Co
Image: YouTube/Coffeezilla
Tech

Meet the Blockchain Detectives Who Track Crypto’s Hackers and Scammers

A handful of skilled independent investigators are uncovering high profile scams and hacks in the crypto and web3 world.

In a recent video, a YouTuber known as Coffeezilla wears his signature white shirt and red suspenders, and sits in his virtual studio that looks like it’s pulled out of a B-list cyberpunk video game. There are several blinking computer screens, a roof with exposed tubes, and a wall where photos of different people are connected by intersecting red lines, like in the office of an old-school detective who pulls the threads of a major mystery—or like that evergreen conspiracy meme from It’s Always Sunny in Philadelphia

Advertisement

It's a fitting setting for Coffeezilla, whose real name is Stephen. He wouldn't disclose his last name to Motherboard, to protect his privacy. He calls himself an “internet detective,” and he focuses on exposing scams in the world of cryptocurrencies, web3, and decentralized finance, or DeFi. 

And there's plenty of work to be done. The video is the latest in a series of six videos about the alleged scams promoted by influencers and professional boxer brothers Jake and Logan Paul. In the 8-minute investigation, he accuses Jake Paul of raking in more than $2 million dollars by promoting a series of crypto projects that are actually scams designed to deceive investors, according to Coffeezilla.   

“At the end of the day Jake Paul's fans got screwed while he got rich,” Coffeezilla says in the video. 

Three people who claim to have been victims of a “pump and dump” scheme promoted by executives of SafeMoon, a company that launched an eponymous token, have filed a class-action against the company. Jake Paul and other celebrities and influences are named as defendants for their alleged role in aiding the scheme. SafeMoon, Jake Paul, and the other influencers named in the lawsuit have yet to respond to it, according to court documents reviewed by Motherboard. 

Advertisement

“It's the wild wild west out there. […] So the crypto community has to figure out how to self monitor.”

Lawyers representing SafeMoon and its executives did not respond to a request for comment. 

Representatives of Jake Paul did not respond to a request for comment. 

“Everyone hears all the time about how crypto is changing the world for the better. And there's not a lot of talking about how people at the bottom are being exploited for the worse. I’m by no means anti-crypto, but I am anti-scams and there’s a lot of scams in crypto,” Coffeezilla told Motherboard in an interview. “It's the wild wild west out there. And the regulators are just a little slow to catch up right now. So the crypto community has to figure out how to self monitor.”

Coffeezilla is not the only one doing this kind of work. Motherboard spoke to seven people who have become important parts of the web3 ecosystem as independent investigators—some call them “vigilantes”—who expose scammers and track down hackers in an attempt to both call them out and alert potential investors to stay away from them, often from behind pseudonymous identities. 

In the last year, there’s been an explosion of interest in traditional cryptocurrency and newer products like NFTs and DeFi projects built on blockchains. And because of this interest, there has been an explosion of scams and hacks as well. It seems like every other day some collector gets a precious NFT stolen, an anonymous developer runs away with everyone's money, or a crypto project gets hacked losing millions of dollars. 

Advertisement

Most of these investigators are not against cryptocurrency and the web3 world, they just want to help make it safer and healthier. For years, companies like Chainalysis and Elliptic have tracked hackers and thieves on the blockchain, mostly working with other companies or law enforcement. The independent sleuths use some of the same techniques to track stolen crypto or NFTs, taking advantage of the fact that the blockchain is transparent, and never forgets. 

Untitled design (71).png

A screenshot of the video where Coffeezilla accuses Jake Paul of scamming more than $2 million by promoting several questionable cryptocurrency projects. And Jake Paul sitting courtside at an NBA game. (Image: YouTube and Bob Levey/Getty Images)

ZachXBT prefers not to show his face, nor his real name, but his impact on the web3 and crypto world is just as significant as Coffeezilla’s. He has more than 180,000 followers on Twitter, the platform where he delves into crypto scams, so-called rug pulls—a scam in which a developer promotes a new project or token, builds up interest and attracts investors, and then disappears with all the proceedings—and crypto hacks. He describes himself as an "on-chain sleuth" and "10x rug pull survivor" in his Twitter bio. 

He told Motherboard that investigating crypto scams has now become his full time job, thanks to donations, grants he gets from crowdfunding platform Gitcoin, and trading cryptocurrency on the side. 

ZachXBT has published more than 30 investigations into crypto scams and the people allegedly involved in them. For example, he accused rapper Gunna of promoting a short-lived cryptocurrency scam, exposed an NFT "cash grab" that raised $71 million, and helped Motherboard dive into the bizarre story of Melania Trump’s NFT sale, where the creator of the NFT put up the funds for the sale.  

Advertisement

Do you work at the intersection of cybersecurity and crypto? Do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

In January, he revealed that one of the co-founders of the popular Avalanche-based Wonderland DeFi (or decentralized finance) protocol and its TIME token was Michael Patryn. In 2013, Patryn co-founded QuadrigaCX, a popular Canadian cryptocurrency exchange that went bankrupt in 2019 under mysterious circumstances after the other founder, Gerald Cotten, died and left more than $190 million CAD allegedly locked away forever. Investigators later determined that QuadrigaCX was operating as a fraud and a "Ponzi" under Cotten. In the past, and separately from QuadrigaCX, Patryn has been accused of being a serial scammer and convicted of computer fraud, bank and credit fraud, and other crimes, as Bloomberg reported in 2019

Advertisement

The news that Patryn, known as Sifu,  was involved in Wonderland—overseeing its treasury, no less—was a stunning revelation that shook the project’s investors and the larger DeFi world. After the revelation, investors decided to vote him out of the Decentralized Autonomous Organization, or DAO, which governs the project.

“Perhaps Sifu did really want to repair his image and had good intentions, however it’s important in a DAO that the community is the one to ultimately make that decision,” ZachXBT said.  

In November of last year, ZachXBT accused Ran Neuner, the founder of the YouTube show Crypto Banter, which has 500,000 subscribers, of pumping and dumping an altcoin called The Famous Token (TFT) during a stream earlier in the year. The token was abandoned by the developers in September 2021, and the video where Neuner promoted the token has now been made private

“I discovered they bought a couple hundred thousand dollars worth of tokens for a project before the stream and selling directly after for a 100 percent gain,” ZachXBT said in an interview, explaining that this is his favorite investigation so far, “primarily because of how he attempts to hide it from his audience all the while preaching ethics. He has always denied the allegations even though the blockchain shows differently. It frustrates me how someone can have such a large audience yet deceive them constantly.” 

Advertisement

Neuner did not respond to requests for comment via Twitter DM. 

Molly White is a software engineer and a well-known crypto critic who runs the popular Twitter account and website called “web3 is going just great,” which serves as a running archive of scams, hacks, and lawsuits in the web3 world. In an online chat with Motherboard, she said that independent investigators like ZachXBT are doing “incredible work” made necessary by the lack of “any consumer protection” in the web3 ecosystem, which “has led to almost a vigilante movement of people trying to protect others.” 

“ZachXBT in particular has such a deep knowledge of crypto that helps him connect dots that I know I certainly would miss,” she told Motherboard in an online chat. “I also think the fact that they need to do this kind of work really underscores how flawed the ‘do your own research’ refrain is among crypto projects. The vast majority of people don't have the ability to do the kind of research they are doing.”

Bennet Tomlin, the co-host of the Crypto Critics’ Corner podcast, told Motherboard that without the “critical” work of ZachXBT and others like him “tons of scams would never have been exposed, and certainly would not have reached the number of people they have.” ZachXBT was interviewed on the podcast last month, where he talked about his work with a masked voice.

Advertisement

There are several other people who do the kind of work ZachXBT and Coffeezilla do. Many prefer to stay anonymous due to the nature of their investigations, which often involve millions of dollars, and accusations of scamming and other crimes. Often, they're just average people with an interest in crypto and a passion for justice. 

John goes by CryptoShields or “Anti Scammer Squad (A.S.S.)" online, and declined to disclose his last name to protect his privacy. On Twitter, his motto is “Find them, Flag Them and Flush them.” 

He said that he’s “just a regular guy with a background in computer science, father, husband and crypto enthusiast,” in a chat with Motherboard. 

“The fact that they need to do this kind of work really underscores how flawed the ‘do your own research’ refrain is among crypto projects.”

BlameBootsy is another pseudonymous investigator who said he is a teacher and former “sports entertainment guy” who does investigations in his spare time. 

Some crypto investigators are comfortable using their real names, however. 

Alessandro Ribeiro initially did investigations as an independent sleuth under the moniker Rug Pull Finder after falling for three different rug pull scams himself, according to his co-founder Nik Horniacek.  At the end of February, Ribeiro registered Rug Pull Finder in the UK as an actual company with the goal of “more easily build relationships with federal agencies and technology partners,” Horniacek told Motherboard, adding that they now have a team of 16 people. 

Advertisement
rugpullfinder.jpg

There’s also Simona Panzica, an artist and cybersecurity veteran who now works to educate people in the NFT world about the risks they face from hackers and scammers. Panzica doesn't only educate, however—she also works to retrieve stolen digital assets. 

Panzica has published a book (as an NFT, naturally) that teaches cybersecurity to NFT artists and collectors. She hosts Twitter Spaces and Clubhouse meetings talking about what people involved in the community should know to avoid becoming victims of hackers. Finally, she also helps artists and collectors who got their art or crypto stolen. Just like other sleuths, she looks into blockchain transactions, delves into the social media and online presence of the scammer or hacker, and sometimes helps the victims report the case to the police, she said.

In some cases, Panzica told Motherboard in a phone call, she has been able to recover the stolen NFTs using what she called “positive social engineering.” 

First, she said she tracks the stolen NFT on the blockchain, trying to identify who stole it. If she’s able to unmask the hacker, she helps the victim report the theft to the police, including all the data she has dug out. Then she contacts the alleged thief and tries to convince them to return the stolen NFT as a way to avoid legal trouble by telling them: “The police are on the case, we know who you are, we know where you live.” 

Advertisement

One of the reasons these independent investigators exist is because the web3 ecosystem relies on public blockchains, which allow anyone to inspect the flow of crypto, public Discord channels, and social media accounts. 

“Independent investigators have access to far more information than they would in other ecosystems. It means it's easier for talented investigators to quickly pull on threads and uncover scams and then write compelling narratives,” Nick Bax, the head of research at web3 cybersecurity firm Convex Labs, told Motherboard in an online chat. “This is stuff that would've been much more difficult if the scammers had used credit cards, bank accounts, or cash.”

“What we're seeing is the cryptocurrency and NFT communities fighting back against these scams in some of the only ways we can. That is, bringing awareness to prevent more scams, and naming and shaming,” he added.

Convex Labs has recently launched its first project, called HonestNFT, which promises to audit “NFT projects for fairness.” The project is also selling its own NFT collection called “Vigilante NFT.

All these independent investigators are making it hard for the bad guys to get away with it without anybody being the wiser. It’s unclear if the authorities are investigating all of the many cases exposed by the independent investigators, but at least the scammers get exposed and marked publicly. 

Advertisement

“As the community of investigators grows, the skills and expertise do provide a little bit of deterrence,” Jessy Irwin, a cybersecurity practitioner who works for a blockchain company, told Motherboard in an online chat. 

satoshi.jpeg

Statue of Satoshi Nakamoto. (Image: Janos Kummer/Getty Images)

Deterrence and a dislike for scammers is what motivates these vigilante investigators, even if they're fans of cryptocurrency. 

Coffeezilla told Motherboard that he has always disliked “people who preyed on the vulnerable and exploited them.” When he was a teenager, he said, his mother was diagnosed with cancer, and “preyed on” by people peddling snake oil health cures. 

Some people see crypto as a “safe branch” to make money in a tough economy, a place where people they know—as well as celebrities and influencers—seem to make “easy money,” Coffeezilla said. But then these people end up getting into “sketchy cryptocurrencies” and “find themselves taken advantage of,” he said.

ZachBXT said he got into this line of work with the goal of exposing the people promoting “sketchy projects undisclosed and lying to their audience on a regular basis,” with a particular attention on influencers. 

“What’s most rampant at its current stage is undisclosed promotions by influencers and celebrities on social media platforms like Twitter, YouTube, and Instagram,” he said, explaining how these scams work. “You see all different types of compensation ranging from: straight up being paid USD, being gifted tokens or NFTs, and what I think the most shady type of compensation has been allocations to seed/private rounds for projects.”

Advertisement

“Influencers get invited to participate in seed/private rounds even though many influencers are aware it is typically cash grabs or poorly designed projects. These types of projects offer the most upside but hurt their audience the most,” he added. 

CIA Officer is a security researcher who not only investigates crypto hacks, but also openly shares his methodology. He told Motherboard that “my sense of justice pushes me forward. I also want to connect OSINT and crypto so a lot of talented guys get jobs.” 

As you might expect, this type of investigation into scams can result in people getting mad.  Coffeezilla's videos routinely get hundreds of thousands of views, and can make some of the alleged scammers he talks about upset. Coffeezilla said he sometimes gets cease and desist letters, but “nothing too serious.”

ZachBXT has been on the receiving end of harassment as a result of his work, he said.

“Thankfully I have a strong group of people that support what I am trying to do,” he said. “Receiving death threats is never something you enjoy.”

opensea.jpeg

A collection on the NFT marketplace Opensea. (Image: Daniel Harvey Gonzalez/In Pictures via Getty Images)

In an attempt to protect himself from lawsuits accusing him of defamation, Coffeezilla includes a disclaimer in his video’s descriptions: “This video is an opinion and in no way should be construed as statements of fact. Scams, bad business opportunities, and fake gurus are subjective terms that mean different things to different people. I think someone who promises $100K/month for an upfront fee of $2K is a scam. Others would call it a Napoleon Hill pitch.”

With reputations for being knowledgeable "good guys" in a world overrun with baddies, you might think that these open-source sleuths would be eager to leverage their expertise into a position at one of the existing firms that conducts blockchain analysis. But ZachXBT said that he wants to stay independent, even though he has gotten offers for contract work from some companies that track cryptocurrencies. 

“Working for any entity doesn’t allow the same level of freedom and creativity,” he said.

That freedom has allowed him to provide victims’ lawyers with his findings, and he has also filed reports to law enforcement authorities. So far, however, none have reached out to him, ZachXBT said.

When asked whether any authorities ever asked for help in their investigations, Coffeezilla laughed and said he shouldn’t say anything about that. 

On March 24, the Department of Justice charged two men accusing them of money laundering and fraud for a “rug pull” scheme, showing law enforcement is also looking into these types of scams

By exposing scammers and hackers, these investigators hope to make web3 a safe, healthier space where investors can legitimately make money without becoming victims of scammers.

“It’s up to the community to educate people and make the onboarding process as seamless as possible,” ZachXBT said. 

“I am passionate about and strongly believe in the opportunities web3 can deliver to many,” said Horniacek of Rug Pull Finders. “Will it ever be completely free from scams? No, and we would be naive to think that. But I do believe that this space can be healthy in a way that reduces the risk. There is power in the collective efforts of the community to drive this space forward.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.