An Indian national has admitted guilt in the U.S. for orchestrating a massive cryptocurrency theft, amounting to over $37 million, through a fake website mimicking the Coinbase cryptocurrency exchange platform.
Details of the Crime
Chirag Tomar, 30, faced charges of wire fraud conspiracy, which carries a potential 20-year prison sentence and a $250,000 fine. His arrest took place on December 20, 2023, upon his arrival in the U.S.
“Tomar and his co-conspirators orchestrated a scheme to steal millions in cryptocurrency from hundreds of victims globally, including those in the Western District of North Carolina,” stated the Department of Justice (DoJ).
The fraudulent website, named “CoinbasePro[.]com,” was created around June 2021, designed to impersonate Coinbase Pro and trick users into thinking they were on the legitimate platform. Coinbase, however, discontinued Coinbase Pro in favor of Advanced Trade in June 2022, completing the transition on November 20, 2023.
Victims who entered their credentials on the counterfeit site had their information stolen. Some were further deceived into granting remote desktop access, allowing criminals to access their real Coinbase accounts.
“The fraudsters also posed as Coinbase customer service representatives, convincing users to divulge their two-factor authentication codes over the phone,” the DoJ noted. “This allowed the criminals to transfer the victims’ cryptocurrency to wallets they controlled.”
Impact on Victims
One significant case highlighted by prosecutors involved a victim from the Western District of North Carolina who lost over $240,000 worth of cryptocurrency after contacting a fake Coinbase representative to supposedly secure their trading account.
Tomar managed multiple cryptocurrency wallets receiving stolen funds, converting them into different cryptocurrencies or transferring them to other wallets, ultimately cashing out to support a lavish lifestyle. This included purchasing luxury watches like Rolex, high-end cars such as Lamborghinis and Porsches, and financing trips to Dubai and Thailand.
Broader Context
This case is part of a larger trend of cybercrime linked to cryptocurrency thefts. In a related development, a special investigation team in Karnataka, India, arrested Srikrishna Ramesh (alias Sriki) and his alleged accomplice Robin Khandelwal for stealing 60.6 bitcoins from Unocoin in 2017.
In the U.S., authorities have also arrested several individuals involved in a scheme to help North Korean IT workers secure remote jobs at over 300 U.S. companies, aiding North Korea’s weapons program in violation of international sanctions. Among the arrested was Oleksandr Didenko, a 27-year-old Ukrainian, accused of creating fake accounts on IT job search platforms.
Didenko ran a now-defunct service, UpWorkSell, which allowed remote IT workers to purchase or rent accounts under false identities on various freelance platforms. According to court documents, he managed about 871 “proxy” identities and provided proxy accounts for several U.S.-based money service transmitters.
North Korean IT Worker Scheme
Didenko’s partner, Christina Marie Chapman, 49, was also arrested for operating a “laptop farm,” hosting multiple laptops for North Korean IT workers to appear as if they were based in the U.S. These workers secured employment at numerous U.S. companies, generating significant revenue and exfiltrating data from at least two companies.
Minh Phuong Vong of Maryland faced charges for conspiring to commit wire fraud. Vong, a Vietnamese national and naturalized U.S. citizen, collaborated with a North Korean individual posing as her to work on a government software development project. While Vong worked at a nail salon, the North Korean used her credentials to access a secure government website.
Government Action and Implications
The DoJ has seized 12 websites used by these IT workers to masquerade as U.S.-based firms, offering services in AI, blockchain, and cloud computing. These efforts are part of a broader strategy by the Workers’ Party of Korea’s Munitions Industry Department to generate revenue for North Korea by evading international sanctions.
“North Korea is bypassing U.S. and U.N. sanctions by targeting private companies to illicitly generate substantial revenue,” stated the FBI in an advisory. North Korean IT workers employ various techniques to hide their identities, including using U.S.-based individuals to fraudulently gain employment and network access.
A Reuters report revealed that North Korean cyber actors have been linked to 97 suspected attacks on cryptocurrency firms between 2017 and 2024, amassing $3.6 billion in illicit profits. These actors laundered $147.5 million stolen from the HTX cryptocurrency exchange through Tornado Cash in March 2024.
The case of Chirag Tomar highlights the growing sophistication of cybercriminals in exploiting the cryptocurrency sector. With international collaboration and increased vigilance, authorities continue to crack down on such fraudulent activities, aiming to protect digital assets and ensure the integrity of financial systems.