"The $243M Bitcoin Heist: How Malone Lam Stole and Lost a Fortune"

On August 18–19, 2024, a single phone call set in motion what would become one of the largest cryptocurrency thefts in history — a meticulously orchestrated social engineering attack that stripped a Washington D.C. resident of 4,064 Bitcoin, worth approximately $243 million at the time. Within days, the funds were racing through privacy protocols, cross-chain bridges, and Monero conversions. Within weeks, the suspects were spending half a million dollars in a single night at Miami nightclubs. Within months, they were in handcuffs.

This is the story of how it happened, how it unraveled, and what it means for crypto security.


The Target

The victim was a creditor of Genesis Global Capital, the crypto lending firm that collapsed in the wake of the FTX implosion and filed for bankruptcy in January 2023. As part of the bankruptcy proceedings, creditors were set to receive distributions from the estate — substantial sums in Bitcoin. The victim held a significant position, and that made them a target.

Someone in the criminal network had done their homework.


The Attack: Two Calls, One Catastrophe

The theft was a textbook example of vishing (voice phishing) combined with impersonation fraud. The attackers called the victim posing first as Google support, warning of a supposed security breach on their account. This established fear and urgency.

Then came the second call: someone claiming to be Gemini exchange customer support, following up on the "breach." The fake Gemini rep explained that the victim's account had been compromised and that their funds needed to be moved immediately to a "safe wallet" to prevent loss.

To make the deception convincing, the attackers convinced the victim to share their screen — giving the criminals a live view of the victim's credentials, wallet interface, and critically, their seed phrase. With that, they had everything they needed.

The victim, believing they were protecting their funds, transferred all 4,064 BTC directly to attacker-controlled wallets.


The Suspects

Malone Lam — "Greavys" / "Anne Hathaway" / "DOGE"

Malone Lam, approximately 20 years old at the time, was born in Singapore and was living in Miami when arrested. He was the apparent ringleader and most visible spender. On social media and in encrypted chats, he went by multiple aliases — "Greavys," "Anne Hathaway," and "DOGE" — names that appeared across the on-chain and OSINT trail traced by investigators.

Lam was arrested in Miami in August 2024 after blockchain analyst ZachXBT published a detailed thread linking his real identity to the stolen funds through a combination of on-chain analysis and open-source intelligence.

Jeandiel Serrano — "VersaGod" / "Box"

Jeandiel Serrano, approximately 21, based in Los Angeles, was the alleged voice on the Gemini impersonation call — the man who convinced the victim to move their funds. His aliases "VersaGod" and "Box" appeared in communications tied to the heist. Serrano was arrested in Los Angeles in August 2024, the same time as Lam.

Marlon Ferro and Others

Marlon Ferro was later charged as a co-conspirator. DOJ filings reference multiple unnamed co-conspirators who played roles in the laundering operation. The criminal network extended well beyond the two initial arrests.


The Laundering Chain

What happened after the theft was almost as sophisticated as the theft itself. The conspirators ran the funds through a multi-stage obfuscation pipeline designed to break the blockchain trail.

Stage 1 — The Peel Chain

Immediately after receipt, the 4,064 BTC was split across numerous wallets in what blockchain analysts call a "peel chain" — funds are progressively divided into smaller amounts across many wallets, making the trail harder to follow and enabling parallel laundering paths.

Stage 2 — Privacy Protocols

Different portions of the funds were routed through separate privacy mechanisms:

Stage 3 — Monero Conversion

Perhaps the most aggressive privacy measure: a portion of the funds was converted into Monero (XMR). Monero uses ring signatures and stealth addresses as native privacy features, making individual transaction tracing essentially impossible without additional off-chain information. Once funds enter Monero, they effectively disappear from standard blockchain forensics.

Stage 4 — Cashout

Eventually, layered wallets funneled funds to centralized exchanges including Binance and OKX, where some amounts were liquidated to fiat. This was ultimately their downfall — exchanges have KYC records, and blockchain analysts were watching.
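To make the peel-chain and cashout stages concrete, here is an added example (not code from the original post or from any investigator) that follows the change output hop by hop through a constructed transaction set and flags which peeled slices land on a known exchange deposit address. All addresses, amounts and the exchange labels are constructed placeholders, not the real wallets from the case.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list            # addresses spent by this transaction
    outputs: dict           # address -> amount received


# Constructed sample data (hypothetical addresses, not the case's real wallets).
# A0 is the theft address; each hop peels a slice to a fresh wallet (P*) and
# forwards the bulk to a fresh change address (C*). EXCH_* mark deposit
# addresses that an analyst has already attributed to an exchange.
KNOWN_EXCHANGE = {"EXCH_binance_1", "EXCH_okx_1"}

TXS = [
    Tx("t1", ["A0"], {"P1": 120.0, "C1": 3944.0}),
    Tx("t2", ["C1"], {"P2": 95.0, "C2": 3849.0}),
    Tx("t3", ["C2"], {"P3": 200.0, "C3": 3649.0}),
    Tx("t4", ["P2"], {"EXCH_okx_1": 95.0}),        # peeled slice cashed out
    Tx("t5", ["P1"], {"M1": 60.0, "M2": 60.0}),    # even split, not a peel hop
]


def spends_of(addr, txs):
    """All transactions that spend from the given address."""
    return [t for t in txs if addr in t.inputs]


def is_peel(tx, max_peel_ratio=0.2):
    """Peel-hop heuristic: exactly two outputs, the smaller one at most
    max_peel_ratio of the total; the larger is change carried forward."""
    if len(tx.outputs) != 2:
        return False
    small, big = sorted(tx.outputs.values())
    return small <= max_peel_ratio * (small + big)


def trace_peel_chain(start, txs, max_hops=50):
    """Follow the change output from `start` while hops match the heuristic.
    Returns a list of (txid, peeled_addr, peeled_amount, change_addr)."""
    chain, addr = [], start
    for _ in range(max_hops):
        hops = [t for t in spends_of(addr, txs) if is_peel(t)]
        if not hops:
            break
        tx = hops[0]
        (peel_addr, peel_amt), (change_addr, _) = sorted(
            tx.outputs.items(), key=lambda kv: kv[1])
        chain.append((tx.txid, peel_addr, peel_amt, change_addr))
        addr = change_addr
    return chain


def exchange_deposits(chain, txs):
    """Peeled slices that were sent straight to a known exchange address."""
    return [(p, out, amt)
            for _, p, _, _ in chain
            for t in spends_of(p, txs)
            for out, amt in t.outputs.items()
            if out in KNOWN_EXCHANGE]
```

Real tracing adds a lookback for the next hop (peeled slices are often re-peeled), mixers and bridges break the heuristic, and the exchange attribution set is the part that takes actual investigative work.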


ZachXBT's Investigation

The key to unraveling the heist wasn't law enforcement databases — it was ZachXBT, the pseudonymous on-chain detective who has become one of crypto's most important forensic investigators.

Within days of the theft, ZachXBT published a detailed thread on X (Twitter) tracing the movement of the stolen funds through the peel chain, identifying exchange deposits, and — crucially — connecting on-chain activity to real-world identities through open-source intelligence. He identified Lam's aliases appearing in social media posts showing luxury spending that was conspicuously timed with the theft.

ZachXBT alerted exchanges to the incoming tainted funds, helping freeze a portion before it could be fully cashed out. He also collaborated directly with DOJ investigators, providing the on-chain roadmap that led to the arrests.

For specific wallet addresses, see the original ZachXBT analysis at zachxbt.mirror.xyz — addresses are verified there and attributed to the investigation.


The Arrests

The DOJ case (United States v. Lam et al., D.D.C.) proceeded through the federal courts in Washington D.C., where the victim resided.


What Was Recovered

While the full picture of recoveries remains partially under seal, DOJ filings indicate that a portion of the funds was frozen by exchanges following ZachXBT's alerts and subpoenas. Some assets were seized as part of the arrests. However, a significant amount — particularly funds that passed through Monero — is alleged to be unrecoverable.

The luxury goods purchased — cars, watches, clothing — were subject to asset forfeiture proceedings.


Key Takeaways

For individuals

For the industry

For regulators


On-Chain Money Flow Timeline

[Interactive timeline chart: every known address, chain and actor plotted against time. Horizontal bands represent blockchains; nodes represent wallets/addresses, colored by gang member; curved arrows are cross-chain bridges/swaps; horizontal arrows are same-chain transfers. Addresses are abbreviated for display.]

Sources for the chart: ZachXBT investigation thread (zachxbt.mirror.xyz), DOJ complaint United States v. Lam et al. (D.D.C. 2024), public blockchain data.

Sources

Note: Specific wallet addresses are not reproduced here as they are subject to ongoing court proceedings. Refer to the ZachXBT investigation thread for verified on-chain addresses.
