Investigation Appears to Link Stolen Bittensor TAO to NFT Wash Trades and Monero Conversions

  • $28M stolen; funds traced through NFT wash trades and Railgun mixing

  • Investigators identified wallet 0x09f and coordinated transfers of 1,246 ETH, 276,000 USDC and 19.8 WETH across chains.

  • 32 TAO holders were affected after a malicious PyPI package leaked private keys; Bittensor halted operations on July 2, 2024.

Bittensor hack: ZachXBT traced a $28M theft through anime NFT wash trades and Railgun mixing, linking funds to ex-employee wallets — read the forensic timeline.

What is the Bittensor hack?

The Bittensor hack refers to a mid‑2024 breach that resulted in roughly $28 million in stolen TAO and converted assets. Forensic analysis by blockchain investigators, notably ZachXBT, followed token movements from compromised wallets through cross‑chain bridges and privacy tools to identify wallets associated with former insiders.

How was the $28M Bittensor hack traced?

The investigation began after reports that 32 TAO holders lost funds between May and July 2024 following a malicious PyPI package that exposed private keys. Bittensor developers halted network operations on July 2, 2024 to contain the breach and begin remediation.

Blockchain tracing showed stolen TAO moved to Ethereum, then converted and aggregated. One wallet, identified as 0x09f in public forensic notes, sent approximately $4.94 million into the Railgun crypto mixer in June 2024. From there, investigators correlated timing and amounts to identify three extracting wallets. The trail recorded movements of 1,246 ETH, roughly 276,000 USDC, and 19.8 WETH. Funds were shifted onto Avalanche and returned to Ethereum using the Synapse Bridge before further obfuscation and conversion to Monero (XMR) via quick-swap platforms.

Crucial linking evidence came from anomalous NFT activity. Address 0x1d7 purchased four Killer GF NFTs for 18.64 ETH, a significant overpayment compared with the floor price. Two associated addresses, 0x0bc7 and 0x5e9c, exchanged NFTs among themselves using those same funds, consistent with wash trading patterns designed to launder proceeds. Those trades connected the on‑chain flows to an individual known publicly by the alias “Rusty” (otc_rusty), who was previously employed as an Opentensor engineer.
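The two signals described above, purchases far above floor and NFTs passed between wallets that share a funder, can be expressed as a simple screening heuristic. This is an added example, not code from the investigation; the wallet labels, prices, floor value, funding map and the 5x threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample NFT sales (not real chain data); prices in ETH.
SALES = [
    {"token": 101, "seller": "market", "buyer": "A", "price": 4.66},
    {"token": 101, "seller": "A", "buyer": "B", "price": 4.50},
    {"token": 101, "seller": "B", "buyer": "C", "price": 4.55},
    {"token": 101, "seller": "C", "buyer": "B", "price": 4.60},
    {"token": 202, "seller": "market", "buyer": "D", "price": 0.21},
    {"token": 202, "seller": "D", "buyer": "E", "price": 0.24},
]
# Constructed funding edges: wallet -> wallet that first funded it.
FUNDED_BY = {"B": "A", "C": "A", "E": "exchange"}
FLOOR_ETH = 0.2  # assumed collection floor price


def overpaid(sales, floor, multiple=5.0):
    """Return sales priced at or above `multiple` times the floor."""
    return [s for s in sales if s["price"] >= multiple * floor]


def funding_root(addr, funded_by):
    """Follow funding edges back to the earliest known funder (cycle-safe)."""
    seen = set()
    while addr in funded_by and addr not in seen:
        seen.add(addr)
        addr = funded_by[addr]
    return addr


def wash_candidates(sales, funded_by):
    """Flag tokens traded between commonly funded wallets or returned to a prior holder."""
    flagged = defaultdict(set)
    holders = defaultdict(list)
    for s in sales:
        tok, seller, buyer = s["token"], s["seller"], s["buyer"]
        if funding_root(seller, funded_by) == funding_root(buyer, funded_by):
            flagged[tok].add("common_funder")
        if buyer in holders[tok]:
            flagged[tok].add("round_trip")
        holders[tok].append(buyer)
    return {tok: sorted(reasons) for tok, reasons in flagged.items()}
```

A flagged token is a lead for manual review; ordinary collectors also move NFTs between their own wallets.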

1/ An investigation into how I identified one of the suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee and earned a whitehat bounty for my efforts. pic.twitter.com/2utJ5AGtZy

— ZachXBT (@zachxbt) October 15, 2025

Following the crypto trail

ZachXBT’s chain analysis identified initial concentration into a wallet labeled 0x09f. That wallet funneled funds into Railgun and then to other wallets that matched withdrawal patterns. Investigators matched timestamps and amounts to narrow down suspects. The combination of large, atypical NFT purchases and inter‑wallet NFT transfers provided non‑standard links that complemented standard on‑chain tracing techniques.
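Matching timestamps and amounts across a mixer can be sketched as follows: for each deposit, look for small sets of later withdrawals whose total falls just under the deposited amount. This is an added example rather than the investigator's tooling; the records, the one-hour window, the 1% tolerance for fees and the three-way split limit are constructed assumptions.

```python
from itertools import combinations

# Constructed sample data (not real chain data): unix seconds, amounts in ETH.
DEPOSITS = [{"ts": 1_000, "amount": 300.0}, {"ts": 5_000, "amount": 120.0}]
WITHDRAWALS = [
    {"ts": 1_900, "to": "w1", "amount": 149.2},
    {"ts": 2_400, "to": "w2", "amount": 149.9},
    {"ts": 5_600, "to": "w3", "amount": 119.5},
    {"ts": 90_000, "to": "w4", "amount": 300.0},  # right amount, far too late
    {"ts": 2_000, "to": "w5", "amount": 12.0},    # in window, wrong amount
]


def correlate(deposits, withdrawals, window=3_600, tolerance=0.01, max_parts=3):
    """Map each deposit index to withdrawal-address sets that plausibly drain it.

    A set matches when every withdrawal falls within `window` seconds after
    the deposit and the summed amount is at most `tolerance` (a fraction)
    below the deposit, which leaves room for fees.
    """
    matches = {}
    for i, dep in enumerate(deposits):
        # Only withdrawals that follow the deposit closely are candidates.
        cands = sorted(
            (w for w in withdrawals if dep["ts"] < w["ts"] <= dep["ts"] + window),
            key=lambda w: w["ts"],
        )
        hits = []
        # Try single withdrawals first, then splits across 2..max_parts wallets.
        for n in range(1, max_parts + 1):
            for combo in combinations(cands, n):
                total = sum(w["amount"] for w in combo)
                if dep["amount"] * (1 - tolerance) <= total <= dep["amount"]:
                    hits.append(tuple(w["to"] for w in combo))
        matches[i] = hits
    return matches
```

On busy pools many unrelated withdrawals satisfy the same bounds, so a match narrows the candidate set and needs corroboration from other evidence.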

In addition to Railgun mixing and bridge usage, the movement from Ethereum to Avalanche and back increased complexity but left sufficient metadata for pattern analysis. Public court filings and a civil lawsuit later disclosed admissions and denials related to ownership of several implicated wallets. Legal documents named an individual, Ayden B (referred to as “Rusty”), as having acknowledged ownership of some wallets while denying culpability for the hack. Another person identified as Jon L (0xJones) became a subject of inquiry after deactivating accounts and deleting messages following the incident.

Real‑world links and legal fallout

Public reporting of the case and subsequent civil litigation provide the basis for legal follow‑up. ZachXBT commented: “It’s extremely rare to see exploits or hacks involve NFT wash trading,” noting the coordination of addresses and transactional patterns. Investigators emphasized that the evidence could support criminal proceedings, pending review by law enforcement and prosecutors.

Official sources referenced in public summaries include blockchain transaction records, the Bittensor project’s incident response disclosures, and civil court filings. These sources, when combined with forensic blockchain analytics, formed the factual foundation for attribution and potential legal action.

Frequently Asked Questions

How much was stolen in the Bittensor hack and who was affected?

About $28 million in TAO and converted assets were stolen, impacting 32 TAO holders between May and July 2024. Transfers included large amounts converted to ETH, USDC and WETH and routed across multiple chains before being mixed and converted to privacy coins.

Can blockchain tracing always identify the perpetrators?

Blockchain tracing can reveal transaction flows, wallet links and behavioral patterns that support attribution, but definitive criminal liability requires corroborating off‑chain evidence and legal processes. Public forensic work by investigators like ZachXBT can produce leads for law enforcement.

Key Takeaways

  • Forensic chain tracing works: Coordinated on‑chain patterns—bridges, mixers and atypical NFT trades—helped map $28M of stolen funds.
  • Insider ties matter: Evidence connected wallet activity to a former Bittensor employee, highlighted in civil litigation and public statements.
  • Legal and technical follow‑up required: On‑chain evidence supports further law enforcement action, but prosecution depends on off‑chain corroboration and formal investigations.

Conclusion

This report documents how blockchain forensic work linked the Bittensor hack to specific wallet behaviors, NFT wash trades and mixing services. By combining transaction analysis with public records and legal filings, investigators, most notably ZachXBT, mapped complex flows across Ethereum, Avalanche and privacy chains. COINOTAG will continue to monitor legal developments and forensic updates. Published: October 16, 2025. Updated: October 16, 2025. Author: COINOTAG.

ZachXBT traces the $28M Bittensor hack through anime NFT trades, linking stolen crypto to ex-employee wallets and uncovering hidden flows.

Crypto sleuth ZachXBT uncovered how $28 million was stolen from Bittensor. He followed a trail through anime NFT trades and traced funds to a former Bittensor worker after identifying hidden transactions through the Railgun mixer. His findings were later referenced in civil filings and public forensic summaries.

According to public forensic notes, 32 TAO holders lost funds between May and July 2024 after a malicious PyPI package caused private key leaks. The Bittensor network halted operations on July 2, 2024 while developers investigated. Stolen TAO was routed to Ethereum, then exchanged and mixed before partial conversion to Monero.

Following the crypto trail

ZachXBT followed funds to wallet 0x09f, which moved about $4.94 million into Railgun in June 2024. He identified three wallets that extracted funds by comparing quantities, timings and on‑chain behavior. The trail recorded 1,246 ETH, 276,000 USDC, and 19.8 WETH shifted to Avalanche and then back to Ethereum via the Synapse Bridge.

Address 0x1d7 purchased four Killer GF NFTs for 18.64 ETH, far above the floor. Related wallets 0x0bc7 and 0x5e9c exchanged NFTs among themselves using stolen funds, exhibiting wash trading. These trades linked the theft to wallets tied to “Rusty” (otc_rusty), who formerly worked as an Opentensor engineer.

Real world links and legal fallout

ZachXBT reported that Rusty (Ayden B) later admitted ownership of identified wallets in a civil lawsuit, while denying involvement in the hack. Another individual, Jon L (0xJones), emerged as a suspect after removing messages and deactivating accounts. “It’s extremely rare to see exploits or hacks involve NFT wash trading,” ZachXBT said, stressing the coordinated nature of the addresses. He suggested that law enforcement could pursue criminal charges based on the compiled evidence.

ZachXBT’s investigation highlights that transparent on‑chain records, combined with careful analysis, can reveal complex laundering schemes and support legal action.
