US authorities today announced criminal charges and financial penalties against two Russian men accused of stealing nearly $ 17 million in virtual currency in a spate of phishing attacks in 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.
The Justice Department unsealed indictments against Russian nationals Danil Potekhin and Dmitirii Karasavidi, alleging the duo were responsible for a sophisticated phishing and money laundering campaign that resulted in the theft of $16.8 million in cryptocurrencies and fiat money from victims.
Separately, the US Department of the Treasury announced economic sanctions against Potekhin and Karasavidi, effectively freezing all property and interests of these individuals under U.S. jurisdiction and making it a crime to transact with them.
According to the indictments, the two set up bogus websites that spoofed the login pages of the cryptocurrency exchanges Binance, Gemini and Poloniex. Armed with the stolen login credentials, the men are said to have taken more than $10 million from 142 Binance victims, $5.24 million from 158 Poloniex users and $1.17 million from 42 Gemini customers.
Prosecutors say the men then laundered the stolen funds through an array of intermediary cryptocurrency accounts, including compromised and fictitiously created accounts, on the targeted cryptocurrency exchange platforms. Further, the two are said to have artificially inflated the value of their ill-gotten gains by manipulating cryptocurrency prices with some of the stolen funds.
For example, investigators alleged that Potekhin and Karasavidi used compromised Poloniex accounts to place purchase orders for large volumes of “GAS”, the digital currency token used to pay the cost of executing transactions on the NEO blockchain – China’s first open source blockchain platform.
“Using digital currency from a victim Poloniex account, they placed a buy order for around 8,000 GAS, immediately raising the market price of GAS from around $18 to $2,400,” the indictment explains.
Potekhin and others then converted the artificially inflated GAS in their own fictitious Poloniex accounts into other cryptocurrencies, including Ethereum (ETH) and Bitcoin (BTC). From the complaint:
“Before the freezing of the eight fictitious Poloniex accounts, POTEKHIN and others transferred around 759 ETH to nine digital currency addresses. In a sophisticated and layered fashion, the ETH from these nine digital currency addresses was sent through multiple intermediary accounts, before ultimately being deposited into a Bitfinex account controlled by Karasavidi.”
The Treasury action today lists several of the cryptocurrency accounts allegedly used by the defendants. Researching some of these accounts on various cryptocurrency transaction tracking sites turns up comments from a number of phishing victims.
“I would like to blow your ass, if you even had the balls to show yourself,” one victim exclaimed, posting a comment on the Etherscan research service.
One victim said he was considering suicide after being deprived of his ETH holdings in a phishing attack in 2017. Another said he had been relieved of funds meant to pay for the medical treatment of a 3-year-old girl.
“You and your team will leave a trail and be found,” wrote one victim using the “Illfindyou” handle. “You will only be able to hide behind the facade for a short time. Go fly to the whales, you shit.”
There is potentially good news for the victims of these phishing attacks. According to the Treasury Department, millions of dollars in virtual currency and US dollars traced to Karasavidi’s account were seized in a forfeiture action by the US Secret Service.
It remains to be seen whether any of these funds can be returned to the victims of this phishing wave, and even if that happens, it could take years. In February 2020, KrebsOnSecurity wrote about being contacted by an Internal Revenue Service investigator seeking to return funds seized seven years earlier in connection with the 2013 government seizure of Liberty Reserve, a virtual currency service that served as a $6 billion hub for the cybercrime world.
Today’s action is the latest indication that the Treasury Department is increasingly willing to use its authority to restrict the financial resources behind various cybercrime activities. Earlier this month, the agency’s Office of Foreign Assets Control (OFAC) added three Russian nationals and a host of cryptocurrency addresses to its sanctions lists in a case involving efforts by Russian online troll farms to influence the 2018 midterm elections.
In June, OFAC took action against six Nigerian nationals suspected of stealing $6 million from U.S. businesses and individuals through business email compromise and romance scams.
And in 2019, OFAC sanctioned 17 individuals allegedly associated with “Evil Corp.,” an Eastern European cybercrime syndicate that stole more than $100 million from small businesses via malware over the course of the last decade.
A copy of the indictments against Potekhin and Karasavidi is available here (PDF).
Tags: Binance, Danil Potekhin, Dmitirii Karasavidi, Ethereum, Gemini, Poloniex, US Justice Department, US Treasury Department