ZachXBT exposes Axiom insider scandal: how do internal employees abuse their authority?


Author: Chloe, ChainCatcher

In recent days, the event that has captured market attention and accumulated tens of millions of dollars in bets on Polymarket—“Which Crypto Company will ZachXBT expose for insider trading?”—finally came to an end. On February 26, on-chain investigator ZachXBT officially released an investigative report directly targeting DeFi trading platform Axiom Exchange.

The report accuses the platform’s senior staff of abusing internal management permissions, repeatedly accessing users’ private wallet data illegally, and turning this sensitive information into tools for insider trading. This article will delve into the evidence chain revealed by ZachXBT, illustrating how “on-chain transparency” is hijacked by “off-chain black box management.”

ZachXBT Exposes Insider Trading Scandal at Axiom Exchange

Axiom Exchange was founded by Mist and Cal, and in early 2025, it was selected for Y Combinator Winter Batch (W25). The platform achieved an astonishing revenue of over $390 million within just a year. However, behind this impressive financial performance, a senior business development employee named Broox Bauer was turning Axiom’s backend tools into a private hunting ground.

According to ZachXBT’s investigation, Broox Bauer was not working alone. He established an organized “information monetization” process centered around Axiom’s internal control dashboard, which allowed him to query any user’s private information via referral codes, wallet addresses, or UID at will. In a recording, Broox stated he could “find out anything about that person,” and his operations demonstrated a strong awareness of anti-investigation measures:

  1. Initially querying only 10 to 20 wallets to avoid triggering system alerts.

  2. Targeted individuals were not randomly chosen. For example, a KOL named Marcell, who had been purchasing large amounts of meme coins with a private wallet for a long time and was promoting liquidity exit to fans, became a key target. Such traders’ private wallets are rarely public, and address reuse is low, making this information highly valuable for arbitrage.

  3. Organized efforts and rules were established, such as another Axiom employee Ryan (Ryucio) assisting in user information searches, hiring Gowno as a moderator, and consolidating these private wallets into Google Sheets for tracking.

These illegal operations persisted for over ten months (starting from April 2025). The evidence chain includes screenshots of backend management from victims like “Jerry” and “Monix.” These materials also raise questions: why does a business development staff member have cross-functional access rights? The expected monitoring alerts and permission segregation clearly did not function.

Axiom Official Response Fails to Cover Structural Failures

After ZachXBT’s report was released, Axiom’s official response followed a standard crisis management approach: issuing a statement expressing “shock and disappointment,” revoking permissions, and launching an investigation. However, this could not conceal the underlying systemic failures. Such incidents reveal a breakdown in platform permission controls, rather than just individual misconduct.

  1. Missing Audit Logs

In traditional finance or mature Web2 tech companies, any operation accessing sensitive user data must leave an audit trail. If a business development employee can query hundreds of wallets unrelated to their work, the system should trigger an alert immediately. Axiom’s ten-month regulatory vacuum suggests its internal system may lack “anomaly detection mechanisms,” and even whether such logs are retained is questionable.

  2. Scope of Victims Still Unclear

Axiom’s statement did not specify how many users were affected. This raises deeper concerns: if Broox Bauer could access this data, what about other employees? The report mentions moderators like Gowno and another business development staff member Ryan as accomplices, implying that such permission abuse might be relatively easy. When an organization’s governance relies on “trust” rather than “systematic controls,” the marginal cost of internal corruption is extremely low.

Are Permissions Virtually Useless? Data Governance Black Hole in Web3 Startups

Further examining the core of this scandal, the data accessible through Axiom’s backend is staggering: complete wallet lists, wallets being tracked, full transaction histories, user-set wallet labels, and linked accounts. This list covers not just transaction data but enough to reconstruct a user’s entire on-chain behavior pattern.

In traditional finance institutions, access to such data is strictly constrained by the “minimum necessary information” principle. Employees without explicit business needs are not allowed to access sensitive customer data; all access actions must be logged for audit purposes, with regular checks by compliance departments. The design logic is simple: it doesn’t rely on employee morality but uses technical and institutional constraints to minimize damage before problems occur.
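The two controls this article says were missing, a least-privilege gate in front of the lookup and an audit trail that is actually analysed, are sketched below as an added illustration. It is not Axiom's code and is not taken from ZachXBT's report; the role names, the 30-day baselines, the employee names and the sample log are all constructed assumptions. The detector deliberately counts distinct subjects over a long window rather than per day, because the "10 to 20 wallets at a time" pattern described above stays under any per-day threshold but not under a cumulative one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role policy (assumption, not Axiom's): which roles may resolve a
# user's private wallets at all, and how many distinct users a role is
# expected to touch in 30 days. Business development has no need for this.
ROLE_POLICY = {
    "support":    {"wallet_lookup": True,  "expected_users_30d": 150},
    "compliance": {"wallet_lookup": True,  "expected_users_30d": 600},
    "bizdev":     {"wallet_lookup": False, "expected_users_30d": 0},
    "moderator":  {"wallet_lookup": False, "expected_users_30d": 0},
}


class AuditLog:
    """Append-only record of every lookup attempt, allowed or denied."""

    def __init__(self):
        self.entries = []

    def record(self, ts, employee, role, subject, allowed, reason):
        self.entries.append({"ts": ts, "employee": employee, "role": role,
                             "subject": subject, "allowed": allowed,
                             "reason": reason})


def lookup_wallets(db, log, ts, employee, role, subject, ticket=None):
    """Least-privilege gate in front of a back-office 'show me this user' query.
    The attempt is logged before any data is returned, so denied attempts are
    visible too; a ticket id stands in for a documented business need."""
    policy = ROLE_POLICY.get(role)
    if policy is None or not policy["wallet_lookup"]:
        log.record(ts, employee, role, subject, False, "role not permitted")
        raise PermissionError(f"{role} may not resolve private wallets")
    if ticket is None:
        log.record(ts, employee, role, subject, False, "no business justification")
        raise PermissionError("a support or compliance ticket id is required")
    log.record(ts, employee, role, subject, True, f"ticket {ticket}")
    return db.get(subject, [])


def peak_daily_lookups(log, employee):
    """Highest number of successful lookups by one employee on any single day."""
    per_day = defaultdict(int)
    for e in log.entries:
        if e["employee"] == employee and e["allowed"]:
            per_day[e["ts"].date()] += 1
    return max(per_day.values(), default=0)


def detect_enumeration(log, now, window=timedelta(days=30)):
    """Flag employees whose distinct-subject count over the window exceeds
    their role baseline, and employees who keep hitting the permission gate."""
    start = now - window
    subjects, denied, role_of = defaultdict(set), defaultdict(int), {}
    for e in log.entries:
        if e["ts"] < start:
            continue
        role_of[e["employee"]] = e["role"]
        if e["allowed"]:
            subjects[e["employee"]].add(e["subject"])
        else:
            denied[e["employee"]] += 1
    alerts = []
    for emp, subj in subjects.items():
        if len(subj) > ROLE_POLICY[role_of[emp]]["expected_users_30d"]:
            alerts.append((emp, "distinct_subjects", len(subj)))
    for emp, n in denied.items():
        if n >= 5:
            alerts.append((emp, "repeated_denials", n))
    return alerts


def build_sample_log():
    """Constructed sample: three employees over 30 days. Not real data."""
    db = {f"user{i}": [f"wallet{i}a", f"wallet{i}b"] for i in range(400)}
    log, t0 = AuditLog(), datetime(2025, 4, 1)
    # alice: two ticketed lookups a day for 30 days, 60 distinct users (normal)
    for d in range(30):
        for k in range(2):
            lookup_wallets(db, log, t0 + timedelta(days=d, hours=k), "alice",
                           "support", f"user{d * 2 + k}", ticket=f"T{d}-{k}")
    # bob: support role, 15 lookups a day for 20 days under one recycled
    # ticket; 300 distinct users, never many on any one day (low and slow)
    for d in range(20):
        for k in range(15):
            lookup_wallets(db, log, t0 + timedelta(days=d, minutes=k), "bob",
                           "support", f"user{100 + d * 15 + k}", ticket="T-generic")
    # carol: bizdev account repeatedly trying the gate and being refused
    for d in range(6):
        try:
            lookup_wallets(db, log, t0 + timedelta(days=d), "carol", "bizdev", f"user{d}")
        except PermissionError:
            pass
    return db, log, t0 + timedelta(days=30)


if __name__ == "__main__":
    _, log, now = build_sample_log()
    print("peak per day for bob:", peak_daily_lookups(log, "bob"))
    for alert in detect_enumeration(log, now):
        print("ALERT", alert)
```

Run stand-alone, the script reports that bob never exceeds 15 lookups on any day, which a daily threshold would wave through, yet trips the 30-day distinct-subject baseline; carol's refused attempts surface as a second alert because denials are logged rather than silently dropped. The design choice worth copying is that the gate and the log are the same code path: there is no way to read a wallet list without producing the record the detector later reads.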

Axiom’s backend clearly does not meet this standard. More concerning is that such issues are not unique to Web3 startups. Rapidly expanding teams often focus engineering resources on product iteration, while compliance and data governance frameworks are postponed or viewed as “listing prerequisites.” However, once a platform reaches Axiom’s scale, the sensitivity of accessible data far exceeds early-stage levels, yet protective mechanisms often remain at startup standards.

This case also reveals a paradox unique to Web3: on-chain transparency does not equal off-chain transparency. Blockchain provides “anonymous transparency”: everyone can see address flows but cannot easily identify the entities behind them. The real risk occurs at the moment users register, link wallets, and set labels: they hand over the critical “address owner is me” relationship to a centralized database.

After that, anonymity becomes an illusion. Once this identity is linked to more information, tagged with labels, or misused, on-chain transparency no longer protects users; instead, it becomes the most precise tool in the hands of perpetrators.

Protocol-Level Decentralization Is Never the Same as Company Decentralization

Axiom’s scandal exposes more than just individual misconduct. It reflects a long-standing contradiction in the Web3 industry’s “decentralization” narrative: protocol-level decentralization is never equivalent to operational decentralization at the company level.

When a platform’s core business still relies on centralized backend systems, manual customer service, and employee judgment, the labels of “DeFi” or “Web3” are more like superficial decorations. Users trust the immutability of smart contracts but forget that at the moment of inputting personal information and linking wallets, they have already handed over their most critical data to a fully centralized organization.

Trust is never free. In immature systems, the cost of trust is borne by the party holding the least information.
