Tuesday, June 23, 2026

Meet the onchain crypto detectives fighting crime better than the cops

Crypto security experts are the first responders of the blockchain world, tracing stolen millions across wallets, mixers and obscure bridges before the trail goes cold.

They operate in war rooms that form within minutes of a breach, using open-source intelligence, internal alert systems and private networks that span borders and languages.

When a major hack breaks, the crypto community turns to its pseudonymous detectives, whose social accounts are often the first to translate blockchain trails.

Security tools used by ZachXBT. (ZachXBT/Telegram)

What began as hobbyists decoding suspicious transactions has evolved into a global web of digital sleuths who track the flow of stolen funds faster than most authorities. Their tools are open-source, their networks informal and their reputations built on credibility earned in public.

The night shift crypto detectives

The industry’s most recognized blockchain sleuth is ZachXBT. He’s built a reputation for precise onchain forensics cited by government bodies and investigations that have led to arrests.

Elsewhere in the ecosystem, an army of veteran researchers and self-taught hobbyists are doing similar work in the digital shadows. One of them is 0xSaiyanGod, a security researcher who built a bot to detect malicious sites and spent years tracing drainer groups. 

“I introduce myself as a legendary Super Saiyan, Prince of all Saiyans — or other crazy nicknames — but I’m 0xSaiyanGod,” he tells Magazine. “Most people just call me Saiyan.”

Saiyan works under a pseudonym, but he repeatedly emphasized the importance of sharing credit with the teams he works with. Citing security concerns, he requested that his interview with Magazine be conducted with the video turned off.

Like many of his peers, Saiyan has a life outside the screen. He works a regular job by day and hunts crypto scams by night under his digital alias.



“I still have a nine-to-five. Then I come home, open Telegram, check the reports and start tracing wallets. It’s the same rhythm every night,” he says.

He began as a bug bounty hunter in the Web2 scene and brought that skillset into crypto security in 2022. Early on, working with groups such as Wallet Guard and the security collective BlockMage, he tracked SIM-swapping phishing campaigns and the social engineering tactics behind wallet drainer operations.

One of the key cases he worked on, with researcher NFT_Dreww, was the Blur browser extension scam, in which Inferno Drainer tricked victims into installing a malicious add-on.

Saiyan’s first encounter with drainer activity was during the period when Monkey Drainer–style phishing kits were spreading across Telegram. Saiyan mapped the infrastructure behind such campaigns, including reused phishing templates, shared hosting setups and recurring wallet-chaining patterns. His work has since expanded to successor clusters associated with Inferno Drainer, where small code overlaps helped researchers flag new phishing domains.

To scale detection, he built Doom Bot, a Discord-based phishing and drainer detection bot that flagged suspicious links and forwarded them into private channels. Doom Bot and its peers were early movers in the space before larger teams such as SEAL took on that function.

Pocket Universe tweet citing work done by security professionals, including Saiyan
Saiyan has been working with security teams for years to flag and block dodgy websites. (Pocket Universe)

“The intel provided to those teams at that time was definitely helpful,” Saiyan says.

“I can reference one tool of my buddy that was — maybe still — doing the same and reporting to Pocket Universe. Between us, we could catch most links and provide the intel to teams.”

The tracing work that follows is still manual. Saiyan took part in identifying and flagging wallets tied to North Korean–linked activity during the $1.5 billion Bybit incident, publicly marking addresses on Etherscan. He uses tooling such as blockchain explorers, Arkham, MetaSleuth and Breadcrumbs. High-end forensics platforms like Chainalysis are typically reserved for law enforcement and institutional teams.

The human side of crypto investigations

While most crypto detectives use pseudonyms, Heiner Garcia does not. A former security analyst for Colombia’s Ministry of Defense, he spent years in human intelligence operations tied to criminal networks before joining Telefónica’s security division.

“I’ve dealt with real risk,” he says. “Narcos,…

cointelegraph.com
