IOC Investigations

6K posts


@intell_on_chain

Professional Crypto & OSInt Investigations | Visit us @ https://t.co/JY6uEKeGxH | Urgent support +44 (0) 330 133 9852 or visit https://t.co/yz3dvkDcNX

Get involved ➡️ Joined January 2022
1.2K Following · 5.4K Followers
Pinned Tweet
IOC Investigations @intell_on_chain
🕵️‍♂️ It really feels great to help people during dark times.

Today we helped @NiwinEth, a proud owner of @cryptopunks #8832! Their wallet was compromised, which saw the theft of the Punk among other assets! 😱

This is how it started ⬇️

Then @lorepunk got in touch on Niwin's behalf and we didn't hesitate!

1️⃣ The first priority is always to secure any remaining assets.
2️⃣ Then we set about doing what we do best - Tracing
3️⃣ We also need to try to understand the cause!
4️⃣ Next, we watch and wait. This is where the break came from. The Punk was sold for 40 ETH and that was deposited to @okx
5️⃣ Now it's all about timing and luck. Luckily on this occasion, we caught it in time.
6️⃣ OKX didn't hesitate either - they were successful in freezing the proceeds.
7️⃣ Now it's all about law enforcement - They NEED to get involved. @NiwinEth is working hard to achieve this!

Here is how it is now! Still work to do but Niwin now has a much higher chance of success.

Best of luck @NiwinEth 💙
IOC Investigations Retweeted
ⱤɄ₲ ₱ɄⱠⱠ ₣ł₦ĐɆⱤ
🧵 How one trader drained $100M from DeFi… without hacking anything

1/ In 2022, Mango Markets lost $100M+. No exploit. No bug. No stolen keys. Just… a better understanding of the rules than everyone else.
IOC Investigations @intell_on_chain
Oracle attacks and price manipulation! We've just released a new blog post along with @rugpullfinder's thread on the Mango Market price manipulation exploit by Avi Eisenberg! Check out the articles below 👇
ZachXBT @zachxbt
In late 2023, French streamer TeufeurS was extorted for a ransom after a family member was kidnapped in France. I can finally share that I helped lead efforts that resulted in an ~$800K freeze with the Binance Security team after a $2M ransom was paid. Six suspects tied to the incident were later arrested. Given the sensitivity of the case, I held off commenting until now. I have since assisted with asset freezes and identifying culprits in several of the recent France home invasion robberies, and hope to share details in the coming months. If you or someone you know falls victim, reach out as soon as possible rather than delay. I prioritize these types of cases as they have grown more frequent amidst this disturbing trend.
CyberSudo @Cyber_Sudo
Most investigators stop their research when they see a Cloudflare IP.

That’s a mistake! Cloudflare hides the origin server’s real IP address but it doesn’t always make it impossible to find. With the right techniques, you can often uncover the actual hosting infrastructure behind a protected website.

Here are 3 methods I regularly use:

🧠 Criminal IP Search Engine: One of the fastest ways to investigate infrastructure behind a domain.
🔎 Reverse Favicon Search: Some websites reuse the same favicon across multiple services or subdomains. Searching by favicon hash can reveal infrastructure that isn’t behind Cloudflare.
📜 WHOIS History: Older WHOIS records sometimes expose previous hosting providers or IP addresses used before Cloudflare protection was enabled.

Using Criminal IP, you can pivot from a domain and uncover:

✅ Possible origin server IPs
✅ Passive DNS history
✅ Abuse records
✅ Malware associations
✅ Scanner activity
✅ Related infrastructure

Example: I searched a Cloudflare-protected domain inside Criminal IP and it immediately revealed the underlying server IP where the website was actually hosted.

Most people never go this far but this step often unlocks the biggest findings in a website investigation.

Try out the search engine: shorturl.at/yHwuJ
IOC Investigations Retweeted
Security Alliance @_SEAL_Org
Our investigation is still ongoing. In the interim, we welcome any protocols who are concerned about contagion to reach out to your SEAL 911 point of contact or via the bot directly, where we can invite you to the relevant war rooms
IOC Investigations Retweeted
ⱤɄ₲ ₱ɄⱠⱠ ₣ł₦ĐɆⱤ
During many cases that I've personally investigated, one of the many laundering techniques that are most commonly used is bridging - Moving crypto assets from one chain to another. This is one of the most fundamental skills any investigator should have, yet I know that many struggle! This weekend, we're sharing a bunch of information, resources and training, starting with our L1 class tonight, followed by a release of the FREE March Crypto Tracing Challenge (CTC) solution AND the brand new April CTC (also free). So if you want to have a go at tracing through bridges, in a safe, educational and professional setting, then please drop a comment below! I'll get you hooked up! Additionally, a number of investigators are looking to get certified tonight as they take part in our Level 1 Blockchain and OSInt Investigations class! Thank you to everyone who has participated in any of our events - your support is what pushes us to do more!
IOC Investigations @intell_on_chain
We’re rethinking our entire model - and I’d really value your input.

For a long time, people have come to us for help with serious, often difficult situations. And like many services in this space, we’ve charged for that work.

But the more we’ve done it, the more something hasn’t sat right: The people who need help the most are often the ones least able to afford it.

So we’re exploring a different approach.

👉 What if investigations were free for victims
👉 And instead funded by the community - through courses, memberships, and shared knowledge?

The idea is simple: Those who can contribute, make it possible for those who can’t.

But this only works if it’s built with the community - not just for it. So before we move forward, I want to open this up:

• Would you support a model like this?
• What would make a membership or course genuinely valuable to you?
• What would you want to see in return for supporting real investigations?

And there’s one more thing. If we do this properly, it feels like more than just a pricing change - it feels like a new chapter. So I’m considering renaming the business to reflect that shift.

For those who choose to contribute early (whether through feedback, ideas, or early support), I’d love to open up the opportunity for you to help shape that - potentially even naming it.

This isn’t finalised. It’s something I’ve been thinking about for 5 years, and want to get right!

Appreciate any thoughts, ideas, or even challenges to this. 👇
NFT_Dreww.eth @nft_dreww
⚠️ VCs are scamming users..... ⚠️

In a bear market, scammers get creative. They develop convincing social engineering tactics. The latest involves compromising VCs or impersonating them to trick you into downloading malware.

Let’s break down how it works and how you can stay safe ⤵️

1/ How do they compromise or impersonate VCs?
2/ What’s the scam?
3/ How can you stay safe?
IOC Investigations @intell_on_chain
@FBI just released their cyber crime report. Here are 10 shocking themes:

1/ The FBI’s 2025 IC3 report shows cybercrime has reached historic scale: over 1 million complaints and $20.8B in reported losses. Cybercrime is no longer a niche security issue. It is now a mass-market crime problem affecting every age group, sector, and state.
IOC Investigations @intell_on_chain
10/ There is some good news: intervention works. The FBI says its Recovery Asset Team helped freeze hundreds of millions of dollars, and Operation Level Up warned crypto scam victims before they lost more. The biggest lesson: report fast. In cyber fraud, speed can be the difference between loss and recovery.
IOC Investigations @intell_on_chain
9/ The threat is global and organized. IC3 received complaints from more than 200 countries. Many of the most destructive fraud schemes now appear tied to transnational criminal networks, including operations linked to scam centers in Southeast Asia and call-center fraud abroad.