

This article narrates a criminal incident triggered by a cryptocurrency theft. ZachXBT tracked the suspect Lam's lavish lifestyle through social media and assisted law enforcement in the investigation. Lam and his accomplices used sophisticated money laundering techniques but were eventually captured by the police. Meanwhile, another kidnapping case was also related to this criminal group, involving several Florida men. The case reveals how cybercrime is gradually evolving into more violent real-world crimes, and ultimately, the police successfully recovered the stolen Bitcoin and related evidence.
On August 25, 2024, on a sweltering afternoon, Sushil and Radhika Chetal were house-hunting in an upscale neighborhood in Danbury, Connecticut. The lawns were meticulously trimmed, and the pools were equipped with heating systems. Sushil, a vice president at Morgan Stanley's New York branch, was driving a newly purchased matte gray Lamborghini Urus, an SUV with a starting price of about $240,000.
As they turned a corner, a white Honda Civic suddenly collided with the Lamborghini from behind. At the same time, a white Ram ProMaster van cut in from the front, blocking the Chetals' path. According to a criminal complaint filed afterward, six men dressed in black and wearing masks emerged from the vehicles, forcibly dragging the Chetals out of their car and pushing them into the side door of the van.
When Sushil resisted, the attackers hit him with a baseball bat and threatened to kill him. The couple was bound with duct tape, and Radhika was forced to lie face down, warned not to look at them, even as she struggled to breathe due to her asthma, pleading for mercy. They also taped Sushil's face and beat him again with a baseball bat as the van sped away.
Several witnesses saw the attack and called 911. One of them was an off-duty FBI agent living nearby, who happened to be at the scene. He followed the van and Honda Civic, reporting their movements to the police in real-time. This FBI agent also managed to record part of the license plate number.
Soon, the Danbury police located the van. A patrol car turned on its lights to intercept, but the van driver sped away, weaving recklessly through traffic. About a mile into the chase, the driver veered off the road and hit the curb. Four suspects abandoned the vehicle and ran. The police found one of them under a bridge and arrested him after a brief pursuit. Over the next few hours, the other three were also found and apprehended in nearby woods. Meanwhile, the police discovered the Chetals, still bound and shaken, in the back of the van.
Danbury Police Detective Sergeant Steve Castrovinci was off duty that day when he received a call from the shift commander informing him of the incident. He recalled that the commander told him, "We have a kidnapping case, a real one." Castrovinci gathered a few detectives to understand the situation, visited the crime scene, and then rushed to the station to interrogate the suspects. Based on information from one of the arrested suspects, two more suspects were found and arrested the next morning in an Airbnb in Roxbury, a 30-minute drive from Danbury, along with the white Honda Civic.
For Castrovinci, this was an unusual and dramatic case. Danbury is a wealthy and quiet place, and although the police occasionally deal with kidnapping cases, they are almost always disputes over child custody. A violent kidnapping in broad daylight was unheard of. What was even stranger was that the suspects—ranging in age from 18 to 26—were found to have traveled to Connecticut from Miami specifically for this.
They also rented the van through the Turo app. "A case like this, a police officer might encounter one or two in a lifetime," Castrovinci, who has 20 years of law enforcement experience and worked for the New York Police Department for five years, told me. "Especially in our area, this kind of thing is just not common."
The police revealed very little information to the public in the following weeks. Castrovinci and his team were working hard to piece together the motive. It was hard to believe that the Chetals were targeted because of Sushil's executive position at the investment bank. As a vice president of Morgan Stanley, his salary was enviable but not unusual in Danbury. If the kidnappers' motive was money, it was very strange that they abandoned the Chetals' Lamborghini (which was later found abandoned in the woods). All the clues seemed to make no sense.
However, a few days after the attempted kidnapping, Castrovinci said their team received a tip from the FBI that turned the entire case in an unexpected direction: the case might be related to a massive cryptocurrency theft that occurred a week before the attack.
Several young people (some of whom met on Minecraft servers) are suspected of stealing $250 million from an unsuspecting victim, triggering an incredible series of events involving a cybercrime gang composed of teenagers, several independent cyber detectives tracking their actions, and multiple law enforcement agencies. Now it appears that all of this ultimately led to the kidnapping of the Chetals—the rampant disorder of the digital dark world and its surrounding culture, for the first time, has seeped into the real world in such a brutally real way.
This series of events began a few weeks earlier when a resident of Washington, D.C., began receiving unusual login notifications from his Google account, indicating that these logins seemed to come from overseas. Then, on August 18, he received a call from someone claiming to be from Google's security team. The caller stated that his email account had been compromised. The call sounded very authentic—the caller had personal information about the D.C. resident. The caller asked him to verify some personal information over the phone, or the account would be closed, and the resident did as requested.
Shortly after speaking with the alleged Google staff, the Washington, D.C. resident (whose identity was concealed in federal court documents) received another call from someone claiming to be a representative of the well-known cryptocurrency exchange Gemini.
Similarly, the caller had his personal information and told him that his Gemini account (containing about $4.5 million in cryptocurrency) had been hacked and needed to immediately reset the two-factor authentication and transfer the Bitcoin in the account to another wallet to ensure the funds' safety.
The person on the phone then suggested that the account holder download a program that could "enhance security." The man agreed, not realizing that what he downloaded was a remote desktop application, which would allow the caller to remotely control his computer—and thus gain access to his other cryptocurrency account, exposing his assets to an even more staggering theft risk. It turned out that the Washington, D.C. resident was an early investor in cryptocurrency, holding a total of over 4,100 Bitcoins. A decade ago, these Bitcoins were worth about $1 million; on that day, their market value exceeded $243 million.
There is a core paradox in the cryptocurrency world: although the holders of the coins are usually anonymous, all transaction records are publicly recorded in a ledger called the blockchain. This means that once funds are transferred, anyone can see them. This paradox has given rise to a new type of investigator who specializes in tracking suspicious transactions on the blockchain. One of the most famous is ZachXBT, an independent cryptocurrency crime investigator.
In the crypto world, ZachXBT is a well-known but elusive figure. He often posts lengthy investigative threads on X (formerly Twitter), exposing people suspected of wrongdoing, sometimes even naming them directly. He has about 850,000 followers on the platform. He also often shares his investigative results with law enforcement agencies. Wired magazine called him "the world's most active independent cryptocurrency crime investigator." He has never revealed his real identity online.
Just minutes after the Washington, D.C. resident's crypto assets were liquidated, ZachXBT was catching a flight at the airport when he suddenly received an unusual transaction alert on his phone. Crypto investigators typically use tools to monitor the flow of global cryptocurrencies and set alerts for specific situations, such as transactions exceeding $100,000 that pass through exchanges with extremely lax security measures.
At that time, the initial alert was a mid-six-figure transaction, which then continued to climb, reaching up to $2 million. After passing through security, ZachXBT found a seat, opened his laptop, and began tracking the transaction, ultimately tracing it to a wallet holding about $240 million in cryptocurrency. Some of the Bitcoins could even be traced back to 2012. "I knew something was off," he told me, "Why would someone who has been holding Bitcoin for so many years use such a suspicious service that often flows into illegal funds?"
He then added the wallet addresses associated with these transactions to his tracking list and boarded the plane. Once connected to the cabin Wi-Fi, more transaction alerts kept pouring in. Throughout the day, the Bitcoin from the large wallet was continuously cashed out through more than 15 high-fee cryptocurrency service platforms.
After landing, ZachXBT contacted several peers who specialize in investigating cryptocurrency theft cases. One of them was Josh Cooper-Duckett, the head of investigations at Cryptoforensic Investigators. This company is one of the growing number of independent organizations focused on tracking cryptocurrency theft and fraud and assisting law enforcement in recovering funds for victims. Cooper-Duckett, 26, from London, became interested in cryptocurrencies early on. After working as a security consultant at Deloitte for three and a half years, he began to focus on investigating cryptocurrency theft cases, especially those with losses of at least $100,000—which are now very common.
ZachXBT shared his findings with Cooper-Duckett and other investigators, and everyone agreed that emptying a wallet worth nearly $250 million at once was extremely suspicious. "Someone with this much money couldn't just wake up on a weekend and decide, 'I'm going to transfer my money in batches to a bunch of exchanges and then exchange it for Monero and Ethereum'—normal people don't do that."
The group of crypto investigators then contacted the relevant exchanges and service platforms, informing them that the funds were stolen and hoping they could freeze the funds and cooperate with the police investigation. Some platforms cooperated, but others did not. "This situation was a bit like a game of Whac-A-Mole," Cooper-Duckett said. "They kept trying to transfer the money to various different exchanges and service platforms to see where they could successfully launder it out. After all, they were laundering $240 million, which is an astronomical figure."
In the meantime, ZachXBT also warned his followers on X: "About seven hours ago, a suspicious transaction occurred, with the possible victim's account transferring out 4064 Bitcoins (about $238 million)." He wrote. The funds then flowed to cryptocurrency platforms such as THORChain, eXch, KuCoin, ChangeNOW, RAILGUN, and Avalanche Bridge.
ZachXBT also noted that the victim had previously received bankruptcy compensation from Genesis. Genesis is a lending platform that filed for bankruptcy in 2023 due to Sam Bankman-Fried's FTX collapse.
Through his network, ZachXBT eventually managed to contact the victim via email. The shocked Washington, D.C. resident then hired ZachXBT, Cryptoforensic Investigators, and another cryptocurrency investigation company to help track his stolen assets.
On the same day, he also filed a police report with the FBI's Internet Crime Complaint Center, and ZachXBT immediately contacted his acquaintances in law enforcement. (The FBI and the Department of Justice declined to be interviewed on this matter.)
The rapid increase in cryptocurrency theft cases has overwhelmed federal investigators. According to the latest report, the Internet Crime Complaint Center (IC3) received over 69,000 complaints involving cryptocurrency financial fraud in 2023, with total losses exceeding $5.6 billion, a 45% increase from 2022.
Although cryptocurrency-related complaints account for only 10% of all financial fraud cases, the losses they cause account for nearly half of the total amount. The report points out that the decentralized nature of cryptocurrencies, the irreversibility of transactions, and the ability of funds to be freely transferred globally make them extremely attractive to criminals and also make it difficult for the FBI to recover funds. To this end, the FBI established the Virtual Assets Unit (V.A.U.) in 2022, specifically to combat cryptocurrency theft.
Due to the large scale and high difficulty of solving the case, experts say that government agencies—including the FBI, Department of Homeland Security, Secret Service, and even the IRS—have to rely on private companies and individual investigators who have an in-depth understanding of the digital crime underworld. "Josh and Zach, they are really fast and accurate in tracking," said Nick Bax, founder of cryptocurrency analysis firm Five I's.
Bax has collaborated with ZachXBT on multiple cases but has never met him in person. In their early calls, ZachXBT even used voice-changing software to make himself sound like Mickey Mouse. "To be honest, I'm pretty good myself, but I can never catch up with them," Bax said, "and I think their brains are really modified because they have been doing this since they were very young."
Crypto investigators usually use fake accounts to infiltrate forums where hackers and scammers gather, such as Telegram and Discord, to observe their communications, planning, and boasting. They find that these criminals are often very young and act quite recklessly, often inadvertently leaving clues.
After ZachXBT posted about the theft on X, a source contacted him through a temporary account, providing some clues that might point to the identity of the thieves. The informant sent ZachXBT several screen recording videos, allegedly recorded when one of the scammers was live-streaming the theft to his friends. The total duration of the videos was about an hour and a half, including footage of the calls with the victim. In one of the videos, you could hear the scammers excitedly shouting after learning that they had successfully stolen $243 million in Bitcoin: "Oh my God! Oh my God! $243 million! This is amazing! Oh my God! Oh my God! Dude!"
In private chats, the group of scammers used aliases such as Swag, $$$, and Meech, but they made a fatal mistake: one of them accidentally exposed his real name—Veer Chetal, an 18-year-old from Danbury—while live-streaming. He was the son of the previously mentioned kidnapped couple.
Veer Chetal was a quiet honor student who had recently graduated from Immaculate High School in Danbury and was about to attend Rutgers University in New Jersey. In 2022, he completed a "Future Lawyer" program, and his photo was published on the school's website that year—a boy with glasses, wearing a Tommy Hilfiger windbreaker and a red polo shirt, smiling brightly.
Classmates recalled that Chetal was always shy and loved cars. "He was basically a loner," said Marco Dias, who became friends with Chetal in his senior year. Another classmate named Nick Paris also said that Chetal was very low-key until halfway through his senior year when he suddenly showed up at school in a Corvette sports car. "He just parked in the parking lot at 7:30 a.m., and everyone was stunned," Paris said.
Soon, Chetal switched to a BMW, then a Lamborghini Urus. He started wearing Louis Vuitton shirts and Gucci shoes. On Senior Skip Day, when Paris and other classmates were just hanging out at a nearby mall, Chetal took some friends, including Dias, to New York, rented a yacht for a party, and everyone took photos on the deck with bundles of cash.
Chetal claimed he made this money by trading cryptocurrencies; Dias said that one morning in study hall, Chetal even showed him trading records on his phone as proof. Once, Chetal also rented a big house in Stamford, Connecticut, and invited friends for a three-day party. "I was once playing around with friends in the basement when I suddenly saw him lying on the couch playing with his phone, basically avoiding everyone," Dias recalled, "I thought, this is really strange at the time." Paris also remembered that during a school parade, the police pulled over Chetal's Lamborghini Urus for a traffic violation, "He immediately called his lawyer on the spot, before the police even asked any questions. Everyone at the time thought: wow, this guy really has something, he is really rich."
Independent investigators pointed out that Chetal was actually a secret member of an organization called Com (also known as Comm or Community). This organization originated in the hacker underground of the 1980s and has now evolved into a social network for cybercriminals and aspirants.
According to an FBI affidavit in an unrelated case, an agent described Com as "a geographically dispersed alliance of subgroups collaborating through online communication software such as Discord and Telegram, engaging in various criminal activities."
According to this affidavit and experts who study Com, the activities of these subgroups include: swatting (falsely reporting emergencies to police or schools to trigger a response); SIM swapping (usually stealing target phone numbers by deceiving customer service representatives); ransomware attacks (using malicious programs to prevent users or organizations from accessing their computer files); cryptocurrency theft, and penetration attacks on corporate systems, among others.
Allison Nixon is the Chief Research Officer of the cybersecurity expert group Unit 221B and has been monitoring this expanding online corner since 2011. She is now widely considered one of the top experts in the field of Com organization research.
She said that most members of Com are young men from Western countries. In group chats, many people talk about college life and the cybersecurity courses they are taking, and this knowledge has become a boost for their criminal activities. Nixon pointed out that many people's initial entry into this circle was through video games like RuneScape, Roblox, and Grand Theft Auto.
By the mid-2010s, a darker world was also quietly emerging in Minecraft—a game centered on creative construction—and this transformation was largely due to the appearance of online servers. These servers are owned and operated by users, allowing players to team up for battles, also known as "factions." On these servers, Minecraft evolved into a competitive battlefield, bringing with it opportunities for profit and fraud.
Soon, servers began to introduce in-game purchase mechanisms, allowing players to spend money to purchase upgrade features, such as flight capabilities, stronger weapons and armor. Some in-game purchases could also unlock fashionable character costumes, becoming a way for players to show off their status online.
As players became more inclined to participate in these competitive servers, a large black market emerged on Discord. Since Minecraft players are mostly teenagers, this black market quickly became a breeding ground for fraud.
Users often agreed to exchange real money for in-game items via PayPal, but after receiving the money, scammers would block the other party's account. This behavior was so rampant that people began to offer "escrow services" to solve the trust issue—these intermediaries would charge a certain fee to hold the money and items and then transfer them to both parties respectively.
In this circle, some high-value usernames became hot collectibles, usually no more than four letters, such as Tree, OK, Mark, YOLO, or G, with prices even reaching over ten thousand dollars.
As Minecraft's "faction" servers and black markets flourished, virtual currencies also began to gain popularity in these communities and eventually replaced PayPal as the mainstream transaction method. This competitive, gambling, and fraud training ground, coupled with players' increasing familiarity with cryptocurrencies, gradually turned Minecraft servers into a "hotbed" for breeding new cybercriminals.
By 2017, as Bitcoin prices soared rapidly, Com members also seamlessly transitioned from Minecraft fraud to cryptocurrency theft. One of Com's most popular forums, called "OGUsers," initially a platform for discussing and purchasing social media accounts and usernames, later evolved into a breeding ground for cybercrime, involving SIM swapping, Twitter account hacking, and other activities.
Nixon explained: "These antisocial communities quickly turned into a group of overnight rich 'hacker tycoons' and spread this culture, because people see others suddenly becoming millionaires and also want to know how they did it." This also led to the rapid expansion of Com.
Com now uses a popular cryptocurrency theft method called "social engineering," which refers to inducing users to disclose sensitive information by manipulating people's minds. Com members compile a list of potential victims obtained through data breaches and then carry out precise attacks one by one; the Washington, D.C. victim's case was one of them. Sometimes, they also post "job advertisements" online to recruit people willing to assist them in fraud.
Cryptocurrency investigator Nick Bax once shared a job posting on Telegram, promising "5 figures a week" (i.e., a five-figure salary per week)—as long as "you're not slow"—to call potential targets. The ad also required "a professional customer service voice with an American accent." After the theft, Com members sometimes return to the Minecraft black market to use the stolen cryptocurrency to buy rare in-game items and then sell these items for real cash through PayPal, thus "laundering" the money.
When ZachXBT identified Veer Chetal's real identity, he and other investigators quickly targeted more people involved in the case. In the recordings obtained by ZachXBT, the thieves referred to each other by their Com nicknames, sometimes also directly stating each other's real names. One name repeatedly mentioned was Malone, also known as Malone Lam.
Malone Lam is a 20-year-old Singaporean and a notorious member of the Com circle, with online names including Greavys and Anne Hathaway. He is also a seasoned Minecraft player with side-swept bangs who was often banned from servers but always managed to return. In the spring of 2023, after a conflict with administrators on the Minecadia server that cost him some in-game items, he doxxed the administrators, publishing their home addresses and social security numbers online, and at least once he called emergency services to harass them at their homes.
According to multiple user accounts and Discord chat logs at the time, Chetal and Lam met in Minecraft, where they played in a "faction" led by Lam.
In October 2023, Lam entered the United States on a 90-day visa. He basically stopped playing Minecraft. According to court documents, he then maintained his lifestyle through other cryptocurrency-related fraud methods.
After the cryptocurrency theft in August 2024, ZachXBT tracked Lam through so-called OSINT (open-source intelligence), that is, through social media. In Com's chat groups, everyone was talking about Lam's extravagant spending; no one knew the source of his money, but they mentioned his luxurious life in Los Angeles nightclubs.
ZachXBT investigated the city's most popular nightclubs and looked at Instagram posts from partygoers and the clubs themselves. In one post, Malone was wearing a white Moncler jacket, seemingly diamond rings, and diamond-encrusted sunglasses. He stood on the table and began throwing hundred-dollar bills into the crowd.
As money rained down, waiters carried $1,500 champagne bottles with fireworks attached, and held up signs reading "@Malone." He spent $569,528 in that nightclub alone that night. At another club, Lam and his group also playfully challenged ZachXBT, instructing nightclub patrons to hold up signs reading "TOLD U WE'D WIN" (told you we'd win), while another read "[expletive] ZACHXBT."
In the following weeks, Lam bought 31 cars, including custom Lamborghinis, Ferraris, and Porsches, some of which were worth up to $3 million. On August 24, he apparently sent a photo of a pink Lamborghini to a model. He texted, "I bought you a gift; let's consider it an early birthday present." She replied, "I have a boyfriend again." He responded with "idc" (I don't care).
On September 10, after 23 days of partying in Los Angeles, Lam flew to Miami with a group of friends on a private jet. There, he rented several properties, including a $7.5 million mansion with ten bedrooms. Within days, Lam filled the driveway with more luxury cars, including several Lamborghinis, one of which had the name "Malone" printed on the side.
Every few days, ZachXBT sent the intelligence he gathered to law enforcement. Information generally flowed one way, but federal authorities were also conducting their own investigations. According to court documents, the suspects allegedly involved in the conspiracy used sophisticated money laundering methods to hide funds and conceal their identities, trading through cryptocurrency exchanges like eXch, which do not require personal customer information, and using virtual private networks (VPNs) to mask their true locations.
However, according to the authorities, they made a mistake at least once. A suspect, when registering an account on the digital currency exchange TradeOgre, forgot to use a VPN, resulting in their connected IP address pointing to a $47,500-per-month rental property in Encino, California. The property was leased by 21-year-old Jeandiel Serrano, who has used aliases such as VersaceGod, @SkidStar, and Box online. By the time the authorities identified Serrano, he was on vacation in the Maldives with his girlfriend.
On September 18, when Serrano flew back to Los Angeles International Airport from the Maldives, law enforcement officers were waiting for him at the airport. He was wearing a $500,000 watch at the time of his arrest. Initially, Serrano denied knowing about the theft and agreed to talk to law enforcement without a lawyer. However, according to the court report, he quickly admitted his involvement, particularly in impersonating a Gemini employee.
Serrano admitted that he owned five cars, two of which were gifts from his co-conspirators, with the funds for these gifts coming from previous scams. He also admitted that he had about $20 million of the victim's cryptocurrency on his phone and agreed to return the funds to the FBI.
Meanwhile, agents in Miami were preparing to raid one of the mansions rented by Lam. Lam knew the raid was imminent: after Serrano's arrest, Serrano's girlfriend immediately called to warn Lam's co-conspirators. They then deleted their Telegram accounts and other evidence from their phones.
Later that day, a team of FBI agents, in cooperation with the Miami police, raided a mansion near the Miami coast. The agents used an explosive device to open the front metal gate, while another group of agents entered through a small saltwater canal at the back by boat. As the agents entered the house, the sound of flash grenades echoed through the neighborhood.
Soon after, an agent led Lam out of the house in handcuffs, wearing a long-sleeved white top, dark red basketball shorts, and sneakers, with smoke filling the air, followed by at least five others who were in the house with him. Serrano and Lam were charged with money laundering and conspiracy to commit wire fraud. Each charge carries up to 20 years in prison.
On the exact day one month after the heist, the party was over.
In Danbury, in the days and weeks following the Chetal family's kidnapping, Castrovinci and the police worked with federal investigators to build a case against the gang from Florida. They urgently obtained access to the suspects' phones, reviewed group chat records, and documented the gang members' actions.
They learned that the trip was partially funded and organized by a 23-year-old Miami man named Angel Borrero, known as Chi Chi. In the group chat, Borrero wrote to the others: "If this goes well, we'll head to California next." Federal investigators speculated that this meant the gang planned to carry out other operations in California. That day, Josue Alberto Romero (nicknamed Sway) sent a message to the gang: "Chi Chi, we are more prepared than ever." These chat records indicated that the gang began coordinating their actions as early as possible.
This series of events began a few weeks earlier when a resident of Washington, D.C., began receiving unusual login notifications from his Google account, indicating that these logins seemed to come from overseas. Then, on August 18, he received a call from someone claiming to be from Google's security team. The caller stated that his email account had been compromised. The call sounded very authentic—the caller had personal information about the D.C. resident. The caller asked him to verify some personal information over the phone, or the account would be closed, and the resident did as requested.
Shortly after speaking with the alleged Google staff, the Washington, D.C. resident (whose identity was concealed in federal court documents) received another call from someone claiming to be a representative of the well-known cryptocurrency exchange Gemini.
Similarly, the caller had his personal information and told him that his Gemini account (containing about $4.5 million in cryptocurrency) had been hacked and needed to immediately reset the two-factor authentication and transfer the Bitcoin in the account to another wallet to ensure the funds' safety.
The person on the phone then suggested that the account holder download a program that could "enhance security." The man agreed, not realizing that what he downloaded was a remote desktop application, which would allow the caller to remotely control his computer—and thus gain access to his other cryptocurrency account, exposing his assets to an even more staggering theft risk. It turned out that the Washington, D.C. resident was an early investor in cryptocurrency, holding a total of over 4,100 Bitcoins. A decade ago, these Bitcoins were worth about $1 million; on that day, their market value exceeded $243 million.
There is a core paradox in the cryptocurrency world: although the holders of the coins are usually anonymous, all transaction records are publicly recorded in a ledger called the blockchain. This means that once funds are transferred, anyone can see them. This paradox has given rise to a new type of investigator who specializes in tracking suspicious transactions on the blockchain. One of the most famous is ZachXBT, an independent cryptocurrency crime investigator.
In the crypto world, ZachXBT is a well-known but elusive figure. He often posts lengthy investigative threads on X (formerly Twitter), exposing people suspected of wrongdoing, sometimes even naming them directly. He has about 850,000 followers on the platform. He also often shares his investigative results with law enforcement agencies. Wired magazine called him "the world's most active independent cryptocurrency crime investigator." He has never revealed his real identity online.
Just minutes after the Washington, D.C. resident's crypto assets were liquidated, ZachXBT was catching a flight at the airport when he suddenly received an unusual transaction alert on his phone. Crypto investigators typically use tools to monitor the flow of global cryptocurrencies and set alerts for specific situations, such as transactions exceeding $100,000 that pass through exchanges with extremely lax security measures.
At that time, the initial alert was a mid-six-figure transaction, which then continued to climb, reaching up to $2 million. After passing through security, ZachXBT found a seat, opened his laptop, and began tracking the transaction, ultimately tracing it to a wallet holding about $240 million in cryptocurrency. Some of the Bitcoins could even be traced back to 2012. "I knew something was off," he told me. "Why would someone who has been holding Bitcoin for so many years use such a suspicious service that illegal funds often flow into?"
He then added the wallet addresses associated with these transactions to his tracking list and boarded the plane. Once connected to the cabin Wi-Fi, more transaction alerts kept pouring in. Throughout the day, the Bitcoin from the large wallet was continuously cashed out through more than 15 high-fee cryptocurrency service platforms.
After landing, ZachXBT contacted several peers who specialize in investigating cryptocurrency theft cases. One of them was Josh Cooper-Duckett, the head of investigations at Cryptoforensic Investigators. This company is one of the growing number of independent organizations focused on tracking cryptocurrency theft and fraud and assisting law enforcement in recovering funds for victims. Cooper-Duckett, 26, from London, became interested in cryptocurrencies early on. After working as a security consultant at Deloitte for three and a half years, he began to focus on investigating cryptocurrency theft cases, especially those with losses of at least $100,000—which are now very common.
ZachXBT shared his findings with Cooper-Duckett and other investigators, and everyone agreed that emptying a wallet worth nearly $250 million at once was extremely suspicious. "Someone with this much money couldn't just wake up on a weekend and decide, 'I'm going to transfer my money in batches to a bunch of exchanges and then exchange it for Monero and Ethereum'—normal people don't do that."
The group of crypto investigators then contacted the relevant exchanges and service platforms, informing them that the funds were stolen and hoping they could freeze the funds and cooperate with the police investigation. Some platforms cooperated, but others did not. "This situation was a bit like a game of Whac-A-Mole," Cooper-Duckett said. "They kept trying to transfer the money to various different exchanges and service platforms to see where they could successfully launder it out. After all, they were laundering $240 million, which is an astronomical figure."
In the meantime, ZachXBT also warned his followers on X: "About seven hours ago, a suspicious transaction occurred, with the possible victim's account transferring out 4064 Bitcoins (about $238 million)," he wrote. The funds then flowed to cryptocurrency platforms such as THORChain, eXch, KuCoin, ChangeNOW, RAILGUN, and Avalanche Bridge.
ZachXBT also noted that the victim had previously received bankruptcy compensation from Genesis. Genesis is a lending platform that filed for bankruptcy in 2023 due to Sam Bankman-Fried's FTX collapse.
Through his network, ZachXBT eventually managed to contact the victim via email. The shocked Washington, D.C. resident then hired ZachXBT, Cryptoforensic Investigators, and another cryptocurrency investigation company to help track his stolen assets.
On the same day, he also filed a police report with the FBI's Internet Crime Complaint Center, and ZachXBT immediately contacted his acquaintances in law enforcement. (The FBI and the Department of Justice declined to be interviewed on this matter.)
The rapid increase in cryptocurrency theft cases has overwhelmed federal investigators. According to the latest report, the Internet Crime Complaint Center (IC3) received over 69,000 complaints involving cryptocurrency financial fraud in 2023, with total losses exceeding $5.6 billion, a 45% increase from 2022.
Although cryptocurrency-related complaints account for only 10% of all financial fraud cases, the losses they cause account for nearly half of the total amount. The report points out that the decentralized nature of cryptocurrencies, the irreversibility of transactions, and the ability of funds to be freely transferred globally make them extremely attractive to criminals and also make it difficult for the FBI to recover funds. To this end, the FBI established the Virtual Assets Unit (V.A.U.) in 2022, specifically to combat cryptocurrency theft.
Due to the large scale and high difficulty of solving the case, experts say that government agencies—including the FBI, Department of Homeland Security, Secret Service, and even the IRS—have to rely on private companies and individual investigators who have an in-depth understanding of the digital crime underworld. "Josh and Zach, they are really fast and accurate in tracking," said Nick Bax, founder of cryptocurrency analysis firm Five I's.
Bax has collaborated with ZachXBT on multiple cases but has never met him in person. In their early calls, ZachXBT even used voice-changing software to make himself sound like Mickey Mouse. "To be honest, I'm pretty good myself, but I can never catch up with them," Bax said, "and I think their brains are really modified because they have been doing this since they were very young."
Crypto investigators usually use fake accounts to infiltrate forums where hackers and scammers gather, such as Telegram and Discord, to observe their communications, planning, and boasting. They find that these criminals are often very young and act quite recklessly, often inadvertently leaving clues.
After ZachXBT posted about the theft on X, a source contacted him through a temporary account, providing some clues that might point to the identity of the thieves. The informant sent ZachXBT several screen recording videos, allegedly recorded when one of the scammers was live-streaming the theft to his friends. The total duration of the videos was about an hour and a half, including footage of the calls with the victim. In one of the videos, you could hear the scammers excitedly shouting after learning that they had successfully stolen $243 million in Bitcoin: "Oh my God! Oh my God! $243 million! This is amazing! Oh my God! Oh my God! Dude!"
In private chats, the group of scammers used aliases such as Swag, $$$, and Meech, but they made a fatal mistake: one of them accidentally exposed his real name—Veer Chetal, an 18-year-old from Danbury—while live-streaming. He was the son of the previously mentioned kidnapped couple.
Veer Chetal was a quiet honor student who had recently graduated from Immaculate High School in Danbury and was about to attend Rutgers University in New Jersey. In 2022, he completed a "Future Lawyer" program, and his photo was published on the school's website that year—a boy with glasses, wearing a Tommy Hilfiger windbreaker and a red polo shirt, smiling brightly.
Classmates recalled that Chetal was always shy and loved cars. "He was basically a loner," said Marco Dias, who became friends with Chetal in his senior year. Another classmate named Nick Paris also said that Chetal was very low-key until halfway through his senior year when he suddenly showed up at school in a Corvette sports car. "He just parked in the parking lot at 7:30 a.m., and everyone was stunned," Paris said.
Soon, Chetal switched to a BMW, then a Lamborghini Urus. He started wearing Louis Vuitton shirts and Gucci shoes. On Senior Skip Day, when Paris and other classmates were just hanging out at a nearby mall, Chetal took some friends, including Dias, to New York, rented a yacht for a party, and everyone took photos on the deck with bundles of cash.
Chetal claimed he made this money by trading cryptocurrencies; Dias said that one morning in study hall, Chetal even showed him trading records on his phone as proof. Once, Chetal also rented a big house in Stamford, Connecticut, and invited friends for a three-day party. "I was once playing around with friends in the basement when I suddenly saw him lying on the couch playing with his phone, basically avoiding everyone," Dias recalled, "I thought, this is really strange at the time." Paris also remembered that during a school parade, the police pulled over Chetal's Lamborghini Urus for a traffic violation, "He immediately called his lawyer on the spot, before the police even asked any questions. Everyone at the time thought: wow, this guy really has something, he is really rich."
Independent investigators pointed out that Chetal was actually a secret member of an organization called Com (also known as Comm or Community). This organization originated in the hacker underground of the 1980s and has now evolved into a social network for cybercriminals and aspirants.
In an FBI affidavit filed in an unrelated case, an agent described Com as "a geographically dispersed alliance of subgroups collaborating through online communication software such as Discord and Telegram, engaging in various criminal activities."
According to this affidavit and experts who study Com, the activities of these subgroups include: swatting (falsely reporting emergencies to police or schools to trigger a response); SIM swapping (usually stealing target phone numbers by deceiving customer service representatives); ransomware attacks (using malicious programs to prevent users or organizations from accessing their computer files); cryptocurrency theft, and penetration attacks on corporate systems, among others.
Allison Nixon is the Chief Research Officer of the cybersecurity expert group Unit 221B and has been monitoring this expanding online corner since 2011. She is now widely considered one of the top experts in the field of Com organization research.
She said that most members of Com are young men from Western countries. In group chats, many people talk about college life and the cybersecurity courses they are taking, and this knowledge has become a boost for their criminal activities. Nixon pointed out that many people's initial entry into this circle was through video games like RuneScape, Roblox, and Grand Theft Auto.
By the mid-2010s, a darker world was also quietly emerging in Minecraft—a game centered on creative construction—and this transformation was largely due to the appearance of online servers. These servers are owned and operated by users, allowing players to team up for battles, also known as "factions." On these servers, Minecraft evolved into a competitive battlefield, bringing with it opportunities for profit and fraud.
Soon, servers began to introduce in-game purchase mechanisms, allowing players to spend money to purchase upgrade features, such as flight capabilities, stronger weapons and armor. Some in-game purchases could also unlock fashionable character costumes, becoming a way for players to show off their status online.
As players became more inclined to participate in these competitive servers, a large black market emerged on Discord. Since Minecraft players are mostly teenagers, this black market quickly became a breeding ground for fraud.
Users often agreed to exchange real money for in-game items via PayPal, but after receiving the money, scammers would block the other party's account. This behavior was so rampant that people began to offer "escrow services" to solve the trust issue—these intermediaries would charge a certain fee to hold the money and items and then transfer them to both parties respectively.
In this circle, some high-value usernames became hot collectibles, usually no more than four letters, such as Tree, OK, Mark, YOLO, or G, with prices even reaching over ten thousand dollars.
As Minecraft's "faction" servers and black markets flourished, virtual currencies also began to gain popularity in these communities and eventually replaced PayPal as the mainstream transaction method. This competitive, gambling, and fraud training ground, coupled with players' increasing familiarity with cryptocurrencies, gradually turned Minecraft servers into a "hotbed" for breeding new cybercriminals.
By 2017, as Bitcoin prices soared rapidly, Com members also seamlessly transitioned from Minecraft fraud to cryptocurrency theft. One of Com's most popular forums, called "OGUsers," initially a platform for discussing and purchasing social media accounts and usernames, later evolved into a breeding ground for cybercrime, involving SIM swapping, Twitter account hacking, and other activities.
Nixon explained: "These antisocial communities quickly turned into a group of overnight rich 'hacker tycoons' and spread this culture, because people see others suddenly becoming millionaires and also want to know how they did it." This also led to the rapid expansion of Com.
Com now uses a popular cryptocurrency theft method called "social engineering," which means manipulating people psychologically into disclosing sensitive information. Com members compile lists of potential victims from data breaches and then target them one by one with precise attacks; the Washington, D.C. victim's case was one of these. Sometimes, they also post "job advertisements" online to recruit people willing to assist them in fraud.
Cryptocurrency investigator Nick Bax once shared a job posting on Telegram, promising "5 figures a week" (i.e., a five-figure salary per week)—as long as "you're not slow"—to call potential targets. The ad also required "a professional customer service voice with an American accent." After the theft, Com members sometimes return to the Minecraft black market to use the stolen cryptocurrency to buy rare in-game items and then sell these items for real cash through PayPal, thus "laundering" the money.
When ZachXBT identified Veer Chetal's real identity, he and other investigators quickly targeted more people involved in the case. In the recordings obtained by ZachXBT, the thieves referred to each other by their Com nicknames, sometimes also directly stating each other's real names. One name repeatedly mentioned was Malone, also known as Malone Lam.
Malone Lam is a 20-year-old Singaporean and a notorious member of the Com circle, with online names including Greavys and Anne Hathaway. He is also a seasoned Minecraft player with side-swept bangs who was often banned by servers but always managed to return. In the spring of 2023, after a conflict with administrators on the Minecadia server that cost him some in-game items, he doxxed the administrators, publishing their home addresses and social security numbers online, and at least once he called emergency services to harass them at their homes.
According to multiple user accounts and Discord chat logs at the time, Chetal and Lam met in Minecraft, where they played in a "faction" led by Lam.
In October 2023, Lam entered the United States on a 90-day visa. He basically stopped playing Minecraft. According to court documents, he then maintained his lifestyle through other cryptocurrency-related fraud methods.
After the cryptocurrency theft in August 2024, ZachXBT tracked Lam through OSINT (open-source intelligence), in this case social media. In Com's chat groups, everyone was talking about Lam's extravagant spending. No one knew the source of his money, but they mentioned his luxurious life in Los Angeles nightclubs.
ZachXBT investigated the city's most popular nightclubs and looked at Instagram posts from partygoers and the clubs themselves. In one post, Malone was wearing a white Moncler jacket, seemingly diamond rings, and diamond-encrusted sunglasses. He stood on the table and began throwing hundred-dollar bills into the crowd.
As money rained down, waiters carried $1,500 champagne bottles with fireworks attached, and held up signs reading "@Malone." He spent $569,528 in that nightclub alone that night. At another club, Lam and his group also playfully challenged ZachXBT, instructing nightclub patrons to hold up signs reading "TOLD U WE'D WIN" (told you we'd win), while another read "[expletive] ZACHXBT."
In the following weeks, Lam bought 31 cars, including custom Lamborghinis, Ferraris, and Porsches, some of which were worth up to $3 million. On August 24, he apparently sent a photo of a pink Lamborghini to a model. He texted, "I bought you a gift; let's consider it an early birthday present." She replied, "I have a boyfriend again." He responded with "idc" (I don't care).
On September 10, after 23 days of partying in Los Angeles, Lam flew to Miami with a group of friends on a private jet. There, he rented several properties, including a $7.5 million mansion with ten bedrooms. Within days, Lam filled the driveway with more luxury cars, including several Lamborghinis, one of which had the name "Malone" printed on the side.
Every few days, ZachXBT sent the intelligence he gathered to law enforcement. Information generally flowed one way, but federal authorities were also conducting their own investigations. According to court documents, the suspects allegedly involved in the conspiracy used sophisticated money laundering methods to hide funds and conceal their identities, trading through cryptocurrency exchanges like eXch, which do not require personal customer information, and using virtual private networks (VPNs) to mask their true locations.
However, according to the authorities, they made a mistake at least once. A suspect, when registering an account on the digital currency exchange TradeOgre, forgot to use a VPN, resulting in their connected IP address pointing to a $47,500-per-month rental property in Encino, California. The property was leased by 21-year-old Jeandiel Serrano, who has used aliases such as VersaceGod, @SkidStar, and Box online. By the time the authorities identified Serrano, he was on vacation in the Maldives with his girlfriend.
On September 18, when Serrano flew back to Los Angeles International Airport from the Maldives, law enforcement officers were waiting for him at the airport. He was wearing a $500,000 watch at the time of his arrest. Initially, Serrano denied knowing about the theft and agreed to talk to law enforcement without a lawyer. However, according to the court report, he quickly admitted his involvement, particularly in impersonating a Gemini employee.
Serrano admitted that he owned five cars, two of which were gifts from his co-conspirators, with the funds for these gifts coming from previous scams. He also admitted that he had about $20 million of the victim's cryptocurrency on his phone and agreed to return the funds to the FBI.
Meanwhile, agents in Miami were preparing to raid one of the mansions rented by Lam. Lam knew the raid was imminent: after Serrano's arrest, Serrano's girlfriend immediately called to warn Lam's co-conspirators. They then deleted their Telegram accounts and other evidence from their phones.
Later that day, a team of FBI agents, in cooperation with the Miami police, raided a mansion near the Miami coast. The agents used an explosive device to open the front metal gate, while another group of agents entered through a small saltwater canal at the back by boat. As the agents entered the house, the sound of flash grenades echoed through the neighborhood.
Soon after, an agent led Lam out of the house in handcuffs, with smoke filling the air. Lam was wearing a long-sleeved white top, dark red basketball shorts, and sneakers, and was followed by at least five others who were in the house with him. Serrano and Lam were charged with money laundering and conspiracy to commit wire fraud. Each charge carries up to 20 years in prison.
On the exact day one month after the heist, the party was over.
In Danbury, in the days and weeks following the Chetal family's kidnapping, Castrovinci and the police worked with federal investigators to build a case against the gang from Florida. They urgently obtained access to the suspects' phones, reviewed group chat records, and documented the gang members' actions.
They learned that the trip was partially funded and organized by a 23-year-old Miami man named Angel Borrero, known as Chi Chi. In the group chat, Borrero wrote to the others: "If this goes well, we'll head to California next." Federal investigators speculated that this meant the gang planned to carry out other operations in California. That day, Josue Alberto Romero (nicknamed Sway) sent a message to the gang: "Chi Chi, we are more prepared than ever." These chat records indicated that the gang began coordinating their actions as early as possible.