Crypto investigator ZachXBT has publicly identified Dritan Kapllani Jr., a US-based threat actor who recently turned 18, as being connected to $19 million in social engineering thefts targeting cryptocurrency holders — publishing the exposé just hours after federal prosecutors unsealed a criminal complaint against a co-conspirator in the case.
In an eight-part thread posted on X on May 12, ZachXBT traced Kapllani’s wallets back to a 185 BTC theft ($13 million) that occurred on March 14, 2026, and connected a second wallet to at least $5.85 million in additional high-confidence social engineering thefts spanning August through October 2025.
ZachXBT published comprehensive TRM Labs fund flow diagrams mapping the complete chain from multiple victims across 2025 and 2026 through intermediary addresses, cross-chain bridges, and exchange deposits—all converging on wallets controlled by Kapllani. ZachXBT said he assisted one of the affected parties by uncovering the on-chain activity linking the conspirators but held off publishing until the charges became public.
The “Band for Band” That Started It All
Kapllani first came to ZachXBT’s attention through a “band for band” (B4B)—a bragging competition common in cybercriminal circles where threat actors attempt to prove who controls more stolen cryptocurrency.
On April 23, 2026, Kapllani was recorded on a Discord call displaying $3.68 million in his Exodus wallet to prove he had more money than another threat actor. A screenshot from the Discord session shows Kapllani actively screen-sharing his wallet to multiple listeners—users identified as “dh sos,” “The Punisher,” “kenele,” and others—with a balance exceeding $4.17 million visible on screen.
ZachXBT identified Kapllani’s Ethereum address (0x4487db847db2fc99372a985743a26f46e0b2bba6) from the recording. On-chain tracing revealed that the wallet had received $5.3 million from the 185 BTC theft the day after it occurred — March 15, 2026. By the time of the B4B six weeks later, $1.6 million had already been spent or laundered.
The Exodus wallet’s metadata provided further corroboration. Its portfolio age at the time of the B4B was just 1 month and 8 days — confirming it was created around the date of the theft, not a long-standing personal wallet. The highest recorded balance was $5,383,534.01, logged on March 15, 2026, the exact day stolen funds arrived. The wallet held only two assets: Bitcoin and Ethereum.
A TRM Labs flow diagram published by ZachXBT maps the complete fund trail from the victim—who lost $10.5 million and $2.64 million in two separate flows—through multiple Bitcoin intermediary addresses with precise timestamps on March 14, across a bridge to Ethereum, and into at least four wallets labeled as belonging to Kapllani, ultimately terminating at the 0x4487 address displayed during the Discord B4B.

The investigator noted that Kapllani “flexes luxury cars, watches, private jets, and clubs all over social media”—a pattern that has become a recurring feature in social engineering crew exposés throughout 2025 and 2026.
Federal Charges Unsealed
On May 11, a criminal complaint against Trenton Johnson was unsealed in connection with the 185 BTC theft. Johnson faces up to 40 years in prison. The complaint identifies Kapllani as Co-Conspirator 1 (CC-1), though he has not been formally charged.
The court filings contain a devastating series of messages exchanged between Johnson and CC-1 on the day of the theft — March 14, 2026 — and in the days that followed. The messages explicitly reference the attack method, the stolen amount, and plans for laundering the proceeds.
On March 14, Johnson messaged CC-1: “we just did shit n*****s haven’t been able to do,” referencing “prime tree” and “Trezor”—the latter suggesting the victim was using a Trezor hardware wallet, consistent with social engineering attacks that impersonate hardware wallet support. CC-1 responded: “we so goated,” “185 btc,” “felt so good,” and “so fcking motivating.”
CC-1 immediately pushed for more: “we need to hit another big one.” Johnson replied: “Bro we rlly actually did some crazy ass shit lol.” CC-1 responded: “we were always destined to be 8figure n****s, ngl.”
In subsequent messages, CC-1 outlined his laundering plan explicitly: “I’m not spending a dollar from my cut,” “I have 500k I alr had,” and — critically — “Putting it in XMR and living off that.” Monero (XMR) is a privacy-focused cryptocurrency commonly used by threat actors to obscure the trail of stolen funds. The stated intent to convert to XMR aligns with a broader pattern in social engineering thefts throughout 2025 and 2026, where attackers rapidly bridge stolen assets into Monero through instant exchanges.
Both parties continued to celebrate over the following days. Most chillingly, by March 16 — just two days after the 185 BTC theft—Johnson was already planning further attacks, writing, “I’ll lyk I’m chilling tn so I can get on early tmr morning,” followed by a message about targeting more victims “for lots of btc.”
In a separate but related development, meme coin KOL @yelotree was also charged for allegedly helping launder stolen funds through his Miami rental car business. He faces up to 30 years.
The Laundering Trail: Bridges, Splits, and Exchange Deposits
TRM Labs diagrams published alongside ZachXBT’s thread reveal the full laundering infrastructure. After the 185 BTC was stolen on March 14, the funds were split across multiple Bitcoin addresses with precise timestamps between 1:10 AM and 2:41 AM. Bitcoin was then routed through intermediary addresses before being bridged to Ethereum.
On the Ethereum side, the funds flowed through at least four Kapllani-controlled wallets before being deposited into at least seven separate deposit addresses on a single exchange — a common technique of splitting deposits across multiple accounts to evade exchange-level detection thresholds and AML monitoring.
The diagrams also show exact ETH amounts: 334.99 ETH, 669.49 ETH, 1,004.48 ETH, and 517.33 ETH moving between Kapllani’s wallets on March 14, with the final flows landing in the 0x4487 wallet within hours of the theft.
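An added example, not part of the original article or of any exchange's actual monitoring: a minimal exchange-side check for the deposit-splitting pattern described above. It aggregates sub-threshold deposits by upstream funding source across deposit addresses within a time window. The source clustering (assumed to come from blockchain analytics), the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, upstream source cluster, deposit address, ETH).
# All identifiers and amounts are placeholders, not values from the case.
DEPOSITS = [
    ("2026-01-01T03:00", "cluster_A", "dep_1", 95.0),
    ("2026-01-01T03:04", "cluster_A", "dep_2", 98.0),
    ("2026-01-01T03:09", "cluster_A", "dep_3", 97.5),
    ("2026-01-01T03:15", "cluster_A", "dep_4", 99.0),
    ("2026-01-01T03:21", "cluster_A", "dep_5", 96.0),
    ("2026-01-01T03:30", "cluster_A", "dep_6", 94.0),
    ("2026-01-01T03:42", "cluster_A", "dep_7", 98.5),
    ("2026-01-01T09:00", "cluster_B", "dep_8", 40.0),    # ordinary single deposit
    ("2026-01-01T10:00", "cluster_C", "dep_9", 450.0),   # large: caught by per-deposit review
    ("2026-01-01T02:00", "cluster_D", "dep_10", 60.0),
    ("2026-01-03T02:00", "cluster_D", "dep_11", 60.0),   # same source, two days apart
]

def flag_split_deposits(deposits, window=timedelta(hours=6), min_addresses=3,
                        per_deposit_limit=100.0, aggregate_limit=300.0):
    """Flag sources whose sub-threshold deposits fan out across many addresses."""
    by_source = defaultdict(list)
    for ts, source, address, amount in deposits:
        by_source[source].append((datetime.fromisoformat(ts), address, amount))

    alerts = []
    for source, rows in by_source.items():
        rows.sort()                      # chronological order per source
        start, best = 0, None
        for end in range(len(rows)):     # sliding time window over the deposits
            while rows[end][0] - rows[start][0] > window:
                start += 1
            small = [r for r in rows[start:end + 1] if r[2] < per_deposit_limit]
            addresses = {r[1] for r in small}
            total = sum(r[2] for r in small)
            if len(addresses) >= min_addresses and total >= aggregate_limit:
                if best is None or total > best["total_eth"]:
                    best = {"source": source, "addresses": sorted(addresses),
                            "total_eth": round(total, 2)}
        if best:
            alerts.append(best)
    return alerts
```

Each deposit from `cluster_A` stays under the per-deposit limit, so only the aggregation by source surfaces it; per-address thresholds alone would see seven unremarkable deposits.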
The Daghita Connection
ZachXBT noted the irony that Kapllani had previously participated in a B4B with John Daghita, known as “Lick”—the threat actor whose January 2026 bragging session inadvertently exposed $23 million in stolen cryptocurrency linked to a $46 million theft from U.S. government-controlled wallets. That earlier investigation by ZachXBT led to Daghita’s arrest by federal authorities.
During the Daghita investigation, Daghita posted one of Kapllani’s old wallet addresses (0x97da0685dbba50b4cbabb0ca9e8336f4fbe41122) in a now-deleted Telegram message in apparent retaliation. ZachXBT verified that the address “looked accurate as Dritan moved funds to the same laundering service within minutes of the 185 BTC theft.”
$5.85M in Additional Thefts Traced
ZachXBT traced the source of funds for the 0x97da wallet back to at least $5.85 million stolen across five separate high-confidence social engineering thefts in 2025. He published the theft addresses spanning August, September, and October 2025 — each linked to a distinct victim.
A separate TRM Labs flow diagram confirms the on-chain connection between these 2025 theft victims and two Kapllani-controlled wallets (0x97da…1122 and 0x06ad…142e), establishing a pattern of repeated social engineering attacks feeding into the same laundering infrastructure over at least seven months.
The combined total across the 185 BTC theft and the 2025 thefts brings Kapllani’s alleged involvement to approximately $19 million.
“The Com” and Plot Armor
ZachXBT described Kapllani as being known within “The Com”—the loose online network of young social engineering and SIM-swapping threat actors that has been responsible for some of the largest individual crypto thefts in recent years, including the $243 million Genesis creditor theft in August 2024 and the $282 million hardware wallet social engineering theft in January 2026.
Kapllani is known within The Com “for having lots of plot armor as all of his friend groups (ACG, 41/RM Boyz, etc) have kept getting arrested without him,” ZachXBT wrote. He attributed this partly to Kapllani having been a minor until recently—noting that law enforcement typically delays prosecution of minors.
“He just turned 18 so hopefully now his borrowed time is finally up,” ZachXBT concluded.
Social Engineering: The Dominant Crypto Threat Vector of 2026
The Kapllani exposé is the latest in a series of ZachXBT investigations that have systematically mapped the social engineering ecosystem targeting crypto holders. The attack vector—which relies on psychological manipulation rather than technical exploits, typically by impersonating exchange support staff or hardware wallet providers—has produced the largest individual crypto thefts of both 2025 and 2026.
The federal complaint’s reference to “Trezor” in the March 14 messages suggests this attack followed the dominant playbook: impersonating hardware wallet support to convince victims to reveal seed phrases or approve malicious transactions. In January 2026, a separate social engineering attack stole $282 million in BTC and LTC, with funds rapidly converted to Monero. In March 2026, a Kraken user lost $18.2 million through a similar social engineering scheme, with funds laundered via Thorchain.
A common thread across these cases: the perpetrators are overwhelmingly young—many are teenagers or barely adults—and their operational security is often undermined by the same impulse that funds their lifestyle: the compulsion to show off stolen wealth on social media and in B4B competitions.
In Kapllani’s case, the Discord bragging session, the Exodus wallet’s 1-month portfolio age, the real-time celebration messages in the federal complaint, and the TRM Labs fund flow diagrams collectively form a forensic chain that leaves little room for ambiguity.
