- On Jan 10, 2026 a holder lost over $282M in BTC and LTC via a hardware wallet social engineering scam; ZachXBT traced swaps to Monero and Thorchain routing.
- The case echoes the $243M Genesis creditor theft tied to Greavys, Wiz, and Box, with arrests and asset freezes following on-chain work.
- Reports cite fake Zoom schemes exceeding $300M, a $50M address poisoning loss, a $27.3M multisig key leak, and $3.4B stolen in 2025.
On January 10, 2026, blockchain investigator ZachXBT reported what appears to be the largest individual crypto theft of the year so far, after a single holder lost more than $282 million in Bitcoin and Litecoin through a hardware wallet social engineering scam. The theft surpassed the previous social engineering record of $243 million from August 2024, underscoring how human-focused attacks keep outpacing many technical defenses in the digital asset space. As details surface through on-chain tracing and earlier investigative patterns, the case highlights evolving tactics used by scammers to target even experienced users, and it reinforces calls from researchers like ZachXBT for strict verification habits and improved personal security practices among crypto owners worldwide.
Largest 2026 crypto theft and how ZachXBT traced the funds
The latest incident unfolded on January 10, 2026, at around 11 p.m. UTC, when a victim lost more than $282 million worth of Litecoin and Bitcoin in what has been described by ZachXBT as a hardware wallet social engineering scam that bypassed typical technical safeguards.
Instead of exploiting smart contract bugs or exchange vulnerabilities, the attacker focused on manipulating the user, convincing them to reveal or indirectly expose control of their hardware wallet in a way that gave the attacker full access to their LTC and BTC holdings within a short window. A hardware wallet only protects keys that never leave the device; once the holder is talked into exposing the seed phrase or approving a signing request under false pretenses, the device's isolation provides no protection at all. Once in control, the attacker moved quickly to reduce traceability, using laundering methods that match earlier high-value cases documented by the investigator.

Immediately after seizing the funds, the attacker began converting large portions of the stolen Litecoin and Bitcoin into Monero through several instant exchange services that specialize in rapid, often lightly regulated swaps between assets. The resulting buy-side demand coincided with a sharp, sudden spike in the price of XMR, suggesting that the move was driven by the laundering itself rather than by organic market interest. At the same time, some of the stolen Bitcoin was swapped through Thorchain into assets on the Ethereum, XRP Ledger, and Litecoin networks, adding further complexity to the trail and forcing analysts such as ZachXBT to follow several cross-chain paths while tracking the suspect addresses.

Monero, a privacy-focused cryptocurrency whose ring signatures, stealth addresses, and confidential amounts obscure senders, recipients, and values on chain, remains a common laundering step for criminals seeking to hide the origin of funds, and splitting the trades across multiple instant exchanges implies a deliberate attempt to fracture the flow of money into smaller, harder-to-follow pieces. Thorchain, which performs native swaps between chains without a centralized order book, served as another tool in this process, moving BTC value into other ecosystems without leaving the kind of exchange records that authorities and researchers can readily request and review.
Despite these measures, the quick disclosure by ZachXBT of the incident and the addresses involved gave the broader community information that may help exchanges flag deposits or withdrawals tied to the theft, though the irreversibility of crypto transactions means full recovery remains unlikely once private keys or signing control have been compromised.
ZachXBT and the 2024 Genesis creditor social engineering case
The scale of the January 2026 theft drew immediate comparisons with the August 2024 social engineering attack against a Genesis creditor, which resulted in a loss of $243 million and had previously stood as one of the largest single-victim crypto thefts on record.

In that earlier case, threat actors known as Greavys, Wiz, and Box carried out an elaborate scheme that exploited trust in major companies, posing as support representatives from Google and Gemini to gain access to sensitive information. They used spoofed phone calls that appeared to originate from legitimate channels, then walked the victim through seemingly routine security procedures that weakened account protection instead of strengthening it. The attackers convinced the victim to reset two-factor authentication and install remote access software, including AnyDesk, under the pretense of resolving account issues and stopping supposed unauthorized activity. During a shared-screen session, the criminals observed and collected details associated with the victim's Bitcoin Core wallets, including the information needed to extract private keys and move the funds. Once they had control, they transferred the assets out of the victim's reach and began dispersing them across various addresses and services. The operation showed how social engineering can defeat even a strong technical setup when the user can be persuaded to override or reveal their own defenses.

In that 2024 incident, an extensive on-chain and off-chain investigation by ZachXBT played a central role in identifying suspects and mapping the flow of stolen funds. The research and subsequent collaboration with law enforcement led to several arrests and asset freezes: authorities arrested Box and Greavys in Miami and Los Angeles, and US Marshals later apprehended Wiz, reflecting a multi-jurisdictional response to the crime.
In total, twelve people faced charges linked to the $243 million theft, with a superseding indictment confirming the arrest of Danny Zulfiqar Khan in Dubai, illustrating how social engineering schemes often involve broader networks rather than lone individuals. The success of that investigation gave many in the industry hope that persistent tracking and cooperation could deter similar attacks, yet the new $282 million case reported by ZachXBT shows that organized groups still find profitable opportunities by targeting user behavior rather than code.
Expanding social engineering threats, North Korean tactics, and ongoing crypto losses tracked
Social engineering has established itself as one of the leading threats in the crypto ecosystem, often exceeding protocol-level exploits in total value stolen, and investigators like ZachXBT continue to highlight that scammers increasingly impersonate staff from major exchanges, wallets, or technology companies to gain trust. Recent charges against Brooklyn resident Ronald Spektor added another example, with prosecutors alleging that he stole about $16 million from around 100 Coinbase users by posing as company personnel and using urgent language to push victims into quick, poorly considered actions. These cases share a common pattern: criminals use fear, time pressure, and convincing technical jargon to steer users into revealing codes, clicking malicious links, or installing remote access tools that hand over wallet control.

Alongside these individual operations, state-linked actors keep refining their methods. Security researchers such as MetaMask's Taylor Monahan have warned about North Korean hacking groups that now focus heavily on fake video conferencing: they contact people they have messaged before and propose Zoom or Teams calls that appear professional. Instead of a live discussion, the attackers send links that open pre-recorded videos of recognizable contacts to build trust, then distribute supposed software "patches" or updates that are actually Remote Access Trojans designed to capture passwords and private keys. Reports indicate that North Korean operators have stolen more than $300 million through this fake Zoom and fake Teams strategy, showing how traditional phishing has evolved into multi-step social engineering tailored to remote work tools.

Industry data highlights the scale of the problem. Between January and early December 2025, crypto theft reached about $3.4 billion according to aggregated reports, while Americans alone lost a record $9.3 billion to crypto-related crimes in 2024.
Investment fraud made up about $5.7 billion of those losses, with victims over 60 years old reporting the highest individual losses at roughly $2.8 billion, indicating that older investors remain a primary target for scammers who offer high-yield opportunities or pretend to represent regulated platforms.

Analysts and investigators, including ZachXBT, have also pointed to a rise in more subtle scams such as address poisoning, where attackers send tiny "dust" transactions from addresses that visually resemble a user's frequent recipients. Because most wallet interfaces display only the first and last few characters of an address, an attacker only needs to generate an address whose visible head and tail match the real one; the lookalike then sits in the victim's transaction history waiting to be copied. In December, one such trick led a victim to lose $50 million after copying a spoofed address that looked almost identical to the intended one, while another December incident involving a leaked key to a multi-signature wallet caused losses of about $27.3 million. Despite a reported 60 percent decline in exploit-related losses in December, down to about $76 million according to data from firms like PeckShield, these social and operational failures keep causing major damage, because once funds leave a wallet under valid signatures, reversing the transaction is practically impossible. That irreversibility gives criminals a strong incentive to focus on the human layer, where no smart contract fix or protocol upgrade can close the gap if the user decides to sign or reveal something sensitive.
Risk mitigation, user behavior, and lessons from ZachXBT investigations
The recurring appearance of high-value thefts, from the $243 million Genesis creditor case to the more recent $282 million loss reported by ZachXBT, points to a central conclusion: technical tools reduce risk, but they cannot fully protect users who do not maintain strict habits and skepticism in day-to-day interactions. Security experts continue to emphasize that anyone who holds significant crypto should assume every unsolicited message, call, or meeting request may be part of a social engineering attempt, especially when it references account issues, urgent security warnings, or investment opportunities that require quick approval. Navin Gupta, CEO of blockchain analytics platform Crystal, explained in an interview with Cryptonews that adopting this mindset filters out most threat vectors before they even pass the first step, because users simply refuse to engage with unknown or unverified outreach.

Practical defenses come down to small, consistent behaviors that reduce the attack surface. Users should avoid SMS-based two-factor authentication wherever possible and rely instead on hardware security keys or authenticator apps, which remove the SIM-swap path. Before sending any transaction, holders should verify every character of the destination address, confirm it on the hardware wallet's own screen rather than only in the companion software on the host computer, and avoid copying addresses from old transaction history, since a recent address poisoning attempt may have planted a near-identical decoy there. When dealing with supposed support staff, investors should independently reach out through official websites or app channels rather than using numbers or links provided in unsolicited communications. They should also treat any request for remote access, screen sharing, or seed phrase disclosure as a direct red flag, since no legitimate service needs that information to resolve routine account issues.
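The address poisoning pattern described in the previous section (a dust deposit from a lookalike address, followed by the victim copying that address out of their history) and the "verify every character" advice in the paragraph above can both be turned into a mechanical pre-signing check. The following Python is an added example written for this page; it is not code from ZachXBT, PeckShield, or any wallet vendor, and the address book, history entries, amounts, and the lookalike address it contains are constructed test data rather than real on-chain entities. It scans a transaction history for unsolicited dust deposits that imitate a saved contact, and refuses a destination that matches a saved contact's visible head and tail without being identical to it.

```python
"""Address-poisoning guard (added example; constructed test data throughout).

Two checks a holder can run before signing:
  1. flag incoming "dust" from addresses that imitate a saved contact
     (the poisoning step), and
  2. refuse a destination that is a near-match of a saved contact but not
     an exact match (the payout step the article's $50M victim fell for).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed address book (hypothetical labels and addresses). Wallet UIs
# truncate the middle of an address, so attackers grind vanity addresses
# that match the visible head and tail of a real contact.
ADDRESS_BOOK = {
    "exchange-deposit": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    "cold-storage": "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7",
}

# Constructed history, newest first. The first entry is a 1 sat poisoning
# deposit from an address whose head and tail copy "exchange-deposit";
# it is not a valid checksummed address and exists only for this demo.
HISTORY = [
    {"dir": "in", "addr": "bc1qar0sxyzqq8f2z4kmhr0p9ujt3v6edlapwf5mdq", "sats": 1},
    {"dir": "out", "addr": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "sats": 250_000_000},
    {"dir": "out", "addr": "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7", "sats": 5_000_000_000},
]

HEAD, TAIL = 8, 6    # characters a typical wallet UI shows at each end
DUST_SATS = 1_000    # unsolicited deposits at or below this are suspect


def is_lookalike(candidate: str, known: str, head: int = HEAD, tail: int = TAIL) -> bool:
    """True when the two addresses differ but share the visible head and tail.

    Comparison is case-sensitive on purpose: base58 addresses are
    case-sensitive, and a case-folded "match" must never pass as exact.
    """
    c, k = candidate.strip(), known.strip()
    return c != k and c[:head] == k[:head] and c[-tail:] == k[-tail:]


def find_poisoning(history, address_book):
    """Return (tx, imitated_label) pairs for dust deposits from lookalikes."""
    hits = []
    for tx in history:
        if tx["dir"] != "in" or tx["sats"] > DUST_SATS:
            continue
        for label, known in address_book.items():
            if is_lookalike(tx["addr"], known):
                hits.append((tx, label))
    return hits


@dataclass
class Verdict:
    ok: bool
    reason: str
    label: Optional[str] = None   # saved contact the address matched or imitated


def check_destination(addr: str, address_book) -> Verdict:
    """Allow only exact matches with a saved contact; block lookalikes."""
    addr = addr.strip()
    for label, known in address_book.items():
        if addr == known:
            return Verdict(True, "exact match with saved contact", label)
    for label, known in address_book.items():
        if is_lookalike(addr, known):
            return Verdict(False, f"lookalike of '{label}': same first {HEAD} and "
                                  f"last {TAIL} characters, different middle", label)
    return Verdict(False, "not in address book; verify out of band before signing")


def pick_from_history_unsafely(history) -> str:
    """What a careless user does: copy the newest address in the history."""
    return history[0]["addr"]


if __name__ == "__main__":
    for tx, label in find_poisoning(HISTORY, ADDRESS_BOOK):
        print(f"poisoning: {tx['sats']} sat deposit from {tx['addr']} imitates '{label}'")
    verdict = check_destination(pick_from_history_unsafely(HISTORY), ADDRESS_BOOK)
    print("BLOCK" if not verdict.ok else "OK", "-", verdict.reason)
```

Run it directly to see the dust entry flagged and the copied-from-history destination blocked. HEAD and TAIL should be set to whatever the wallet UI actually displays, since that is exactly what the attacker matches; and the check supplements rather than replaces reading the full address on the hardware wallet's own screen, because a lookalike that differs only in the hidden middle is precisely what the device display is there to reveal.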
Cases investigated by ZachXBT show that once a victim reveals private keys, provides remote access to a device storing wallet data, or authorizes a transaction under false pretenses, options for recovery become extremely limited. Some funds can occasionally be frozen at centralized exchanges if investigators track them quickly and work with authorities, as seen in parts of the 2024 Genesis-related case where millions were locked and several suspects were detained. However, when criminals convert assets into privacy coins, route them through decentralized cross-chain protocols, or move them through jurisdictions with weak enforcement cooperation, clawing back value becomes far more challenging. The January 2026 theft that moved LTC and BTC into Monero through instant exchanges and Thorchain illustrates how well-planned laundering exploits the open, borderless structure of the crypto ecosystem.

In response, the community continues to rely on independent analysts, law enforcement, and educational campaigns to minimize future damage, while recognizing that no central authority can roll back transactions or guarantee refunds. The ongoing work by researchers such as ZachXBT demonstrates that transparency, public reporting of suspect addresses, and detailed reconstructions of past attacks can deter some criminals and help platforms implement better monitoring. Yet the most effective protection still lies with individual users, whose daily choices about which links to click, which calls to trust, and which files to install determine whether sophisticated social engineers can turn technical strength into a false sense of security.
Conclusion
The January 10, 2026 theft of more than $282 million in Bitcoin and Litecoin, revealed through on-chain analysis by ZachXBT, shows that social engineering remains one of the most damaging risks for crypto holders despite improvements in protocol security and declining exploit losses. By rapidly converting stolen assets into Monero and swapping Bitcoin through Thorchain into assets on Ethereum, the XRP Ledger, and Litecoin, the attacker followed laundering patterns that have grown more complex since the $243 million Genesis creditor case in August 2024, which also involved social manipulation, spoofed support calls, and remote access tools like AnyDesk. Ongoing incidents, from the $16 million Coinbase user scam to over $300 million lost to North Korean fake Zoom campaigns, confirm that attackers continue refining both psychological techniques and technical delivery mechanisms to bypass user defenses.

Across 2025, total crypto theft reached about $3.4 billion, while US losses to crypto-related crime in 2024 climbed to $9.3 billion, with investment fraud and older victims bearing a large share of the damage. These figures, combined with the recent address poisoning event that cost one user $50 million and a separate multi-signature key leak that caused $27.3 million in losses, show that irreversible transactions turn even small lapses in judgment into permanent financial hits. Investigations by analysts like ZachXBT provide valuable insight into how these operations function and sometimes lead to arrests and asset freezes, as shown by the twelve people charged in the Genesis-related case and the cross-border detention of suspects from Miami to Dubai.
Still, the central lesson remains that users must treat every unsolicited message as suspect, verify all transaction details carefully, avoid weak authentication methods, and refuse any request for remote control or seed phrases, because once control over a wallet slips away, no blockchain upgrade or legal remedy can guarantee the return of what has been lost.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.