 |
| Lamborghini Urus Alexander Migl, CC BY-SA 4.0 |
There is no need to wait while the semiconductor industry develops quantum computers in order to defeat the cryptography protecting the HODL-ers wallets. Several effective techniques are already available. North Korea's recent record-breaking $1.5B heist illustrates that deploying malware via a Software Supply Chain Attack is capable of compromising even industrial-strength multi-signature wallets.
The North Korean's haul was big, but slightly smaller heists are routine. For example, Molly White reports that on 27th April 2025 $330 million in Bitcoin apparently stolen; laundering spikes Monero price by over 40%:
3,250 BTC (~$330 million) were apparently stolen from a bitcoin holder and then quickly moved through multiple exchanges and swapped for the Monero privacycoin. Such a massive swap into Monero was apparently enough to cause the Monero price to spike from around $230 to as high as around $330, before retracting somewhat.Another remarkably effective technique is social engineering. A group of scammers used it last August 18th, posing as members of Google's and Gemini's security teams to social-engineer "an early investor in cryptocurrency" into downloading malware. He lost more than 4,100BTC, then "worth" about $230M. Mitch Moxley has a fascinating, detailed account of what happened over the next month in They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. The scammers immediately started laundering the loot through a series of mixers and sketchy exchanges. These transactions attracted attention from a famed cryptocurrency sleuth:
Minutes after the D.C. resident’s funds were liquidated, ZachXBT was walking through the airport on his way to catch a flight when he received an alert on his phone about an unusual transaction. Crypto investigators use tools to monitor the global flows of various coins and set alerts for, say, any transaction over $100,000 that goes through certain exchanges that charge a premium for having few security safeguards. The initial alert that day was for a mid-six-figure transaction, followed by higher amounts, all the way up to $2 million. After he cleared airport security, ZachXBT sat down, opened his laptop and began tracing transactions back to a Bitcoin wallet with roughly $240 million in crypto. Some of the Bitcoin in the wallet dated back to 2012. “At that point it didn’t make sense,” he told me. “Why is a person who held their Bitcoin for this long using a sketchy service that typically sees a lot of illicit funds flow through it?”It turned out that one of the group of scammers couldn't resist showing off:
He added the wallets associated with the transactions to his tracking and boarded the plane. Once he connected to in-flight internet, more alerts arrived. Throughout the day, the Bitcoin traced to the wallet was being liquidated through more than 15 different high-fee cryptocurrency services.
The source sent ZachXBT several screen-share recordings, which he said were taken when one of the scammers livestreamed the heist for a group of his friends. The videos, which totaled an hour and a half, included the call with the victim. One clip featured the scammers’ live reaction when they realized they’d successfully stolen $243 million worth of the D.C. resident’s Bitcoin. A voice can be heard yelling: “Oh, my god! Oh, my god! $243 million! Yes! Oh, my god! Oh, my god! Bro!”Chetal lived in Danbury, CT. His father Sushil Chetal was a vice-president at Morgan Stanley. He was an incoming freshman at Rutgers. In his senior year he had developed a lavish lifestyle:
In private chats they used screen names like Swag, $$$ and Meech, but they made a crucial mistake. One of them flashed his Windows home screen, which revealed his real name in the start icon pop-up at the bottom of the screen: Veer Chetal, an 18-year-old from Danbury
Classmates remember Chetal as shy and a fan of cars. “He just kind of kept to himself,” says Marco Dias, who became friends with Chetal junior year. According to another classmate named Nick Paris, this was true of Chetal until one day in the middle of his senior year, when he showed up at school driving a Corvette. “He just parked in the lot. It was 7:30 a.m., and everyone was like, What?” Paris says. Soon Chetal rolled up in a BMW, and then a Lamborghini Urus. He started wearing Louis Vuitton shirts and Gucci shoes, and on Senior Skip Day, while Paris and many of his classmates went to a nearby mall, Chetal took some friends, including Dias, to New York to party on a yacht he had rented, where they took photos holding wads of cash.On 25th August, a week after the $230M heist, Chetal's parents were house-hunting in Danbury in the Lamborghini Urus he had driven to school when:
the Lamborghini was suddenly rammed from behind by a white Honda Civic. At the same time, a white Ram ProMaster work van cut in front, trapping the Chetals. According to a criminal complaint filed after the incident, a group of six men dressed in black and wearing masks emerged from their vehicles and forced the Chetals from their car, dragging them toward the van’s open side door.
When Sushil resisted, the assailants hit him with a baseball bat and threatened to kill him. The men bound the couple’s arms and legs with duct tape. They forced Radhika to lie face down and told her not to look at them, even as she struggled to breathe, pleading that she had asthma. They wrapped Sushil’s face with duct tape and hit him several more times with the bat as the van peeled off.
 |
| XKCD #538 |
Fortunately:
Several witnesses saw the attack and called 911. Some of them, including an off-duty F.B.I. agent who lived nearby and happened to be at the scene, trailed the van and the Honda, relaying the vehicles’ movements to the police. The F.B.I. agent managed to obtain partial license plate numbers.In this case the "$5 wrench" technique was applied indirectly. It appears that Chetal and his accomplices were part of the Com, a group that started scamming on Minecraft servers:
Danbury police officers soon located the van. A patrol vehicle activated its emergency lights and tried to make a stop, but the driver of the van accelerated, swerving recklessly through traffic.
About a mile from where the chase began, the driver careered off the road and struck a curb. Four suspects fled on foot. The police found one hiding under a bridge and apprehended him after a brief chase. Within a couple of hours, the other three were located hiding in a wooded area nearby. The police, meanwhile, found the shaken Chetals bound in the back of the van.
In an affidavit from an unrelated case, an F.B.I. agent described the Com as “a geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram to engage in various types of criminal activity.”The kidnappers clearly:
...
When the price of Bitcoin began to rise rapidly in 2017, Com members made an easy shift from Minecraft fraud to crypto theft.
targeted the Chetals to hold them ransom for the money their son had. Independent investigators think that at least one member of the group, Reynaldo (Rey) Diaz, who they say went by the alias Pantic, was a member of the Com; ZachXBT speculates that the thieves might have made themselves targets by sharing stories of their spending with other Com members.
 |
| Source |
On Sept. 10, after a 23-day party spree in Los Angeles, Lam headed to Miami on a private jet with a group of friends. There, he rented multiple homes, including a 10-bedroom, $7.5 million estate. Within a few days, Lam had filled the driveway with more luxury cars, including multiple Lamborghinis, one with the name “Malone” printed on the side.ZachXBT and others were easily able to track Lam's activities on social media:
Malone was filmed wearing a white Moncler jacket and what appeared to be diamond rings and diamond-encrusted sunglasses. He stood up on the table and began showering the crowd with hundred-dollar bills. As money rained down, servers paraded in $1,500 bottles of Champagne topped with sparklers and held up signs that read “@Malone.” He spent $569,528 in one evening alone.According to the authorities Serrano made a mistake:
neglecting to use a VPN when he created an account with TradeOgre, a digital currency exchange, which connected to an I.P. address that was registered to a $47,500-per-month rental home in Encino, Calif. It was leased to Jeandiel Serrano, ... By the time the authorities identified Serrano, he was on vacation in the Maldives with his girlfriend.Lam and others were arrested when:
On Sept. 18, Serrano flew back from the Maldives to Los Angeles International Airport, where the authorities were waiting for him. He was wearing a $500,000 watch at the time of his arrest. ... Serrano admitted that he owned five cars, two of which were gifts from one of his co-conspirators, given to him with proceeds from a previous fraud. He also confessed to having access to approximately $20 million of the victim’s crypto on his phone and agreed to transfer the funds back to the F.B.I.
Later that day, a team of F.B.I. agents working with the Miami police raided a mansion near Miami Shores. Agents blew open the front metal gate while another group entered by boat via a small saltwater canal in the rear. The sound of flashbangs rang in the neighborhood as the agents entered the home.In an instance of synchronicity, while I was writing this Nate Anderson was writing We have reached the “severed fingers and abductions” stage of the crypto revolution:
French gendarmes have been busy policing crypto crimes, but these aren't the usual financial schemes, cons, and HODL! shenanigans one usually reads about. No, these crimes involve abductions, (multiple) severed fingers, and (multiple) people rescued from the trunks of cars—once after being doused with gasoline.Anderson fails to credit Lopp, who has been tracking the problem for more than a decade. He does note the root of the problem:
This previous weekend was particularly nuts, with an older gentleman snatched from the streets of Paris' 14th arrondissement on May 1 by men in ski masks. ... The abducted man was apparently the father of someone who had made a packet in crypto. The kidnappers demanded a multimillion-euro ransom from the man's son.
According to Le Monde, the abducted father was taken to a house in a Parisian suburb, where one of the father's fingers was cut off in the course of ransom negotiations. Police feared "other mutilations" if they were unable to find the man, but they did locate and raid the house this weekend, arresting five people in their 20s.
Or there's the Belgian man who posted online that "his crypto wallet was now worth €1.6 million." His wife was the victim of an attempted abduction within weeks.HODL-ers need to understand that the speed, immutability and (pseudo) anonymity of cryptocurrency transactions eliminates many of the difficulties in applying the "$5 wrench" technique. Once it is known that you (or your son) hold the key to a cryptocurrency wallet with even a few tens of Bitcoin, you (or your son) become a target for theft. You (or your son) should hope that the threat comes from social engineers like Veer Chetal and his accomplices, in which case your loss will be expensive but painless. But, as Jamison Lopp records, it may well come from people like Rey Diaz.
The solution is "security through obscurity". If you (or your son) rarely transact and maintain a modest lifestyle, lacking Lamborghinis and $569,528 bar bills, it isn't likely that your wallet address will be deemed worth deanonymizing. But what is the point of HODL-ing for HODL-ings sake alone? The temptation to "buy the Lambo" is really hard to resist, and the risk seems remote.
8 comments:
The broader picture of cryptocurrency-enabled crime is depressing, too. Michael Tabone's Crypto crime in 2024 likely exceeded $51B, far higher than reported: Chainalysis reports that:
"Crypto crime has entered a professionalized era dominated by AI-driven scams, stablecoin laundering and efficient cyber syndicates, the 2025 “Crypto Crime Report” by Chainalysis reveals, with the past year witnessing a staggering $51 billion in illicit transaction volume — shattering previous records and assumptions.
...
Bitcoin was the currency of choice for cybercriminals for years, but this changed in 2022. The 2025 Chainalysis report shows a seismic shift to stablecoins that now account for 63% of all illicit crypto transactions.
Criminals are abandoning Bitcoin in favor of stablecoins because they offer speed, liquidity and regulatory blind spots that make illicit transactions easier to execute and harder to trace. Unlike Bitcoin, which can experience longer confirmation times, stablecoins provide near-instantaneous transactions and US dollar-pegged stability."
Apart from anything else, that has to be the ugliest Lamborghini ever.
Emily Nicolle catches up with the "wrench attack" trend in aCrypto High-Rollers Go Big on Bodyguards to Deter Kidnappers:
"Even before Coinbase Global Inc. disclosed that hackers had stolen the home addresses and account balances of its customers, Jethro Pijlman was seeing an uptick in interest from concerned clients with large crypto holdings who were looking for bodyguards and other forms of protection.
Pijlman works for an Amsterdam-based firm that provides physical security and intelligence services to cryptocurrency holders who have become worried about the wave of kidnappings that have hit the industry — the most recent of which occurred last week, when assailants tried to abduct the daughter and grandson of a French cryptocurrency executive.
...
Criminals have already used the information to trick some Coinbase customers into handing over access to their accounts or transferring their tokens. As with data leaks from traditional banks, personal information can be used for online fraud and identity theft. But the physical threats are of particular concern to crypto investors, many of whom have long operated anonymously to avoid threats."
And Nicolle credited Jamison Lopp!
Connor Jones reports on the size and the timescale of the deanonymization in Coinbase confirms insiders handed over data of 70K users:
"Coinbase says the data of nearly 70,000 customers was handed over by overseas support staff who were bribed by criminals to give up the goods.
The crypto giant confirmed 69,461 users would be receiving direct communications from the company about the attack in a notification filed with Maine's Attorney General on Tuesday.
According to the filing, the breach took place on December 26, 2024, but wasn't discovered until May 11.
Coinbase publicly acknowledged the attack via a Form 8-K filing with the Securities and Exchange Commission (SEC) on May 15, adding that the crooks behind it tried extorting the company for $20 million."
Issue 84 of Molly White's Citation Needed is Rogue overseas support agents and Molly is all over the Coinbase insider attack:
"Crypto security researchers have been warning for months about Coinbase’s evidently poor security practices and lack of attention to customer complaints, and describing hacks in which victims reported being scammed by attackers who seemed to have access to private Coinbase data [I76]. In February, zachxbt wrote: “Coinbase needs to urgently make changes as more and more users are being scammed for tens of millions every month. ... Coinbase is in a position where they have the power to make these changes and set a good example but they have chosen to do little to nothing.”
According to Coinbase, the data thieves bribed some members of Coinbase’s poorly paid offshore customer support team, who they described as “rogue overseas support agents”, who are reportedly earning less than $5,000 annually. Coinbase’s cybersecurity disclosure filing with the SEC admitted that they had been grappling with this issue for months: “The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities. These instances of such personnel accessing data without business need were independently detected by the Company’s security monitoring in the previous months.” Bloomberg later reported that “the hackers did have near-constant access to some of Coinbase Global Inc.’s most valuable customer data since January”, citing an anonymous source familiar with the incident."
The link to Issue 76 is to Coinbase accused of allowing $300 million a year in social engineering attacks on its customers from 5th February this year, a month after the compromise but 3 months before Coinbase fessed up.
Crypto Investor Charged With Kidnapping and Torturing Man for Weeks by Maia Coleman and Chelsia Rose Marcius illustrates the downsides of buying the Lambo:
"A 37-year-old cryptocurrency investor was charged on Saturday with kidnapping a man and beating, shocking and torturing him for weeks inside a luxury townhouse in downtown Manhattan, all in a scheme to get the man’s Bitcoin password, the authorities said.
The crypto investor, John Woeltz, was taken into custody on Friday after the man managed to escape the townhouse and notify the police.
...
Mr. Woeltz, who is originally from Kentucky, had been renting the eight-bedroom home for at least $30,000 a month, the official said.
But when he arrived at the house, Mr. Woeltz and the “unapprehended male” stole his electronic devices and his passport and demanded that he tell Mr. Woeltz his Bitcoin password so they could steal his cryptocurrency, according to a criminal complaint against Mr. Woeltz.
When the victim refused, the two men took him captive and subjected him to weeks of torture, which included beating him, shocking him with electric wires, hitting him with a gun and pointing the gun at his head. At one point, Mr. Woeltz and his accomplice carried the man to the top of the stairs in the five-story home, suspended him over the ledge and threatened to kill him if he did not give Mr. Woeltz his password, the complaint says."
Chelsia Rose Marcius and Maia Coleman continue their reporting with Another Suspect Is Charged in Bitcoin Kidnapping and Torture Case:
"The police identified the man, who has connections to Switzerland and Miami, as William Duplessie, 33. He spent days negotiating his surrender with the Police Department after the arrest on Friday of two other suspects, according to two law enforcement officials briefed on the matter.
Mr. Duplessie was arraigned in Manhattan Criminal Courthouse on Tuesday night and charged with kidnapping, a crime that carries a maximum sentence of 25 years to life in prison. He was also charged with assault, unlawful imprisonment and criminal possession of a weapon. He was held without bail."
Matt Levine wonders about the wrench attack business model:
"I have not found a ton of information about Woeltz online, and he does not yet seem to have his own crypto treasury company, so I’m not entirely sure what makes him a “cryptocurrency investor.” (Though the New York Post reports that he and an alleged accomplice were “known for dropping $100,000 in a single night partying it up at an exclusive erotic nightclub.”) But I would naively have assumed that if you are renting a NoLIta townhouse you are probably rich enough that you do not need to kidnap and torture people for their Bitcoins. But “behind every great fortune is a crimei,” I guess, and one way to become a crypto investor is to torture some passwords out of other crypto investors."
Post a Comment