Update 2: It gets much worse from my understanding the Zama team does NOT appear to have been notified of the Circle freeze prior.

One of the plaintiffs responsible for the civil case against Overnight Finance is Patagon Management an entity known for hostile DAO takeovers / RFV raiding protocols.

Overall I feel bad for Zama users who have now been indirectly impacted with this mess of a US civil case.

Update: After further analysis 0xf7Fcc767dE537953b3519D4b3097A24A6dFE1c84 deposited 12.4M USDC to Zama on May 11, 2026.

0xf7fcc appears to relate to Overnight Finance which held a governance vote recently to distribute treasury funds after holders alleged the team was rug pulling.

Regardless it's precedent setting to unilaterally freeze the contracts / addresses of a protocol where funds have been commingled with Zama users.

Looks like Circle blacklisted the Zama (privacy protocol) Confidential USDC (cUSDC) contract on Ethereum 7 hours ago which has frozen 12.6M USDC of user funds.

The cUSDC contract is publicly labeled in the protocol docs and on block explorers.

Zama contract address frozen by Circle
0xe978F22157048E5DB8E5d07971376e86671672B2

It still remains unclear why Circle froze the USDC however in March 2026 I reported how Circle froze 16+ hot wallets for businesses, protocols, services without providing any transparency.

An entity previously received ESPORTS, RIVER, & LIGHT tokens via Sablier vesting contract and is also directly tied to a signer on three LAB multisigs.

These four BSC tokens have experienced market manipulation incidents on centralized exchanges.

I peviously highlighted LAB & RIVER however earlier today ESPORTS crashed 93% in a single red candle.

Would you say the entity is just lucky or are they an insider?

Bitget deposit address
0x5f04a53bff7ae409140f35cf1804892aac295be5
Kraken deposit address
0xba898b422932783c7a3cb57b641922b84daa24f2
LAB signer
0xcea722a1a812ebdfa5bbd8130531cf1d1956ebc9

Update: I have helped freeze 6 figures.

StablR team appears to likely be asleep as the attack is still ongoing after 3 hours now.

EURR & USDR have both depegged by >20%.

Two contracts related to European stablecoin issuer StablR appears to have been potentially exploited for ~$10M (EURR & USDR)

The attacker address was funded via CCTP on Noble

Attacker address
0xea480c23d7b29a515856aafe0dc86f7519965a04
0x09BE1A36c2d7f9909eb3D6F9184c6e46A12B0ACA
0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1
0x6283558eB6948CA50A2bE942D98A41ca4d1Def40
0xf1f70d7461356f32b97ddc2cd54a490d4363340e
0x74b4621b82eb31c5fd9fbad5729bef1813e26dcf
0x8aaa93d06bf8de94c282f66a16effe6d9d94d038
0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb

Update: I collaborated with BitcoinVN & ChangeNOW to help successfully freeze $164K from the Polymarket private key compromise incident.

Community alert: A Polymarket admin address appears to have been compromised on Polygon

>$520K drained thus far

Attacker address: 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91

Related contracts
0x91430CaD2d3975766499717fA0D66A78D814E5c5

Address drained
0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082
0xf61e39C7EB1E2Ff5af3A24bCA88D40fD11594805

Edit 1: Updated to reflect its an admin vs contract

Edit 2: Polymarket confirmed the compromised address

An unknown victim lost ~231 BTC ($18.8M) on May 14, 2026 due to private key compromise.

Social engineering threat actors from 'The Com' have tried taking credit for the theft however it appears they're larping due to unrelated Russian indicators on the laundering movements.

Theft address
bc1qmmfyekpkkuxryezpup7nw2x9qvr5avlfj3vvpc
bc1qrf02hgf9e3lypt8wm025g4waee47wjwz2at9az

It has come to my attention there are new accounts impersonating me and they are gaining views / engagement on Instagram* & YouTube.

Reminder my only two official accounts are x.com/zachxbt on X (Twitter) @investigations on Telegram.

Do not get scammed by these larps.

Update: The Spartans team immediately blocked me on X (Twitter) and hid my reply after I replied to their post asking for clarification.

Update: Following up on my earlier warnings about Gurhan Kiziloz, I completed onchain tracing which demonstrates commingling of at least $25M of presale funds between two investment schemes linked to him, which were then used to pay KOL streamers for his casino Spartans[.]com.

I have not seen any disclosure in the original BlockDAG Network or ZKP presale materials indicating that funds would be used to promote a separate venture, and retail investors continue to publish complaints on social media.

This is another red flag on top of the issues outlined in my earlier post. I advise everyone to stay away from BlockDAG, ZKP, and Spartans.

Spartans KOL payment address
TRa9KjECpmmBBr1GKTwEWmskdiEKyLnf3C
0xb8e55a329536f3e981c63567b7b1156533d1855a

Blockdag presale address
0x4c39ed0438d5e8913acf423db6d56cce78b2d367
Blockdag consolidation
TZENvWXqdkqQYT2om6yLC731Cphu57yKkY

ZKP presale address
0x3b224a7a5a7ee682a2597eaf2b1f61d153424f4b

See attached for my forensics graph: BlockDAG & ZKP presale wallets → consolidation → bridge from Ethereum to Tron → CEX deposits and withdrawals (HTX, BTSE) → Spartans hot wallet and KOL payment address.

Offering up to $10K bounty for intel about the Hong Kong market maker Heisenberg Guru aka HSBG linked to multiple CEX market manipulation incidents such as $RIVER.

Sion & Chao are two core team members.

Chat logs, contracts, internal comms, etc are the types of evidence I will consider rewarding.

Send me a DM on X (Twitter) if you can assist: x.com/zachxbt

Earlier today the threat actor 'Dritan Kapllani Jr' transferred $2.59M (1.99M DAI, 259 ETH) three hops from: 0x4487db847db2fc99372a985743a26f46e0b2bba6
to:
0x67ec1d405e53ed13a19eb77a9db19186723d125d where stolen funds currently sit dormant.

On May 12 I published my investigation on X (Twitter) detailing Dritan's involvement with Trenton (Trent) Johnson in a 185 BTC ($13M) social engineering theft.

You can read my investigation below:
https://x.com/zachxbt/status/2054170002945987029

Community alert: It appears Thorchain was likely exploited on Bitcoin, Ethereum, BSC, Base for $10.7M+

The protocol paused trading as a result.

Theft address
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
0x82fc0d5150f3548027e971ec04c065f3c93154eb
0xd477b69551f49c0519f9b18c55030676138890bd

Edit 1: Changed amount stolen from $7.4M to $10.7M

If you enjoy my research please consider participating in the current TheDAO × Giveth 500 ETH matching round and voting for me if you enjoy the pulic goods research I publish regularly on X (Twitter) & Telegram.

It's quadratic funding, so smaller contributions are worth considerably more thanks to the matching pool.

Example: Currently a $10 crypto donation = >$3K matched

Link to donation to my future research projects:
https://qf.giveth.io/project/zachxbt?roundId=16

I also want to highlight four other projects deserving of your donations:

1). Tanuki42 - DPRK IT worker research
https://qf.giveth.io/project/tanuki42?roundId=16

2). dobs - Pig butchering and human trafficking research
https://qf.giveth.io/project/fight-human-trafficking-and-crypto-fraud-with-dobs?roundId=16

3). Pcaversaccio - Safe multisig transaction hash verification
https://qf.giveth.io/project/safe-multisig-transaction-hashes?roundId=16

4). Spectre - Threat intel & onchain insights
https://qf.giveth.io/project/specter-on-chain-security-research-and-investigator?roundId=16

Update: DPRK began laundering $1.5M from the $290M KelpDAO/LZ exploit from Ethereum mainnet to Bitcoin via Thorchain and another $78K via Umbra

Thorchain transactions:
0x99e09424a28873145f0f4d2ad2cedaebe788df5fab25ba87a06057c457ac31ef
0x171b08024347b5cb7399761b1d6836649f9cbfaf8e94bcbb42625874db5dc206
0x2909e93741e9fe32286dafc8769be5089de0bad4cfcc9ad4b715124f50307171

Umbra transactions:
0xa2a6cc54afd2dd487ea052cd712ed0e1889f2886d857d46c266014173caa7509

Just hit 1M followers on X (Twitter) and it's been an insane ride from May 2021 to now.

I don't usually post about this type of stuff, but I cannot say I anticipated ever reaching this follower milestone.

Thanks to everyone who has supported my work over the years.

KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum.

The attack addresses were funded via Tornado Cash.

Theft addresses
0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc|
0xBb6A6006Eb71205e977eCeb19FCaD1C8d631C787
0x1F4C1c2e610f089D6914c4448E6F21Cb0db3adeF
0xeBA786C9517a4823A5cFD9c72e4E80BF8168129B
0xCBb24A6B4DAfaAA1a759A2F413eA0eB6AE1455CC
0x8d11AeAC74267DD5C56D371bf4AE1AFA174C2d49

(Edited to update the victim later identified as KelpDAO)

Community alert: A fake Ledger Live app on the Apple App Store is tied to $9.5M stolen from 50+ suspected victims between April 7–13 across Bitcoin, EVM, Tron, Solana, & Ripple.

Stolen funds were laundered via 150+ KuCoin deposit addresses tied to AudiA6, a centralized mixing service that charges high fees to launder illicit funds.

Theft addresses
bc1qf7wdsx03xdwkqxznjzfhz2q98law46yyje5rvy
bc1q34u3g5r0m00a9dk6trhj6e69vgzvdaw8xnt6dl
0x6876e75730125618d09df064091a1094275bda39
0x2cddfc496c9ba7765955773f4dcc5920cc147d72
TLPgiPEniadnUNKMApu4oGZynwzvUbUUTs
2bmPSvwCYnQAeJW115vuLDgKSdf5Nn3sBqgYTpTwxKiV
FCPwCE4TNuQKwLwPJrfvSTfSdhN6a7Nc6mtHi8yuFt7p
rnrQZFpVCUcNgi9dBrSd7BcEnLNooGcBUQ

Kucoin has seen a sharp increase in illicit activity over the past year. Kucoin was banned from onboarding new EU users by Austrian regulators in February 2026 after only receiving its MiCA permit in November 2025. Kucoin previously paid fines of $300M+ to the US government to settle its case for violating AML laws in January 2025.

I'd be curious to see if this presents grounds for a class action against Apple.

The fake app was removed by Apple yesterday. The three largest victims lost seven figures each.

Apr 9 Victim: $3.23M (3.23M USDT)
TFsLWCYxj4aVUdjKg6Vnz5RtDe1AFWzmYK

Apr 11 Victim: $2.079M (2.079M USDC)
GZWb4arrwVPzdEDrK5MwTNN5zsXNpKUK2yeYu9SA5S18

Apr 8 Victim: $1.95M total (20.64 BTC, 211 stETH, 70 ETH)
96ccf116c95d9ad0065ec2529dd1761eb93dd504cbf2ac9298c60bf7b5984b4b
0x98bc748eb4451417f7259190675ea565dbd5ed85