Dossier
Gafoor Khan
aka Gafoor K, Gafoor Khan Hafiz Khan, gafoorkhan, @GafoorKhan
Co-Founder, Technical Architect — Deployer Infrastructure
Photographs
Charges
- Count 2: Securities Fraud
- Count 4: Computer Fraud
- Count 5: Conspiracy
What this defendant knew
As listed co-founder and technical architect, Khan possessed knowledge of: (1) the protocol's technical architecture including the PT-LBTC oracle vulnerability, (2) the deployer wallet hierarchy and Safe multisig infrastructure, (3) the May 2024 Blast exploit that revealed the vulnerability the team chose not to patch across deployments.
Intent indicators
- Maintained co-founder role despite knowledge of the May 2024 Blast exploit vulnerability that was not patched on Base
- Participated in decisions to retain deployer wallet admin privileges while marketing "decentralization"
- Never publicly disclosed the technical vulnerability that led to $5.5M Blast loss (which was then exploited for $371K on Base)
- Architect of the cross-chain deployer hierarchy that enabled centralized control despite "decentralized" claims
- Active on Telegram as recently as 15.05.2026 — continued online presence while victims remained uncompensated
- Digital footprint spans 16+ platforms (LinkedIn, Twitter since 2009, GitHub, Telegram, YouTube, TikTok, Twitch, Clubhouse, Freelancer, Envato, Behance, Picsart, Duolingo, Chess.com, Linktree) — easily identifiable, no attempt to hide
Public identity traces
- LinkedIn: Gafoor Khan
- Crunchbase: Gafoor Khan
- Linktree: gafoorkhann (verified, active)
- X/Twitter: @GafoorKhan (since Nov 2009)
- GitHub: gafoorkhan (since Feb 2020)
- Telegram: @GafoorKhan (last seen 15.05.2026)
- YouTube: @gafoorkhan
- TikTok: @GafoorKhan (11 followers, since 2017)
- Twitch: gafoorkhan (since Sep 2020)
- Clubhouse: @gafoorkhan (80 followers)
- Behance: Gafoor Khan (since Oct 2018)
- Freelancer: gafoorkhan (since 2010)
- Envato: gafoorkhan (ThemeForest/Codecanyon/Audiojungle)
- Picsart: gafoorkhan (42 followers)
- Duolingo: gafoorkhan (Hindi, since Dec 2016)
- Chess.com: gafoorkhan (India, since Feb 2020)
Prosecution's theory
Khan was the technical co-architect who knew the vulnerability existed but chose silence. The prosecution will show that as co-founder, he participated in the decision to: (1) not patch the PT-LBTC oracle flaw across deployments after discovering it in May 2024, (2) maintain deployer wallet control over protocol parameters, (3) preserve the infrastructure that made the February 2025 exploit possible. His technical expertise makes his silence more culpable, not less — he was in a position to prevent the exploit but chose not to.
Incriminating exhibits
- Exhibit D-11: Cross-deployment vulnerability comparison
May 2024 Blast flaw identical to Feb 2025 Base exploit
- Exhibit D-12: Org chart evidence
Co-founder status on operational pages
Proofs & Evidence Collection
The following evidentiary items are preserved in this repository. Each item is timestamped, verifiable on public block explorers or web archives, and subpoena-ready for law enforcement. File paths reference the local evidence archive; URLs link to live public sources.
Co-founder org chart evidence
Operational pages, Crunchbase listings, and org charts listing Gafoor Khan as co-founder and technical architect. Establishes his formal role and knowledge of protocol architecture — as co-founder, he cannot claim ignorance of the vulnerability or the decision to keep the deposit UI open.
📁 team/forensic-deployer-tracing.json
Deployer infrastructure and admin roles
Technical analysis of the deployer hierarchy across 10+ chains. As the listed technical architect, Khan was responsible for the architecture that enabled centralized control while marketing claimed "decentralization." Documents that proxy admin ownership was never transferred to community governance.
📁 team/forensic-old-deploys-audits.json
Admin role assignment log
Complete ACLManager role assignment history showing which addresses held DEFAULT_ADMIN_ROLE, ASSET_LISTING_ADMIN_ROLE, and RISK_ADMIN_ROLE across all chains. Documents that Khan's technical team retained all admin privileges with zero community transfer.
📁 team/forensic-admin-role-events.json
Cross-deployment vulnerability comparison
Technical comparison of the PT-LBTC oracle vulnerability across Base and Blast deployments. The identical code flaw existed on both chains — the team patched Blast after the May 2024 exploit but left Base vulnerable for 10 more months. As technical architect, Khan knew or should have known about both deployments.
📁 team/forensic-may2024-exploit-separate.json
Telegram activity during concealment
OSINT documentation of Khan's Telegram activity showing last seen 15.05.2026 — he remained active on messaging platforms while victims received no compensation. Activity during the fraud period contradicts any claim of unawareness or non-participation.
📁 team/forensic-identity-matrix.json
16-platform digital footprint
Maigret OSINT sweep documenting Khan's presence across 16+ platforms (LinkedIn, Twitter since 2009, GitHub, Telegram, YouTube, TikTok, Twitch, Clubhouse, Freelancer, Envato, Behance, Picsart, Duolingo, Chess.com, Linktree, Crunchbase). This extensive public footprint demonstrates he was easily identifiable and made no attempt to conceal his identity — yet never issued a public statement about the protocol insolvency.
📁 team/forensic-identity-matrix.json