The investigation revealed details of a large-scale scam with cryptocurrency.
A joint investigation by the publication 404 Media and the independent analytical center Court Watch uncovered a large-scale cyber fraud scheme that affected more than 500 users of the Coinbase cryptocurrency exchange, for a total in excess of $20 million.
Scam Template
Riccardo, one of the victims of the scam, had his Coinbase account hacked in 2021. When he tried to log in to the Coinbase Pro platform for traders, he was shown a message saying that his account had been compromised and that he needed to contact customer service by phone immediately. The scammers convinced Riccardo to enter a verification code sent via SMS into a chat on a fake site posing as Coinbase, which led to the theft of his funds.
According to the investigation, the scammers used phishing sites, including coinbasepro[.]com, to redirect victims to fake Coinbase pages.
Phishing page that Riccardo went to (top) and fake login form and chat with support (bottom)
Indian criminal arrested
Chirag Tomar, a 30-year-old Indian national, was arrested by the United States Secret Service (USSS) as part of the case. Tomar is believed to be one of the participants in the scheme, although it is unclear whether he was the one who spoke to Riccardo on the phone.
Each theft identified in the affidavit left behind digital footprints that USSS investigators could use to track down the perpetrators. After the victim's stolen funds were transferred to a Binance account, investigators obtained a search warrant for the email address associated with that account. The mailbox contained identity documents that had been used to verify the Binance account and had been sent by email from another address (chirag.tomar). Officers believe that the documents were stolen or obtained fraudulently.
Inside the identified mailbox (chirag.tomar) were txt files containing the victims' phone numbers, names and the amounts of funds stolen from them. Information from the mailbox helped identify the suspect. The data included several photos of his Indian passport, bank statements in his name, and photos sent as part of his application to travel to the US.
Investigators compared the photo on Tomar's U.S. tourist visa with the photos in his email account and confirmed that they showed the same person. In his visa application, Tomar used a specific phone number, which authorities then linked to an account on the MEXC cryptocurrency exchange registered under an assumed name. Investigators believe that the use of an assumed name on MEXC indicates an attempt to conceal the true identity of the account holder and to obscure the nature and source of the cryptocurrency transactions. However, the officers traced the movement of some of the stolen funds to the MEXC account, even though Tomar allegedly performed chain-hopping ("jumping between networks"), that is, converting one cryptocurrency into another several times within a short period on different crypto exchanges in order to cover his tracks.
Versatile activities
The investigation covers a wide range of the fraudsters' activities, including theft of cryptocurrencies, attempts to launder money through accounts registered with fake identities, and conversion of funds into other types of cryptocurrencies. The court documents also mention other victims who lost hundreds of thousands of dollars, including one user who lost more than $250,000.
Coinbase, which is cooperating with law enforcement agencies, stressed that user security is a priority and pointed to the use of hardware keys for verification instead of codes that can be intercepted. The company also gained control of the coinbasepro[.]com domain in June 2022, almost 2 years after the phishing attack started.
Riccardo, who lost his funds and contacted the FBI and Coinbase, was left shocked by what happened. Scammers operating anonymously and with impunity continue to pose a serious threat in the cryptocurrency world.
