Cryptohack Roundup: 2024’s Biggest Heist

Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, hackers stole $112.5M from Ripple co-founder, the U.S. courts saw guilty pleas in three crypto-related cases and handed out sentencing in two, Finnish feds reportedly traced “untraceable” monero, no revival for FTX , Somesing hacked for $11.5M, Ozys may have a rogue CISO, Germany may have made its largest crypto seizure and Mexican crypto firms see RAT attack.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Ripple co-founder Chris Larsen divulged that $112.5 million had been stolen from his personal accounts, temporarily causing a dip in his company’s XRP token value. Crypto sleuth ZachXBT originally reported the theft. Initially thought to be a company hack, Ripple later clarified that it was a personal attack. The hacker transferred the stolen funds through multiple exchanges, but law enforcement has since frozen the accounts. This is the largest crypto hack of 2024 – so far.

The U.S. Department of Justice announced charges and guilty pleas in a $1.89 billion cryptocurrency fraud scam. Australian citizen Sam Lee, 35, of Dubai, has been charged with allegedly co-founding HyperFund. Rodney Burton, 54, of Miami, and Brenda Chunga, 43, of Severna Park, Maryland, allegedly promoted the scam fund. The defendants allegedly defrauded investors by falsely claiming substantial returns from nonexistent cryptocurrency mining operations, the indictment says. Between June 2020 and Nov. 2022, Lee and his co-conspirators offered investment contracts, promising daily passive rewards, it says.

Prosecutors said HyperFund lacked the claimed large-scale crypto mining operations and began to block investor withdrawals in July 2021. Lee faces conspiracy charges with a maximum five-year prison penalty, Burton faces charges for operating an unlicensed money-transmitting business, and Chunga pleaded guilty to conspiracy with a maximum penalty of five years in prison. Chunga is set to be sentenced on May 1.

The Securities and Exchange Commission filed a separate lawsuit against Lee and Chunga for violating the anti-fraud and registration provisions of the federal securities laws. The agency seeks permanent injunctive relief and conduct-based injunctions to prevent the defendants from participating in multilevel marketing or crypto asset offerings, disgorgement of ill-gotten gains, prejudgment interest and civil penalties. Chunga agreed to settle, and the agency will litigate the charges against Lee.

Indian national Banmeet Singh, 40, pleaded guilty in federal court to running a dark web narcotics conspiracy that distributed controlled substances in the United States, establishing a multimillion-dollar drug enterprise. The case involves the largest single cryptocurrency and cash seizure in DEA history. Singh forfeited accounts worth $150 million. He created vendor sites on dark web marketplaces, including Silk Road and Alpha Bay, and sold substances such as fentanyl and LSD. Operating from 2012 to July 2017, Singh controlled distribution cells in multiple U.S. states and international locations. Authorities arrested him in London in 2019, and British courts approved his extradition to the United States in 2023. Singh is one of eight people convicted in connection to the drug trafficking organization.

Niselio Barros Garcia Jr., a 50-year-old man from Florida, pleaded guilty in federal court to money laundering. He played a key role in channeling the proceeds of scams targeting American consumers and businesses to co-conspirators in Nigeria. Garcia provided bank accounts to accomplices for receiving funds from romance scams, business email compromises and other fraudulent schemes. Using a cryptocurrency exchange, he concealed and transferred over $2.3 million in bitcoin to co-conspirators and earned significant fees. Garcia is set to be sentenced on April 23 and faces a maximum penalty of 20 years in prison. Four other defendants implicated in the scheme are still at large.

Lawyer Mark Scott was convicted of bank fraud and money laundering in connection with the OneCoin digital asset scam and faces a sentence of 10 years in federal prison. Judge Edgardo Ramos of the U.S. District Court for the Southern District of New York found Scott guilty of conspiring to commit money laundering and bank fraud in 2019, and prosecutors sought a minimum sentence of 17 years. Scott’s defense recommended a five-year sentence. Fraudulent digital asset OneCoin began operating in 2014 and was responsible for more than $4 billion in investor losses. Scott joined OneCoin in 2015, laundered around $400 million and allegedly pocketed $50 million. His lawyers intend to request bail pending an appeal of the sentencing. OneCoin co-founder Karl Greenwood received a 20-year prison sentence in September. OneCoin co-founder Ruja Ignatova – “Cryptoqueen,” remains at large.

Portland resident Daniel James Junk, 22, will spend 72 months in federal prison for his involvement in a conspiracy to steal millions of dollars in cryptocurrency using SIM swaps. The scam involves taking over victims’ cellphone accounts and using that access to obtain sensitive personal information. From December 2019 to March 2022, Junk participated in an online fraud scam in which he engaged in SIM swapping to steal from victims’ cryptocurrency exchange accounts. He was part of an online SIM-swapping community and played various roles in executing the scam, including finding victims, porting phone numbers and physically possessing phones for the swap.

The FBI executed a search warrant on Junk’s apartment in March 2022, and seized electronic equipment and 71 bitcoins worth around $3 million. Two months later, Junk surrendered an additional 33 bitcoins worth approximately $1 million. In January 2024, while Junk was awaiting sentencing, law enforcement found additional evidence of fraud that led to his release revocation and custody pending sentencing. Junk was ordered to pay over $3 million in restitution to his victims.

Aleksanteri Kivimäki, the alleged perpetrator of a hack and leak attack on Finland’s now-defunct Vastaamo psychotherapy clinic, was reportedly identified by tracing supposedly untraceable monero transactions, according to local media. In 2018, Vastaamo suffered a breach and the hacker demanded 40 bitcoins worth $450,000 to not release stolen patient records. After failed extortion attempts, the hacker turned to individual patients, asking for up to 500 euros in bitcoin to delete their records. Finnish investigators, with the assistance of the Binance crypto exchange, tracked payments to Kivimäki, who allegedly exchanged the funds for monero and then back to bitcoin.

Despite monero’s privacy features, investigators claim heuristic analysis based on patterns and probabilities enabled them to trace the most likely path of the funds. Kivimäki faces charges of data breach, attempted blackmail, dissemination of private information and extortion, and a prosecutor is demanding a seven-year imprisonment sentence. Kivimäki denies the allegations. The methods used for tracing monero transactions remain undisclosed to protect investigative techniques (see: Prosecutors Add to Evidence Against Alleged Vastaamo Hacker).

Bankrupt cryptocurrency exchange FTX reportedly abandoned plans to restart the company, due to a lack of interested buyers – despite having valuable customer data to monetize. FTX lawyer Andrew Dietderich said during a hearing that the company intends to repay its former customers in full as they potentially have sufficient funds to pay all allowed customer and creditor claims, The Block reported. FTX, which had been led by now-imprisoned CEO Sam Bankman-Fried, filed for bankruptcy in late 2022. Bankman-Fried was found guilty of defrauding customers, lenders and investors.

South Korean blockchain-based social karaoke platform Somesing experienced a security breach on Saturday that resulted in the loss of 730 million of its native token SSX, equivalent to $11.58 million. The compromised amount includes 504 million undistributed SSX tokens planned for circulation by 2025 and 226 million SSX tokens held by the Somesing Foundation that were already in circulation. Somesing reported the incident to the National Police Agency and asked major South Korean crypto exchanges – including Upbit, Bithumb and Coinone – to suspend deposit and withdraw services for SSX.

South Korean blockchain technology company Ozys accused its former CISO of deliberately weakening the company’s firewall before an $81.5 million hack on its cross-chain protocol, Orbit Bridge. It did not disclose the ex-employee’s name but said it had filed a lawsuit for damages and requested a police investigation into the former CISO’s potential involvement in the hack, local media reported. The company alleges the former CISO made changes to the internal firewall on Nov. 22, two days after submitting a voluntary resignation request. The individual left the company on Dec. 6 without notifying Ozys about the security settings changes, which the company discovered on Jan. 10. On Jan. 1, an unidentified user sent $50 million in stablecoins, 231 wrapped bitcoin and 9,500 ethereum from Orbit Bridge to eight new wallets. Ozys is also investigating the potential involvement of the North Korea-backed Lazarus Group.

German law enforcement seized 50,000 bitcoins, valued at around $2.1 billion, that allegedly had been earned through the operation of an illegal movie streaming website. This seizure could be the largest crypto confiscation by German authorities. The suspect, associated with the movie streaming website identified as Movie2k, voluntarily transferred the bitcoins to the Federal Criminal Police Office’s wallet to compensate for the damage caused. The seized funds will remain in the police agency’s crypto account until a court determines their use.

Movie2k, active from 2008 to 2013, was one of Germany’s most-visited websites and distributed over 880,000 copies of pirated films. Two suspects, a 40-year-old German citizen and a 37-year-old Polish citizen, are believed to have acquired the bitcoin with revenues from the website. One of the operators, a Berlin-based programmer and real estate entrepreneur, cooperated with the police and has been in custody since November 2019. The second operator’s whereabouts are unknown. The ongoing investigation, assisted by the U.S. FBI, focuses on illegal sharing of copyrighted work and money laundering.

Blackberry’s research and intelligence division identified a financially motivated attacker targeting high-net-worth Mexican cryptocurrency exchanges and banks. The attack involves using the AllaKore remote access Trojan, an open-source tool designed to steal sensitive user information from banks and crypto trading services. The tool is installed in company-run computers and databases and often evades suspicion by using official naming schemes and links.

The attackers primarily target large companies with gross revenues exceeding $100 million and report directly to the Mexican Social Security Institute. They are traced back to Mexico Starlink IP addresses, and the use of Spanish-language instructions in the RAT payload suggests a Latin American-based threat actor. The newer iterations of AllaKore RAT use a more complex installation process and confirm Mexico as the victim’s location before execution. The threat extends beyond banks and crypto services, targeting large Mexican corporations across sectors.