Inside the $282mln ZachXBT investigation – How stolen Bitcoin hit Tornado Cash

On the night of 10th January, while most of the world was asleep, one of the largest individual heists in crypto history was unfolding in real-time.

It wasn’t a flaw in code or a breach of a protocol, but a breach of human trust.

In a major move of social engineering, an attacker successfully bypassed the gold standard of hardware wallet security, siphoning over $282 million in Bitcoin and Litecoin from a single victim.

But the theft was only the beginning.

Details of the scam

As blockchain investigator ZachXBT and security firm PeckShield tracked events in real time, the attacker moved quickly to launder the stolen funds across multiple blockchains.

Hardware wallets like Trezor are often described as the safest way to store crypto. But they have one major weakness, and that is the person using them.

Reports suggest the victim was tricked through a highly convincing impersonation scam.

The attacker pretended to be “Trezor Value Wallet” support and gained the victim’s trust. Following this, the attacker convinced the victim to share their seed phrase that controls the wallet.

Once that happened, the hardware wallet no longer mattered.

Funds lost and moved

After stealing more than $282 million worth of Bitcoin [BTC] and Litecoin [LTC], the attacker saw that the transactions were visible on public blockchains.

Hence, to hide the trail, the attacker turned to THORChain, a decentralized liquidity protocol.

Using THORChain, the attacker moved around $71 million, or roughly 928.7 BTC, across different chains.

Unlike centralized exchanges, THORChain does not require KYC, allowing the attacker to swap Bitcoin for Ethereum and Ripple [XRP] without providing any identification.

Once the funds reached the Ethereum [ETH] network, the attacker took further steps to hide them.

A large amount, including 1,468.66 ETH worth about $4.9 million, was sent through Tornado Cash, a privacy mixer.

For those unaware, mixers combine funds from many users, breaking the clear link between where the money came from and where it ends up.

The attacker also swapped large amounts into Monero, a privacy-focused cryptocurrency, pushing Monero’s price higher for a short time.

Market reaction and more

All of this happened during a period of market chaos.

On the same day, crypto markets were already falling due to Trump’s new tariff shock.

Bitcoin dropped 2.26% to $93,075, while Litecoin fell 7.19% as per CoinMarketCap data.

However, with so many scams surging, there are signs of progress.

Recently, Europol and international law enforcement agencies shut down a major fraud and money laundering network operating across multiple countries.

That group had stolen more than €700 million from thousands of victims.

Final Thoughts

• This incident proves that crypto security failures no longer involve bugs but trusted narratives, too.
• Cross-chain liquidity protocols have unintentionally become accelerants for large-scale laundering.