Key Highlights
- ZachXBT traced a wallet holding roughly $23 million to addresses linked to suspected U.S. government crypto thefts.
- The exposure followed a leaked recording in which the hacker publicly “flexed” wallet balances.
- On-chain data suggests total inflows tied to the wallet exceed $90 million across 2024–2025.
Crypto investigator ZachXBT exposed a network of crypto wallets allegedly holding stolen funds this week after tracing transactions tied to U.S. government seizure addresses across Ethereum and Tron.
The findings emerged after leaked recordings from late 2025 showed a threat actor publicly flaunting wallet balances during a dispute with another hacker, inadvertently providing proof of control. Using the recordings and on-chain analysis, ZachXBT linked the addresses to millions in funds, turning a flex into an easy trail for investigators.
A public flex turns into an on-chain trail
ZachXBT said a threat actor known as “John” was caught showing off roughly $23 million in crypto during a recorded argument with another hacker in a private group chat. The exchange, described as a “band for band” contest, prompted John to screen-share wallet balances, handing investigators the proof needed to trace ownership.
According to ZachXBT, the recordings show John controlling multiple addresses, including Ethereum and Tron wallets that later consolidated funds into a single address holding tens of millions of dollars.
Funds traced back to seized government assets
Following the recordings, ZachXBT traced the wallet’s inflows backward. The onchain trail points to a wallet that received nearly $25 million from a U.S. government–linked address in March 2024, tied to seized crypto from earlier cases. Later inflows from suspected victims in late 2025 push the total traced amount beyond $90 million.
In one case, over 4,000 ETH, worth about $12 million at the time, was sent from a centralized exchange into the wallet, further tying the recorded owner to the funds.
Why investigators say the case is unusually clear
What sets this case apart isn’t just the money, but the mistake behind it. Instead of staying quiet, the attacker openly showed wallet balances on video, making ownership hard to deny. As ZachXBT pointed out, that kind of proof is exactly what investigators usually struggle to get.
After the thread went public, John reportedly scrubbed usernames and identifiers from his Telegram account.
The incident highlights that the blockchain never forgets, and showing off usually speeds up attribution. While there are rumors that the individual may already be on law enforcement’s radar, ZachXBT noted that more confirmation is still needed.
Also read: Makina Finance Hacked: MEV Bot Snipes 1,299 ETH in $4M Protocol Exploit
