ZachXBT

@zachxbt

Followers: 933K | Following: 226K | Media: 6K | Statuses: 22K

Scam survivor turned 2D investigator | Advisor @paradigm

Joined February 2015
@zachxbt
ZachXBT
1 year
1/ An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month in a highly sophisticated social engineering attack and my efforts which have helped lead to multiple arrests and millions frozen.
3K
6K
40K
@zachxbt
ZachXBT
2 days
Update: USG made a press release today formally announcing Ronald has been charged.
30
10
403
@zachxbt
ZachXBT
6 days
You can read my investigation below
@zachxbt
ZachXBT
1 year
1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support.
12
2
479
@zachxbt
ZachXBT
6 days
I am pleased to share that the threat actor ‘Ronald Spektor’ (Ron) was recently arrested in New York. In November 2024 I published my investigation detailing his involvement in a $6M Coinbase support impersonation scam and other thefts after a victim contacted me for
491
303
4K
@zachxbt
ZachXBT
12 days
Update: A superseding indictment from a few hours ago confirmed my analysis that Danny / Danish Zulfiqar (Khan) was arrested in Dubai. Seizure address 0xb37d617716e46511E56FE07b885fBdD70119f768
118
48
1K
@zachxbt
ZachXBT
1 month
2/2 You can read my investigation from Oct 2024 into the incident below.
@zachxbt
ZachXBT
1 year
1/ An investigation into Faris Ali (Zay/Tommy) from the UK and his alleged involvement in robbing an X user out of $4.3M in June 2024 during a home invasion as the result of a crypto data breach.
58
23
634
@zachxbt
ZachXBT
1 month
1/2 In June 2024 a victim was brutally robbed for $4.3M+ of crypto assets at gunpoint via home invasion in the UK after the attackers posed as delivery drivers. I am proud to share that Faris & his two other accomplices were just sentenced and nearly the full amount of stolen
903
397
6K
@zachxbt
ZachXBT
2 months
6/ I wanted to make this post so more people do not continue the privacy mistake of accidentally revealing their transparent address when bridging with shielded ZEC until a Zashi update is implemented. Should I do more posts like this in the future about how to maintain proper
193
98
3K
@zachxbt
ZachXBT
2 months
5/ I contacted the Zashi team and they informed me they plan to solve this privacy issue by adding ephemeral addresses soon and eventually shielded Near Intent refunds. In the meantime I suggest using multiple seeds on separate devices if you use Near Intent integration for
40
61
798
@zachxbt
ZachXBT
2 months
4/ My order completed after several minutes but the issue is a Near Intents refund txn of 0.001598 ZEC was also made to my t-address I initially shielded from which establishes a clear link between my addresses. Someone can simply match up timing/amounts from the Near Intents
19
55
613
@zachxbt
ZachXBT
2 months
3/ Now let’s say I want to anonymously fund an ETH address from my Zashi wallet with my shielded ZEC so I use the “Crosspay” feature via Near Intents to receive 0.005 ETH to the following address: 0x6dda3649f19191a9df465f4010019f2f59c34bc4
3
4
307
@zachxbt
ZachXBT
2 months
2/ For this example I bridged 1 SOL from Solana to Zcash via Near Intents & shielded it after. Source txn from 27sfYM 3R82PEDc1WsvQHbEaEph5igAbfvunWjg3ErpjrAvQ5rzkhcqRkhp9MKocKXMNLAwTNrW2rrP3cicywb2HFcBMxF4 Destination txn to t1MQ9Z
12
10
354
@zachxbt
ZachXBT
2 months
1/ As part of my work I like to test out privacy products and figure out what works and what doesn’t so I can abuse any design flaws for my investigations. With the recent hype around Zashi & its Near Intents integration I tested it for Zcash.
496
452
4K
@zachxbt
ZachXBT
2 months
9/ Unfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector. I recommend victims try to report theft addresses to people as soon as possible as otherwise it can be
89
44
1K
@zachxbt
ZachXBT
2 months
8/ Another lesson is >95% of recovery companies are predatory and charge large amounts for basic reports with few actionable insights. I have found the firms who optimize SEO tend to be more predatory. Predatory firms will pursue cases when recovery does not seem viable just
26
31
601
@zachxbt
ZachXBT
2 months
7/ The XRP victim mentioned in a later video how they could not quickly get in touch with US law enforcement for a $3M theft. There’s few LE qualified to handle such cases and endless victim reports so naturally incidents are overlooked. In general US, Netherlands,
6
3
435
@zachxbt
ZachXBT
2 months
6/ One lesson our industry needs to do better with is not causing confusion with products when you offer both custodial and non-custodial products. The XRP victim thought they were using the Ellipal cold wallet product when it was a hot wallet. Frequently I see large Coinbase
16
17
484
@zachxbt
ZachXBT
2 months
5/ Huione has directly facilitated laundering billions in illicit funds over the past couple years from pig butchering scams, investment scams, human trafficking and hacks/exploits in Southeast Asia. Last week the US applied additional restrictions against Huione in relation to
6
24
554
@zachxbt
ZachXBT
2 months
4/ The funds consolidated on Tron at the following address on Oct 12. TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw By Oct 15 the funds were completely laundered away to OTCs adjacent to Huione (illicit online marketplace in SEA).
4
8
401
@zachxbt
ZachXBT
2 months
3/ The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025. On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity.
8
6
373
@zachxbt
ZachXBT
2 months
2/ Although the victim did not directly share the theft address after watching the video I found it by reviewing the date and amount. r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc The victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet
6
7
628