Garry Tan, president, chief executive officer and co-founder of Y Combinator, during an interview on an episode of “The Circuit” at Y Combinator offices in Mountain View, California, US, on Monday, March 20, 2023. Silicon Valley’s premier business incubator has received 44,000 applications so far this year, the most ever, and the acceptance rate for its summer batch was less than 1%, the lowest in the organization’s history. Photographer: Philip Pacheco/Bloomberg
© 2023 Bloomberg Finance LP
Axiom hit $100 million in cumulative revenue faster than any company in Y Combinator’s 20-year history. Faster than Cursor, the AI coding tool that previously held the record. Two 22-year-old founders, a $500,000 seed check, and a Solana trading terminal that went from 2% to 72% market share in under a year, according to Dune Analytics data.
On Wednesday, blockchain investigator ZachXBT published a 10-post thread on X alleging that a senior Axiom employee had been using internal company tools to surveil users’ wallets since early 2025. Within hours, Axiom confirmed it: “We are shocked and disappointed to learn that some members of our team misused internal customer support tools to query users’ wallets.”
The gap between Axiom’s revenue trajectory and its internal controls is not a coincidence. It is the predictable result of how crypto startups get built: ship fast, capture market share, worry about governance later. And Axiom is the latest and most striking example of a pattern the industry keeps repeating. Companies scale to hundreds of millions in revenue before implementing access controls that a $10 million fintech would consider table stakes. The misconduct that Axiom itself has confirmed, not the unproven insider trading allegation, is the real story. It reveals what gets skipped when growth is the only metric.
The fastest company in YC history
Henry Zhang and Preston Ellis were 22 when they built Axiom in 2024. Zhang, who goes by “Mist” online, had worked on generative AI for ads at TikTok. Ellis, known as “Cal,” had interned at DoorDash. Zhang had graduated from UC San Diego; Ellis studied EECS at UC Berkeley. Neither had run a startup before.
They joined Y Combinator’s Winter 2025 cohort with a $500,000 pre-seed, the only outside funding Axiom has ever raised. What followed was the kind of growth story that makes founders’ eyes widen during Demo Day.
Axiom is a browser-based trading terminal for Solana, the blockchain that hosts the majority of memecoin activity. It aggregates liquidity from decentralized exchanges like Raydium and Pump.fun, bundles in perpetual futures via Hyperliquid, and offers sub-400-millisecond execution. Within five months of launch, cumulative revenue crossed $100 million — a record in YC’s portfolio, where crypto platforms are now generating real revenue. Cursor, the AI coding tool, had previously held the mark at 12 months.
By mid-2025, Axiom had already processed over $15 billion in trading volume across more than 650,000 wallets. Cumulative revenue exceeded $390 million. DefiLlama ranked it the third most profitable platform in all of decentralized finance, behind only stablecoin issuers Tether and Circle. Solana’s official account posted: “The fastest growing company in YC history is an AI company a Solana company.”
The $500,000 seed meant no outside board seats, no institutional investor governance requirements, and no compliance mandates. The team was small enough to fit on a couch. The revenue was large enough to outpace the vast majority of publicly traded fintech companies.
What ZachXBT found
ZachXBT, the pseudonymous blockchain investigator whose past work includes attributing the $1.5 billion Bybit hack to North Korea’s Lazarus Group and helping recover funds from a $243 million theft, published his Axiom investigation on February 26. He disclosed that he had been retained, meaning paid, to investigate after receiving reports of misconduct. His 10-post thread on X drew 578,000 views, 6,500 likes, and 1,200 reposts within the first day.
The thread named Broox Bauer, a senior business development employee based in New York, as the central figure. ZachXBT published audio recordings in which Bauer describes being able to look up any Axiom user by referral code, wallet address, or user ID and “find out anything to do with that person.” In one clip, Bauer discusses scaling the number of monitored wallets gradually, “so it does not look that suspicious.”
ZachXBT also published screenshots of Axiom’s internal dashboard from April and August 2025, showing private wallet data for individual traders. A Google Sheet compiled by Bauer’s group listed wallet addresses for prominent crypto influencers, sourced from the internal system. Multiple influencers named in the spreadsheet independently confirmed that the wallet data attributed to them was accurate.
A separate recording from February 2026 allegedly captures Bauer outlining a plan for a colleague to earn $200,000 by exploiting the same access.
But ZachXBT was careful to flag the limits of his evidence. In Post 7, he wrote that “pinpointing high-confidence examples of insider trading from his wallets alone is difficult without access to Axiom’s internal logs to review the timing of trades placed.” The distinction matters: data misuse is confirmed. Insider trading is alleged but unproven.
Axiom responded quickly. “We have revoked access to these tools and will continue our investigation, holding those responsible accountable,” the company said in a statement posted to X. “This does not represent us as a team.”
ZachXBT’s structural critique went beyond any one employee. “Regardless of whether Cal or Mist were aware,” he wrote, “there was little to no monitoring or access controls in place to mitigate this abuse from happening in the first place.”
Why Axiom’s data access had no guardrails
The most damning detail in ZachXBT’s thread is not what Bauer allegedly did with the data. It is what the data access itself reveals about how Axiom was built.
According to the investigation, business development employees — not engineers, not security staff — had access to an internal dashboard that allowed them to look up any user’s wallet address, view full transaction histories, see linked accounts and registration data, and monitor wallets in real time. There was, in ZachXBT’s words, “little to no monitoring or access controls.”
Consider what a traditional financial services firm generating $390 million in annual revenue would be expected to have. A broker-dealer at that scale operates with information barriers between departments, role-based access permissions, automated logging of every data query, a compliance team reviewing access patterns, and regular third-party audits. Coinbase, which is publicly traded and regulated, maintains compliance headcounts in the hundreds. Robinhood, which serves a similar retail trading demographic, paid $70 million to settle FINRA charges related to platform failures and misleading information. That kind of regulatory enforcement imposes discipline.
Axiom had none of this. The company raised $500,000 in total. It has no disclosed compliance function. Its internal tools, designed for customer support, were accessible to business development staff with no audit trail, or at least no monitored one.
The failure is not specific to Axiom’s founders. It is structural to how crypto startups operate. The memecoin trading window is unpredictable. When volume arrives, it arrives fast: Axiom went from 2% to 72% of the Solana trading bot market in months, per Dune Analytics. The imperative is to ship product, onboard users, and capture revenue. Governance infrastructure (access controls, compliance teams) gets deferred because it slows things down. And because no regulator requires it and no investor demands it, the deferral becomes permanent.
Until someone is watching.
Crypto’s recurring governance failure
Axiom is not FTX. That distinction is worth making clearly. Nobody is alleging that the founders stole user funds. The platform’s wallet architecture uses Turnkey’s non-custodial key management via AWS Nitro Enclaves, meaning private keys are never exposed to Axiom employees. The core product is technically sound.
But the data layer — who can see what users are doing — had no protections. And on a trading platform, data access is the attack surface.
The pattern is familiar. FTX reached a $32 billion valuation with no board of directors and a compliance department that, according to testimony in Sam Bankman-Fried’s criminal trial, consisted of a single employee. Celsius accumulated over $3 billion in user deposits while its CEO personally directed trading strategies with customer funds, as the SEC’s complaint later detailed. Terraform Labs built a $60 billion network without reserve audits or circuit breakers. In each case, the sequence was the same: hypergrowth, deferred governance, then failure.
Axiom’s version is milder than any of those. No user funds appear to have been lost. The platform still works. But the underlying conviction, that governance can wait, is identical. And the question it raises has no obvious answer: at what revenue threshold should a crypto startup be expected to have basic access controls? $10 million? $100 million? $390 million? Without a regulator to impose the requirement and with only $500,000 in outside funding, who enforces the standard?
The Polymarket sideshow
There is a final irony. Before ZachXBT published his findings, he teased on X that a “major investigation” would drop on Thursday. The post went viral, drawing millions of views. On Polymarket, the prediction market platform, a contract titled “Which crypto company will ZachXBT expose for insider trading?” attracted nearly $38 million in trading volume.
Allegations of insider trading were myriad. One trader bet $65,800 on Axiom when the odds stood at 13.8%. When ZachXBT published and the contract resolved, that trader walked away with $411,000.
ZachXBT acknowledged that his teaser post may have “unintentionally leaked” the target. He called it “a learning moment.” But the scene is hard to miss: an investigation into information asymmetry at a trading platform was itself front-run by traders exploiting information asymmetry about the investigation.
What comes next
Axiom will probably survive this. The product works, the revenue is real, and user wallets are architecturally secure. ZachXBT himself could not prove the insider trading allegation from public data, and Axiom has already revoked the tools in question.
But the incident reveals something about crypto’s startup culture that the industry has been reluctant to confront. The same conditions that produce record-breaking growth (small teams, no outside investors, no compliance overhead, the conviction that shipping fast matters more than governing well) also produce the governance gaps that erode user trust. Every crypto startup founder knows the FTX story. Very few have built their companies as if the lesson applies to them.
Axiom’s founders built the fastest-growing company in Y Combinator’s history. They just forgot to lock the door.
