ZachXBT tracks 3,670 ETH as Danny Khan arrest ties to Genesis, Kroll hacks

On-chain sleuth ZachXBT traces 3,670 ETH to suspect Danny Khan as Dubai raid, Genesis creditor theft and Kroll SIM swap links surface amid U.S. indictment.

British cybercrime suspect Danny Khan, also known online as Danish Zulfiqar, has reportedly been detained in Dubai, with authorities allegedly seizing cryptocurrency after approximately 3,670 Ethereum were transferred to a tracked wallet, according to reports.

On-chain investigator ZachXBT reported via Telegram channel that approximately 3,670 Ethereum were transferred into Ethereum wallet 0xb37d6…9f768 on Friday, where the funds were subsequently identified. “Several hours ago multiple addresses tied to him I was tracking consolidated funds to 0xb37d in a similar pattern to other law enforcement seizures,” the investigator stated.

ZachXBT tracks scammers from Lagos to Dubai

ZachXBT reported that Khan was last seen in Dubai, where authorities allegedly raided a villa and arrested others present. Multiple sources indicate those involved have not responded to messages in recent days, according to the report.

A superseding indictment issued hours later confirmed that Danny Khan, also known as Danish Zulfiqar, was arrested in Dubai, according to the investigator.

The on-chain investigator had been tracking Khan since 2024, linking him to a theft from a Genesis creditor in August 2024. The alleged scheme involved co-conspirators Malone Lam, Veer Chetal, Chen, and Jeandiel Serrano, who executed a social engineering attack on an unnamed individual, according to the report.

On August 19, 2024, the group allegedly impersonated Google and Gemini support staff, convincing the victim to reset two-factor authentication, transfer Gemini funds to wallets they controlled, and share private Bitcoin keys via the remote desktop application AnyDesk, according to the investigator’s findings.

Gemini transaction records, featured in a Discord video purportedly showing the conspirators celebrating, displayed Bitcoin moved to addresses controlled by the group, according to the report.

The stolen funds were reportedly divided among the conspirators and cycled through over 15 cryptocurrency exchanges, with conversions made between Bitcoin ( BTC ), Litecoin ( LITE ), Ethereum ( ETH ), and Monero ( XMR ), according to ZachXBT.

ZachXBT also linked Khan to the August 2023 Kroll SIM swap incident, which exposed personal data of BlockFi, Genesis, and FTX creditors and resulted in significant losses via social engineering. Kroll confirmed the breach, stating a hacker had accessed an employee’s T-Mobile account through SIM swapping.

Authorities have not officially confirmed Khan’s arrest, though multiple sources indicate the case is actively being pursued, according to reports.