Picture this: it’s a warm Friday night in one of Dubai’s flashiest neighborhoods. A convoy of unmarked SUVs rolls up to a sprawling villa, lights off. Seconds later, doors fly open and the place is swarming with tactical officers. Inside, screens still glow with wallet addresses and transaction histories. And right then, 3,670 ETH – worth roughly $12 million at today’s prices – finishes consolidating into a single address that every on-chain sleuth in the game has been watching for months.
If you’re deep enough into crypto Twitter, you already felt the ripple when ZachXBT dropped the bomb. The address? 0xb37d617716e46511E56FE07b885fBdD70119f768. The pattern? Classic law-enforcement seizure choreography. And the name attached to it all? Danny Khan, also known in certain dark corners of the internet as Danish Zulfiqar.
The Dubai Takedown That Sent Shockwaves Through Crypto
I’ve been following ZachXBT’s work for years, and when he posts something like this, you drop everything and read. The guy doesn’t cry wolf. So when he casually mentioned that multiple wallets he’d been tracking suddenly funneled everything into one address – the same way funds move right before authorities slap a seizure label on them – the community knew something massive had just gone down.
Hours later came the confirmation nobody saw coming: a superseding indictment out of the United States naming Danny Khan explicitly, stating he’d been picked up in Dubai. The villa raid story started making the rounds in private Telegram groups – luxury cars still warm in the driveway, passports scattered on marble floors, and hard drives being bagged and tagged.
Who Exactly Is Danny Khan?
To most retail traders, the name probably doesn’t ring a bell yet. But ask anyone who’s been drained by a fake support agent or lost everything in the FTX/BlockFi/Genesis fallout, and you’ll get a very different reaction.
Khan, operating under various aliases, allegedly ran with a tight crew that specialized in social engineering at an industrial level. We’re not talking random phishing emails here. These guys were reportedly impersonating Google support, Gemini support, even going as far as faking entire login portals and convincing victims to install AnyDesk while they watched the robbery unfold in real time.
“Several hours ago multiple addresses tied to him I was tracking consolidated funds to 0xb37d… in a similar pattern to other law enforcement seizures.”
– ZachXBT, December 9, 2025
The Genesis Creditor Heist – A Masterclass in Cruelty
Let’s talk about August 19, 2024. For one Genesis creditor, it probably started with a simple email that looked exactly like it came from Gemini. Two-factor acting weird? No problem, sir, we’ll help you reset it. Just verify a few things.
Twenty minutes later, the victim was watching helplessly as their entire Bitcoin position – private keys willingly handed over under the guise of “screen sharing to fix the issue” – vanished into wallets controlled by Khan’s crew. The worst part? There’s video, allegedly recorded by the perpetrators themselves in a private Discord, celebrating as the transactions confirm.
In my opinion, this is where crypto theft crosses from crime into something almost psychological. These weren’t opportunistic hackers exploiting a smart-contract bug. They looked their victim in the eye (virtually) and lied until the person handed over everything they’d managed to salvage from the Genesis bankruptcy.
- Fake Google/Gemini support portal (identical visuals)
- Convincing victim to disable 2FA “temporarily”
- Requesting AnyDesk access “to fix the login issue”
- Live transfer of funds while victim watches
- Immediate splitting and laundering across 15+ exchanges
That Time Kroll Got SIM-Swapped
Remember August 2023, when phone numbers from the FTX, BlockFi, and Genesis creditor lists suddenly started getting bombarded with phishing attempts? Yeah, that wasn’t random.
A Kroll employee had their T-Mobile account SIM-swapped. The attacker got access to files containing names, addresses, phone numbers, and in some cases partial account balances of thousands of bankruptcy claimants. Within days, sophisticated social-engineering attacks were hitting these exact people.
ZachXBT and others in the investigative community have been connecting dots between that breach and Khan’s group for over a year now. The indictment appears to confirm what many suspected – the same network that harvested the data was weaponizing it.
How Do You Even Launder That Much Crypto in 2025?
Here’s where it gets technically impressive, in a twisted way. The crew allegedly developed a laundering pipeline that would make 2019 money-launderers weep with envy:
- Hit victim accounts for BTC/ETH
- Immediate conversion to LTC and XMR on non-KYC exchanges
- Multiple hops through privacy tools and mixers
- Re-conversion to ETH on fresh addresses
- Distribution to cold storage across the crew
They reportedly used more than fifteen different exchanges, some of which have since been shut down or had their banking cut off. The constant conversion between BTC → LTC → XMR → ETH wasn’t random – each step added another layer of obfuscation while taking advantage of different blockchain analytics blind spots.
I’ve always said Monero gets an unfairly bad rap because of cases exactly like this, but the reality is that sophisticated actors will always find privacy tools. The difference now is that chain analysis firms and investigators like ZachXBT have gotten scary good at pattern recognition even when parts of the trail go dark.
The Seizure Address – A New Kind of Tombstone
That wallet – 0xb37d…9f768 – is now what the community calls a “tombstone address.” Once funds consolidate there in that specific pattern, they’re effectively gone. Law enforcement has the keys, or they’re burned forever. Either way, the thief isn’t getting them back.
What’s fascinating is how quickly the community recognized the pattern. We’ve seen it with the Ronin hacker funds, with certain DPRK Lazarus wallets, with various ransomware recoveries. When 3,670 ETH starts moving in chunks that perfectly mirror previous seizures, everyone knows the game is up.
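The fan-in pattern described above (several tracked wallets emptying into one address within a short span) can be checked mechanically over a transfer feed. This is an added example, not code from the article or from any investigator's tooling; the addresses, amounts, timestamps, time window and source threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: placeholder addresses, not real wallets.
WATCHED = ["0xAAA1", "0xAAA2", "0xAAA3", "0xAAA4"]
TRANSFERS = [
    {"ts": 1000,   "from": "0xaaa1", "to": "0xDEST",  "eth": 900.0},
    {"ts": 2200,   "from": "0xAAA2", "to": "0xdest",  "eth": 1200.5},
    {"ts": 3000,   "from": "0xBBB9", "to": "0xDEST",  "eth": 10.0},  # sender not watched
    {"ts": 4000,   "from": "0xAAA3", "to": "0xDEST",  "eth": 700.0},
    {"ts": 5000,   "from": "0xAAA1", "to": "0xOTHER", "eth": 5.0},   # ordinary payment
    {"ts": 200000, "from": "0xAAA4", "to": "0xDEST",  "eth": 50.0},  # days later
]

def detect_consolidation(transfers, watched, window_s=6 * 3600, min_sources=3):
    """Flag destinations that receive funds from at least min_sources
    distinct watched addresses within any window_s-second span."""
    # Checksummed and lowercase hex forms name the same address: compare lowercased.
    watched = {a.lower() for a in watched}
    by_dest = defaultdict(list)
    for t in transfers:
        src, dst = t["from"].lower(), t["to"].lower()
        # Ignore shuffles between watched wallets; we want fan-in to an outside address.
        if src in watched and dst not in watched:
            by_dest[dst].append((t["ts"], src, t["eth"]))
    alerts = []
    for dst, rows in by_dest.items():
        rows.sort()                      # order by timestamp
        best, start = None, 0
        for end in range(len(rows)):     # sliding window over this destination
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            span = rows[start:end + 1]
            sources = {s for _, s, _ in span}
            if len(sources) >= min_sources and (
                    best is None or len(sources) > len(best["sources"])):
                best = {"dest": dst, "sources": sources,
                        "total_eth": sum(v for _, _, v in span),
                        "first_ts": span[0][0], "last_ts": span[-1][0]}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for alert in detect_consolidation(TRANSFERS, WATCHED):
        print(alert)
```

A hit only says that tracked funds converged on one address; attributing that address to law enforcement still depends on outside confirmation such as the indictment mentioned earlier.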
What Happens Next?
Dubai isn’t exactly known for extraditing cybercrime suspects quickly, but the superseding indictment suggests U.S. authorities have been building this case for a while. The fact that they’re naming Khan directly means they feel confident about the evidence chain.
For the victims – especially that Genesis creditor who lost everything to the AnyDesk scam – this might finally bring some closure. There’s talk of potential restitution if the seized funds can be proven to come from specific thefts.
And for the rest of us? Another reminder that in crypto, your biggest vulnerability is still the wetware between the chair and the keyboard. No matter how bulletproof your hardware wallet is, if someone convinces you to give them remote access or share your seed phrase “just to verify,” it’s game over.
The most sophisticated hack is still the one where the victim helps the attacker.
The Danny Khan saga isn’t just another theft story. It’s the evolution of crypto crime meeting its match in on-chain forensics and international cooperation. And honestly? Watching ZachXBT and investigators methodically close the net over months, sometimes years, has been one of the most satisfying developments in this space.
Somewhere tonight, there’s a villa in Dubai that’s a lot quieter than it was last week. And 3,670 ETH just became the latest chapter in the slow, methodical justice that’s finally catching up with crypto’s most wanted.
Stay safe out there. Verify everything. And maybe, just maybe, don’t install AnyDesk when someone claiming to be Google support asks you to.