UK Cybercriminal Busted: Authorities Seize $18.6M in Crypto Assets
Another digital bandit gets the handcuffs—and the blockchain doesn't forget.
The Takedown: How They Got Caught
Forget offshore accounts and numbered safety deposit boxes. Today's high-stakes heists play out on the ledger, but the old rules still apply: leave a trail, get caught. A recent international operation culminated in the arrest of a British national linked to significant cybercrime, with law enforcement clawing back a staggering $18.6 million in digital currency. The seizure sends a clear message—crypto's transparency is a double-edged sword.
The Seizure: Following the Digital Breadcrumbs
The recovery of such a massive sum wasn't magic; it was forensic accounting on steroids. Investigators traced the illicit flow of funds across wallets and exchanges, proving that while crypto can cross borders in seconds, those transactions are permanently etched in a public record. This isn't about cracking encryption; it's about following the money, a game regulators are getting dangerously good at playing.
The Bigger Picture: A Win for Legitimacy
For the serious crypto investor, headlines like this are paradoxically bullish. Every high-profile bust and asset forfeiture drains the swamp a little more, scrubbing the ecosystem of its rogue element. It forces a maturation—pushing projects to build real utility beyond speculation and darknet deals. It's the financial equivalent of cleaning up a trendy neighborhood; property values (and credibility) go up.
Sure, the traditional finance crowd will smugly point to this as proof crypto is just for criminals—conveniently ignoring the trillions laundered through their own banks every year. The real story is the system working. As enforcement sharpens its tools, the space becomes safer for institutional capital and mainstream adoption. The wild west is getting a sheriff, and that's the first step to building a real economy.
ID Photo of Danny Khan. Source: Investigations by ZachXBT Telegram.
“Several hours ago multiple addresses tied to him I was tracking consolidated funds to 0xb37d in a similar pattern to other law enforcement seizures,” ZachXBT wrote.
Dubai villa allegedly raided to arrest Khan, associates went silent
ZachXBT’s sources claimed that Danny Khan was last reported to be in Dubai, and they alleged that a villa he resided in was raided. Several other individuals were reportedly arrested during the operation, and people close to Khan have been unresponsive to communications for the past several days.
The cybersecurity analyst had been tracking Meech since 2024, linking him to the $243 million theft from a Genesis creditor in August that year. The operation was conducted with co-conspirators Malone Lam, Veer Chetal, Chen, and Jeandiel Serrano through a social engineering attack on an unnamed individual.
On August 19, 2024, the group impersonated Google and Gemini support and convinced the victim to reset two-factor authentication, transfer Gemini funds to a wallet they could access, and even share private Bitcoin keys through the remote desktop app AnyDesk.
Per Gemini transaction records shared in a Discord video of the three boasting about their score, 59.34 BTC and 14.88 BTC were transferred to addresses under the control of the thieves.
“Oh my God! We are done! Do you know how much money that is?” Veer Chetal was recorded saying in a video Zach shared on his X thread. Chetal, who received a significant portion of the funds, exposed his full identity in the screen-sharing session.
The stolen $243 million was divided among the group and moved back-and-forth among more than 15 crypto exchanges and converted between Bitcoin, Litecoin, Ethereum, and Monero.
Later on in the year, the US Department of Justice unsealed an indictment on the Genesis theft charging Malone Lam, 20, of Miami and Los Angeles, and Jeandiel Serrano, 21, of Los Angeles, with conspiracy to steal and launder over $230 million in cryptocurrency.
Both were arrested last night and appeared in the US District Court in the Southern District of Florida and the Central District of California in September last year, although Danny Khan was not identified as part of the perpetrators then.
Khan was part of the T-Mobile Kroll SIM swap
ZachXBT also placed the Danish Zulfiqar among the bad actors of the Kroll SIM swap in August 2023, which exposed the personal information of BlockFi, Genesis, and FTX creditors. The attack reportedly led to over $300 million in losses swindled through social engineering, much like the Genesis one.
Kroll provided a statement confirming the breach and revealed that a hacker had compromised an employee’s T-Mobile account using a SIM swapping attack.
SIM swapping, also known as port-out or SIM-jacking, is where a threat actor impersonates a mobile account holder to transfer their phone number to a new SIM card. T-Mobile transferred the employee’s phone number without authorization from Kroll, which helped the threat actor to access personal information of BlockFi, FTX, and Genesis bankruptcy claimants.
“Never forget Kroll had an employee SIM swapped in Aug 2023, resulting in breaches for Blockfi, FTX, Genesis creditors, which led to 8-9 figs stolen by cybercriminals via email phishing campaigns and social engineering scams. Idk how your company has not been sued to oblivion for the security incident,” Zach bashed Kroll on social platform X in January this year.
Throughout his criminal activity, Khan reportedly worked with a tight-knit network of co-conspirators. While official confirmation of Khan’s arrest has not yet been released by law enforcement agencies, several sources have insinuated authorities are actively pursuing the case.
Get up to $30,050 in trading rewards when you join Bybit today
