Hook
Over 80% of incoming investigation requests now get rejected. Not due to lack of evidence, but by design. ZachXBT, the pseudonymous on-chain detective, posted a formal set of acceptance criteria on July 6, 2024. The post is short — five bullet points. Yet it reshapes the entire landscape of who gets help and who is left stranded. The numbers are stark: only losses above $250,000 qualify. Memecoins and prediction markets are explicitly excluded. The investigator must support the blockchain in question. And the legal jurisdiction must be favorable. From a single announcement, the supply of on-chain justice becomes bottlenecked, rationed by a single individual’s preferences.
Context
ZachXBT is not a company. He is a lone operator with a track record of tracing stolen funds from high-profile hacks — Axie Infinity, Euler Finance, and others. His work is cited by law enforcement, security firms, and mainstream media. He operates through public addresses for donations and a Telegram channel for tips. Until now, he accepted requests on a case-by-case basis without published rules. The new standards are an explicit gatekeeping mechanism. They signal maturation of a cottage industry into a structured service, but also expose its fragility. The protocol of one man now defines who gets access to the most visible on-chain detective in crypto.
Core
Let’s break down each criterion into its technical and economic implications.
Criterion 1: Exploit or hack only. Must have lost a minimum of $250,000 in value.
This is a pure filter for scale. By setting a floor, ZachXBT ensures his time is spent on cases that maximize impact. The $250k threshold is arbitrary — it aligns with the point at which a hack becomes newsworthy and likely to trigger insurance claims or legal action. From an efficiency standpoint, this is rational. His marginal utility of investigating a $10k rug pull is zero compared to a $10M bridge exploit. But it creates a blind spot: attacks that are small individually but aggregated over time (e.g., a series of $50k exploits) fall through the crack. The math holds until the incentive breaks — here, the incentive is to prioritize high-value incidents, but the security of smaller protocols deteriorates without recourse.

Criterion 2: Must be on a blockchain I support.
This is not just about preference — it reflects technical capability. ZachXBT likely maintains a set of RPC nodes, custom indexing scripts, and address clusters for Ethereum, BSC, Polygon, and a few other EVM chains. Supporting a new chain requires time to build on-chain awareness. The list is undisclosed. This introduces a geographic-like disparity within the crypto world: chains not on his list become de facto safe havens for attackers. A $1M hack on an unsupported chain may never be investigated. Risk is a feature, not a bug, until it isn’t — and the missing feature here is universal support.
Criterion 3: No memecoins or prediction markets.
This is the most controversial. Memecoins and prediction markets are, by nature, high-risk and often unregulated. Excluding them sends a signal: these projects are not worth the effort. But it also removes a deterrent. Attackers know that even if they steal funds, the most visible investigator will not touch the case. This could embolden more rug pulls in these categories. The exclusion is not based on technical difficulty — tracing stolen DAI from a memecoin is the same as tracing it from a DeFi protocol. It is a brand decision. ZachXBT distances himself from the taint of degenerate gambling. But in doing so, he abandons a segment that arguably needs investigation the most.
Criterion 4: It must be something I find interesting.
Leave this to the investigator’s discretion. It is a wild card. “Interesting” likely means technical novelty: new exploit patterns, zero-day vulnerabilities, or complex cross-chain maneuvers. Standard phishing attacks may be boring. This introduces non-determinism into the acceptance process. Two identical losses may yield different outcomes based on novelty. The lack of objectivity undermines the predictability that victims need.
Criterion 5: You must be in a jurisdiction where it is safe to do this work.
This is a legal hedge. ZachXBT likely operates from a country with strong free speech protections and weak mutual legal assistance treaties. He avoids jurisdictions that could force him to testify or reveal his identity. The criterion effectively excludes victims from countries where whistleblowing is criminalized. Justice becomes geography-dependent.
Contrarian Angle
The conventional wisdom is that these standards professionalize on-chain investigation. But the real story is the creation of a new class of uninvestigated exploits. By excluding memecoins and prediction markets, ZachXBT inadvertently encourages attackers to target those sectors. The expected cost of being caught drops to near zero. Meanwhile, protocols on unsupported chains face a similar moral hazard. The standards do not just filter — they steer malicious behavior toward gaps in coverage. The centralized nature of this gatekeeping is a systemic risk. If ZachXBT disappears tomorrow, the entire standard collapses. There is no backup, no DAO, no insurance. The community becomes dependent on a single human’s schedule and whims.
During my own analysis of protocol vulnerabilities—specifically the Curve v2 invariant audit where I identified rounding edge cases—I learned that the most dangerous failures are not the ones you see, but the ones you design out of scope. ZachXBT’s rules are his design scope. They make his work efficient, but they also define the perimeter of his responsibility. Everything outside that perimeter is left to the wolves. The math holds until the incentive breaks — and here, the incentive to ignore entire categories of events is now publicly codified.

Takeaway
The future of on-chain security is fragmentation. Investigators will establish their own territories, preferred chains, and pet sectors. The result is a patchwork of coverage with black holes for memecoins, small hacks, and jurisdictions outside the West. The community must either build decentralized investigation protocols—perhaps using zero-knowledge proofs to share evidence without revealing identity—or accept that some corners of crypto are lawless by design.
Audits verify logic, not intent. ZachXBT’s intent is clear: maximize impact for his time. But the logic of his standards creates a predictable pattern of neglect. The next major memecoin rug pull over $250k will test whether the market cares more about the principle of exclusion or the volume of loss. History repeats in the ledger, not the news — and the ledger will show which exploits were never traced.