The FBI arrested scammers who stole $243 million in Bitcoin. What exactly did the scammers do?
The US Federal Bureau of Investigation (FBI) has searched a luxury home in Miami which, according to preliminary information, belongs to a cryptocurrency holder. The raid followed an investigation by a well-known digital asset enthusiast and investigative author writing under the pseudonym ZachXBT into an alleged $243 million heist. Local media covered the raid, though they did not mention the suspects’ connection to crypto activity.
ZachXBT is well known for his frequent investigations into various crypto fraud cases, which have repeatedly led to actual punishment of the perpetrators. The day before, he published on Twitter the results of his analysis of a fresh case. According to him, it may well be considered "one of his best cases ever."
In a nutshell: it concerns scammers who managed to steal 4,064 BTC, equivalent to $243 million, from one of the lenders on the Gemini platform. Both their attack vector and the factors that helped law enforcement get on their trail deserve attention. Cointelegraph journalists covered it in more detail in their piece.
How cryptocurrencies are stolen
According to ZachXBT, the suspects are digital asset users operating under the aliases Greavys (Malone Iam), Wiz (Vir Chetal) and Box (Jandiel Serrano). They carried out a successful social engineering attack in August 2024, which is relatively recent.
The attack itself was carried out in four stages, the author of the investigation notes.
- First, the scammers contacted the victim from a spoofed number, posing as Google Support. This was done to establish the victim’s personal account details.
- They then made another call posing as Gemini Exchange tech support, claiming that the lender’s account had allegedly been hacked.
- Next, the scammers convinced the victim to remove the two-factor authentication (2FA) protection and send the funds to a supposedly “safe address”.
- Finally, they convinced the lender to join a video call via AnyDesk with her screen shared. During it, the victim displayed the private keys to her Bitcoin wallet. This was enough for the fraudsters to gain access to the victim’s wallet and withdraw the digital assets from it.
Most interestingly, the hackers recorded the hacking process, and ZachXBT not only obtained the video but also shared a segment showing the scammers’ reaction to the successful theft of the funds. Here’s a link to the clip.
Then the next stage began: laundering the funds. The author is quoted by The Block.
Initial tracking showed that the $243 million was split among the parties, after which the funds quickly moved to 15+ exchanges and were instantly converted into BTC, LTC, ETH and XMR.
And here’s a list of all the suspects. However, only the first two persons were actively involved in the scheme.
Vir Chetal received a large share of the stolen money, and he doomed himself to arrest by opening the Start menu on his personal computer during the recording, which revealed his real name. In addition, other participants in the conversation repeatedly referred to him as Vir, an important clue for law enforcement agencies.
Chetal’s friend Light/Dark (Aakaash) likewise accidentally revealed his name on the recording. He engaged in money laundering through the eXch and Thorswap trading platforms. The goal in this case is to hide the trail of the embezzled bitcoins by exchanging them for ETH and other digital assets.
Commentators on Twitter emphasised that the hackers were indeed negligent about hiding their own data. Moreover, they used not only their own computers but also personal accounts on various services, which eventually led to their capture.
The user under the pseudonym Greavys began to spend the stolen money quickly, leaving 250-500 thousand dollars a night in nightclubs in Los Angeles and Miami. He also gave expensive gifts to girls, bought luxury cars and bragged about his wealth on Discord. Of course, this is the worst possible tactic for anyone wishing to remain anonymous.
The following screenshot shows the user’s correspondence with a girl he liked. He bought her a pink Lamborghini and wanted to present the car as a future birthday present. However, the girl replied that she already had someone, effectively refusing further communication with him.
Greavys was found through his own Instagram photo. In addition, his friends regularly posted geolocations from nightclub hangouts, which also helped identify the scammer.
The suspect known as Box, who also went by the alias Jeandiel/John, made the calls on behalf of Gemini tech support as part of the scheme. Box uses the same avatar on Discord, Telegram and other platforms, which helped link the different accounts.
A fourth member, Danny Trauma (Danish), was active in the internal Telegram chat as Meech, although his exact role is not immediately clear. What is known is that he has access to several databases of bankrupt platforms, which provides a way to reach wealthy digital asset users.
Box’s ex-girlfriend leaked all his photos on social media, so information about him became public.
The scammers’ slip-ups do not end there: ZachXBT noted that Box and Wiz repeatedly and accidentally showed wallet addresses associated with the transfer of the stolen funds on the recording. That is, even if they had not shown their names, this data alone could have been enough for a successful investigation.
This week, we broke down an advanced scam scheme that allows its operators to make hundreds of thousands of dollars. It was quite difficult to understand the essence of the deception, so we recommend reading the lengthy article to better understand what is going on.
Part of the funds, worth about $9 million, was frozen with the cooperation of the Binance security team and other investigators on the case. More than $500,000 has already been returned to the victim. As a result, Box and Greavys were arrested in Miami and Los Angeles, respectively.
ZachXBT promises to post updates to the story in his Twitter thread as the investigation and other news progresses. Overall, this news is a great example of just how much "free and easy" money there is in crypto for scammers. Even such careless scammers were able to pull off a major scheme and find a sufficiently gullible victim. It is also a reminder of the need to follow the rules of cybersecurity and protect your funds by using hardware wallets.