ZachXBT
Independent crypto fraud investigator known for tracing stolen funds, exposing scams, and publishing findings on Telegram. Investigations sourced from ZachXBT are ingested in real time, archived via the Wayback Machine, and anchored on Solana.
https://t.me/zachxbt
102 investigations from this source
Pink Drainer was a phishing-as-a-service (drainer-as-a-service) criminal toolkit active from approximately April 2023 through May 2024, during which it facilitated the theft of an estimated $75–85 million in cryptocurrency and NFTs from more than 21,000 victims. Operated by a pseudonymous developer known as 'Pink' (previously 'Blockdev'), the service sold access to a wallet-draining toolkit to phishing affiliates who ran attack campaigns via compromised Discord servers, hijacked social media accounts, and fake airdrop and NFT-claim websites. The operators announced a self-described 'retirement' on May 17, 2024, though associated wallet addresses have continued to hold and move funds post-shutdown, and copycat operations and successor drainer services have continued the attack model.
avoid.net/lazarus-group→0/100[CRITICAL]Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor subordinate to the Reconnaissance General Bureau (RGB), the principal intelligence directorate of the Democratic People's Republic of Korea (DPRK). Active since at least 2007, the group has been responsible for some of the largest cryptocurrency thefts in history, with cumulative estimates of stolen digital assets ranging from $3.4 billion to over $6.75 billion across all-time operations. The group and two affiliated sub-clusters — Bluenoroff and Andariel — are designated on the U.S. Treasury OFAC Specially Designated Nationals (SDN) list, and multiple individual members have been federally indicted.
avoid.net/hypurr-nfts→10/100[CRITICAL]According to independent investigator ZachXBT, Hypurr NFTs has been flagged for alleged suspicious activity.
avoid.net/ninamo→10/100[CRITICAL]According to independent investigator ZachXBT, Nina/Mo has been flagged for alleged suspicious activity.
avoid.net/aqua→10/100[CRITICAL]According to independent investigator ZachXBT, Aqua has been flagged for alleged suspicious activity.
avoid.net/vkevin→10/100[CRITICAL]According to independent investigator ZachXBT, Vkevin has been flagged for alleged suspicious activity.
avoid.net/coindcx→10/100[CRITICAL]CoinDCX suffered a documented infrastructure incident with reported losses of $44.20M on an unknown chain. This page tracks DeFiLlama's record of the event.
avoid.net/glori-finance→10/100[CRITICAL]According to independent investigator ZachXBT, Glori Finance has been flagged for alleged suspicious activity.
avoid.net/wazirx→10/100[CRITICAL]According to independent investigator ZachXBT, WazirX has been flagged for alleged suspicious activity.
avoid.net/paal→10/100[CRITICAL]According to independent investigator ZachXBT, PAAL has been flagged for alleged suspicious activity.
avoid.net/pendle→10/100[CRITICAL]According to independent investigator ZachXBT, Pendle has been flagged for alleged suspicious activity.
avoid.net/malone→10/100[CRITICAL]According to independent investigator ZachXBT, Malone has been flagged for alleged suspicious activity.
avoid.net/jrny→10/100[CRITICAL]According to independent investigator ZachXBT, JRNY has been flagged for alleged suspicious activity.
avoid.net/sui→10/100[CRITICAL]Sui is a blockchain protocol that reportedly experienced a significant theft incident in December 2024. According to ZachXBT (Telegram, 2025-01-26), an unidentified user was allegedly hacked for $29 million worth of SUI tokens, which were subsequently laundered through cross-chain bridges and privacy protocols.
avoid.net/exch→10/100[CRITICAL]eXch is an instant cryptocurrency exchange that had 34 million euros and its infrastructure seized by Frankfurt prosecutors, according to ZachXBT (Telegram, 2025-05-09). The exchange is alleged to have been used to launder hundreds of millions of dollars from major cryptocurrency hacks and exploits.
avoid.net/gana-payment→10/100[CRITICAL]GANA Payment suffered a documented infrastructure incident with reported losses of $3.10M on BSC. This page tracks DeFiLlama's record of the event.
avoid.net/mixin→10/100[CRITICAL]According to independent investigator ZachXBT, Mixin has been flagged for alleged suspicious activity.
avoid.net/hypc→10/100[CRITICAL]According to independent investigator ZachXBT, HyPC has been flagged for alleged suspicious activity.
avoid.net/burgeleth→10/100[CRITICAL]According to independent investigator ZachXBT, burgel.eth has been flagged for alleged suspicious activity.
avoid.net/noones→10/100[CRITICAL]According to independent investigator ZachXBT, Noones has been flagged for alleged suspicious activity.
avoid.net/velodrome→10/100[CRITICAL]According to independent investigator ZachXBT, Velodrome has been flagged for alleged suspicious activity.
avoid.net/nftmachine→10/100[CRITICAL]According to independent investigator ZachXBT, NFTMachine has been flagged for alleged suspicious activity.
avoid.net/inferno-drainer→10/100[CRITICAL]According to independent investigator ZachXBT, Inferno Drainer has been flagged for alleged suspicious activity.
avoid.net/thunder-terminal→10/100[CRITICAL]According to independent investigator ZachXBT, Thunder Terminal has been flagged for alleged suspicious activity.
avoid.net/coinspaid→10/100[CRITICAL]CoinsPaid suffered a documented ecosystem incident with reported losses of $37.30M on an unknown chain. This page tracks DeFiLlama's record of the event.
avoid.net/btcturk→10/100[CRITICAL]BtcTurk suffered a documented security incident with reported losses of $54.00M on an unknown chain. This page tracks DeFiLlama's record of the event.
avoid.net/veer-chetal→10/100[CRITICAL]According to independent investigator ZachXBT, Veer Chetal has been flagged for alleged suspicious activity.
avoid.net/bitopro→10/100[CRITICAL]According to independent investigator ZachXBT, BitoPro has been flagged for alleged suspicious activity.
avoid.net/kiln→10/100[CRITICAL]According to independent investigator ZachXBT, Kiln has been flagged for alleged suspicious activity.
avoid.net/cryptocom→10/100[CRITICAL]Crypto.com suffered a documented infrastructure incident with reported losses of $33.70M on Ethereum, Bitcoin. This page tracks DeFiLlama's record of the event.
avoid.net/garden-finance→10/100[CRITICAL]According to independent investigator ZachXBT, Garden Finance has been flagged for alleged suspicious activity.
avoid.net/bitcoindepot→10/100[CRITICAL]According to independent investigator ZachXBT, BitcoinDepot has been flagged for alleged suspicious activity.
avoid.net/nobitex→10/100[CRITICAL]Nobitex suffered a documented infrastructure incident with reported losses of $82.00M on Tron, Ethereum, BSC, Avalanche, Arbitrum, Polygon, Bitcoin. This page tracks DeFiLlama's record of the event.
avoid.net/tapioca-dao→10/100[CRITICAL]Tapioca DAO suffered a documented protocol logic incident with reported losses of $4.70M on Arbitrum. This page tracks DeFiLlama's record of the event.
avoid.net/truflation→10/100[CRITICAL]Truflation suffered a documented infrastructure incident with reported losses of $5.00M on an unknown chain. This page tracks DeFiLlama's record of the event.
avoid.net/nexera→10/100[CRITICAL]Nexera suffered a documented protocol logic incident with reported losses of $1.80M on Ethereum. This page tracks DeFiLlama's record of the event.
avoid.net/rain→10/100[CRITICAL]Rain suffered a documented infrastructure incident with reported losses of $14.80M on Bitcoin, Ethereum, XRP, Solana. This page tracks DeFiLlama's record of the event.
avoid.net/safepal→10/100[CRITICAL]According to independent investigator ZachXBT, SafePal has been flagged for alleged suspicious activity.
avoid.net/sportsbet→10/100[CRITICAL]According to independent investigator ZachXBT, Sportsbet has been flagged for alleged suspicious activity.
avoid.net/lastpass-threat-actor→10/100[CRITICAL]According to independent investigator ZachXBT, LastPass threat actor has been flagged for alleged suspicious activity.
avoid.net/serenity-shield→10/100[CRITICAL]According to independent investigator ZachXBT, Serenity Shield has been flagged for alleged suspicious activity.
avoid.net/sbi-crypto→10/100[CRITICAL]SBI Crypto suffered a documented infrastructure incident with reported losses of $24.00M on Bitcoin, Ethereum, Litecoin, Doge, BitcoinCash. This page tracks DeFiLlama's record of the event.
avoid.net/m2→10/100[CRITICAL]According to independent investigator ZachXBT, M2 has been flagged for alleged suspicious activity.
avoid.net/coinspot→10/100[CRITICAL]CoinSpot suffered a documented infrastructure incident with reported losses of $2.40M on Ethereum. This page tracks DeFiLlama's record of the event.
avoid.net/bitforex→10/100[CRITICAL]According to independent investigator ZachXBT, Bitforex has been flagged for alleged suspicious activity.
avoid.net/coinex→10/100[CRITICAL]CoinEx suffered a documented infrastructure incident with reported losses of $55.00M on Ethereum, BSC, Bitcoin, Tron, Kadena, Solana, Dagger, XRP, BitcoinCash, Polygon, Stellar, Arbitrum. This page tracks DeFiLlama's record of the event.
avoid.net/andy-ayrey→10/100[CRITICAL]According to independent investigator ZachXBT, Andy Ayrey has been flagged for alleged suspicious activity.
avoid.net/cm-software→10/100[CRITICAL]C&M Software is a Brazilian Central Bank services provider that allegedly experienced a major cyberattack in June 2025, resulting in approximately $140 million in unauthorized access to financial institutions' reserve accounts. According to ZachXBT (Telegram, 2025-07-04), attackers allegedly gained access through compromised employee credentials and converted tens of millions to cryptocurrency.
avoid.net/porkbun→10/100[CRITICAL]According to independent investigator ZachXBT, Porkbun has been flagged for alleged suspicious activity.
avoid.net/netmind-ai→10/100[CRITICAL]According to independent investigator ZachXBT, Netmind AI has been flagged for alleged suspicious activity.
avoid.net/fake-ledger-live-app→10/100[CRITICAL]A fraudulent Ledger Live app distributed through the Apple App Store allegedly stole $9.5 million from over 50 victims between April 7-13, 2026. According to ZachXBT (Telegram, 2026-04-14), the fake application targeted users across multiple blockchain networks including Bitcoin, Ethereum, Tron, Solana, and Ripple, with stolen funds allegedly laundered through KuCoin exchange addresses.
avoid.net/tradeogre→10/100[CRITICAL]According to independent investigator ZachXBT, TradeOgre has been flagged for alleged suspicious activity.
avoid.net/dprk→10/100[CRITICAL]According to independent investigator ZachXBT, DPRK has been flagged for alleged suspicious activity.
avoid.net/bittensor→10/100[CRITICAL]Bittensor suffered a documented infrastructure incident with reported losses of $8.00M on an unknown chain. This page tracks DeFiLlama's record of the event.
avoid.net/metawin→10/100[CRITICAL]According to independent investigator ZachXBT, Metawin has been flagged for alleged suspicious activity.
avoid.net/blacksuit→10/100[CRITICAL]According to independent investigator ZachXBT, BlackSuit has been flagged for alleged suspicious activity.
avoid.net/andy→10/100[CRITICAL]According to independent investigator ZachXBT, ANDY has been flagged for alleged suspicious activity.
avoid.net/kelpdao→22/100[CRITICAL]KelpDAO (also KernelDAO) is an Ethereum-based liquid restaking protocol that issues rsETH, a yield-bearing token representing restaked positions via EigenLayer. On April 18, 2026, attackers attributed to North Korea's Lazarus Group (TraderTraitor subunit) exploited a single-verifier bridge configuration to mint 116,500 unbacked rsETH tokens worth approximately $292 million, making it the largest single DeFi exploit of 2026. The attack triggered cascading losses across Aave, SparkLend, and Fluid, sparked a $300 million+ industry recovery coalition (DeFi United), a legal dispute over $71 million frozen by Arbitrum's Security Council, and a protracted public blame dispute between KelpDAO and bridge provider LayerZero.
avoid.net/tornado-cash→25/100[CRITICAL]Tornado Cash is an open-source, non-custodial Ethereum-based cryptocurrency mixer (tumbler) launched in 2019 by Roman Storm, Roman Semenov, and Alexey Pertsev that uses zero-knowledge cryptography to obscure transaction trails. The U.S. Treasury's OFAC sanctioned the protocol in August 2022, alleging it laundered over $7 billion including funds stolen by North Korea's Lazarus Group; those sanctions were overturned by the Fifth Circuit in November 2024 and formally lifted in March 2025. Criminal prosecutions of the founders remain ongoing in both the United States and the Netherlands.
avoid.net/trust-wallet→30/100[WARNING]Trust Wallet suffered a documented infrastructure incident with reported losses of $7.00M on Ethereum, Bitcoin, Solana. This page tracks DeFiLlama's record of the event.
avoid.net/wasabi→30/100[WARNING]According to independent investigator ZachXBT, Wasabi has been flagged for alleged suspicious activity.
avoid.net/renzo-protocol→30/100[WARNING]According to independent investigator ZachXBT, Renzo Protocol has been flagged for alleged suspicious activity.
avoid.net/ledger→30/100[WARNING]According to independent investigator ZachXBT, Ledger has been flagged for alleged suspicious activity.
avoid.net/ethena→30/100[WARNING]According to independent investigator ZachXBT, Ethena has been flagged for alleged suspicious activity.
avoid.net/muststopmurad→30/100[WARNING]According to independent investigator ZachXBT, MustStopMurad has been flagged for alleged suspicious activity.
avoid.net/spartans-bet→30/100[WARNING]According to independent investigator ZachXBT, Spartans Bet has been flagged for alleged suspicious activity.
avoid.net/magnate-finance→30/100[WARNING]Magnate Finance suffered a documented rugpull incident with reported losses of $6.40M on Base. This page tracks DeFiLlama's record of the event.
avoid.net/circle→30/100[WARNING]According to independent investigator ZachXBT, Circle has been flagged for alleged suspicious activity.
avoid.net/pumpfun→30/100[WARNING]pump.fun suffered a documented infrastructure incident with reported losses of $2.00M on Solana. This page tracks DeFiLlama's record of the event.
avoid.net/mexc→30/100[WARNING]According to independent investigator ZachXBT, MEXC has been flagged for alleged suspicious activity.
avoid.net/1eu2pmence1ufifcco2uhjcdoqoratpt7→30/100[WARNING]According to independent investigator ZachXBT, 1EU2pMence1UfifCco2UHJCdoqorAtpT7 has been flagged for alleged suspicious activity.
avoid.net/transak→30/100[WARNING]According to independent investigator ZachXBT, Transak has been flagged for alleged suspicious activity.
avoid.net/wallex→30/100[WARNING]According to independent investigator ZachXBT, Wallex has been flagged for alleged suspicious activity.
avoid.net/cardano→30/100[WARNING]According to independent investigator ZachXBT, Cardano has been flagged for alleged suspicious activity.
avoid.net/blockchain-bandit→30/100[WARNING]According to independent investigator ZachXBT, Blockchain Bandit has been flagged for alleged suspicious activity.
avoid.net/0x327a81d0d128db8886d265be73c9fdda97194f30→30/100[WARNING]According to independent investigator ZachXBT, 0x327a81d0d128db8886d265be73c9fdda97194f30 has been flagged for alleged suspicious activity.
avoid.net/lastpass→30/100[WARNING]According to independent investigator ZachXBT, LastPass has been flagged for alleged suspicious activity.
avoid.net/pumpdotfun→30/100[WARNING]According to independent investigator ZachXBT, PumpDotFun has been flagged for alleged suspicious activity.
avoid.net/wallstreetbets→30/100[WARNING]According to independent investigator ZachXBT, WallStreetBets has been flagged for alleged suspicious activity.
avoid.net/act→30/100[WARNING]According to independent investigator ZachXBT, ACT has been flagged for alleged suspicious activity.
avoid.net/cointelegraph→30/100[WARNING]According to independent investigator ZachXBT, Cointelegraph has been flagged for alleged suspicious activity.
avoid.net/fake-hyperliquid-app→30/100[WARNING]According to independent investigator ZachXBT, Fake Hyperliquid App has been flagged for alleged suspicious activity.
avoid.net/masa→30/100[WARNING]According to independent investigator ZachXBT, Masa has been flagged for alleged suspicious activity.
avoid.net/ton-blockchain→30/100[WARNING]According to independent investigator ZachXBT, TON Blockchain has been flagged for alleged suspicious activity.
avoid.net/kroll→30/100[WARNING]According to independent investigator ZachXBT, Kroll has been flagged for alleged suspicious activity.
avoid.net/vitalik-buterin→30/100[WARNING]According to independent investigator ZachXBT, Vitalik Buterin has been flagged for alleged suspicious activity.
avoid.net/renzo→30/100[WARNING]According to independent investigator ZachXBT, Renzo has been flagged for alleged suspicious activity.
avoid.net/trezor→30/100[WARNING]According to independent investigator ZachXBT, Trezor has been flagged for alleged suspicious activity.
avoid.net/compound-finance→30/100[WARNING]According to independent investigator ZachXBT, Compound Finance has been flagged for alleged suspicious activity.
avoid.net/strike→30/100[WARNING]According to independent investigator ZachXBT, Strike has been flagged for alleged suspicious activity.
avoid.net/token-2049→30/100[WARNING]According to independent investigator ZachXBT, Token 2049 has been flagged for alleged suspicious activity.
avoid.net/eigenlayer→30/100[WARNING]According to independent investigator ZachXBT, Eigenlayer has been flagged for alleged suspicious activity.
avoid.net/across-protocol→30/100[WARNING]According to independent investigator ZachXBT, Across Protocol has been flagged for alleged suspicious activity.
avoid.net/kaito→30/100[WARNING]KAITO is a cryptocurrency token associated with the Kaito Yapper community on X (formerly Twitter), which faced significant market impact after X announced restrictions on InfoFi applications. According to ZachXBT (Telegram, 2026-01-15), the token's price dropped 17% following the announcement that led to the community's removal from the platform.
avoid.net/jelly→30/100[WARNING]According to independent investigator ZachXBT, JELLY has been flagged for alleged suspicious activity.
avoid.net/wiz-khalifa-pump-fun→30/100[WARNING]According to independent investigator ZachXBT, Wiz Khalifa Pump Fun has been flagged for alleged suspicious activity.
avoid.net/coinbase→45/100[WARNING]Coinbase is the largest publicly traded cryptocurrency exchange in the United States (NASDAQ: COIN), operating since 2012 with approximately 9.7 million monthly transacting users as of 2025. The platform has experienced a pattern of serious security incidents, including a 2021 MFA bypass affecting 6,000 accounts, an ongoing crisis of social engineering attacks that on-chain analyst ZachXBT estimated cost users over $300 million annually as of 2025, and a May 2025 insider-assisted data breach affecting approximately 69,461 customers with an estimated $180–400 million remediation cost. Coinbase was also sued by the SEC in June 2023 for operating an unregistered securities exchange, though that case was dismissed without penalty in February 2025.
avoid.net/friend-tech→55/100[CAUTIONARY]According to independent investigator ZachXBT, Friend Tech has been flagged for alleged suspicious activity.
avoid.net/bonad→55/100[CAUTIONARY]According to independent investigator ZachXBT, Bonad has been flagged for alleged suspicious activity.
avoid.net/chris-larsen→55/100[CAUTIONARY]According to independent investigator ZachXBT, Chris Larsen has been flagged for alleged suspicious activity.
avoid.net/nelly→55/100[CAUTIONARY]According to independent investigator ZachXBT, Nelly has been flagged for alleged suspicious activity.
avoid.net/bybit→72/100[CAUTIONARY]Bybit is a Dubai-headquartered cryptocurrency derivatives and spot exchange founded in 2018 by Ben Zhou, serving over 80 million registered users globally. On February 21, 2025, the exchange suffered the largest cryptocurrency theft in recorded history when North Korean state-sponsored hackers attributed to the Lazarus Group (TraderTraitor) stole approximately $1.46 billion in Ethereum via a supply chain compromise of Safe{Wallet}'s frontend infrastructure. Separately, Bybit accounts have been cited in the ICIJ's 2025 Coin Laundry investigation into crypto exchanges facilitating international criminal money flows.