On-chain detective ZachXBT tracks down 3,670 ETH tied to suspect Danny Khan, as a Dubai raid, the Genesis creditor theft, and a Kroll SIM swap link surface amid a US indictment.
Summary
- ZachXBT flagged 3,670 ETH consolidated in a tracked wallet, in a pattern resembling past law enforcement seizures, and related to Danny Khan.
- Khan and his alleged co-conspirators are facing priority charges in the Genesis creditor theft case that used fake Google and Gemini support and AnyDesk access.
- The group allegedly laundered BTC, LTC, ETH, and XMR on more than 15 exchanges and is linked to the 2023 Kroll SIM swap affecting BlockFi, Genesis, and FTX data.
British cybercrime suspect Danny Khan, also known online as Danish Zulfiqar, has been detained in Dubai, and authorities are suspected of having seized his cryptocurrency after approximately 3,670 ETH was transferred to a tracked wallet, according to reports.
Update: A superseding indictment from a few hours ago confirms my analysis that Dany/Danish Zulfiqar (Khan) was arrested in Dubai.
Seized address: 0xb37d617716e46511E56FE07b885fBdD70119f768 pic.twitter.com/rvX5U38nBW — ZachXBT (@zachxbt) December 9, 2025
On-chain researcher ZachXBT reported through his Telegram channel that approximately 3,670 ETH was transferred to the Ethereum wallet 0xb37d6…9f768 on Friday, and the funds were subsequently identified. “Hours earlier, I had traced consolidated funds to 0xb37d, with multiple addresses associated with him and a pattern similar to seizures by other law enforcement agencies,” the investigator said.
ZachXBT tracks scammers from Lagos to Dubai
ZachXBT reports that Khan was last seen in Dubai, where authorities searched his villa and arrested others who were present. Sources said officials have not responded to messages in recent days.
The investigator said a superseding indictment issued hours later confirmed that Danny Khan, also known as Danish Zulfiqar, had been arrested in Dubai.
On-chain investigators have been tracking Khan since 2024 and linked him to the theft from Genesis creditors in August 2024. The report said the scheme involved co-conspirators Malone Lam, Veer Chetal, Chen, and Jandiel Serrano, who carried out social engineering attacks against unnamed individuals.
According to investigators’ findings, on August 19, 2024, the group impersonated Google and Gemini support staff and convinced victims to reset their two-factor authentication, transfer Gemini funds to wallets the group controlled, and share their Bitcoin private keys via the remote desktop application AnyDesk.
According to the report, transaction records from Gemini, which appeared in a Discord video in which the co-conspirators were said to be celebrating, showed bitcoins being moved to addresses controlled by the group.
According to ZachXBT, the stolen funds were distributed among the co-conspirators, converted between Bitcoin (BTC), Litecoin (LTC), Ethereum (ETH), and Monero (XMR), and moved through more than 15 crypto exchanges.
ZachXBT also linked Khan to the August 2023 Kroll SIM swap incident, in which the personal data of BlockFi, Genesis, and FTX creditors was leaked, leading to significant losses through social engineering. Kroll acknowledged the breach and said hackers gained access to employees’ T-Mobile accounts through a SIM swap.
According to reports, authorities have not officially confirmed Khan’s arrest, but multiple sources suggest the case is being actively investigated.