Four arrested in Poland over crypto SIM-swap attacks; ZachXBT links 'Merry' to case
Quick Take
- Polish authorities arrested four members of a criminal group accused of SIM swap attacks on cryptocurrency exchanges, digital asset theft, and money laundering, with FBI and HSI agents supporting the operation.
- Onchain investigator ZachXBT has alleged that one of those detained may be social engineering threat actor Wojtek Kulisz, known online as ‘Merry,’ based on designer items in seized footage matching his public Instagram.
We'd love your feedback.
Polish authorities have arrested four members of an organized criminal group accused of conducting SIM swap attacks on cryptocurrency exchanges, stealing digital assets, and laundering the proceeds, with onchain sleuth ZachXBT claiming a popular threat actor identified in past analysis was among the detained.
The joint operation supported by the U.S. FBI and Homeland Security Investigations agents found that group members breached the IT infrastructure of entities that cooperate with telecommunications operators, using specialized software and social engineering to access employees' email accounts, according to a press release published Thursday by Poland's Central Bureau for Combating Cybercrime, known by its Polish acronym CBZC.
That access enabled SIM swap attacks, or the illegal cloning and hijacking of victims' phone numbers, which the group then used to seize control of user accounts on cryptocurrency exchanges and drain the digital assets held there, according to the CBZC statement.
Stolen funds were then laundered through a distributed financial network spanning personal bank accounts in Poland and abroad, international payment platforms, and multi-currency digital wallets.
The total value of funds laundered is estimated to exceed tens of millions of Polish zlotys, according to the CBZC.
All four suspects were remanded into pre-trial detention at the request of the prosecutor's office. The suspects face charges including participation in an organized criminal group, theft by hacking, and money laundering, carrying penalties of up to 25 years' imprisonment, according to court documents.
Threat actor 'Merry' among suspects
Onchain investigator ZachXBT alleged separately that one of those detained is Wojtek Kulisz, a Polish social engineering threat actor known online as "Merry." On this official Telegram channel, ZachXBT said designer clothing and jewelry items visible in the CBZC's footage of the raid match items Kulisz had publicly displayed on his Instagram account.
Polish authorities have not confirmed the identity of any of the four suspects, citing the ongoing international nature of the investigation.
ZachXBT, whose real identity remains unknown, has a track record of identifying suspects in crypto theft cases before formal law enforcement disclosures. His prior investigations have contributed to arrests and asset recoveries across multiple jurisdictions, as The Block has previously reported.
The CBZC said detailed information on the targets of the attacks and secured accounts will not be disclosed at this stage.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
