Theft of $37 million of cryptocurrency by an Indian national

An Indian citizen has pleaded guilty in the U.S. to charges of stealing more than $37 million by setting up a website that imitated the Coinbase cryptocurrency exchange platform. Chirag Tomar, 30, pleaded guilty to a wire fraud scheme, which carries a maximum sentence of 20 years in prison and a $250,000 fine. He was arrested on December 20, 2023, upon entering the country.

"Tomar and his co-conspirators engaged in a scheme to rob millions in cryptocurrency from hundreds of sufferers found worldwide and in the United States, including in the Western District of North Carolina," the Department of Justice (DoJ) said last week. The website, set up around June 2021, was called "CoinbasePro[.]com" to masquerade as Coinbase Pro and deceive unsuspecting users into believing that they were accessing the legitimate version of the virtual currency exchange.

It's worth noting that Coinbase discontinued the offering in favor of Advanced Trade in June 2022. The phased migration of Coinbase Pro customers to Coinbase Advanced was completed on November 20, 2023. Victims who entered their credentials on the spoofed site had their login data stolen by the fraudsters, and in some cases were tricked into granting remote desktop access that allowed the criminal actors to gain access to their legitimate Coinbase accounts.

"The fraudsters also simulated Coinbase customer service agents and duped the users into supplying their two-factor authentication codes to the fraudsters over the phone," the DoJ stated. "Once the fraudsters acquired access to the victims' Coinbase accounts, the fraudsters quickly transferred the victims' Coinbase cryptocurrency holdings to cryptocurrency wallets under the fraudsters' power."

In one example highlighted by the prosecutors, an unnamed victim located in the Western District of North Carolina had more than $240,000 worth of cryptocurrency stolen in this way after they were tricked into reaching a fake Coinbase representative to regain access to their trading account. Tomar is believed to have controlled several cryptocurrency wallets that received stolen funds totaling tens of millions of dollars, which were subsequently converted into other forms of cryptocurrency or moved to other wallets and eventually cashed out to fund a lavish lifestyle.

This included expensive watches from brands like Rolex, luxury cars such as Lamborghinis and Porsches, and several trips to Dubai and Thailand.

The development comes as a special investigation team (SIT) attached to the Criminal Investigation Department (CID) in the Indian state of Karnataka arrested Srikrishna Ramesh (aka Sriki) and his alleged co-conspirator Robin Khandelwal for stealing 60.6 bitcoins from a crypto exchange firm called Unocoin in 2017.

North Korea's IT Freelance Army has taken action against the U.S.

It also follows a recent wave of arrests in the U.S. in connection with an elaborate multi-year scheme designed to help North Korea-linked IT workers obtain remote-work jobs at more than 300 U.S. companies and advance the country's weapons of mass destruction program in violation of international sanctions. Among the parties identified is 27-year-old Ukrainian national Oleksandr Didenko, who is accused of creating fake accounts on U.S. IT job search platforms and selling them to overseas IT workers so they could gain employment.

He is also said to have used a now-dismantled service named UpWorkSell that advertised the "capacity for small IT employees to purchase or lease accounts in the phrase of uniqueness other than their own on different online freelance IT job tracking media." According to the affidavit supporting the complaint, Didenko created about 871 "proxy" identities, supplied proxy accounts for three freelance U.S. IT hiring platforms, and offered proxy accounts for three other U.S.-based money service transmitters.

Didenko's partner-in-crime, Christina Marie Chapman, 49, has also been arrested for running what's called a "laptop farm" by hosting numerous laptops at her home for North Korean IT workers, giving the impression that they were in the U.S. while applying for remote jobs in the country. "The intrigue [...] resulted in at least $6.8 million of income to be generated for the overseas IT employees," the charges against Chapman stated, adding that the workers landed jobs at multiple blue-chip U.S. companies and exfiltrated data from at least two of them, including an international restaurant chain and a traditional American clothing brand.

Charges have also been filed against Minh Phuong Vong of Maryland, a Vietnamese national and a naturalized U.S. citizen, for conspiring with an unnamed party to commit wire fraud by obtaining employment at U.S.-based companies when, in fact, remote IT worker(s) located in China were posing as Vong to work on a government software development project. There are indications that the second person, who is referred to as "John Doe," is North Korean and works as a software developer in Shenyang, China.

"Vong [...] did not perform software effect work," the DoJ stated. "Instead, Vong operated at a nail salon in Bowie, Maryland, while an individual or people found in China used Vong's access credentials to link to a protected government website, perform the software development work, and attend traditional online business arrangements."

In tandem, the DoJ said it took control of as many as 12 websites that were operated by the IT workers to secure remote contract work by masquerading as U.S.-based IT services companies offering artificial intelligence, blockchain, and cloud computing solutions. As previously disclosed in court documents late last year, these IT workers, part of the Workers' Party of Korea's Munitions Industry Department, are known to be sent to countries like China and Russia, from where they are hired as freelancers with the ultimate goal of generating revenue for the hermit kingdom.

"North Korea is avoiding U.S. and U.N. sanctions by targeting personal businesses to illicitly generate substantial income for the government," the U.S. Federal Bureau of Investigation (FBI) declared in an advisory. "North Korean IT employees use a variety of strategies to obscure their uniqueness, including leveraging U.S.-based people, both witting and unwitting, to achieve dishonest work and access to U.S. business networks to generate this income."

A recent report from Reuters showed that North Korean threat actors have been linked to 97 suspected cyber attacks on cryptocurrency companies between 2017 and 2024, netting them $3.6 billion in illicit gains. This includes an estimated $147.5 million stolen in the HTX cryptocurrency exchange hack last year, which the adversaries laundered via the virtual currency platform Tornado Cash in March 2024.