How ZachXBT Exposed a $2 Million Coinbase Impersonation Scam Using On‑Chain Clues

ZachXBT, a blockchain investigator, traced more than $2 million in alleged losses by reconstructing a trail that combined on-chain transfers with off-chain behavior tied to a Canadian suspect. Our conclusion is that transparent ledgers plus basic human error created enough linkage to move from “wallet activity” to a credible attribution hypothesis.

We see this case as a clean example of how laundering patterns can look “sophisticated” at a glance while still being vulnerable to operational-security mistakes. The investigator’s edge came from pairing repeatable transaction behavior with self-incriminating digital traces that aligned with observed balances and timing.

On-chain reconstruction and the laundering pattern

The investigation started by tracking specific stolen assets through their earliest hops. A victim wallet showed an outbound transfer of about 21,000 XRP, roughly valued at $44,000 at the time, which was routed through instant exchange deposit addresses and rapidly converted into Bitcoin. The XRP-to-BTC swap and the immediate onward movement match a textbook obfuscation playbook intended to break simple attribution.

From there, the pattern continued in a way we typically associate with deliberate trace-friction: rapid swaps, then withdrawals into newly created wallets. The repeated use of fresh addresses after conversion is a standard tactic designed to complicate follow-the-money workflows.

As linkages across incidents accumulated, the same transactional pattern was associated with additional Coinbase-related thefts totaling approximately $500,000. On one identified Bitcoin address, the investigator observed a balance near $237,000 during the active period of transfers. These balances and consolidations served as the financial backbone of the attribution narrative by showing victim funds concentrating into personal wallets after on-chain swaps.
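One way to mechanise the follow-the-money pattern described above, as an added illustration that is neither ZachXBT's tooling nor data from the case: a breadth-first taint trace over a constructed ledger that flags hops into never-before-seen wallets, bridges the off-chain swap leg with a timing heuristic on exchange payouts, and reports where tainted flows consolidate. All addresses, amounts and timestamps are constructed, and the exchange deposit/hot-wallet labels and the 600-second payout window are assumptions.

```python
from collections import defaultdict, deque
# Constructed sample ledger, not real chain data: (tx_id, chain, sender, recipient, amount, unix_time)
TRANSFERS = [
    ("t1", "XRP", "victim_a",      "ix_deposit_1", 21000.0, 1000),  # victim -> instant-exchange deposit address
    ("t2", "BTC", "ix_hot_wallet", "fresh_btc_1",  0.70,    1180),  # exchange pays out BTC minutes later
    ("t3", "BTC", "fresh_btc_1",   "consolidator", 0.69,    4000),  # swept into a personal wallet
    ("t4", "XRP", "victim_b",      "ix_deposit_2", 9000.0,  5000),
    ("t5", "BTC", "ix_hot_wallet", "fresh_btc_2",  0.30,    5150),
    ("t6", "BTC", "fresh_btc_2",   "consolidator", 0.29,    9000),
    ("t7", "BTC", "ix_hot_wallet", "unrelated_1",  2.00,    9100),  # payout with no deposit in its window
]
EXCHANGE_DEPOSITS = {"ix_deposit_1", "ix_deposit_2"}  # assumed labels for instant-exchange deposit addresses
EXCHANGE_HOT = {"ix_hot_wallet"}                      # assumed label for the exchange payout wallet
PAYOUT_WINDOW = 600  # seconds after a deposit in which a hot-wallet payout counts as a candidate swap leg

def trace(transfers, victims):
    """Breadth-first follow-the-money from victim wallets. Returns
    (tainted addresses, hops into never-before-seen wallets, timing-inferred swap legs)."""
    by_sender, seen = defaultdict(list), {}
    for tx in transfers:
        by_sender[tx[2]].append(tx)
        for a in (tx[2], tx[3]):  # earliest time each address appears anywhere in the ledger
            seen[a] = min(seen.get(a, tx[5]), tx[5])
    payouts = [tx for tx in transfers if tx[2] in EXCHANGE_HOT]
    tainted, fresh_hops, inferred = set(victims), [], []
    queue = deque((v, 0) for v in victims)
    while queue:
        addr, arrived = queue.popleft()
        if addr in EXCHANGE_DEPOSITS:
            # Swap leg is off-chain: payouts shortly after the deposit are candidate continuations (confirm with exchange records)
            nxt = [tx for tx in payouts if arrived <= tx[5] <= arrived + PAYOUT_WINDOW]
            inferred.extend((addr, tx[0]) for tx in nxt)
        else:
            nxt = [tx for tx in by_sender[addr] if tx[5] >= arrived]
        for txid, _, _, r, _, t in nxt:
            if seen[r] == t and r not in EXCHANGE_DEPOSITS:
                fresh_hops.append((txid, r))  # wallet whose first appearance is receiving this hop
            if r not in tainted:
                tainted.add(r)
                queue.append((r, t))
    return tainted, fresh_hops, inferred

def consolidation_points(transfers, tainted):
    """Tainted addresses that received funds from more than one distinct tainted sender."""
    senders = defaultdict(set)
    for _, _, s, r, _, _ in transfers:
        if s in tainted and r in tainted:
            senders[r].add(s)
    return {r for r, ss in senders.items() if len(ss) > 1}
```

Running `trace(TRANSFERS, ["victim_a", "victim_b"])` flags `fresh_btc_1`, `fresh_btc_2` and `consolidator` as fresh-wallet hops, links each deposit to one payout, and leaves `unrelated_1` untainted; `consolidation_points` then singles out `consolidator` as the wallet where both victims' funds meet.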

Where the identity linkage came from

On-chain evidence established how value moved, but it did not, by itself, supply a real-world identity. The suspect reportedly boasted privately in Telegram groups and shared screenshots of wallet balances that matched what the investigator could see on-chain. When private screenshots align with public balances, the suspect’s own behavior becomes a bridge between pseudonymous wallets and a human operator.

A leaked screen recording was cited as allegedly showing the individual impersonating Coinbase support while exposing an email address and Telegram handles consistent with the same online persona. We view that kind of “self-doxing” artifact as the type of operational lapse that can collapse an otherwise disciplined laundering chain.

The identity hypothesis was further supported with additional public postings—lifestyle photos, luxury purchases, and nightlife displays described as inconsistent with legitimate income—paired with transaction timing and flow analysis. Those combined signals were used to attribute an alleged location in Abbotsford, British Columbia, as part of the broader reconstruction.

Coinbase’s own warnings about support protocols were reiterated in the context of the case, including that staff would never request passwords or two-factor codes, or instruct users to move funds to “safe” addresses. This detail is material because it frames the incident as social engineering rather than a platform vulnerability.

For institutional teams, our takeaway is twofold: blockchains preserve immutable movement records, and attackers still win by exploiting human trust even when no technical exploit is involved. The most defensible posture is to pair on-chain anomaly monitoring with rigorous user education and incident-response playbooks that assume impersonation attempts will continue.