A cryptocurrency wallet allegedly controlled by a threat actor known as “John” has been linked to more than $90 million in suspected illicit funds, including assets tied to a prior U.S. government seizure related to the Bitfinex hack, according to blockchain investigator ZachXBT.
In a thread published on X, ZachXBT said the individual — who uses the alias “John” or “Lick” — was recorded “flexing” control over roughly $23 million in crypto during a heated online exchange with another alleged threat actor.
The funds were later traced back to wallets associated with government-controlled seizure addresses and other suspected victims.
The incident stemmed from a dispute between John and another threat actor in an online group chat. The two engaged in what is known in cybercrime circles as a “band for band” a contest to prove control over cryptocurrency holdings. The entire exchange was recorded.
8/ 0xd8bc is tied to $63M+ inflows from suspected victims and government seizure addresses in Q4 2025.
Dec 2025
$13.5M
0x77a722bf33787c3512d0f4fc36412140057f4223
$15.4M
0xf51b044f998277b17467cd713d72b403e16fad48
Nov 2025
$3M
TACZPnbg2Fi2ppC3cGxQxZb95SqwAZVAw9
$1M… pic.twitter.com/3BjyLGXYhP— ZachXBT (@zachxbt) January 23, 2026
In one portion of the recording, John screen-shares an Exodus wallet showing a Tron address holding about $2.3 million. In another segment, an additional $6.7 million in ether is transferred live into an Ethereum address later identified as 0xd8bc. By the end of the exchange, approximately $23 million had been consolidated into that wallet. ZachXBT said the footage demonstrates John’s control over multiple addresses.
Tracing the funds backward, ZachXBT linked 0xd8bc to another wallet, 0x8924, which John allegedly confirmed owning. That address received 1,066 wrapped ether (WETH) in November 2025 from 0xc7a2, a wallet that ZachXBT said received $24.9 million in March 2024 from a U.S. government address tied to the Bitfinex hack seizure. Roughly $18.5 million remains in that wallet, he said.
ZachXBT added that 0xd8bc received more than $63 million in additional inflows during late 2025 from addresses associated with suspected victims. On Thursday, the wallet received another 4,170 ETH, worth roughly $12.4 million, from a centralized exchange.
The case draws parallels with a $243 million social engineering hack in 2024, where the two bad actors posed as Google support staff before flaunting their ill-gotten gains on social media. Miami police eventually arrested both suspects.
