Cryptohack Roundup: It’s Raining Crypto Fraud

Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, a guilty plea in $577M fraud scheme, Nigeria sues Binance for $79.5B, charges in a $24M fraud case, a $400K Cardex hack, seizure in BitConnect Ponzi scheme, CluCoin founder sentenced, hacked Phemex funds laundered, Argentine President charged with fraud, new malware affected digital wallets and 2024 romance scam stats.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Estonian nationals Sergei Potapenko and Ivan Turõgin pleaded guilty to orchestrating a $577 million cryptocurrency fraud scheme through their company HashFlare. They falsely claimed between 2015 and 2019 that they were operating a large-scale crypto mining operation, fabricating data on customer dashboards while misusing investor funds to purchase real estate and luxury vehicles. When investors attempted withdrawals, they either refused or used newly acquired virtual currency to pay them. They also launched a fraudulent investment venture Polybius in 2017, raising $25 million for a non-existent virtual bank.

Potapenko and Turõgin laundered funds using shell companies and fake contracts, acquiring 75 properties, luxury cars and crypto wallets. In a plea deal, they agreed to forfeit over $400 million in assets. Arrested in 2022 and extradited to the U.S., they now face up to 20 years in prison.

Nigeria reportedly filed a lawsuit demanding Binance pay $79.5 billion for economic losses allegedly caused by its operations and $2 billion in back taxes. Authorities blame Binance for Nigeria’s currency issues and detained two of its executives in 2024 after crypto platforms became a primary channel for trading the naira. Nigeria’s Federal Inland Revenue Service argues Binance has a “significant economic presence” and must pay corporate income taxes for 2022 and 2023, along with penalties and interest. Binance was already facing tax evasion charges, including non-payment of VAT and corporate income tax, failure to file returns, and allegedly helping customers evade taxes. The company, which halted naira transactions in March 2024, also faces money laundering allegations, which it denies.

U.S. federal prosecutors charged 58-year-old Las Vegas resident Brent Kovar with 12 counts of wire fraud, three counts of mail fraud and three counts of money laundering for his alleged role in a fraudulent cryptocurrency scheme. Kovar owned a company called Profit Connect from late 2017 to July 2021. Prosecutors say he asserted that the firm used AI-powered supercomputers to mine cryptocurrency, promising investors up to a 30% annual return and a 100% money-back guarantee. Kovar instead used investor funds to operate the company, buy real estate and repay earlier investors in a Ponzi-like manner, prosecutors say. He allegedly defrauded more than 400 investors out of $24 million.

Officials said that some victims were misled into believing their investments were FDIC-backed. Kovar faces a jury trial on April 8, and a maximum sentence of 330 years in prison along with a $4.5 million fine.

Layer 2 blockchain Abstract released a post-mortem of a security breach that affected thousands of wallets connected to Cardex, a blockchain-based game on its network. The attack, identified as a “session key hack,” allowed a malicious actor to exploit a compromised session signer wallet shared by all Cardex users. A leaked key in Cardex’s frontend code enabled the attacker to conduct unauthorized transactions, draining $400,000 from 9,000 wallets.

Abstract said that the incident was not a systemic flaw in its Global Wallet or network but stemmed from Cardex mishandling session keys, which grant temporary wallet access for app functionality. To mitigate risks, Abstract advised users to revoke active sessions and announced audits for projects using session keys.

Indian authorities have seized more than $250 million in assets linked to the BitConnect crypto-Ponzi scheme. The Directorate of Enforcement recovered cryptocurrency worth $190 million and an additional $56 million in properties, including a black Lexus. Investigators tracked transactions across multiple crypto wallets, some routed through the dark web, to pinpoint the physical locations of digital devices holding the stolen funds. BitConnect, which promised 40% monthly returns through an alleged trading bot, was exposed as a Ponzi scheme in 2022. While U.S. authorities secured guilty pleas from promoter Glenn Arcaro, founder Satish Kumbhani vanished after leaving India in 2022.

Despite the recent seizures, authorities estimate that BitConnect originally controlled 325,000 Bitcoin, worth around $2 billion at the time, meaning much of the stolen crypto remains unaccounted for. The Indian government has secured the recovered funds but is yet to announce further actions, as international investigations continue.

A U.S. federal judge sentenced the founder of Miami-based CluCoin to two years and three months in prison after pleading guilty to wire fraud. Austin Michael Taylor will also pay $1.14 million in restitution and asset forfeiture.

Taylor admitted to misusing funds intended for CluCoin activities to fuel his online gambling addiction. Starting in 2022, he repeatedly diverted investor money for personal gambling losses. Using his social media following, Taylor promoted CluCoin’s ICO with promises of a charitable focus. After launching the CLU token on BNB Chain in 2021, he expanded into NFTs, play-to-earn gaming, and the metaverse. He also hosted NFTCon to attract more investment. Taylor in early 2023 publicly confessed to losing investor funds to gambling.

At its peak, CluCoin had a $17 million market cap, now reduced to $54,133. Taylor, who initially faced up to 20 years in prison, requested leniency due to his veteran status.

Blockchain data shows that stolen funds from January’s $85 million Phemex hack are being laundered through various onchain services. Hackers on Wednesday began splitting up funds, transferring more than 2,080 ETH or $6 million to 14 new addresses before sending some assets to crypto mixer Tornado Cash. Swiss blockchain analytics firm Global Ledger reported that the attackers used complex transaction patterns, including cross-chain token bridges like Across Protocol, multiple mixers such as eXch and Tornado Cash, and trading platforms like THORChain and DLN Trade to obfuscate their movements. Some funds also flowed to custodial platforms such as OKX and CoinEx, likely for cashing out.

Phemex has resumed trading and enhanced security by shifting funds into cold storage. Analysts, including security researcher SomaXBT.eth, suggest the attack bears hallmarks of North Korean cybercriminals.

Argentinian lawyers have reportedly charged President Javier Milei with fraud over his involvement in the $LIBRA token project, which collapsed by 95% after his endorsement. The lawsuit, led by economist Claudio Lozano and lawyer Jonatan Baldiviezo, alleges Milei’s role was “essential” in misleading investors. While Milei denies prior knowledge of the project, his administration has launched its own investigation.

$LIBRA advisor Hayden Davis blamed the token’s crash on Milei’s sudden withdrawal of support. But blockchain data suggests insiders had already cashed out $107 million before Milei’s reversal. Davis now claims he will reinvest “as much as $100 million” into the project.

A new variant of the XCSSET macOS malware has surfaced, targeting sensitive user data, including digital wallets and Apple’s Notes app. Microsoft researchers uncovered the updated strain, which features enhanced code obfuscation, improved persistence techniques and new infection strategies. The malware, typically spread through infected Xcode projects, now uses two persistence mechanisms – zshrc modifications and a signed dockutil tool – to execute its payload stealthily. By embedding itself in Xcode projects, XCSSET can compromise developers and spread across multiple Apple platforms. The malware exfiltrates credentials, chat data, browser information and system files. Microsoft advises developers to scrutinize Xcode projects sourced from unofficial repositories to mitigate infection risks.

Romance scams raked in nearly 40% more illicit revenue in 2024, with deposits into scam wallets skyrocketing 210%, said Chainalysis. Scammers are evolving, now luring victims through fake work-from-home offers alongside traditional romance scams. Despite more victims, the average deposit per scam fell 55%, signaling a shift in strategy. Scammers increasingly use Huione Guarantee, a shadow P2P platform linked to laundering illicit funds. Since 2021, Huione has processed $70 billion, with AI-powered scam services growing 1,900% last year.