ZachXBT cracks Railgun privacy to expose Bittensor hacker

Crypto sleuth ZachXBT has managed to deanonymise withdrawals from crypto mixer Railgun while identifying a suspect linked to NFT wash trading and the $28 million Bittensor hack.

Decentralized protocol Bittsensor suffered a supply chain attack in 2024 that resulted in the theft of $28 million from 32 holders of its TAO token.

In an investigation revealed today, ZachXBT showed how he was able to trace these funds to instant exchanges where they were swapped for privacy-focused cryptocurrency monero.

5/ I deanonymized the Railgun withdrawals to three addresses (0x1d7, 0x87d8, 0x1fbc) by applying timing / amount heuristics.
Total deposits: 1249.68 ETH, 277.2K USDC, 22.35 WETH
Total withdrawals: 1246.16 ETH, 276.4K USDC, 19.83 WETH
The unique denominations and short deposit… pic.twitter.com/6jZ2yrqLQw
— ZachXBT (@zachxbt) October 15, 2025

A snippet of ZachXBT’s full Bittsensor investigation.

Read more: Did the US government hack a scam network for $15B in bitcoin?

Almost $5 million worth of these funds was transferred to Railgun in batches of ether, USDC, and wrapped ether.

ZachXBT claims to have then deanonymized the withdrawals from Railgun by applying timing and amount “heuristics.”

According to the sleuth, “The unique denominations and short deposit time makes the demix high confidence.”

Railgun is a rival to Tornado Cash, and has seen the likes of Ethereum creator Vitalik Buterin use its service.

In some instances, Railgun has utilised protocol policy to return stolen funds, for example from the $9.5 million exploit of the Starknet network. On the flip side, it’s also popular with North Korean hacking collective Lazarus Group.

This is a solid demonstration of Railgun’s privacy pools mechanism ( https://t.co/DekkatsMR5 ) working in practice, allowing Railgun to avoid serving proceeds of crime without using any snooping / backdoors.
How it works:
* Anyone can deposit into Railgun.
* After you deposit,… https://t.co/SqclMS3SzO
— vitalik.eth (@VitalikButerin) February 13, 2025

Vitalik Buterin praising the crypto mixer Railgun.

Read more: What does Roman Storm’s guilty verdict mean for the wider DeFi sector?

Crypto mixers are designed to make funds untraceable once they’ve been withdrawn. ZachXBT’s research, however, appears to undermine this completely.

Wash trading NFT anime girls

Once the crypto was obfuscated, the suspects sent the funds to three more addresses and made various bridged transactions.

The funds were then used to purchase some anime-themed NFTs and, through various overpriced sales and fund transfers, they were laundered.

The crypto sleuth noted that, “It’s extremely rare to see exploits/hacks involve NFT wash trading.”

One address that received the funds was funded by an address belonging to a Bittensor user who went by the alias “Rusty,” and created “Skrtt racing,” a crypto project that took bets on live-streamed Hot Wheels races.

ZachXBT linked this individual to a lawsuit launched against suspects of the Bittensor hack, and noted that Rusty, giving a statement in the lawsuit as Ayden B, denies involvement in the scam, but admitted to owning the wallets ZachXBT managed to identify in his investigation.

“Hopefully law enforcement eventually moves forward with a criminal case in the future,” he said.

Protos has reached out to ZachXBT to find out more and will update this piece should we hear back.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.

Source: https://protos.com/zachxbt-deanonymizes-withdrawals-from-crypto-mixer-railgun/