"The $243M Bitcoin Heist: How Malone Lam Stole and Lost a Fortune"
On August 18–19, 2024, a single phone call set in motion what would become one of the largest cryptocurrency thefts in history — a meticulously orchestrated social engineering attack that stripped a Washington D.C. resident of 4,064 Bitcoin, worth approximately $243 million at the time. Within days, the funds were racing through privacy protocols, cross-chain bridges, and Monero conversions. Within weeks, the suspects were spending half a million dollars in a single night at Miami nightclubs. Within months, they were in handcuffs.
This is the story of how it happened, how it unraveled, and what it means for crypto security.
The Target
The victim was a creditor of Genesis Global Capital, the crypto lending firm that collapsed in the wake of the FTX implosion and filed for bankruptcy in January 2023. As part of the bankruptcy proceedings, creditors were set to receive distributions from the estate — substantial sums in Bitcoin. The victim held a significant position, and that made them a target.
Someone in the criminal network had done their homework.
The Attack: Two Calls, One Catastrophe
The theft was a textbook example of vishing (voice phishing) combined with impersonation fraud. The attackers called the victim posing first as Google support, warning of a supposed security breach on their account. This established fear and urgency.
Then came the second call: someone claiming to be Gemini exchange customer support, following up on the "breach." The fake Gemini rep explained that the victim's account had been compromised and that their funds needed to be moved immediately to a "safe wallet" to prevent loss.
To make the deception convincing, the attackers convinced the victim to share their screen — giving the criminals a live view of the victim's credentials, wallet interface, and critically, their seed phrase. With that, they had everything they needed.
The victim, believing they were protecting their funds, transferred all 4,064 BTC directly to attacker-controlled wallets.
The Suspects
Malone Lam — "Greavys" / "Anne Hathaway" / "DOGE"
Malone Lam, approximately 20 years old at the time, was born in Singapore and was living in Miami when arrested. He was the apparent ringleader and most visible spender. On social media and in encrypted chats, he went by multiple aliases — "Greavys," "Anne Hathaway," and "DOGE" — names that appeared across the on-chain and OSINT trail traced by investigators.
Lam was arrested in Miami in August 2024 after blockchain analyst ZachXBT published a detailed thread linking his real identity to the stolen funds through a combination of on-chain analysis and open-source intelligence.
Jeandiel Serrano β "VersaGod" / "Box"
Jeandiel Serrano, approximately 21, based in Los Angeles, was the alleged voice on the Gemini impersonation call — the man who convinced the victim to move their funds. His aliases "VersaGod" and "Box" appeared in communications tied to the heist. Serrano was arrested in Los Angeles in August 2024, the same time as Lam.
Marlon Ferro and Others
Marlon Ferro was later charged as a co-conspirator. DOJ filings reference multiple unnamed co-conspirators who played roles in the laundering operation. The criminal network extended well beyond the two initial arrests.
The Laundering Chain
What happened after the theft was almost as sophisticated as the theft itself. The conspirators ran the funds through a multi-stage obfuscation pipeline designed to break the blockchain trail.
Stage 1 — The Peel Chain
Immediately after receipt, the 4,064 BTC was split across numerous wallets in what blockchain analysts call a "peel chain" — funds are progressively divided into smaller amounts across many wallets, making the trail harder to follow and enabling parallel laundering paths.
Stage 2 — Privacy Protocols
Different portions of the funds were routed through separate privacy mechanisms:
- RailGun: An Ethereum-based zero-knowledge privacy protocol. Some BTC was first swapped to ETH and then pushed through RailGun, which shields transaction graphs from standard blockchain analysis.
- THORSwap / THORChain: A decentralized cross-chain bridge used to swap BTC into other assets across chains, further obfuscating the origin.
- Bitcoin mixers / CoinJoin: Traditional mixing techniques were also employed to break transaction linkage at the Bitcoin layer.
Stage 3 — Monero Conversion
Perhaps the most aggressive privacy measure: a portion of the funds was converted into Monero (XMR). Monero uses ring signatures and stealth addresses as native privacy features, making individual transaction tracing essentially impossible without additional off-chain information. Once funds enter Monero, they effectively disappear from standard blockchain forensics.
Stage 4 — Cashout
Eventually, layered wallets funneled funds to centralized exchanges including Binance and OKX, where some amounts were liquidated to fiat. This was ultimately their downfall — exchanges have KYC records, and blockchain analysts were watching.
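As an added illustration of Stage 1 (the peel chain) and Stage 4 (funds landing at exchange deposit addresses), here is a small Python tracer written for this article. It is not code from the original page, from ZachXBT, or from any analytics vendor, and it runs over a constructed transaction set: the address labels, the amounts, and the 80% "dominant output" threshold that defines a peel step are all assumptions chosen for the example. It does the two things a defender actually does with a transaction graph: walk the chain of dominant outputs to recover the peel path and the amounts peeled off it, and trace forward from the theft address to find which known exchange deposit addresses the funds reach, which is the basis for the kind of freeze alert an exchange can act on.

```python
"""Peel-chain tracing and exchange-deposit flagging over a constructed
transaction set. Hypothetical example code, not the article's or ZachXBT's tooling."""
from collections import deque

# Constructed sample transactions (not real chain data). Each entry spends from
# one address and pays a list of (address, amount_in_btc) outputs. Address names
# are placeholders chosen for readability, not real Bitcoin addresses.
SAMPLE_TXS = [
    {"txid": "t1", "from": "theft_addr", "outputs": [("hop1", 3964.0), ("peel_a", 100.0)]},
    {"txid": "t2", "from": "hop1", "outputs": [("hop2", 3864.0), ("peel_b", 100.0)]},
    {"txid": "t3", "from": "hop2", "outputs": [("hop3", 3764.0), ("peel_c", 100.0)]},
    # Roughly even split: the peel pattern breaks here and parallel paths begin.
    {"txid": "t4", "from": "hop3", "outputs": [("hop4", 2000.0), ("hop4b", 1764.0)]},
    {"txid": "t5", "from": "peel_a", "outputs": [("exch_dep_1", 100.0)]},
    {"txid": "t6", "from": "peel_b", "outputs": [("swap_in", 100.0)]},
    # Unrelated activity that must not be flagged.
    {"txid": "t7", "from": "unrelated", "outputs": [("exch_dep_2", 5.0)]},
]

# Deposit addresses an exchange would recognise as its own (constructed labels).
KNOWN_EXCHANGE_DEPOSITS = {"exch_dep_1", "exch_dep_2"}


def build_graph(txs):
    """Map each spending address to the list of transactions it funds."""
    graph = {}
    for tx in txs:
        graph.setdefault(tx["from"], []).append(tx)
    return graph


def is_peel_step(tx, dominant_ratio=0.8):
    """A peel step forwards most of the value to one output and splits off
    small amounts to the others. The ratio threshold is an assumption."""
    total = sum(amount for _, amount in tx["outputs"])
    largest = max(amount for _, amount in tx["outputs"])
    return len(tx["outputs"]) >= 2 and largest / total >= dominant_ratio


def follow_peel_chain(graph, start, dominant_ratio=0.8, max_hops=50):
    """Walk the dominant output at each step while the peel pattern holds.
    Returns (chain_of_addresses, peeled_off_addresses)."""
    chain, peeled, current = [start], [], start
    for _ in range(max_hops):
        txs = graph.get(current, [])
        # Assumes each address spends once; the first spend is followed.
        if not txs or not is_peel_step(txs[0], dominant_ratio):
            break
        outputs = sorted(txs[0]["outputs"], key=lambda o: o[1], reverse=True)
        peeled.extend(addr for addr, _ in outputs[1:])
        current = outputs[0][0]
        chain.append(current)
    return chain, peeled


def trace_forward(graph, start, max_hops=10):
    """Breadth-first walk over outgoing edges; returns {address: hop_distance}
    for every address reachable from `start` within max_hops."""
    distances = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if distances[addr] >= max_hops:
            continue
        for tx in graph.get(addr, []):
            for to_addr, _ in tx["outputs"]:
                if to_addr not in distances:
                    distances[to_addr] = distances[addr] + 1
                    queue.append(to_addr)
    return distances


def flag_exchange_deposits(graph, start, known_deposits, max_hops=10):
    """Known exchange deposit addresses that receive funds traceable to `start`,
    with the hop distance at which they were reached."""
    reach = trace_forward(graph, start, max_hops)
    return {addr: hops for addr, hops in reach.items() if addr in known_deposits}


GRAPH = build_graph(SAMPLE_TXS)

if __name__ == "__main__":
    chain, peeled = follow_peel_chain(GRAPH, "theft_addr")
    print("peel chain:", " -> ".join(chain))
    print("peeled outputs:", peeled)
    print("flagged deposits:", flag_exchange_deposits(GRAPH, "theft_addr", KNOWN_EXCHANGE_DEPOSITS))
```

Real Bitcoin transactions have multiple inputs and UTXO semantics, so a production tracer has to cluster inputs, apply change-address heuristics, and cope with the same address being spent several times; the dominant-ratio rule above also fires on ordinary payments with change, which is why analysts corroborate it with timing, amounts, and known-entity labels before raising an alert.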
ZachXBT's Investigation
The key to unraveling the heist wasn't law enforcement databases — it was ZachXBT, the pseudonymous on-chain detective who has become one of crypto's most important forensic investigators.
Within days of the theft, ZachXBT published a detailed thread on X (Twitter) tracing the movement of the stolen funds through the peel chain, identifying exchange deposits, and — crucially — connecting on-chain activity to real-world identities through open-source intelligence. He identified Lam's aliases appearing in social media posts showing luxury spending that was conspicuously timed with the theft.
ZachXBT alerted exchanges to the incoming tainted funds, helping freeze a portion before it could be fully cashed out. He also collaborated directly with DOJ investigators, providing the on-chain roadmap that led to the arrests.
For specific wallet addresses: see the original ZachXBT analysis at zachxbt.mirror.xyz — addresses are verified there and attributed to the investigation.
The Arrests
- August 2024: Malone Lam arrested in Miami, Jeandiel Serrano arrested in Los Angeles. Both charged with conspiracy to steal and launder cryptocurrency.
- September 2024 (reported): Lam indicted on money laundering charges in Washington D.C. federal court.
- Later 2024: Marlon Ferro and additional co-conspirators charged.
The DOJ case (United States v. Lam et al., D.D.C.) proceeded through the federal courts in Washington D.C., where the victim resided.
What Was Recovered
While the full picture of recoveries remains partially under seal, DOJ filings indicate that a portion of the funds was frozen by exchanges following ZachXBT's alerts and subpoenas. Some assets were seized as part of the arrests. However, a significant amount — particularly funds that passed through Monero — is alleged to be unrecoverable.
The luxury goods purchased — cars, watches, clothing — were subject to asset forfeiture proceedings.
Key Takeaways
For individuals
- No legitimate support service will call you unsolicited and ask you to move funds or share your screen.
- Seed phrases are sacred. No exchange, wallet provider, or support agent will ever need your seed phrase.
- Screensharing with anyone = full access. Treat it like handing someone your keys.
- Hardware wallets with air-gapped signing make this class of attack dramatically harder.
For the industry
- ZachXBT's investigation proved that on-chain forensics can outpace traditional law enforcement — exchanges acted on his alerts before official subpoenas arrived.
- THORChain and RailGun came under scrutiny for their role as laundering infrastructure, raising regulatory questions about privacy protocols.
- Monero remains a blind spot in regulated financial system tracing.
For regulators
- The case accelerated conversations about mandatory travel rule compliance for decentralized bridges.
- It demonstrated both the power and the limits of blockchain transparency: transparent chains can be traced, but the tools exist to defeat that tracing — at least temporarily.
On-Chain Money Flow Timeline
[Interactive figure not reproduced here. It plotted every known address, chain, and actor against time: horizontal bands are blockchains, nodes are wallets/addresses colored by gang member, curved arrows are cross-chain bridges/swaps, horizontal arrows are same-chain transfers. Addresses were abbreviated for display.]
Sources: ZachXBT investigation thread (zachxbt.mirror.xyz), DOJ complaint United States v. Lam et al. (D.D.C. 2024), public blockchain data.
Sources
- DOJ Press Release: U.S. Attorney's Office, District of Columbia — Two Individuals Charged with Stealing $230+ Million in Cryptocurrency (August 2024)
- ZachXBT: On-chain investigation thread at zachxbt.mirror.xyz — wallet traces, OSINT, exchange alerts
- Court Documents: United States v. Lam et al., D.D.C. (2024)
- Public blockchain data: Bitcoin and Ethereum blockchains (verified transaction hashes available via ZachXBT thread)
- CoinDesk / Blockworks / Decrypt: August–September 2024 coverage
Note: Specific wallet addresses are not reproduced here as they are subject to ongoing court proceedings. Refer to the ZachXBT investigation thread for verified on-chain addresses.