Also: Arrests in $232M Scam, Guilty Plea in $73M Pig-Butchering Case
Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, FTX sued to recover money, FTX’s Caroline Ellison began her prison sentence, South Korea arrested hundreds in a $232M scam, a defendant pleaded guilty in a $73M pig-butchering case, BlueNoroff launched a new attack campaign, GodFather malware expanded its scope and WonderFi’s CEO was kidnapped and released after a ransom payment.
FTX Files Lawsuits to Recover Millions
FTX filed lawsuits targeting more than 20 individuals and entities over investments made under ex-CEO Sam Bankman-Fried, seeking to recover millions lost through allegedly irresponsible and exploitative practices.
FTX filed a $1.76 billion lawsuit against Binance and co-founder Changpeng Zhao, seeking to reclaim funds allegedly transferred in a fraudulent deal. The suit said that in July 2021, FTX transferred cryptocurrency worth $1.76 billion to Binance as part of a share buyback. Binance purchased a 20% stake in FTX in 2019, paying with over one million BNB tokens. FTX in 2021 bought back the shares, but the filing claims this repurchase was fraudulent, alleging that its sister company Alameda Research was insolvent and funded the deal using $1 billion of FTX customer deposits. The filing also accuses Zhao of triggering a “bank run” on FTX, leading to its collapse. The suit cites a series of tweets from Zhao in November 2022, which announced Binance’s intention to sell its FTX holdings. The filing argues that these tweets created a market panic, resulting in a massive sell-off that ultimately led to FTX’s downfall.
The company is pursuing over $100 million from Anthony Scaramucci and SkyBridge Capital, alleging that Bankman-Fried funneled money into SkyBridge funds including a $12 million sponsorship for a conference. The suit also targets bitcoin and Solana token sales by SkyBridge that reportedly lacked proper approval. FTX argues the investments provided no meaningful benefit, while Scaramucci’s firm continues to seek a $45 million bankruptcy claim – funds FTX says were previously transferred.
FTX filed a lawsuit identifying Nawaaz Mohammad Meerun as a high-level exploiter, responsible for manipulating its trading platform and gaining over $1 billion. Meerun, who is allegedly linked to organized crime, is alleged to have continued his exploits even after FTX’s collapse, including a governance attack on Compound in June 2024 under the alias Humpy the Whale. FTX seeks to recover hundreds of millions in stolen funds and to block Meerun’s own bankruptcy claim, which totals $13 million.
FTX also invested $25 million into Storybook Brawl, developed by Good Luck Games, a company led by personal connections of Bankman-Fried. Despite never officially launching the game, GLG reportedly received additional funds totaling millions in salaries and bonuses. Following FTX’s bankruptcy, an attempt to repurchase the game failed, and development ceased in April 2023. FTX is attempting to recover over $24 million invested.
FTX is challenging an $11.5 million investment in Bahamian bank Deltec, owned by Jean Chalopin, who allegedly positioned the bank to attract crypto business, branding itself “Moonstone.” Federal authorities seized $50 million of FTX’s funds held by Moonstone, and regulatory violations followed. FTX’s lawsuit aims to recoup its investment, citing the bank’s substantial devaluation.
Alameda Co-CEO Begins Serving 2-Year Prison Sentence
Former co-CEO of Alameda Research Caroline Ellison began a two-year prison sentence at the Federal Correctional Institution Danbury, a low-security facility in Connecticut. Ellison was implicated in the collapse of cryptocurrency exchange FTX, pleading guilty in December 2022 to multiple counts, including conspiracy and wire fraud. She agreed to forfeit around $11 billion as part of her sentencing. She cooperated with prosecutors and testified against FTX ex-CEO Sam Bankman-Fried, saying that he directed her to commit the crimes contributing to the company’s downfall. Ellison disclosed that Alameda Research had unrestricted access to FTX customer funds, which were sometimes routed directly to Alameda’s “fiat@” bank account. Bankman-Fried received a nearly 25-year prison sentence in March for his role and was ordered to repay up to $11 billion to investors and lenders.
Other FTX executives sentenced in connection with the scandal include Nishad Singh, FTX’s former engineering director, who was given supervised release after cooperating with authorities, and former FTX Digital Markets co-CEO Ryan Salame, who began his seven-and-a-half-year sentence last month. FTX co-founder Gary Wang’s sentencing is scheduled for Nov. 20.
South Korea Arrests Hundreds in $232M Scam
South Korean authorities reportedly arrested 215 individuals involved in a cryptocurrency scam ring that defrauded tens of thousands of investors, resulting in losses exceeding 325 billion Korean won, about $232 million. The Gyeonggi Southern Provincial Police Agency identified 12 core members, including the suspected ringleader, who also managed a YouTube channel with over 620,000 subscribers. The scam, which ran from December 2021 to March 2023, targeted victims with promises of “private sale” opportunities and “advanced information” about unlisted cryptocurrencies. The ring sold 28 fraudulent tokens, six of which it had created itself. It listed the self-issued tokens on foreign exchanges and manipulated their prices through market-making teams. Promoters, posing as experienced traders, encouraged investors to make extreme financial commitments, such as selling their homes to invest in the tokens. The group allegedly used the popularity and credibility of its ringleader’s YouTube platform to lure victims. Police apprehended the ringleader, referred to as “A,” after he fled to Australia, and moved to seize around $34 million he holds in a hard wallet.
Guilty Plea in $73M Pig-Butchering Scam
China and St. Kitts and Nevis dual citizen Daren Li pleaded guilty to a charge of conspiracy to commit money laundering in connection with a $73 million pig-butchering cryptocurrency scheme, said the U.S. Department of Justice. The 41-year-old admitted that he and his co-conspirators laundered at least $73.6 million in victim funds by setting up U.S. bank accounts for shell companies, where they converted victim funds into the stablecoin USDT. They transferred funds to crypto wallets controlled by Li and his associates. Although Li orchestrated the operation outside the United States, he was apprehended in April at Hartsfield-Jackson Atlanta International Airport and transferred to the Central District of California. He faces up to 20 years in prison, with sentencing scheduled for March 3.
BlueNoroff Launches macOS-Targeted Campaign on Crypto Businesses
North Korean threat actor BlueNoroff launched a new macOS-targeted attack campaign dubbed Hidden Risk, aimed at crypto businesses. SentinelLabs said the malware uses a multi-stage infection strategy, beginning with phishing emails that share fake cryptocurrency news, made to appear credible by mimicking crypto influencers. The emails link to a malicious app disguised as an academic paper PDF titled “Hidden Risk Behind New Surge of Bitcoin Price.app.” The app, signed with a valid Apple Developer ID later revoked by Apple, opens a decoy PDF while secretly downloading a secondary payload. This malware achieves persistence by exploiting a macOS file to evade detection, an unusual technique first seen in use here. Once installed, it communicates with a command-and-control server, checking every 60 seconds for additional commands to download payloads or exfiltrate data. This approach bypasses the typical alerts macOS issues with LaunchAgent installations, dodging Apple’s persistence-detection security measures.
GodFather Malware Expands Scope
GodFather malware is targeting over 500 banking and cryptocurrency apps globally, said Cyble Research and Intelligence Labs. A variant of the malware incorporates advanced techniques, including native code and minimal permissions, making it harder to detect and more dangerous. One notable tactic involves phishing sites, such as a counterfeit Australian MyGov website that distributes a malicious APK, disguised as the official MyGov app, to steal banking credentials. The fake app, once installed, connects to an external URL to track installations, capture IP addresses, and store data on the attacker’s server. GodFather’s latest version uses the Android Accessibility service to automate gestures, to load injection URLs into WebView and to communicate with its command-and-control server. A shift from Java to native code adds sophisticated malicious capabilities such as keylogging, making the malware harder to analyze. After detecting a target app, the malware shuts down the legitimate app and displays a fake login page, intercepting credentials from unsuspecting users.
Kidnapped WonderFi CEO Released After $1M Ransom Payment
Unknown assailants reportedly kidnapped a Toronto crypto company’s CEO for a $1 million ransom before releasing him. Police said that suspects forced WonderFi CEO Dean Skurka into a vehicle and demanded a $1 million ransom, which the kidnappers received electronically. Police later found Skurka uninjured in a park. In an email, Skurka told clients that WonderFi’s funds and data were not impacted. Security expert Jameson Lopp told the Canadian Broadcasting Corporation that Skurka’s case marks the 171st instance of physical violence targeting crypto holders, with rates correlating to bitcoin’s price, which often increases the appeal of such crimes to criminals.