A California man who lost $100,000 in a 2021 SIM-swapping attack is suing the unknown holder of a cryptocurrency wallet that harbors his stolen funds. The case is thought to be the first in which a federal court has recognized the use of information included in a bitcoin transaction — such as a link to a civil claim filed in federal court — as reasonably likely to provide notice of the lawsuit to the defendant. Experts say the development could make it easier for victims of crypto heists to recover stolen funds through the courts without having to wait years for law enforcement to take notice or help.
Ryan Dellone, a healthcare worker in Fresno, Calif., asserts that thieves stole his bitcoin on Dec. 14, 2021, by executing an unauthorized SIM-swap that involved an employee at his mobile phone provider who switched Dellone’s phone number over to a new device the attackers controlled.
Dellone says the crooks then used his phone number to break into his account at Coinbase and siphon roughly $100,000 worth of cryptocurrencies. Coinbase is also named as a defendant in the lawsuit, which alleges the company ignored multiple red flags, and that it should have detected and stopped the theft. Coinbase did not respond to requests for comment.
Working with experts who track the flow of funds stolen in cryptocurrency heists, Dellone’s lawyer Ethan Mora identified a bitcoin wallet that was the ultimate destination of his client’s stolen crypto. Mora says his client has since been made aware that the bitcoin address in question is embroiled in an ongoing federal investigation into a cryptocurrency theft ring.
Mora said it’s unclear if the bitcoin address that holds his client’s stolen money is being held by the government or by the anonymous hackers. Nevertheless, he is pursuing a novel legal strategy that allows his client to serve notice of the civil suit to that bitcoin address — and potentially win a default judgment to seize his client’s funds within — without knowing the identity of his attackers or anything about the account holder.
In a civil lawsuit seeking monetary damages, a default judgment is usually entered on behalf of the plaintiff if the defendant fails to respond to the complaint within a specified time. Assuming that the cybercriminals who stole the money don’t dispute Dellone’s claim, experts say the money could be seized by cryptocurrency exchanges if the thieves ever tried to move it or spend it.
The U.S. courts have generally held that if you’re going to sue someone, you have to provide some kind of meaningful and timely communication about that lawsuit to the defendant in a way that is reasonably likely to provide them notice.
Not so long ago, you had track down your defendant and hire someone to physically serve them with a copy of the court papers. But legal experts say the courts have evolved their thinking in recent years about what constitutes meaningful service, and now allow notification via email.
On Dec. 14, 2023, a federal judge in the Eastern District of California granted Dellone permission to serve notice of his lawsuit directly to the suspected hackers’ bitcoin address — using a short message that was attached to roughly $100 worth of bitcoin Mora sent to the address.
Bitcoin transactions are public record, and each transaction can be sent along with an optional short message. The message uses what’s known as an “OP RETURN,” or an instruction of the Bitcoin scripting language that allows users to attach metadata to a transaction — and thus save it on the blockchain.
In the $100 bitcoin transaction Mora sent to the disputed bitcoin address, the OP RETURN message read: “OSERVICE – SUMMONS, COMPLAINT U.S. Dist. E.D. Cal. LINK: t.ly/123cv01408_service,” which is a short link to a copy of the lawsuit hosted on Google Drive.
“The courts are adapting to the new style of service of process,” said Mark Rasch, a former federal prosecutor at the U.S. Department of Justice. “And that’s helpful and useful and necessary.”
Rasch said Mora’s strategy could force the government to divulge information about their case, or else explain to a judge why the plaintiff shouldn’t be able to recover their stolen funds without further delay. Rasch said it could be that Dellone’s stolen crypto was seized as part of a government asset forfeiture, but that either way there is no reason Uncle Sam should hold some cybercrime victims’ life savings indefinitely.
“The government doesn’t need the crypto as evidence, but in a forfeiture action the money goes to the government,” Rasch said. “But it was never the government’s money, and that doesn’t help the victim. The government should be providing information to the victims of cryptocurrency theft so that their attorneys can go get the money back themselves.”
Nick Bax is a security researcher who specializes in tracing the labyrinthine activity of criminals trying to use cryptocurrency exchanges and other financial instruments to launder the proceeds of cybercrime. Bax said Mora’s method could allow more victims to stake legitimate legal claims to their stolen funds.
“If you get a default judgment against a bitcoin address, for example, and then down the road that bitcoin gets sent to an exchange that complies with or abides by U.S. court orders, then it’s yours,” Bax said. “I’ve seen funds with a court order on them get frozen by the exchanges that decided it made sense to comply with orders from a U.S. federal court.”
Bax’s research was featured in a Sept. 2023 story here about how experts now believe it’s likely hackers are cracking open some of the password vaults stolen in the 2022 data breach at LastPass.
“I’ve talked to a lot victims who have had life-changing amounts of money being seized and would like that money back,” Bax said. “A big goal here is just making civil cases more efficient. Because then people can help themselves and they don’t need to rely solely on law enforcement with its limited resources. And that’s really the goal: To scale this and make it economically viable.”
While Dellone’s lawsuit may be the first time anyone has obtained approval from a federal judge to use bitcoin to notify another party of a civil action, the technique has been used in several recent unrelated cases involving other cryptocurrencies, including Ethereum and NFTs.
The law firm DLAPiper writes that in November 2022, the U.S. District Court for the Southern District of Florida “authorized service of a lawsuit seeking the recovery of stolen digital assets by way of a non-fungible token or NFT containing the text of the complaint and summons, as well as a hyperlink to a website created by the plaintiffs containing all pleadings and orders in the action.”
In approving Dellone’s request for service via bitcoin transaction, the judge overseeing the case cited a recent New York Superior Court ruling in a John Doe case brought by victims seeking to unmask the crooks behind a $1.3 million cyberheist.
In the New York case, the state trial court found it was acceptable for the plaintiffs to serve notice of the suit via cryptocurrency transactions because the defendants regularly used the Blockchain address to which the tokens were sent, and had recently done so. Also, the New York court found that because the account in question contained a significant sum of money, it was unlikely to be abandoned or forgotten.
“Thus the court inferred the defendants were likely to access the account in the future,” wrote Judge Helena M. March-Kuchta, for the Eastern District of California, summarizing the New York case. “Finally, the plaintiff had no alternative means of contacting these unknown defendants.”
Experts say regardless of the reason for a cryptocurrency theft or loss — whether it’s from a romance scam or a straight-up digital mugging — it’s important for victims to file an official report both with their local police and with the FBI’s Internet Crime Complaint Center (ic3.gov). The IC3 collects reports on cybercrime and sometimes bundles victim reports into cases for DOJ/FBI prosecutors and investigators.
The hard truth is that most victims will never see their stolen funds again. But sometimes federal investigators win minor victories and manage to seize or freeze crypto assets that are known to be associated with specific crimes and criminals. In those cases, the government will eventually make an effort to find, contact and in some cases remunerate known victims.
It might take many years for this process to unfold. But if and when they do make that effort, federal investigators are likely to focus their energies and attention responding to victims who staked a claim and can support it with documentation.
But have no illusions that any of this is likely to happen in a timeframe that is meaningful to victims in the short run. For example, in 2013 the U.S. government seized the assets of the virtual currency Liberty Reserve, massively disrupting a major vehicle for laundering the proceeds of cybercrime and other illegal activities.
When the government offered remuneration to Liberty Reserve account holders who wished to make a financial loss claim and supply supporting documentation, KrebsOnSecurity filed a claim. There wasn’t money much in my Liberty Reserve account; I simply wanted to know how long it would take for federal investigators to follow up on my claim, or indeed if they would at all.
In 2020 KrebsOnSecurity was contacted by an investigator with the U.S. Internal Revenue Service (IRS) who was seeking to discuss my claim. The investigator said they would have called sooner, but that it had taken that long for the IRS to gain legal access to the funds seized in the 2013 Liberty Reserve takedown.
As a user of coinbase, why did not have TOTP based 2FA enabled for all transactions, seems like a you problem.
sim-swap here… 2FA usually involves the phone as the 2nd factor, so…
TOTP is immune to SIM swapping attacks so what the OP is trying to say is that the victim should have used TOTP instead of phone number-based 2FA.
Nowadays BTW, Coinbase also supports passkeys which are also immune to SIM swapping.
Good stuff. Thanks, Brian.
If you haven’t already written it, an article on best practices for protecting cryptocurrency would be appreciated.
I do know that Coinbase supports Duo MFA, which is MUCH more secure than using SMS/Texting. I haven’t tested it as to the fallback methods (i.e. if you can do a ‘recovery’ and force a SMS authentication), but at least they have something better available.
HTH
Nowadays they also support passkeys which are also immune to SIM-swapping.
Transfer it all to a bank account!
Use a physical wallet or a separate machine 100% dedicated to holding your funds. So long as the dedicated machine stays secure your funds will be safe. I’d encrypt it with a strong password and have encrypted backups on a flashdrive if it gets stolen.
It sounds to me that he should also include the phone company as it was their employee who instigated the crime. I don’t see any mention of this action being taken. Given this is California, he probably would receive his money back as well as another $1,000,000 for his obvious pain and emotional distress.
After spending ~half that on lawyers and waiting ~5+ years, maybe. Emphasis on maybe.
“the courts have evolved their thinking in recent years about what constitutes meaningful service, and now allow notification via email.” This is trouble. e-mail is too low in reliability for any purpose as serious as this.
Not to mention the email possibly being flagged as spam and never being seen by the recipient. Dog knows how much email I get that I never see let alone bother to open. While I’m happy for the plaintiff in the case in question, this does seem rife with opportunities of abuse and defendants having default judgements made against them without their knowledge.
There’s a recent story about Luke Combs suing Nicol Harness and like most lawsuits started with a very high number that they would probably negotiate down. But it was served over email and the woman didn’t respond and so he got a default judgement for 250k.
So I guess you gotta just click on any ills link sent to your bitcoin wallet or risk default judgements? Nothing could go wrong here…
Slick, slick move in a legal sense, and because of the static nature of the information in a bitcoin transaction, the owner of the wallet will get notification if the wallet is ever opened again. The catch, if I’m reading correctly, is in the mode of recovery. This will not work for the victim if the bitcoin wallet gets frozen. Nor if recovery has to wait for a transaction to occur. Recovery has to happen when a court, having found that reasonable notice has occurred, defaults the respondents and orders the bitcoin exchange to remove the funds from the perps bitcoin account and returns the funds to the victim’s account.
However, IMHO, don’t waste your money on the lawyers if the bitcoin exchange where the funds reside doesn’t respond to US court orders. If the order can’t be enforced, it’s then just a very expensive piece of paper.
And what about *coin markets outside of US court jurisdictions?
Sorry for being off-topic, but is there an entry on yesterday’s Windows update, same as we get monthly? Have a question.
If the question is failing update 5034441, you have to resize the WinRE recovery partition by 250MB.
I can confirm it’s fairly painless and does allow you to install the update in question.
It does require folks open (as administrator) a command prompt & follow directions exactly.
There’s definitely room to bork your install if you make a typo/etc in the partition manager.
bleepingcomputer dot com/news/microsoft/windows-10-kb5034441-security-update-fails-with-0x80070643-errors/
Apparently Win11 switched to a larger WinRE partition size 6 months ago, so “of course” MS lost the script on supporting the older partition size in the product it wants users to move away from, 10. “oops”
Basic QA would have caught this, but that doesn’t help force the rabble to upgrade. Typical.
Thanks for the detailed response. There was no indication of what update # caused the problem, just a blue screen with the message I quote below. BTW, it was W10.
In the meantime I read on the net from a couple of people that just waiting it out worked for them. So the screen would say “Windows is getting ready … Do not shut off” with a little circle spinning.
I let it run, checking from time to time. Somewhere between one and one half hours it completed the install.
The “Windows is getting ready” screen is the OS update screen, as opposed to a “Blue Screen of Death” (BSOD) you can get when it hard crashes and displays some debug codes and whatnot. Sometimes you can get stuck in a loop during the update screen where it never resolves or progresses to boot, but you did the right thing by giving it at least a couple hours to resolve itself rather than getting impatient and hard rebooting it. On crufty older systems it can really drag on.
The 5034441 update fail I mentioned is a different issue as it would download the update but fail to install after about a minute of trying, not ever getting to the blue “windows is getting ready” screen. In that case it gives a 0x80070643 error right in the “update” page in Settings (gear cog in start menu). It doesn’t sound like that’s what caused your delay – so make sure you run “disk cleanup” (as admin, so you can delete the previous updates’ cruft) then “disk defrag”, especially if your OS drive is a spinning hard drive. If it took 1-2 hours I assume that’s what’s going on, and you’d be well served upgrading to SSD for the OS drive. Cheers.
I’m not very sure how would that guy get his money back? Ok, he wins the court case. But then what? What if the crooks don’t transfer anything from that bitcoin address, or do it through some exchange that doesn’t follow US regulations?
Let’s think about this for a second. We now can be served via an email that: inspires urgent action, cites consequences, is from an unknown/untrusted sender and, apparently, can use shortened links. Isn’t that EXACTLY the sort of thing we’ve all been telling our parents to be skeptical of?
I see similar situations all the time. Take my bank, for instance. Emails from them never link directly to bank-name[.]com, but through some click tracking website–making it impossible for me to tell the difference between legitimate links or malicious links without clicking. Or when my credit card gets locked for potential fraud, the notice I get tells me to call a number that’s different from the number on the back of my card. I’m sure the banks have an explanation for all of this–it probably makes/saves them money, somehow–but it has the effect of making their behavior indistinguishable from bad actors’.
This sort of ethernet money which is what I call it can attract all sorts of unscrupulous people. Since none of your money is insured by any institution your sort of on your own if you get taken. Good luck if the taker is in another country that could care less about your lost ethernet money. The avoidance of government regulations can be a double edged sword.
“$100 bitcoin transaction” to serve? Why not $0.01?
Probably because $100 is enough for someone to go, “Hrm. Wonder where that came from?” $0.01 wouldn’t even cover the fees for transferring the money.
Serving a defendant via email will likely never hold up. How many people do you know have emails they’ve created solely to accept spam? Almost everyone I know. If the courts allow defendants to be served via email, anyone would be able to sue for any reason and likely be guaranteed to win a default judgement. Collecting the monies may be the challenge though, but debt collectors are happy to buy that debt from you. It’s a win/win for the plaintiff.
I work primarily in IT to an older clientele mostly. I have hundreds of clients. Maybe 1% has an email account especially for spam. Never think the people you know are representative of the public at large. It’s one of the biggest mistakes IT people make, IMO.
Brian,
Here’s my ignorance showing(I don’t work in IT; I’m not smart enough). When you talk about setting up an email for spam, would that be an address to give out to sites that might be questionable? I use DuckDuckGO’s forwarding service which includes an option for generating private addresses which I use for such places.
There are lots of options, Larry. No one way is the best for everyone, IMO. But it’s not a bad idea to have multiple email addresses. Some use their alternative addresses for signing up to commercial sites/loyalty programs, etc. As you know these will likely be used for marketing purposes and sold to others. Some make a special box for every place they sign into, to help track which sites are the most abusive.
IMO having at least one for personal use and one for use for “commercial” uses is a good idea. Another for your business use isn’t a bad idea, either.
Good stuff, thanks for the reply. Basically, TNO!
I think you’re on the right track with the DuckDuckGo email. I’ve got multiple addresses, including one I use for logging into spammy websites. I also started generating gmail accounts for various websites, and have them redirected to my “spammy” email account. But I’ve found the DDG emails have the added advantage in that you can use them for a one time login/registration/whatever (DoorDash order?), and then once your transaction is fullfilled, you can easily delete that DDG email address and never get any spam from that vendor.
Please people, stop storing your Bitcoin on exchanges! Take the extra five minutes to learn how to use a self hosted wallet and send your exchange purchased Bitcoin to that wallet ASAP after you’ve purchased it.
Then after that, yes, enable 2FA on your exchange, preferably OTP with an OTP app on your phone.
I know it feels hard at the outset, but truly, it’s not once you understand what you’re doing….it could save you $100K one day.
Your choice of word ‘urgently’ sounds a little bit scary cause if you rush to recover your money you might possibly end up losing your money again. There are a lot of scam recovery agents that have zero expertise in tracking or getting money back from scammers. Exercising patience is key when trying to apprehend a thief, even police departments takes as much as two years in unravelling some cases. When you get scammed endeavor to document every detail you have of the scammer. Seek help with your local law enforcement before resulting to find help elsewhere.
Funds recovering experts will attend to you with some regard of urgency when compared to your local law enforcement, but still don’t expect it to be very swift to avoid getting scammed again. Recovery takes a process and won’t take as soon as you might want it. A company Bryan Recovery helped me in recovering my money and the expertise they exhibited in apprehending my scammer is recommendable, I visited their office and met with their officials before trusting them with my case. They successfully helped me in getting 90% of what I lost.
(“NAME”)
Bitcoin was originally devised by the “bad guys”. It allowed them to move move (ill-gotten gains) around without governmental or financial institution interference.
Blockchain was supposed tokeep track of bitcoin transactions and (I thought) a way to reverse certain transactions..
Some who decided to join the crowd have found out that the protections were mainly on the side of bitcoin (secrecy, etc.), with little recourse in the courts. Not withstanding the difficulties of dealing with multiple jurisdictions, some of whom might not be too interested in helping foreigners recover money from their citizens.
Somehow bitcoin became a ‘commercial’ product. People wanting to obscure certain transactions to avoid penalties and taxes. They thought they could make money somehow by the limited number of bitcoins and wild speculation of the “worth” of their holdings.
In my opinion, it was a flaky risky bet from the start.
My 2cents worth.
No, it wasn’t.
Is it too late to re-label Crypto as “Magic Internet Money”?
No.
As a user of coinbase, why did not have TOTP based 2FA enabled for all transactions
It’s not often you feel the ground disappear beneath your feet, but when my online investment platform froze and my $200,000 savings vanished into thin air, that’s exactly what happened. Panic, disbelief, and a crushing sense of helplessness washed over me. My life savings are gone. Then Muyern Trust Hacker appeared, offering a ray of hope. Finally, the news arrived. My funds, all $200,000 of them, were recovered. Tears of relief streamed down my face as I read the confirmation email. It felt like a miracle, a second chance at life. My experience with Muyern Trust Hacker wasn’t just about getting my money back. It was about regaining my faith in humanity, the possibility of justice, and the existence of good people who fight for what’s right. Today, I stand here, no longer a victim, but a survivor.
I sympathize with the plaintiff, however the legal precedent that I need to regularly check my wallets for legal notices and click random links is a bad expectation.
Hey………