Crypto investigator ZachXBT has publicly identified Dritan Kapllani Jr., a US-based threat actor who recently turned 18, as being connected to $19 million in social engineering thefts targeting cryptocurrency holders — publishing the exposé just hours after federal prosecutors unsealed a criminal complaint against a co-conspirator in the case.
In an eight-part thread posted on X on May 12, ZachXBT traced Kapllani’s wallets back to a 185 BTC theft ($13 million) that occurred on March 14, 2026, and connected a second wallet to at least $5.85 million in additional high-confidence social engineering thefts spanning August through October 2025.
ZachXBT said he assisted one of the affected parties by uncovering the on-chain activity linking the conspirators but held off publishing until the charges became public.
The “Band for Band” That Started It All
Kapllani first came to ZachXBT’s attention through a “band for band” (B4B)—a bragging competition common in cybercriminal circles where threat actors attempt to prove who controls more stolen cryptocurrency. On April 23, 2026, Kapllani was recorded on a Discord call displaying $3.68 million in his Exodus wallet to prove he had more money than another threat actor.
ZachXBT identified Kapllani’s Ethereum address (0x4487db847db2fc99372a985743a26f46e0b2bba6) from the recording. On-chain tracing revealed that the wallet had received $5.3 million from the 185 BTC theft the day after it occurred — March 15, 2026. By the time of the B4B six weeks later, $1.6 million had already been spent or laundered.
The investigator noted that Kapllani “flexes luxury cars, watches, private jets, and clubs all over social media” — a pattern that has become a recurring feature in social engineering crew exposés throughout 2025 and 2026.
Federal Charges Unsealed
On May 11, a criminal complaint against Trenton Johnson was unsealed in connection with the 185 BTC theft. Johnson faces up to 40 years in prison. The complaint identifies Kapllani as Co-Conspirator 1 (CC-1), though he has not been formally charged.
In a separate but related development, meme coin KOL @yelotree was also charged for allegedly helping launder stolen funds through his Miami rental car business. He faces up to 30 years.
ZachXBT noted the irony that Kapllani had previously participated in a B4B with John Daghita, known as “Lick”—the threat actor whose January 2026 bragging session inadvertently exposed $23 million in stolen cryptocurrency linked to a $46 million theft from U.S. government-controlled wallets. That earlier investigation by ZachXBT led to Daghita’s arrest by federal authorities.
During the Daghita investigation, Daghita posted one of Kapllani’s old wallet addresses (0x97da0685dbba50b4cbabb0ca9e8336f4fbe41122) in a now-deleted Telegram message in apparent retaliation. ZachXBT verified that the address “looked accurate as Dritan moved funds to the same laundering service within minutes of the 185 BTC theft.”
$5.85M in Additional Thefts Traced
ZachXBT traced the source of funds for the 0x97da wallet back to at least $5.85 million stolen across five separate high-confidence social engineering thefts in 2025. He published the theft addresses spanning August, September, and October 2025 — each linked to a distinct victim.
The combined total across the 185 BTC theft and the 2025 thefts brings Kapllani’s alleged involvement to approximately $19 million.
“The Com” and Plot Armor
ZachXBT described Kapllani as being known within “The Com”—the loose online network of young social engineering and SIM-swapping threat actors that has been responsible for some of the largest individual crypto thefts in recent years, including the $243 million Genesis creditor theft in August 2024 and the $282 million hardware wallet social engineering theft in January 2026.
Kapllani is known within The Com “for having lots of plot armor as all of his friend groups (ACG, 41/RM Boyz, etc) have kept getting arrested without him,” ZachXBT wrote. He attributed this partly to Kapllani having been a minor until recently—noting that law enforcement typically delays prosecution of minors.
“He just turned 18 so hopefully now his borrowed time is finally up,” ZachXBT concluded.
Social Engineering: The Dominant Crypto Threat Vector of 2026
The Kapllani expose is the latest in a series of ZachXBT investigations that have systematically mapped the social engineering ecosystem targeting crypto holders. The attack vector—which relies on psychological manipulation rather than technical exploits, typically by impersonating exchange support staff or hardware wallet providers—has produced the largest individual crypto thefts of both 2025 and 2026.
In August 2024, the Greavys/Wiz/Box crew stole $243 million from a single Genesis creditor by impersonating Google and Gemini support. In January 2026, a separate social engineering attack stole $282 million in BTC and LTC, with funds rapidly converted to Monero. In March 2026, a Kraken user lost $18.2 million through a similar social engineering scheme, with funds laundered via Thorchain.
A common thread across these cases: the perpetrators are overwhelmingly young — many are teenagers or barely adults — and their operational security is often undermined by the same impulse that funds their lifestyle: the compulsion to show off stolen wealth on social media and in B4B competitions.
