Anatomy of a Heist: Dissecting the $240 Million Social Engineering Attack
With over a decade in the digital asset space as a coder, participant, and educator, I’ve witnessed countless exploits and rug-pulls, but recently we’ve experienced one of the largest yet — perpetrated by a group of hackers on U.S. soil who displayed surprisingly limited technical competence. It’s a stark reminder of how even unsophisticated actors can cause major disruptions in the crypto world.
International hacking groups are increasingly common, with the North Korean-linked Lazarus Group notorious for large-scale cyber thefts, including the 2014 Sony Pictures hack and the $620 million Axie Infinity breach in 2022. Lazarus uses phishing and malware to infiltrate crypto platforms, funding North Korea’s nuclear program, while its subgroup APT38 focuses on financial thefts from banks using malware like FASTCash. Other groups like Russia’s Conti and Fancy Bear also target cryptocurrency exchanges through ransomware attacks and espionage.
Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) executed a social engineering attack last month, stealing around $240M from a single individual.
Social engineering is the manipulation of people into divulging confidential information or performing actions that compromise security, typically through deceptive techniques like phishing or impersonation.
Here’s how the social engineering attack unfolded:
1) The attackers called the victim posing as Google Support using a spoofed number, tricking them into compromising their personal accounts.
2) They followed up by calling again, this time pretending to be from Gemini support, claiming the victim's account was hacked.
3) They manipulated the victim into resetting their two-factor authentication (2FA) and transferring their Gemini funds to a compromised wallet.
4) Finally, they convinced the victim to use AnyDesk for screen sharing, allowing the attackers to access and leak private keys from the victim's Bitcoin Core wallet.
After successfully landing the ultimate "whale," their euphoric celebration is something straight out of a movie—a delirious thrill that captures the audacity and scale of their heist.
Telegram is the preferred communication tool, offering a level of anonymity that even the Kremlin has struggled to breach. Many crypto developers in the U.S. are aware that their Initial Coin Offerings or other crypto activities could violate securities laws, so that anonymity lets them obscure their identities. The result is an environment in which they can operate without fear of consequences, which often leads to a fluid sense of morality.
Crypto investigator ZachXBT has carried out vital investigations that greatly benefit law enforcement efforts. His meticulous and thorough approach to uncovering fraud and misconduct in the cryptocurrency space provides invaluable insights, allowing authorities to better understand complex cases. By shedding light on these issues, ZachXBT helps streamline the investigative process, making it easier for law enforcement to take action against financial crime.
These hackers were careless, revealing their identities during screen shares that could be traced back to their social media accounts. Their extravagant spending of stolen funds included purchasing over ten cars and partying in clubs in LA and Miami, where they would drop between $250,000 and $500,000 per night. They even gifted Birkin bags to women, which range from $10,000 to $2 million—a gesture likely to earn them a favorable response from any young woman they approached.
Driving a pink Lamborghini and flaunting extravagant jewelry at the club is the antithesis of discretion. Authorities are certainly monitoring such displays of opulence, not to commend you for your success, but to question how you earned your money and ensure that all taxes have been paid. At worst, they aim to trace every dollar spent.
While I acknowledge the advantages of cryptocurrency payment rails for global commerce, the ecosystem is still too vulnerable for me to confidently recommend that my parents create a MetaMask wallet. I typically guide people toward centralized exchanges like Coinbase for additional layers of security, although it's important to remember that if someone falls victim to social engineering, Coinbase may not be able to help.
I’ve also noticed that more institutional investors are turning to custodians like BitGo, which offer Lloyd’s of London coverage against exploits, providing reassurance that their investments won’t disappear. From my experience, many reported “hacks” of crypto projects or funds are often insider jobs, with partners pretending to be victims before making a swift exit to places like Belize—or even arranging for a distant hospital to issue a death certificate so they can start anew.
While phone number spoofing attacks are frustrating due to the ability to mask any number, I’ve also encountered exploits from domain hijacking. In these cases, you may be typing the correct domain name of a project only to find yourself on a phishing site, which prompts you for an authentication step that could grant them full access to your crypto wallet. Given these vulnerabilities, I firmly believe that projects offering secure wallets will prevail as the internet continues to be rife with threats.
For techies over 40, like me, it’s reminiscent of the early AOL days when people were reluctant to venture beyond the safe confines of the AOL interface.
I believe we’ll see a similar trend in the crypto space, where users will prefer a comprehensive experience within a single wallet or platform, granting that platform the same level of influence as Apple has with its App Store to set terms. - Robert Mowry
The perceived risks of diving into the open sea of unregulated options will outweigh the benefits, leading people to stick with familiar interfaces like MetaMask, Coinbase, Binance, or their preferred wallet.
It's already happening: MetaMask reportedly generated approximately $1 billion in revenue from crypto swaps in 2022, a feature that lets you exchange one compatible crypto for another in two clicks.
The recent high-profile hacks in the cryptocurrency space underscore the urgent need for enhanced security measures and user education to protect against the exploitation of both technology and human vulnerabilities. That said, user adoption will truly scale only if cryptocurrency becomes more approachable, safe, and accessible, as these exploits and social engineering attacks illustrate the double-edged sword of anonymity.