lawsuits from the attorneys general of Iowa and Massachusetts alleging it knowingly facilitated crypto scams, with one state finding that more than 80% of high-value transactions at its kiosks were linked to fraud. Multiple data breaches, a $3.6 million wallet theft, regulatory enforcement in California, and on-chain evidence flagged by ZachXBT further document systemic compliance and security failures.

avoid.net/mexc 18/100 [CRITICAL]

MEXC is a centralized cryptocurrency exchange founded in 2018, incorporated in Seychelles, that has accumulated a significant regulatory record across multiple jurisdictions including warnings or cease orders from authorities in Hong Kong, Germany, Belgium, Japan, Estonia, and South Korea. The exchange gained widespread notoriety in late 2025 after on-chain investigator ZachXBT amplified user reports of frozen funds, including a high-profile case in which a trader known as 'The White Whale' had approximately $3 million frozen without adequate explanation, eventually prompting a public apology from the exchange's Chief Strategy Officer. MEXC's parent entity MEXC Global Ltd was struck off by the Seychelles registry in August 2023, dissolved in December 2024, and never obtained a license under the Seychelles VASP Act 2024, leaving its current operational and legal standing opaque.

avoid.net/kroll 18/100 [CRITICAL]

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

avoid.net/wasabi 18/100 [CRITICAL]

Wasabi Protocol is a decentralized perpetual futures and leveraged trading platform for memecoins and long-tail assets, deployed on Ethereum, Base, Berachain, and Blast. On April 30, 2026, the protocol suffered a critical multi-chain exploit in which a compromised admin deployer key was used to execute malicious UUPS proxy upgrades across core contracts, draining over $5 million in user funds. Security firm BlockSec reported that the attacker's wallets had been funded via Tornado Cash, and on-chain investigator ZachXBT publicly criticized the protocol for single-EOA admin control, absence of a timelock or multisig, and alleged misappropriation of project funds on influencer marketing.

avoid.net/hypc 18/100 [CRITICAL]

HyperCycle (HYPC) is an Ethereum ERC-20 token marketed as infrastructure for decentralized AI-to-AI transactions, co-founded by SingularityNET's Ben Goertzel and TODA inventor Toufi Saliba. The token has lost approximately 99% of its value from its all-time high of $1.29, and its smart contract contains a PAUSER_ROLE that allows a designated admin to halt all token transfers at will. No independent smart contract security audit has been publicly submitted, and the tokenomics structure — which allocates 20% to team, advisors, and partners with a relatively short vesting cliff — has been cited by multiple analysts as generating sustained selling pressure that disadvantages retail participants. ZachXBT has broadly flagged AI-narrative token projects as high-risk.

avoid.net/noones 18/100 [CRITICAL]

Noones is a peer-to-peer cryptocurrency trading platform targeting Africa and the Global South, founded and initially led by Ray Youssef, co-founder of the now-defunct Paxful. In January 2025, the platform suffered an $8 million hot-wallet exploit that was concealed for nearly three weeks before on-chain investigator ZachXBT publicly exposed the breach. Compounding platform risk, Youssef was subsequently indicted by the DOJ in early 2026 on federal AML charges stemming from his leadership of Paxful, and stepped down as Noones CEO shortly thereafter.

avoid.net/1eu2pmence1ufifcco2uhjcdoqoratpt7 20/100 [CRITICAL]

1EU2pMence1UfifCco2UHJCdoqorAtpT7 is a legacy P2PKH Bitcoin address holding approximately 9,999.99 BTC that has never had any outgoing transactions, marking it as a dormant high-value wallet. The address has been publicly circulated in attacker-community repositories as a brute-force cracking target, appearing in GitHub issue lists of 'rich wallet addresses for BTC crack' alongside automated key-collision tools. No verifiable private-key compromise or confirmed theft has been documented as of the investigation date; however, the address's inclusion in brute-force tooling databases and its indexing on privatekeys.pw elevates its risk profile considerably.

avoid.net/renzo 22/100 [CRITICAL]

Renzo Protocol is an Ethereum liquid restaking protocol that issues ezETH, serving as an interface to the EigenLayer ecosystem. In April 2024, ezETH suffered a severe depeg event — dropping as low as $700 in under one hour — triggered by an unpopular REZ tokenomics announcement that concentrated approximately 65% of supply with insiders and investors. The event caused over $56 million in DeFi liquidations affecting more than 250 users, and the REZ token has since lost approximately 97% of its all-time high value.

avoid.net/kelpdao 22/100 [CRITICAL]

KelpDAO (also KernelDAO) is an Ethereum-based liquid restaking protocol that issues rsETH, a yield-bearing token representing restaked positions via EigenLayer. On April 18, 2026, attackers attributed to North Korea's Lazarus Group (TraderTraitor subunit) exploited a single-verifier bridge configuration to mint 116,500 unbacked rsETH tokens worth approximately $292 million, making it the largest single DeFi exploit of 2026. The attack triggered cascading losses across Aave, SparkLend, and Fluid, sparked a $300 million+ industry recovery coalition (DeFi United), a legal dispute over $71 million frozen by Arbitrum's Security Council, and a protracted public blame dispute between KelpDAO and bridge provider LayerZero.

avoid.net/metawin 23/100 [CRITICAL]

Metawin is an offshore crypto casino and gaming platform licensed under the Anjouan (Comoros) gaming authority, operated by Asobi N.V. from Curacao, and founded by Richard 'Skel' Skelhorn. On November 3, 2024, the platform suffered a significant hot wallet exploit across Ethereum and Solana blockchains resulting in approximately $4 million in stolen funds, with blockchain investigator ZachXBT tracing the stolen assets to KuCoin and a nested HitBTC service across more than 115 attacker-linked addresses. The CEO subsequently claimed to have personally covered the losses, restoring withdrawals for approximately 95% of affected users, though the platform's offshore jurisdictional status and the underlying security vulnerability raise ongoing concerns.

avoid.net/netmind-ai 28/100 [WARNING]

Netmind AI (netmind.ai) is a London-based decentralized GPU compute network that issues the NMT token on both Ethereum (ERC20) and BNB Smart Chain (BEP20) via upgradeable proxy contracts. In March 2024, 440,000 NMT tokens were sold in a sudden dump that caused a 76% price crash — attributed by the team to a compromised early miner wallet, though the mechanism remains disputed. The NMT contract is an upgradeable transparent proxy that grants the owner unilateral ability to disable sells, change fees, mint, or transfer tokens, representing a material centralization and rug-risk vector flagged by security tools and, according to AVOID.NET source tagging, by ZachXBT.

avoid.net/andy 28/100 [WARNING]

ANDY is a meme token launched on the Base (Ethereum L2) network in 2024, built around the 'boy's club' internet meme character. Blockchain investigator ZachXBT documented a theft of approximately $2 million in ANDY tokens from a victim's wallet in June 2024, with the perpetrator converting roughly half the stolen funds to Ethereum. CertiK's Skynet platform assigned the token a score of 2.7 out of 100, indicating serious security and governance deficiencies. Allegations that individuals associated with the token conducted SIM-swap attacks targeting Korean-American crypto holders have been attributed to ZachXBT's flagging but remain unconfirmed by independently verifiable Tier 1 or Tier 2 sources.

avoid.net/jrny 28/100 [WARNING]

JRNY Crypto (real name allegedly Tony Spark) is a pseudonymous cryptocurrency and NFT influencer operating since 2017, with over 760,000 followers on X and 590,000 YouTube subscribers at peak activity. ZachXBT flagged the account in November 2024 after approximately $4 million in crypto assets were drained from associated wallets in a suspected private key compromise; JRNY did not publicly acknowledge the incident. Separate community-sourced allegations include undisclosed paid promotions, a paid strategic advisory role at BSC launchpad Seedify that critics allege was not consistently disclosed to audiences, and criticism over the JRNY Club and Planet Xolo NFT projects failing to meet roadmap commitments.

avoid.net/mixin 28/100 [WARNING]

Mixin Network is a Hong Kong-based cross-chain Layer 2 protocol that suffered one of the largest cryptocurrency hacks of 2023, losing approximately $200 million when its cloud service provider's database was compromised on September 23, 2023. The hack exposed a fundamental contradiction in Mixin's self-described decentralized architecture: the majority of user funds were held in hot wallets backed by a centralized cloud database. As of early 2026, the majority of stolen assets remain unrecovered, with the attacker beginning to launder funds through Tornado Cash.

avoid.net/spartans-bet 28/100 [WARNING]

Spartans Bet (spartans.com) is a crypto betting and casino platform launched in 2025, operated by Nexus International Entertainment Ltd, a company registered in Belize and licensed under the disputed Anjouan (Comoros) gaming authority. On-chain investigator ZachXBT alleged in 2025 that the platform's suspected co-founder, Gurhan Kiziloz, is also the hidden operator behind BlockDAG Network, a project ZachXBT claims raised over $300 million from retail investors through deceptive social media advertising and misappropriated presale funds via Middle Eastern OTC channels. Spartans makes prominent 'provably fair' claims that lack independently verifiable third-party audit documentation, and the platform carries a below-average safety index of 6.4/10 from casino.guru, with user complaints citing refused withdrawals and unfair bonus terms.

avoid.net/token-2049 28/100 [WARNING]

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

avoid.net/renzo-protocol 28/100 [WARNING]

Renzo Protocol is an EigenLayer liquid restaking protocol that issues ezETH, a liquid restaking token (LRT) representing restaked ETH. In April 2024, ezETH suffered a severe depeg — falling from ~$3,100 to as low as $688 on Uniswap — triggered by a controversial REZ tokenomics announcement that allocated only 5% of tokens to the community airdrop while reserving over 60% for team, investors, and advisors, causing cascading liquidations exceeding $56 million across DeFi platforms. Eight high-severity vulnerabilities were identified in a concurrent Code4rena security audit, and the incident exposed structural risks including withdrawal restrictions that prevented users from redeeming ezETH directly for ETH.

avoid.net/truflation 28/100 [WARNING]

Truflation is a blockchain-based inflation data oracle protocol that provides real-time economic indices to DeFi applications via its Truflation Stream Network (TSN) and TRUF token. In September 2024, the project suffered a confirmed malware attack that compromised private keys across its treasury multisig and personal wallets, resulting in losses estimated between $4.6 million and $5.2 million — predominantly in TRUF tokens, ETH, and DAI. On-chain investigator ZachXBT was among the first to publicly identify and report the incident; the project subsequently initiated a full TRUF token migration as a remediation measure.

avoid.net/act 28/100 [WARNING]

Act I: The AI Prophecy (ACT) is a Solana-based AI-narrative memecoin launched via Pump.fun in October 2024 with no verified product utility. The token reached an all-time high of approximately $0.92 in November 2024 before declining over 98% to roughly $0.013 by mid-2026. It has been subject to a documented co-founder token dump, a suspicious 49% flash crash on Binance in April 2025 attributed to large coordinated sell orders, and broad sector criticism from on-chain investigator ZachXBT who labeled 99% of AI agent tokens as scams.

avoid.net/sbi-crypto 28/100 [WARNING]

SBI Crypto is a cryptocurrency mining subsidiary of Japan's SBI Holdings, operating one of the top Bitcoin mining pools globally and offering related infrastructure services. On September 24, 2025, addresses linked to the company saw approximately $21–24 million in suspicious outflows across five cryptocurrencies; blockchain investigator ZachXBT and security firm Cyvers identified laundering patterns consistent with DPRK-affiliated Lazarus Group operations. SBI Group did not proactively disclose the breach and provided only minimal confirmation after independent researchers surfaced the incident publicly.

avoid.net/cryptocom 28/100 [WARNING]

Crypto.com is a Singapore-headquartered centralized cryptocurrency exchange founded in 2016 (originally as Monaco) by Kris Marszalek, Bobby Bao, Gary Or, and Rafael Melo. The platform has been subject to multiple serious security incidents, including a confirmed January 2022 hack in which $34 million was stolen via a 2FA bypass and laundered through Tornado Cash, and an alleged 2023 data breach linked to the Scattered Spider hacking group that the company did not publicly disclose to affected users. Blockchain investigator ZachXBT has publicly accused Crypto.com of governance manipulation and tokenomics fraud, citing the March 2025 reissuance of 70 billion CRO tokens that had been permanently burned in 2021, and the company's controversial 2020 forced swap from its original MCO token to CRO at unfavorable rates.

avoid.net/btcturk 28/100 [WARNING]

BtcTurk is Turkey's oldest and largest centralized cryptocurrency exchange, founded in 2013 in Istanbul. The exchange has suffered two major hot wallet breaches in 14 months — approximately $55 million stolen in June 2024 and approximately $48–$49 million in August 2025 — both attributed to private key compromise, establishing a pattern of repeated critical security failures. Despite operating under Turkish regulatory frameworks (CMB and MASAK) and maintaining cold wallet protections, the exchange's inability to prevent a second near-identical attack within a year raises serious concerns about the adequacy of its security controls.

avoid.net/paal 28/100 [WARNING]

PAAL AI is an Ethereum ERC20 token launched in July 2023, marketed as an AI-powered chatbot and automation ecosystem for crypto communities. In September 2023, blockchain investigator ZachXBT published on-chain evidence and leaked Telegram messages alleging that four prominent crypto influencers — TraderSZ, TraderNJ1, PetaByte, and Trader_XO — received undisclosed token allocations from the PAAL AI team and engaged in a coordinated pump-and-dump scheme, collectively dumping hundreds of thousands of dollars in PAAL tokens on retail buyers. The token subsequently declined approximately 98.7% from its March 2024 all-time high of $0.8653 to below $0.013 by mid-2026, while the PAAL brand has also been exploited by third-party wallet-draining scams impersonating its staking platform.

avoid.net/cardano 32/100 [WARNING]

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.

avoid.net/nexera 32/100 [WARNING]

Nexera (formerly AllianceBlock) is a blockchain infrastructure protocol focused on compliant real-world asset tokenization, operating primarily on Ethereum. In August 2024, a threat actor later attributed to North Korea's Lazarus Group used social engineering and BeaverTail malware to steal smart contract management credentials, enabling unauthorized transfer of 47.24 million NXRA tokens valued at approximately $1.9 million. The team mitigated further losses by zeroing out and subsequently burning the 32.5 million tokens that remained in the attacker's wallet, limiting confirmed liquidated losses to roughly $449,000.

avoid.net/serenity-shield 32/100 [WARNING]

Serenity Shield is a blockchain-based data storage and crypto inheritance protocol built on BNB Smart Chain, operating a product called StrongBox. On February 27, 2024, a team MetaMask wallet was compromised and 6.9 million SERSH tokens valued at approximately $5.6 million were stolen, causing the token price to collapse by over 95% within 24 hours. On-chain investigator ZachXBT linked the attacker to a serial hacker responsible for multiple private-key compromise incidents across at least six other protocols in late 2023 and early 2024.

avoid.net/coinex 32/100 [WARNING]

CoinEx is a centralized cryptocurrency exchange that suffered a major hot wallet breach on September 12, 2023, with losses estimated between $54 million and $70 million across multiple blockchains. On-chain investigators ZachXBT and Elliptic attributed the attack to the Lazarus Group (TraderTraitor), a North Korean state-sponsored threat actor, based on wallet address overlap with the contemporaneous Stake.com hack. Stolen proceeds were subsequently laundered in part through the Sinbad Bitcoin mixer, which was sanctioned by the U.S. Treasury's OFAC on November 29, 2023.

avoid.net/eigenlayer 32/100 [WARNING]

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

avoid.net/trust-wallet 32/100 [WARNING]

Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.

avoid.net/andy-ayrey 34/100 [WARNING]

Andy Ayrey is a New Zealand-based AI researcher and self-described performance artist who created Truth Terminal, an autonomous AI chatbot that became closely associated with the Goatseus Maximus (GOAT) memecoin, which briefly reached a $900M–$1B market cap in late 2024. Ayrey disclosed holding 1.25 million GOAT tokens gifted to him and pledged not to trade on insider knowledge, later establishing a non-profit foundation (Truth Collective) to manage the AI's holdings. ZachXBT's involvement concerns the October 2024 SIM-swap hack of Ayrey's X account — which third-party hackers exploited to deploy scam memecoins netting over $1.5M — rather than direct fraud allegations against Ayrey himself; however, broader ethical concerns persist around the gray-area ecosystem of AI-agent-driven memecoin promotion that Truth Terminal helped legitimize.

avoid.net/vitalik-buterin 35/100 [WARNING]

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

avoid.net/kiln 35/100 [WARNING]

Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.

avoid.net/coindcx 38/100 [WARNING]

CoinDCX is one of India's largest cryptocurrency exchanges, founded in 2018 and valued at $2.45 billion following an investment from Coinbase. In July 2025, the exchange suffered a $44.2 million security breach, which was first publicly identified by blockchain investigator ZachXBT before official disclosure and which cybersecurity firm Cyvers attributed to North Korea's Lazarus Group. While customer funds were not directly affected and the exchange covered losses from its treasury, the incident compounded existing concerns including co-founder arrests over alleged fraud in March 2026 and ongoing user withdrawal complaints.

avoid.net/muststopmurad 38/100 [WARNING]

MustStopMurad is the X handle of Murad Mahmudov, a Princeton-educated former Goldman Sachs analyst and co-founder of the now-defunct Adaptive Capital hedge fund, who rose to prominence in 2024 as the primary advocate of the 'memecoin supercycle' thesis following a widely-circulated speech at TOKEN2049 Singapore. On-chain investigator ZachXBT published what he alleged to be 11 wallets linked to Mahmudov in October 2024, holding approximately $24 million in memecoins, raising concerns about undisclosed large holdings in tokens he publicly promotes to hundreds of thousands of followers. No regulatory action has been filed; the core allegations of supply control, potential front-running, and undisclosed conflicts of interest remain contested and unproven in any legal forum.

avoid.net/sui 38/100 [WARNING]

Sui is a Layer 1 blockchain developed by Mysten Labs, launched in May 2023 and built on the Move programming language. The network suffered one of the largest DeFi exploits of 2025 when Cetus Protocol — its primary DEX — was drained of approximately $223 million in May 2025, triggering a controversial emergency validator vote to freeze and reclaim stolen funds that exposed deep centralization concerns. Separately, ZachXBT investigated a $29 million SUI token theft in late 2024 involving Tornado Cash laundering and subsequently announced in July 2025 that he would no longer take Sui ecosystem cases due to inadequate incident-response infrastructure and lack of support from the ecosystem.

avoid.net/thunder-terminal 38/100 [WARNING]

Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.

avoid.net/ethena 38/100 [WARNING]

Ethena is a DeFi protocol founded in 2023 by Guy Young that issues USDe, a synthetic dollar stablecoin backed by delta-neutral perpetual futures hedges on centralized exchanges. The protocol reached $14 billion in supply at its 2025 peak before contracting sharply to approximately $5.9 billion following a flash crash in October 2025 and BaFin's enforcement action that forced Ethena GmbH to cease EU operations. Multiple concerns have been raised including: a German regulatory shutdown citing MiCA breaches and alleged unregistered securities offerings via sUSDe; insider airdrop farming allegations involving 180 million foundation-controlled ENA tokens; two separate security incidents (Discord hack July 2024 and domain registrar compromise September 2024); and structural risks tied to funding rate volatility, exchange counterparty exposure, and an undersized reserve fund relative to protocol TVL.

avoid.net/bitopro 38/100 [WARNING]

BitoPro is a Taiwanese centralized cryptocurrency exchange operated by BitoGroup, serving over 800,000 users with TWD (New Taiwan Dollar) fiat on/off-ramps. On May 8, 2025, the exchange suffered an approximately $11.5 million hot wallet theft attributed to North Korea's Lazarus Group via a social-engineering and AWS-token-hijacking attack. The exchange did not publicly disclose the breach for approximately 25 days, only confirming the incident after on-chain investigator ZachXBT flagged suspicious outflows on June 2, 2025.

avoid.net/rain 38/100 [WARNING]

Rain (rain.com / Rain Financial) is a Bahrain-headquartered cryptocurrency exchange founded in 2017, holding licenses from the Central Bank of Bahrain and the Abu Dhabi Global Market's Financial Services Regulatory Authority. In April 2024, the exchange suffered a confirmed security breach of approximately $14.8 million in BTC, ETH, SOL, and XRP, which went undisclosed for approximately two weeks until blockchain investigator ZachXBT publicly exposed it. Rain subsequently confirmed the incident and stated that all customer funds were covered from company reserves.

avoid.net/bonad 38/100 [WARNING]

BONAD.fun is a permissionless meme token launchpad operating on the Monad blockchain, positioned as BONK's community-driven expansion from Solana into the EVM ecosystem via Monad. The platform is an independent community project not officially endorsed or vetted by the BONK Foundation, and no public smart contract audit has been documented. The platform shares brand identity and fee-recycling mechanics with Bonk.fun, the Solana-based predecessor that suffered a domain hijacking and wallet-drainer attack in March 2026 — a front-end attack vector that is directly relevant to BONAD.fun's risk surface as a structurally similar deployment.

avoid.net/safepal 42/100 [WARNING]

SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.

avoid.net/coinspaid 42/100 [WARNING]

CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.

avoid.net/across-protocol 42/100 [WARNING]

Across Protocol is a cross-chain bridge protocol built on UMA's optimistic oracle, founded by Hart Lambur and the UMA/Risk Labs team and launched in 2021. In June 2025, pseudonymous investigator Ogle alleged that protocol insiders used undisclosed wallets to push through two governance proposals transferring approximately 150 million ACX tokens ($23 million) from the DAO treasury to Risk Labs, the team's own organization, constituting alleged self-dealing and DAO manipulation. Separate allegations from LayerZero founder Bryan Pellegrino claimed insider trading preceded a surprise Binance listing of ACX in December 2024, with the protocol subsequently proposing in early 2026 to dissolve its DAO entirely and convert to a U.S. C-corporation.

avoid.net/kaito 42/100 [WARNING]

KAITO is the native token of Kaito AI, an AI-powered 'InfoFi' (information finance) platform built on Base blockchain, founded by former Citadel quantitative trader Yu Hu and launched in February 2025. On March 15, 2025, both the official Kaito AI X account and Yu Hu's personal account were compromised by hackers who spread false claims of wallet breaches while simultaneously holding short positions on KAITO, netting an estimated $1 million in profit from the manufactured price panic. The platform faced additional scrutiny from blockchain investigator ZachXBT over alleged AI bot spam incentivized by its Yaps reward system, which was ultimately sunset in January 2026 after X revoked API access to all InfoFi applications.

avoid.net/hypurr-nfts 42/100 [WARNING]

Hypurr NFTs are a 4,600-piece cat-themed NFT collection airdropped by the Hyper Foundation on September 28, 2025, to early Hyperliquid users who participated in the November 2024 Genesis Event. On the day of launch, blockchain investigator ZachXBT flagged the theft of eight Hypurr NFTs from compromised HyperEVM wallets, yielding approximately $400,000 in profit for the attacker. The collection itself is a legitimate product of the Hyper Foundation, but the incident exposed wallet security vulnerabilities in the HyperEVM ecosystem and coincided with a broader pattern of exploits across Hyperliquid-based protocols in late September 2025.

avoid.net/cointelegraph 44/100 [WARNING]

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

avoid.net/coinbase 44/100 [WARNING]

Coinbase (NASDAQ: COIN) is the largest publicly listed cryptocurrency exchange in the United States, founded in 2012 and regulated across multiple jurisdictions. Despite its regulated status, the platform has been the subject of significant documented concerns: a May 2025 insider-enabled data breach affecting approximately 70,000 users with estimated remediation costs of $180–400 million, ongoing documented losses exceeding $300 million per year from social engineering scams targeting Coinbase users (as reported by blockchain investigator ZachXBT), a $100 million AML compliance settlement with the NYDFS in 2023, and controversies surrounding its Base Layer-2 blockchain including a disputed token launch and a contentious departure from the Optimism OP Stack ecosystem.

avoid.net/strike 44/100 [WARNING]

Strike (operated by Zap Solutions, Inc.) is a Bitcoin and Lightning Network payments application founded by Jack Mallers. The platform has faced scrutiny over a 2023 data breach it initially denied, the use of Tether (USDT) as a backing for purported USD cash balances for non-US users, and a 2026 proposed merger with Twenty One Capital (XXI) that raises serious conflict-of-interest concerns given Mallers serves as CEO of both entities.

avoid.net/nelly 48/100 [WARNING]

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

avoid.net/circle 48/100 [WARNING]

Circle Internet Group is the issuer of USDC, the second-largest USD-pegged stablecoin by market capitalization. Circle has faced sustained criticism from blockchain investigator ZachXBT and others for its policy of refusing to freeze USDC linked to hacks or scams without a formal court order or law enforcement mandate, which critics allege has allowed over $420 million in illicit funds to flow freely since 2022. The company went public on the NYSE in June 2025 under the ticker CRCL and received conditional OCC approval for a national trust bank charter in December 2025.

avoid.net/m2 49/100 [WARNING]

M2 is a UAE-based cryptocurrency exchange licensed by the Abu Dhabi Global Market (ADGM) Financial Services Regulatory Authority, operating as a regulated Multilateral Trading Facility and custodian since late 2023. On October 31, 2024, the exchange suffered a $13.7 million hot wallet breach attributed to an access control vulnerability across the Bitcoin, Ethereum, and Solana networks. M2 subsequently reimbursed all affected customers from its own assets and stated it had engaged law enforcement and regulatory authorities.

avoid.net/burgeleth 50/100 [WARNING]

No verifiable information about an entity named 'Burgeleth' was found across any indexed web source as of May 2026. Exhaustive searches across news outlets, blockchain explorers, social media platforms, regulatory databases, domain registries, and crypto-specific intelligence sources (ZachXBT, Chainalysis, Scam Sniffer) returned zero results matching this name in a crypto or financial context. The slug may refer to an extremely obscure or newly created entity, an alternate spelling of a different entity, or a name that has not yet generated any publicly indexed presence.

avoid.net/bittensor 52/100 [CAUTIONARY]

Bittensor is a decentralized blockchain protocol functioning as a peer-to-peer marketplace for machine intelligence, using the TAO token to reward AI model contributors. In July 2024, the protocol was the target of a supply chain attack via a malicious version of its official PyPI package, resulting in the theft of approximately $28 million in TAO tokens from 32 wallets. A civil lawsuit filed in January 2025 alleges that former Opentensor Foundation employees orchestrated the attack, and on-chain investigator ZachXBT identified a key suspect through NFT wash-trade analysis and Railgun de-mixing.

avoid.net/porkbun 52/100 [CAUTIONARY]

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

avoid.net/transak 55/100 [CAUTIONARY]

Transak is a fiat-to-crypto on-ramp infrastructure provider founded in 2019 and serving over 8 million users across 160+ countries, with integrations into major platforms including MetaMask, Phantom, and Uniswap. In October 2024, a phishing attack on an employee's laptop led to unauthorized access to a third-party KYC vendor's dashboard, exposing the personal identity documents of approximately 92,554 users globally, including names, dates of birth, government-issued IDs, and selfie photos. The breach resulted in a $601,000 class action settlement covering U.S.-based affected users, and the Stormous ransomware group claimed responsibility, alleging extraction of over 300GB of data.

avoid.net/pendle 55/100 [CAUTIONARY]

Pendle is a permissionless yield-trading protocol on Ethereum, launched in 2021 by TN Lee and Vu Nguyen, that allows users to separate and trade the principal and yield components of yield-bearing assets. In September 2024, Penpie — an independent yield optimizer built on top of Pendle — suffered a $27 million reentrancy exploit that was made possible in part by Pendle's permissionless market creation design. Although Pendle's own contracts were not directly exploited, the protocol's architecture contributed to the attack surface, and all 11,261 ETH in stolen funds were subsequently laundered through Tornado Cash.

avoid.net/coinspot 62/100 [CAUTIONARY]

CoinSpot is an Australian cryptocurrency exchange founded in 2013 by Russell Wilson and headquartered in Melbourne. It is registered with AUSTRAC as a Digital Currency Exchange (since May 2018) and holds ISO 27001 certification. On November 8, 2023, the platform suffered a suspected private key compromise resulting in the loss of approximately 1,283 ETH (~$2.4 million USD), with stolen funds bridged to Bitcoin via THORChain and Wan Bridge. No customer funds were reported lost in the incident.

avoid.net/trezor 62/100 [CAUTIONARY]

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.

avoid.net/bybit 72/100 [CAUTIONARY]

Bybit is a Dubai-headquartered cryptocurrency derivatives and spot exchange founded in 2018 by Ben Zhou, serving over 80 million registered users globally. On February 21, 2025, the exchange suffered the largest cryptocurrency theft in recorded history when North Korean state-sponsored hackers attributed to the Lazarus Group (TraderTraitor) stole approximately $1.46 billion in Ethereum via a supply chain compromise of Safe{Wallet}'s frontend infrastructure. Separately, Bybit accounts have been cited in the ICIJ's 2025 Coin Laundry investigation into crypto exchanges facilitating international criminal money flows.

avoid.net/ninamo 83/100 [VERIFIED]

Ninamo is a purported crypto entity whose name was submitted for investigation on AVOID.NET. Exhaustive searches across regulatory databases, blockchain explorers, crypto news outlets, scam trackers, social media platforms, domain registries, and the Wayback Machine returned no verifiable information about any crypto project, exchange, token, or DeFi protocol operating under the name Ninamo. No wallet addresses, enforcement actions, community reports, or archived web presence could be located.
