16 Sep 20

Two Russians Charged in $17M Cryptocurrency Phishing Spree

U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.


The Justice Department unsealed indictments against Russian nationals Danil Potekhin and Dmitrii Karasavidi, alleging the duo was responsible for a sophisticated phishing and money laundering campaign that resulted in the theft of $16.8 million in cryptocurrencies and fiat money from victims.

Separately, the U.S. Treasury Department announced economic sanctions against Potekhin and Karasavidi, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

According to the indictments, the two men set up fake websites that spoofed login pages for the currency exchanges Binance, Gemini and Poloniex. Armed with stolen login credentials, the men allegedly stole more than $10 million from 142 Binance victims, $5.24 million from 158 Poloniex users, and $1.17 million from 42 Gemini customers.

Prosecutors say the men then laundered the stolen funds through an array of intermediary cryptocurrency accounts — including compromised and fictitiously created accounts — on the targeted cryptocurrency exchange platforms. In addition, the two are alleged to have artificially inflated the value of their ill-gotten gains by engaging in cryptocurrency price manipulation using some of the stolen funds.

For example, investigators alleged Potekhin and Karasavidi used compromised Poloniex accounts to place orders to purchase large volumes of “GAS,” the digital currency token used to pay the cost of executing transactions on the NEO blockchain — China’s first open source blockchain platform.

“Using digital currency in one victim Poloniex account, they placed an order to purchase approximately 8,000 GAS, thereby immediately increasing the market price of GAS from approximately $18 to $2,400,” the indictment explains.

Potekhin and others then converted the artificially inflated GAS in their own fictitious Poloniex accounts into other cryptocurrencies, including Ethereum (ETH) and Bitcoin (BTC). From the complaint:

“Before the Eight Fictitious Poloniex Accounts were frozen, POTEKHIN and others transferred approximately 759 ETH to nine digital currency addresses. Through a sophisticated and layered manner, the ETH from these nine digital currency addresses was sent through multiple intermediary accounts, before ultimately being deposited into a Bitfinex account controlled by Karasavidi.”
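The mechanism the indictment describes (a compromised account market-buys a thinly traded token, sweeping sell orders that the attacker's own fictitious accounts have rested far above the prevailing price, so the "inflated" price is realized as proceeds in accounts the attacker controls) is easier to see in a small order-book simulation. The following is an added example, not code from the article or the indictment; the order sizes, resting prices and account names are constructed for illustration and are not the actual Poloniex order flow. The only figures taken from the page are the token, the 8,000 GAS market order and the $18 to $2,400 move. It also includes a surveillance check an exchange could run on each market order: flag fills whose last price jumps more than a threshold and whose notional lands mostly on asks that were resting far from market before the order arrived.

```python
"""Stylized simulation of cross-account price manipulation on a thin order book.

Constructed example: one victim account, three attacker-controlled "fictitious"
accounts and a handful of legitimate resting asks. Ask side only, which is all
that is needed to show how a single market buy walks the book.
"""
from bisect import insort
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(order=True)
class Ask:
    price: Decimal
    seq: int                               # arrival order; breaks ties at equal price
    owner: str = field(compare=False)
    qty: Decimal = field(compare=False)


@dataclass
class Fill:
    buyer: str
    seller: str
    price: Decimal
    qty: Decimal


class OrderBook:
    def __init__(self) -> None:
        self.asks: List[Ask] = []          # kept sorted: best (lowest) ask first
        self._seq = 0

    def add_ask(self, owner: str, price: str, qty: str) -> None:
        self._seq += 1
        insort(self.asks, Ask(Decimal(price), self._seq, owner, Decimal(qty)))

    def best_ask(self) -> Optional[Decimal]:
        return self.asks[0].price if self.asks else None

    def market_buy(self, buyer: str, qty: str) -> List[Fill]:
        """Consume resting asks from the best price upward until qty is filled."""
        remaining = Decimal(qty)
        fills: List[Fill] = []
        while remaining > 0 and self.asks:
            ask = self.asks[0]
            take = min(remaining, ask.qty)
            fills.append(Fill(buyer, ask.owner, ask.price, take))
            ask.qty -= take
            remaining -= take
            if ask.qty == 0:
                self.asks.pop(0)
        return fills


def notional_by_seller(fills: List[Fill]) -> Dict[str, Decimal]:
    out: Dict[str, Decimal] = {}
    for f in fills:
        out[f.seller] = out.get(f.seller, Decimal(0)) + f.price * f.qty
    return out


def far_from_market_share(fills: List[Fill], ref_price: Decimal,
                          multiple: Decimal = Decimal("5")) -> Decimal:
    """Fraction of the order's notional that hit asks resting > multiple x ref_price."""
    total = sum(f.price * f.qty for f in fills)
    far = sum(f.price * f.qty for f in fills if f.price > ref_price * multiple)
    return far / total if total else Decimal(0)


def looks_manipulated(fills: List[Fill], ref_price: Decimal,
                      max_impact: Decimal = Decimal("0.5"),
                      max_far_share: Decimal = Decimal("0.5")) -> bool:
    """Surveillance heuristic (assumed thresholds): a single order that moves the last
    price by more than max_impact AND fills mostly against far-from-market asks."""
    if not fills:
        return False
    impact = (fills[-1].price - ref_price) / ref_price
    return impact > max_impact and far_from_market_share(fills, ref_price) > max_far_share


ATTACKER_ACCOUNTS = {"fict-1", "fict-2", "fict-3"}   # constructed names


def legit_book() -> OrderBook:
    book = OrderBook()                                 # constructed thin ask side near $18
    book.add_ask("trader-a", "18", "500")
    book.add_ask("trader-b", "19", "300")
    book.add_ask("trader-c", "21", "200")
    return book


def run_manipulation() -> Dict[str, object]:
    book = legit_book()
    book.add_ask("fict-1", "100", "2000")              # attacker's accounts rest asks
    book.add_ask("fict-2", "500", "2000")              # far above the market, waiting
    book.add_ask("fict-3", "2400", "3000")             # for the victim's order to sweep them
    before = book.best_ask()
    fills = book.market_buy("victim", "8000")          # the compromised account's order
    sellers = notional_by_seller(fills)
    return {
        "price_before": before,
        "price_after": fills[-1].price,
        "victim_cost": sum(f.price * f.qty for f in fills),
        "attacker_proceeds": sum(v for k, v in sellers.items() if k in ATTACKER_ACCOUNTS),
        "flagged": looks_manipulated(fills, before),
    }


def run_baseline() -> Dict[str, object]:
    """Same book without attacker asks; an ordinary market buy should not be flagged."""
    book = legit_book()
    before = book.best_ask()
    fills = book.market_buy("trader-d", "800")
    return {"price_after": fills[-1].price, "flagged": looks_manipulated(fills, before)}


if __name__ == "__main__":
    print(run_manipulation())
    print(run_baseline())
```

In the constructed scenario the victim's single 8,000 GAS order fills entirely, the last traded price prints as 2,400, and all but $18,900 of the roughly $8.4M notional lands in the three attacker accounts; the baseline buy moves the price from 18 to 19 and is not flagged. The heuristic thresholds are assumptions for illustration; a real surveillance system would also link the selling accounts through KYC, device and funding-source data rather than rely on price distance alone.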

The Treasury’s action today lists several of the cryptocurrency accounts thought to have been used by the defendants. Searching on some of those accounts at various cryptocurrency transaction tracking sites points to a number of phishing victims.

“I would like to blow your bitch ass away, if you even had the balls to show yourself,” exclaimed one victim, posting in a comment on the Etherscan lookup service.

One victim said he contemplated suicide after being robbed of his ETH holdings in a 2017 phishing attack. Another said he’d been relieved of funds needed to pay for his 3-year-old daughter’s medical treatment.

“You and your team will leave a trail and will be found,” wrote one victim, using the handle ‘Illfindyou.’ “You’ll only be able to hide behind the facade for a short while. Go steal from whales you piece of shit.”

There is potentially some good news for victims of these phishing attacks. According to the Treasury Department, millions of dollars in virtual currency and U.S. dollars traced to Karasavidi’s account were seized in a forfeiture action by the United States Secret Service.

Whether any of those funds can be returned to victims of this phishing spree remains to be seen. And assuming that does happen, it could take years. In February 2020, KrebsOnSecurity wrote about being contacted by an Internal Revenue Service investigator seeking to return funds seized seven years earlier as part of the government’s 2013 seizure of Liberty Reserve, a virtual currency service that acted as a $6 billion hub for the cybercrime world.

Today’s action is the latest indication that the Treasury Department is increasingly willing to use its authority to restrict the financial resources tied to various cybercrime activities. Earlier this month, the agency’s Office of Foreign Assets Control (OFAC) added three Russian nationals and a host of cryptocurrency addresses to its sanctions lists in a case involving efforts by Russian online troll farms to influence the 2018 mid-term elections.

In June, OFAC took action against six Nigerian nationals suspected of stealing $6 million from U.S. businesses and individuals through Business Email Compromise fraud and romance scams.

And in 2019, OFAC sanctioned 17 members allegedly associated with “Evil Corp.,” an Eastern European cybercrime syndicate that has stolen more than $100 million from small businesses via malicious software over the past decade.

A copy of the indictments against Potekhin and Karasavidi is available here (PDF).


22 comments

  1. I wonder if the two named individuals will ever face any consequences. AFAIK Putin has declared that hackers will not be prosecuted as long as their activities’ targets are outside Russia.

    I also need to read up on how the DoJ and other government agencies seize cryptocurrency, given that the original purpose of Bitcoin, etc., was to make transactions anonymous.

  2. I love the comment posted in the article by a victim of the scam. “I would like to blow your ***** *** away, if you even had the balls to show yourself,” exclaimed one victim.” That would probably be my own personal reaction if something like this ever happened to me. But I truly have no interest in getting involved in cryptocurrency anything. A small liquor store in Los Angeles once had a sign painted on their outside wall facing the street which stated that bitcoin could be bought, used and sold there. It just didn’t seem like a good idea to me…

  3. The Sunshine State

    Russian miscreants!

  4. “Using digital currency in one victim Poloniex account, they placed an order to purchase approximately 8,000 GAS, thereby immediately increasing the market price of GAS from approximately $18 to $2,400,” the indictment explains.

    Why micro-currencies without real controls are so much fun!
    Talk about current’cy, don’t blink.

    “If you’re keeping your coin in online hot wallets, are poised to fall for spearphishing even on your most carefully watched financial dealings, well, I mean I hate to say it’s bound to happen.” -Sun Tzu AFAIK

    • Well if those exchanges and people enabled 2FA on withdrawals maybe this would not have been an issue. I think more exchanges should absolutely force device based 2FA for everything seeing as how many bad actors target crypto owners.

  5. You’d be nuts to use crypto currency; it’s utterly unregulated but hey, it’s your money… Give me bricks and mortar any day.

  6. Good work fellas. Edgar is pleased.

  7. Cryptocurrency…. market manipulation, stealing, money laundering, all in one nice easy neat package! Crime has never been so good!

  8. Hey, Vladimir Putin has probably given those two a Medal of Honor by now. So yeah, justice will be served 🙂

  9. I would show these two how to party hardy in panties bought on the silk road that were made of….can you guess??

    You can go for it to my site where the answer will be in literally free ETH pool… Sorry but I had to say it like this as to not get removed… Yes literally haha it is free of charge ETH just go now it’s a mad house.

  10. By now, all these ineffective USDOJ indictments of Russian and Chinese hackers most likely serve as a badge of honor among the hackers.

  11. Restitution, even if it occurs, is going to be something like $10 or $20/month for 100 years.

  12. ~sudo -give a f su node gekko –ui //winning @dice ++1046999.50945 :} [✓] trc20 Sun

  13. No wonder Europe is full of bitcoin exchangers, lol.
    Russians’ washing machine: Europe, lol :D

  14. The indictments are an interesting read. So much money from a relatively small base of individual victims.

  15. Where most of the people get scammed is in Telegram Crypto Coins groups. There are many claiming to be official support and many times they seem to be the only resource where you can get in touch with support. So, be aware!