Also: US Govt Seeks Return of Hack Funds to Bitfinex; Mango Markets Shuts
Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, BitMEX fined $100M, U.S. federal prosecutors sought return of hacked funds to Bitfinex, Mango Markets shut, a new Web3 attack method was discovered, a pastor was indicted in a “dream” scam, the U.S. Consumer Financial Protection Bureau proposed crypto firms refund hack victims, 2024 crime stats, Wolf Capital co-founder’s guilty plea, Thai Bitcoin miners seized and New York AG’s lawsuit in a job scam.
BitMEX Hit With $100 Million Fine Over Anti-Money Laundering Violations
U.S. authorities fined Bitcoin derivatives exchange BitMEX $100 million following a multi-year legal battle related to violations of anti-money laundering regulations. The firm previously pleaded guilty to violating the Bank Secrecy Act.
BitMEX generated around $1.3 billion in global revenue while disregarding U.S. regulations over five years. BitMEX parent company HDR Global Trading will also face a two-year probationary period.
BitMEX failed between 2015 and 2020 to establish and maintain an adequate anti-money laundering program, as required by the Bank Secrecy Act. The exchange also failed to implement an adequate know-your-customer program and illicitly allowed U.S. users onto its platform. At the time, U.S. users made up about 11.5% of the exchange’s user base.
The fine is separate from another $100 million fine assessed in 2021 by the Commodity Futures Trading Commission and the Financial Crimes Enforcement Network. The agencies alleged similar violations and named several senior executives, including co-founder Arthur Hayes.
US Govt Seeks Return of Hacked Funds to Bitfinex
The U.S. government filed a motion requesting the return of approximately 94,643 BTC and other cryptocurrencies, including Bitcoin Cash and Bitcoin Gold, to Bitfinex. These funds were forfeited following the 2016 Bitfinex hack, in which Ilya Lichtenstein stole 119,754 BTC, enlisting the help of his wife Heather Morgan to launder stolen funds. Bitcoin was then worth $72 million but has jumped in valuation to more than $11.8 billion.
Following the hack, Bitfinex implemented a recovery plan that distributed losses across all accounts, reducing account balances by 36%. Users received BFX tokens, redeemable for fiat losses or iFinex shares. All tokens were redeemed within eight months, meeting government requirements for victim reimbursement. The government in October 2024 acknowledged Bitfinex as the likely reimbursement recipient due to its compensation plan but noted unresolved claims from thousands of affected users. Victims were invited to submit impact statements and legal notices were issued to notify potential claimants.
Mango Markets Has Shuttered Operations
Mango Markets, a decentralized exchange built on the Solana blockchain, wound down its operations following a U.S. Securities and Exchange Commission settlement that required the destruction of its MNGO tokens and their delisting from all exchanges. Mango Markets posted on its X account that “Mango v4 & Boost are winding down,” adding that borrowing on the platform would become economically unfeasible.
Mango Markets faced similar turmoil in an October 2022 exploit by Avraham “Avi” Eisenberg, who drained $110 million after manipulating the price of the MNGO token. Eisenberg was convicted of fraud in April 2024. In September 2024, Mango Markets’ governance DAO reached a settlement with the SEC after being charged with selling unregistered crypto assets and acting as an unregistered broker. Mango Markets’ situation worsened in late 2024 when co-founders and contributors filed a lawsuit over locked MNGO tokens bought from the FTX estate. Mango co-founder Maximilian Schneider said in a Discord announcement in early January that contributors had expressed a desire to stop working on the protocol, leading to the decision to shut down operations.
Attackers Exploit Transaction Simulations to Steal Crypto
Threat actors devised a new tactic called “transaction simulation spoofing” to exploit vulnerabilities in Web3 wallet features, stealing approximately 143.45 Ethereum, worth $460,000, in a single attack, said Scam Sniffer. Transaction simulation allows users to preview the expected outcome of a blockchain transaction before signing it, offering insights into transferred amounts, gas fees and data changes. Attackers lure victims to malicious websites mimicking legitimate platforms. These sites initiate a deceptive “claim” function, which the transaction simulation falsely portrays as rewarding a small amount of ETH. A time delay between the simulation and execution lets attackers modify the on-chain contract state, changing the transaction’s outcome. Unsuspecting victims, trusting the simulation, approve the transaction, allowing attackers to drain their wallets. Security experts at Scam Sniffer advise reducing simulation refresh rates, enforcing updates before critical operations and adding expiration warnings.
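The mitigations described above (forcing a fresh simulation before signing and expiring old previews) can be expressed as a wallet-side check that runs at signing time. This is an added example, not code from Scam Sniffer or any wallet; the toy chain model, the function names and the 15-second expiry are assumptions.

```javascript
// Added example: wallet-side freshness check for a transaction preview.
// The toy chain, function names and MAX_SIM_AGE_MS are assumptions.
const MAX_SIM_AGE_MS = 15000; // assumed lifetime of a preview shown to the user

// Constructed toy state: claim() pays out while claimPayoutWei > 0.
function makeChain() {
  return { block: 100, claimPayoutWei: 1000n };
}

// Dry-run the transaction against current state and report the user's
// net balance change, plus when and at which block it was computed.
function simulate(chain, tx, nowMs) {
  const delta = chain.claimPayoutWei > 0n ? chain.claimPayoutWei : -tx.valueWei;
  return { block: chain.block, takenAt: nowMs, balanceDeltaWei: delta };
}

// Called at the moment the user clicks "sign". `shown` is the preview the
// user actually saw. Signing proceeds only if that preview is still recent
// AND a fresh simulation produces the same outcome.
function checkBeforeSigning(chain, tx, shown, nowMs) {
  if (nowMs - shown.takenAt > MAX_SIM_AGE_MS) {
    return { ok: false, reason: 'expired' };
  }
  const fresh = simulate(chain, tx, nowMs);
  if (fresh.balanceDeltaWei !== shown.balanceDeltaWei) {
    return { ok: false, reason: 'outcome-changed', fresh };
  }
  return { ok: true, reason: 'fresh' };
}

// Walk through the three cases on constructed data.
function demo() {
  const chain = makeChain();
  const tx = { valueWei: 5000n };
  const shown = simulate(chain, tx, 0);
  const results = [checkBeforeSigning(chain, tx, shown, 1000).reason];
  // Contract state changes after the preview was rendered.
  chain.claimPayoutWei = 0n;
  chain.block += 1;
  results.push(checkBeforeSigning(chain, tx, shown, 2000).reason);
  results.push(checkBeforeSigning(chain, tx, shown, 20000).reason);
  return results;
}

console.log(demo()); // [ 'fresh', 'outcome-changed', 'expired' ]
```

In a real wallet the `outcome-changed` and `expired` results would block signing and re-render the preview from the fresh simulation, so the user approves what will actually execute.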
Pastor Indicted in ‘Dream’ Scam
Washington pastor Francier Obando Pinillo, 51, has been indicted on 26 counts of fraud for allegedly orchestrating a cryptocurrency scam that defrauded at least 1,500 investors of $5.9 million between 2021 and 2023. Pinillo exploited his role as a pastor to convince congregation members and others to invest in Solano Fi, a cryptocurrency venture he claimed was revealed to him in a dream and guaranteed high returns with no risk. Promising monthly returns of 34.9%, he directed victims to transfer cryptocurrency to wallets he controlled, which he allegedly used for personal expenses. To expand the scheme, Pinillo created a Facebook page and a Telegram group named Multimillionarios SolanoFi, which attracted 1,500 members. Victims accessed a fraudulent web app displaying fake balances and returns, but withdrawal attempts consistently failed. When confronted, Pinillo cited technical issues or market conditions and even demanded additional payments to “repair” the system. If convicted, he faces up to 20 years in prison.
CFPB Proposes Crypto Firms Refund Hacked Funds to Users
The U.S. Consumer Financial Protection Bureau has proposed a new rule to extend fraud protection to users of cryptocurrency services. The rule would require crypto asset providers to reimburse users for funds lost to hacks or other illicit activities. The CFPB aims to classify crypto assets such as stablecoins and similar fungible tokens used as a medium of exchange under the same consumer protections provided by the Electronic Fund Transfer Act, which currently safeguard fiat bank account transactions against fraud and errors. The proposed rule interprets the term “funds” under EFTA to include assets functioning as money, such as stablecoins or other payment mechanisms. According to the CFPB, this broader definition reflects its market monitoring and legal reasoning.
Crypto Crime Stats for 2024
Global crypto transaction volumes surged to $10.6 trillion last year, a 56% increase from the year before, said TRM Labs. Illicit activities accounted for $45 billion, or 0.4% of total transactions – a 51% decline from the prior year. Sanctions, blocklisted funds and scams were the top drivers of illicit activity, with TRON witnessing the most substantial drop in unlawful transactions. Sanction-related inflows also dropped, largely targeting Russia-linked entities and Middle Eastern groups, though terrorist financing through stablecoins persisted. Fraud volumes fell 40%, driven by fewer Ponzi schemes and financial grooming scams. Ransomware attacks rose, with escalating ransom demands peaking at $75 million in 2024. Hacks also increased by 17%, totaling $2.2 billion, with North Korea responsible for 35% of stolen funds. Drug-related crypto transactions grew by 20%, fueled by decentralized marketplaces and vendor adaptability, despite enforcement efforts.
Wolf Capital Co-Founder Pleads Guilty to Wire Fraud
Travis Ford, the co-founder and head trader of Wolf Capital, pleaded guilty to wire fraud conspiracy charges after raising $9.4 million from 2,800 investors under false pretenses between January and August 2023. The U.S. Department of Justice said that Ford falsely claimed he could generate daily returns of 1-2%, promising an average annual yield of 547%. He attracted investors through Wolf Capital’s website, social media and online promotions but misappropriated the funds for personal gain, leaving investors at a financial loss. The DOJ said Ford admitted that the promised returns were unrealistic and not achievable. His guilty plea carries a maximum penalty of five years in prison. A sentencing date is yet to be announced.
Thai Authorities Seize 996 Bitcoin Miners in Energy Theft Crackdown
Thai police and energy authorities have reportedly confiscated 996 Bitcoin mining devices from JIT Co., a digital asset trading firm based in Thailand, amid allegations of large-scale electricity theft. The raid, conducted by the Crime Suppression Division and the Provincial Electricity Authority, followed suspicions over abnormal energy consumption patterns at the company’s premises, Nation Thailand reported. CSD commander Maj. Gen. Montree Theskhan said the firm tampered with its power meters to mine Bitcoin without paying the associated electricity costs. PEA officials estimate the operation consumed electricity valued at hundreds of millions of baht. A staff member reportedly admitted that the theft occurred at night, while the power meter was used normally during the day to evade detection.
NY Attorney General Seeks to Recover $2.2M in Frozen Stablecoins From Remote Job Scam
New York Attorney General Letitia James has filed a lawsuit to recover $2.2 million in frozen USDT and USDC stablecoins from an alleged network of scammers targeting New Yorkers with fake remote job opportunities. The unidentified scammers used a sophisticated scheme to lure victims by offering remote work, the lawsuit said. Victims were required to deposit stablecoins into scammer-controlled wallets under the pretense of creating “working accounts” necessary for their jobs. The compensation promised in stablecoins was, however, entirely fabricated. Victims named in the lawsuit include individuals who lost over $100,000, such as a hotel receptionist from Nassau County and a teacher from Queens.
A new approach will be used to serve the lawsuit: a non-fungible token airdropped into the scammers’ wallets, directing them to a website containing the legal documents. This method, a first for U.S. regulators, ensures the scammers are notified despite their anonymity.
The lawsuit seeks to recover the frozen funds, legal fees and damages.