British threat actor reportedly arrested, $18.6M crypto seized

British cybercriminal Danny Khan, known online as Danish Zulfiqar or Meech, appears to have been apprehended by law enforcement authorities in Dubai, according to blockchain security sleuth ZachXBT. 

In his Telegram Investigations by ZachXBT channel, the 2D investigator posted an identification document doxxing Khan and reported that $18.58 million in cryptocurrency assets were seized during the suspected arrest. The funds were spotted in Ethereum wallet address 0xb37d6…9f768, following the transfer of approximately 3,670 ETH into the wallet on Friday. 

“Several hours ago multiple addresses tied to him I was tracking consolidated funds to 0xb37d in a similar pattern to other law enforcement seizures,” ZachXBT wrote.

Dubai villa allegedly raided to arrest Khan, associates went silent

ZachXBT’s sources claimed that Danny Khan was last reported to be in Dubai, and they alleged that a villa he resided in was raided. Several other individuals were reportedly arrested during the operation, and people close to Khan have been unresponsive to communications for the past several days.

The cybersecurity analyst had been tracking Meech since 2024, linking him to the $243 million theft from a Genesis creditor in August that year. The operation was conducted with co-conspirators Malone Lam, Veer Chetal, Chen, and Jeandiel Serrano through a social engineering attack on an unnamed individual.

On August 19, 2024, the group impersonated Google and Gemini support and convinced the victim to reset two-factor authentication, transfer Gemini funds to a wallet they could access, and even share private Bitcoin keys through the remote desktop app AnyDesk. 

Per Gemini transaction records shared in a Discord video of the three boasting about their score, 59.34 BTC and 14.88 BTC were transferred to addresses under the control of the thieves.

“Oh my God! We are done! Do you know how much money that is?” Veer Chetal was recorded saying in a video Zach shared on his X thread. Chetal, who received a significant portion of the funds, exposed his full identity in the screen-sharing session.

The stolen $243 million was divided among the group and moved back-and-forth among more than 15 crypto exchanges and converted between Bitcoin, Litecoin, Ethereum, and Monero. 

Later on in the year, the US Department of Justice unsealed an indictment on the Genesis theft charging Malone Lam, 20, of Miami and Los Angeles, and Jeandiel Serrano, 21, of Los Angeles, with conspiracy to steal and launder over $230 million in cryptocurrency. 

Both were arrested last night and appeared in the US District Court in the Southern District of Florida and the Central District of California in September last year, although Danny Khan was not identified as part of the perpetrators then.

Khan was part of the T-Mobile Kroll SIM swap

ZachXBT also placed the Danish Zulfiqar among the bad actors of the Kroll SIM swap in August 2023, which exposed the personal information of BlockFi, Genesis, and FTX creditors. The attack reportedly led to over $300 million in losses swindled through social engineering, much like the Genesis one. 

Kroll provided a statement confirming the breach and revealed that a hacker had compromised an employee’s T-Mobile account using a SIM swapping attack.

SIM swapping, also known as port-out or SIM-jacking, is where a threat actor impersonates a mobile account holder to transfer their phone number to a new SIM card. T-Mobile transferred the employee’s phone number without authorization from Kroll, which helped the threat actor to access personal information of BlockFi, FTX, and Genesis bankruptcy claimants.

“Never forget Kroll had an employee SIM swapped in Aug 2023, resulting in breaches for Blockfi, FTX, Genesis creditors, which led to 8-9 figs stolen by cybercriminals via email phishing campaigns and social engineering scams. Idk how your company has not been sued to oblivion for the security incident,” Zach bashed Kroll on social platform X in January this year.

Throughout his criminal activity, Khan reportedly worked with a tight-knit network of co-conspirators. While official confirmation of Khan’s arrest has not yet been released by law enforcement agencies, several sources have insinuated authorities are actively pursuing the case.

Join a premium crypto trading community free for 30 days - normally $100/mo.