OpSec mistakes helped investigators trace a suspected $90M crypto theft
A new chain-tracing report shows how a single operational mistake can become a major attribution lead. Blockchain investigator ZachXBT says a threat actor known as “John”, also called “Lick”, exposed control of his wallets during a recorded group-chat dispute. ZachXBT links the wallets shown on screen to more than $90 million in suspected stolen funds, including funds he says connect to a U.S. government seizure-related address. These claims remain unverified until law enforcement or affected parties confirm them.
1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025.
— ZachXBT (@zachxbt) January 23, 2026
What happened and why defenders care
The key event was a “band for band” style argument inside a group chat tied to “The Com”, where participants display wallet balances to prove status. In this case someone recorded the exchange. ZachXBT says “John” screen-shared an Exodus wallet linked to a TRON address holding about $2.3 million. Soon after, during the same dispute, a separate Ethereum address received about $6.7 million in ETH. ZachXBT alleges “John” later consolidated roughly $23 million into that Ethereum wallet, which strengthened the link between the person in the recording and the addresses on-chain.
From a cybersecurity perspective, this matters because it resembles “hands-on-keyboard” proof. Address clustering heuristics (common-input ownership, change detection, address reuse) only infer that a set of addresses is under common control; they say nothing about who that controller is. Here the evidence pairs a live interaction, a person showing a specific wallet, with transaction timing on the same addresses. That combination yields a stronger investigative trail than attribution by reuse patterns alone, though it still depends on the recording being authentic and the on-screen address being read correctly.
Technical tracing highlights
ZachXBT reportedly traced funds backward from the Ethereum wallet to additional addresses that he says “John” confirmed as his own. The report also claims one upstream wallet received $24.9 million from a U.S. government address in March 2024, and it ties that to a Bitfinex hack seizure context previously discussed by ZachXBT. It also states that a notable balance remains in one related address.
The post further notes more than $63 million in inflows during Q4 2025 into wallets linked to the same cluster. That pattern points to ongoing victimization, active laundering that routes funds through multiple hops and consolidation points, or both.
Exchange touchpoints and incident response value
The report also highlights a transfer of 4.17K ETH (about $12.4M) that allegedly flowed from MEXC into the tracked Ethereum wallet via an intermediate address. If accurate, that is significant because exchange touchpoints can become enforcement choke points: they enable KYC-based attribution, account linkage and, depending on jurisdiction and response speed, freeze actions. The intermediate hop is the usual caveat. An exchange account that funded the cluster may belong to the actor, to a purchased or mule account, or to an OTC counterparty, so the KYC record is a lead to pursue rather than attribution by itself.
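As an added illustration (not code from ZachXBT's report or from this article), the following script shows the two tracing steps described above: correlating inflows with the time window of a recorded event and intersecting them with the addresses seen on screen, then walking the transfer graph backward through intermediate hops until it reaches labeled touchpoints such as an exchange hot wallet or a seizure address. The ledger, address names, labels, amounts and timestamps are all constructed for the example and deliberately do not reproduce the figures in the report.

```python
"""Event-window correlation and backward hop tracing over a constructed
transfer ledger. Added example, not code from the ZachXBT report; every
address, label, amount and timestamp below is invented."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_usd: float
    ts: datetime


def utc(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Hypothetical labels an investigator holds for known counterparties.
LABELS = {
    "exch_hot_1": "exchange:hot-wallet",
    "gov_seizure_1": "government:seizure-address",
}

# Constructed ledger: a seizure-linked source several hops upstream, an
# exchange withdrawal passing through one intermediate hop, a consolidation
# address, and an unrelated transfer that lands in the same time window as
# the recorded dispute (to show why timing alone is not enough).
LEDGER = [
    Transfer("gov_seizure_1", "up_a", 24_900_000, utc("2024-03-10T12:00:00")),
    Transfer("up_a", "up_b", 8_000_000, utc("2025-11-02T09:00:00")),
    Transfer("exch_hot_1", "mid_1", 12_400_000, utc("2025-12-01T10:00:00")),
    Transfer("mid_1", "consol", 12_400_000, utc("2025-12-01T10:20:00")),
    Transfer("up_b", "consol", 6_700_000, utc("2025-12-05T18:05:00")),
    Transfer("noise_src", "noise_dst", 1_000, utc("2025-12-05T18:07:00")),
]

# Constructed event time (the recorded dispute) and a tolerance window.
DISPUTE_TS = utc("2025-12-05T18:00:00")
WINDOW = timedelta(minutes=15)
Q4_2025 = (utc("2025-10-01T00:00:00"), utc("2026-01-01T00:00:00"))


def inflows_in_window(ledger, event_ts, window):
    """Total USD received per destination within +/- window of an event."""
    lo, hi = event_ts - window, event_ts + window
    hits = defaultdict(float)
    for tr in ledger:
        if lo <= tr.ts <= hi:
            hits[tr.dst] += tr.amount_usd
    return dict(hits)


def corroborate(ledger, observed, event_ts, window):
    """Keep only timing hits whose address was also seen on screen.
    The intersection, not the timing alone, is the control link."""
    hits = inflows_in_window(ledger, event_ts, window)
    return {a: v for a, v in hits.items() if a in observed}


def trace_upstream(ledger, target, labels, max_hops=4):
    """Breadth-first walk backward from target along incoming transfers.
    Returns (hops_by_source, touchpoints); touchpoints maps a labeled
    address to (label, hop distance). Pass-through addresses are followed,
    so an exchange behind an intermediate hop is still reached."""
    by_dst = defaultdict(list)
    for tr in ledger:
        by_dst[tr.dst].append(tr)
    hops = {target: 0}
    touchpoints = {}
    queue = deque([target])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tr in by_dst[addr]:
            if tr.src in hops:
                continue
            hops[tr.src] = hops[addr] + 1
            queue.append(tr.src)
            if tr.src in labels:
                touchpoints[tr.src] = (labels[tr.src], hops[tr.src])
    hops.pop(target)
    return hops, touchpoints


def inflow_total(ledger, addrs, start, end):
    """Sum of inflows into a cluster of addresses over [start, end)."""
    return sum(tr.amount_usd for tr in ledger
               if tr.dst in addrs and start <= tr.ts < end)


if __name__ == "__main__":
    print(corroborate(LEDGER, {"consol"}, DISPUTE_TS, WINDOW))
    print(trace_upstream(LEDGER, "consol", LABELS))
    print(inflow_total(LEDGER, {"consol", "mid_1"}, *Q4_2025))
```

The `max_hops` bound matters in practice: a tight bound misses a source that sits three hops back (the seizure-linked address in the constructed data), while an unbounded walk on a real chain quickly pulls in popular services and drowns the cluster in noise. Labeled touchpoints found by the walk are the candidates for subpoena or freeze requests; the hop distance tells you how much intermediate ownership still has to be established.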
The core lesson
This case illustrates a familiar truth in cyber investigations: operator mistakes often expose actors faster than technical analysis alone. If investigators validate these links, the biggest takeaway is simple: recording, screen-sharing, and real-time fund movement can collapse anonymity in minutes.