The fifth-largest Bitcoin transaction in computing history has so far netted $330 million and reportedly targeted an elderly U.S. resident. The attack, disclosed by onchain investigator ZachXBT in an April 30 post on X (formerly Twitter), involved advanced social engineering to compromise the victim’s wallet.
This occurred on April 28, 2025, when ZachXBT tweeted about a possible Bitcoin transaction of 3,520 BTC, worth around $330.7 million. Blockchain data revealed that the victim had held some 3,000 BTC since 2017, with no significant transfers in their history.
The illicit transfer was quickly followed by moving the funds through more than six instant crypto exchanges before a swift switch to the privacy-focused token Monero (XMR), which gains its anonymity from obfuscating transaction details. This conversion hampered tracking efforts and contributed to a brief 50% spike in Monero’s price (from $167 to $239), which helped the token reach a cost of $339.
Over 300 Wallets and 20 Exchanges Involved
Hacken onchain researcher Yehor Rudytsia said the attacker used a peel chain laundering method, splitting large chunks of Bitcoin into smaller, harder-to-trace portions. The $330 million in BTC was received in two transactions and then immediately distributed via peel chains.
Extractor, Hacken’s internal monitoring tool, traced around $284 million in Bitcoin through these chains. Since then, the amount has dwindled to $60 million, having been ‘peeled’ and redistributed across upwards of 300 hacker-controlled wallets and 20 different exchanges or payment platforms, including Binance.
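The peel chain pattern described above can be followed programmatically by tracing the large remainder output from hop to hop and recording each small output split off along the way. The Python below is an added example, not Hacken’s Extractor or code from the original article; the `Tx` model, the 25% threshold and the sample transactions are assumptions constructed for illustration, with one input per hop and no address reuse.

```python
from dataclasses import dataclass

PEEL_MAX_SHARE = 0.25  # assumption: a peel is at most 25% of the value spent


@dataclass(frozen=True)
class Tx:
    txid: str
    source: str     # address being spent (simplified: one input per hop)
    outputs: tuple  # ((address, amount_btc), ...)


def trace_peel_chain(txs, start_address):
    """Follow the large remainder output hop by hop from start_address.

    Returns (peels, remainder). peels lists (txid, address, amount) for each
    small output split off; remainder is the (address, amount) output where
    the peel pattern ends, or None if start_address never made a peel hop.
    """
    spends = {tx.source: tx for tx in txs}  # address -> tx that spends it
    peels, remainder, seen = [], None, set()
    address = start_address
    while address in spends and address not in seen:  # seen guards cycles
        seen.add(address)
        tx = spends[address]
        if len(tx.outputs) != 2:
            break  # not peel-shaped
        small, large = sorted(tx.outputs, key=lambda out: out[1])
        if small[1] > PEEL_MAX_SHARE * (small[1] + large[1]):
            break  # roughly even split, not a peel
        peels.append((tx.txid, small[0], small[1]))
        remainder = large
        address = large[0]
    return peels, remainder


# Constructed sample: 100 BTC peeled three times, then split evenly (fees ignored).
SAMPLE = [
    Tx("t1", "A0", (("P1", 5.0), ("A1", 95.0))),
    Tx("t2", "A1", (("A2", 85.0), ("P2", 10.0))),
    Tx("t3", "A2", (("P3", 5.0), ("A3", 80.0))),
    Tx("t4", "A3", (("X1", 40.0), ("X2", 40.0))),
]

if __name__ == "__main__":
    peels, remainder = trace_peel_chain(SAMPLE, "A0")
    for txid, addr, amount in peels:
        print(f"{txid}: peeled {amount} BTC to {addr}")
    print("remainder:", remainder)
```

The peeled addresses are the ones an investigator would check against known exchange deposit addresses, while the shrinking remainder shows how much is still moving along the chain.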
The operation shows a high level of planning. The volume of BTC quickly converted into Monero made any recovery effort even more difficult. “After the funds get ‘swapped’ to Monero, tracing is almost impossible due to the privacy-preserving architectural guarantees desirable to cryptocurrency users. However, it turns out that after this step, the chance of recovery significantly decreases,” said Hakan Unal, senior security operations lead at Cyvers Alerts.
Unal said it was likely premeditated because the attacker set up accounts in advance at multiple exchanges and OTC (over-the-counter) trading desks. A small fraction of the stolen BTC was also bridged to the Ethereum network to circulate across various decentralized platforms, prompting alerts to exchanges in an attempt to freeze some of the illicitly obtained funds.
Experts Recommend Protection for High-Value Bitcoin
ZachXBT dismissed a claim that the hackers were North Korea’s Lazarus Group. Instead, he indicated that he suspected independent threat actors and noted a lack of identifiable laundering signatures.
The laundering methods used ‘so far,’ Unal said, are still too sophisticated to ‘give us such confidence’ that this activity can be linked to a known hacker group.
Experts analyzing the breach agree that the hackers’ tactics were ‘automated and coordinated in large-scale crypto hacks.’ They were well coordinated and unusual for such large-scale crypto hacks. For high-value Bitcoin holders, Unal recommended a few protective measures, such as multi-signature wallets to prevent single points of failure, key rotation, minimizing hot wallets, and using cold hardware storage.
This is another incident in a growing wave of crypto crimes. According to an April report from blockchain security firm PeckShield, hackers in Q1 2025 alone managed to steal over $1.6 billion worth of digital assets from exchanges and on-chain smart contracts. Significantly, more than 90% of those losses came from the $1.5 billion breach of the centralized exchange Bybit, which was blamed on North Korea’s Lazarus Group.