A new ZachXBT investigation has put a sharper point on one of crypto's most uncomfortable risks: the person trying to drain a wallet may not be a technical hacker, but a persuasive social engineer with a Discord screen share.
The latest crypto security story is not really about an 18-year-old showing off money online. It is about how quickly social-engineering crews can turn support impersonation, stolen account access and weak custody habits into eight-figure losses, while on-chain investigators and federal prosecutors race to connect the same trail from different ends.
On May 12, ZachXBT alleged that Dritan Kapllani Jr. was tied to roughly $19 million in crypto thefts, including a March 14 theft of 185 BTC worth about $13 million at the time. The on-chain investigator said Kapllani had shown an Exodus wallet with about $3.68 million during a Discord band-for-band call, the kind of reckless status contest that has become strangely useful evidence in crypto crime investigations.
The claim matters because it arrived one day after a more formal legal development in Florida. According to the DOJ's Southern District of Florida, a federal grand jury charged Trenton Richard David Johnston, 19, and Brandon Michael Tardibone, 28, in a cryptocurrency fraud and money-laundering case that prosecutors say caused more than $13 million in losses. Johnston is accused of impersonating support representatives from a popular search engine and crypto-related companies to gain access to victims' digital accounts and wallets.
That is the real custody warning. These attacks do not require breaking Bitcoin or Ethereum. They require persuading someone that a fake support agent is real, that a recovery step is urgent, or that moving funds is safer than staying still. Once a victim gives away access, a wallet can be emptied in minutes and the stolen assets can begin moving through bridges, exchanges, mixers or other laundering routes before the victim fully understands what happened.
The DOJ said Johnston, a Canadian national, had overstayed his visa and was living in the Miami area while allegedly operating the fraud scheme with other co-conspirators. Prosecutors also accused Tardibone of harboring Johnston at a luxury Miami-area residence and helping launder proceeds. Both men are presumed innocent unless proven guilty, but the allegations describe a familiar pattern in crypto cybercrime: identity trickery first, luxury spending after.
Federal prosecutors said more than $1 million in illicit proceeds was used to lease luxury vehicles, buy high-end jewelry and fund nightlife and entertainment. That detail may sound like color, but it is operationally important. Public flexing has become part of the ecosystem around young online threat actors, and that same hunger for proof can leave investigators with screenshots, wallet addresses, social handles and transaction trails to compare.
ZachXBT's allegation goes further than the indictment by tying Kapllani to the 185 BTC theft and to other alleged theft activity, while also saying Kapllani has not been charged in that matter. That distinction is important. An on-chain attribution is not a criminal conviction, and public investigators can be wrong. But when public blockchain data, Discord behavior, wallet flows and court filings begin pointing toward the same cluster of activity, the market should pay attention.
On-Chain Investigators Are Moving Earlier
Crypto has always had a strange advantage in financial crime investigations. The assets can move quickly, but they often move in public. A bank wire trail may sit behind subpoenas and compliance teams. A Bitcoin or Ethereum trail can be watched in real time by anyone with the skill, patience and context to follow it.
That is why investigators like ZachXBT have become unusually influential. They do not replace law enforcement, but they often surface names, wallets and behavioral links before the legal system is ready to speak publicly. In some cases, their work helps victims understand where funds went. In others, it creates pressure on exchanges and stablecoin issuers to freeze assets or explain why obvious suspicious flows were allowed to continue.
The broader enforcement backdrop is also getting heavier. The DOJ announced on April 29 that an international operation led to at least 276 arrests and the dismantling of at least nine scam centers used for cryptocurrency investment fraud schemes. Those cases are not the same as the Johnston indictment or ZachXBT's Kapllani allegation, but together they show where the industry is heading. Crypto crime is becoming less like a lone hacker story and more like a networked fraud business.
For ordinary holders, the practical lesson is blunt. Hardware wallets, seed phrase discipline, withdrawal allowlists and skepticism toward support contacts are not optional extras. They are the line between owning an asset and merely hoping nobody talks you out of it. Even experienced users can be rushed into bad decisions when attackers sound informed, urgent and helpful.
The next phase of crypto security will not be solved only by better code. Wallet makers, exchanges and users will have to treat social engineering as a core custody risk, not a side issue. If young crews can keep turning fake support calls and online bravado into millions of dollars, the industry will have to get much better at stopping the conversation before the transaction happens.
Also read: Square is turning bitcoin payments into a Main Street test • Anthropic is clamping down on gray market trading in its shares • The Senate crypto bill is starting to look like an operating manual.
