TLDR
- $330M Bitcoin stolen in a social engineering attack on an elderly individual.
- Stolen Bitcoin was laundered using a peel chain method across 300+ wallets and 20 exchanges.
- Large portion of stolen funds converted to Monero, making them untraceable.
- Funds were further dispersed across Ethereum and decentralized platforms.
- Investigators point to an organized, independent entity; security experts recommend stronger protection practices.
On April 28, 2025, a reported $330 million worth of Bitcoin was stolen from an elderly individual in the United States through a social engineering attack, according to an update shared by onchain investigator ZachXBT. The incident involved the unauthorized transfer of 3,520 Bitcoin (BTC), making it one of the largest individual crypto thefts in history.
Update: It is confirmed to be a social engineering theft from an elderly individual in the US.
— ZachXBT (@zachxbt) April 30, 2025
ZachXBT flagged the suspicious transfer and began tracking the flow of the stolen funds shortly after the incident. Blockchain data revealed that the BTC was moved in two separate transactions and quickly dispersed using a technique known as a peel chain. This laundering method breaks large amounts into smaller transactions to obscure the money trail.
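The peel-chain pattern described above can be followed mechanically once you have the transaction graph: each hop carries most of the value forward in one large output and sheds a small "peel" into a fresh address, often headed for an exchange deposit. The script below is an added illustration of that tracing logic and is not code from ZachXBT, Hacken, or the Extractor system mentioned later in this article. The transactions, addresses and amounts are constructed for the example, and the 20% peel threshold is an assumed heuristic; real analytics tools combine many more signals (address clustering, timing, known exchange deposit addresses).

```python
"""Trace a Bitcoin-style peel chain over a constructed transaction set.

Added example: the data and the peel heuristic are assumptions, not the
page's own figures or any vendor's detection logic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Tuple[str, int], ...]      # outpoints spent: (txid, vout)
    outputs: Tuple[Tuple[str, float], ...]   # (address, amount in BTC)


def build_spender_index(txs: List[Tx]) -> Dict[Tuple[str, int], str]:
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    index: Dict[Tuple[str, int], str] = {}
    for tx in txs:
        for outpoint in tx.inputs:
            index[outpoint] = tx.txid
    return index


def is_peel_hop(tx: Tx, peel_ratio: float) -> bool:
    """A peel hop has two or more outputs and one output carries almost all value.

    peel_ratio is the largest share of value allowed to be 'peeled off'
    (assumed threshold; 0.2 means at most 20% leaves the main flow per hop).
    """
    if len(tx.outputs) < 2:
        return False
    total = sum(amount for _, amount in tx.outputs)
    largest = max(amount for _, amount in tx.outputs)
    return total > 0 and (total - largest) / total <= peel_ratio


def follow_peel_chain(txs: List[Tx], start_txid: str,
                      peel_ratio: float = 0.2, max_hops: int = 1000) -> dict:
    """Follow the largest output hop by hop, recording each peeled output.

    Returns the chain of txids, the peeled outputs (with the txid that later
    spent them, if any), the total peeled, the amount still in the main flow
    and the txid at which the peel pattern stopped.
    """
    by_id = {tx.txid: tx for tx in txs}
    spender = build_spender_index(txs)
    hops: List[str] = []
    peeled: List[Tuple[str, str, float, Optional[str]]] = []
    remaining = 0.0
    current = by_id.get(start_txid)
    while current is not None and len(hops) < max_hops and is_peel_hop(current, peel_ratio):
        hops.append(current.txid)
        largest_idx = max(range(len(current.outputs)), key=lambda i: current.outputs[i][1])
        remaining = current.outputs[largest_idx][1]
        for vout, (addr, amount) in enumerate(current.outputs):
            if vout != largest_idx:
                peeled.append((current.txid, addr, amount, spender.get((current.txid, vout))))
        next_txid = spender.get((current.txid, largest_idx))
        current = by_id.get(next_txid) if next_txid else None
    return {
        "hops": hops,
        "peeled": peeled,
        "peeled_total": sum(p[2] for p in peeled),
        "remaining": remaining,
        "ends_at": current.txid if current else None,
    }


# Constructed sample: 3520 BTC enters at tx1, four peel hops shed 120/150/150/150
# BTC, then tx5 forwards the bulk in a single output (pattern ends). tx6 shows a
# peeled output moving on to a (constructed) exchange deposit address.
SAMPLE_TXS = [
    Tx("tx1", (("victim_funding", 0),), (("change1", 3400.0), ("peel1", 120.0))),
    Tx("tx2", (("tx1", 0),), (("change2", 3250.0), ("peel2", 150.0))),
    Tx("tx3", (("tx2", 0),), (("change3", 3100.0), ("peel3", 150.0))),
    Tx("tx4", (("tx3", 0),), (("change4", 2950.0), ("peel4", 150.0))),
    Tx("tx5", (("tx4", 0),), (("final", 2950.0),)),
    Tx("tx6", (("tx1", 1),), (("exchange_deposit_1", 119.9),)),
]


def trace_sample() -> dict:
    """Run the tracer over the constructed sample starting at tx1."""
    return follow_peel_chain(SAMPLE_TXS, "tx1")


if __name__ == "__main__":
    result = trace_sample()
    print(f"peel chain of {len(result['hops'])} hops: {' -> '.join(result['hops'])}")
    for txid, addr, amount, spent_by in result["peeled"]:
        print(f"  {txid} peeled {amount} BTC to {addr}, later spent by {spent_by}")
    print(f"peeled total {result['peeled_total']} BTC, "
          f"{result['remaining']} BTC still in main flow, stopped at {result['ends_at']}")
```

The tracer only follows the largest output, which is why the chain ends at tx5 even though the funds continue there: a single-output forward is not a peel, and an analyst would hand that txid to the next heuristic. The peeled outputs, not the main flow, are usually what reaches exchanges, so the `spent_by` field is the hook for alerting a platform to a deposit worth freezing.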
The victim is believed to have held the Bitcoin since 2017, with no previous history of major outbound transfers. According to blockchain security firm Hacken, the funds were laundered through over six instant exchanges and swapped for Monero (XMR), a cryptocurrency known for its privacy features. This conversion led to a temporary 50% price surge in XMR due to the transaction volume and thin liquidity.
Laundering Method Involved Over 300 Wallets and 20 Exchanges
Investigators tracking the movement of the stolen funds noted that more than 300 wallet addresses and at least 20 centralized exchanges were involved in the laundering process. Hacken’s internal tracking system, Extractor, found that approximately $284 million of the stolen Bitcoin had been funneled through a peel chain and now only about $60 million remains traceable.
A significant portion of the funds was processed through low-credibility exchanges and payment platforms, among them Binance. The redistribution of the stolen BTC made it difficult to identify and freeze the assets in a timely manner, given the limitations of existing legal and regulatory processes. Hacken’s onchain researcher Yehor Rudytsia explained that the attacker dispersed the Bitcoin in smaller sums across many accounts and platforms to avoid detection.
Rudytsia highlighted that this case shared similarities with a previous 4,064 BTC theft from a Genesis creditor in 2024, where delays in legal intervention also hindered fund recovery efforts. Investigators have alerted exchanges to attempt freezing any assets that may be held in identifiable wallets.
Conversion to Monero and Use of Cross-Chain Bridges Complicate Recovery
After the initial laundering through exchanges, a large portion of the stolen BTC was converted to Monero. Due to its privacy-centric architecture, Monero transactions are effectively untraceable, significantly reducing the likelihood of fund recovery. The move to XMR was a key factor in frustrating efforts to trace the assets further.
In addition to the Monero swaps, a smaller amount of BTC was bridged to Ethereum and distributed across various decentralized platforms. This tactic added another layer of complexity to the laundering process by spreading the funds across multiple blockchains and systems with different privacy standards.
ZachXBT stated that no conclusive link has been established between this incident and any known hacker group. While North Korea’s Lazarus Group has been behind previous high-value crypto attacks, the tactics used in this case do not align with their typical methods. Investigators suggest a highly organized and independent entity likely carried out the attack.
Cybersecurity professionals recommend using hardware wallets, multi-signature security, and regular key rotation to protect against similar social engineering attacks in the future.