An Indian national has pleaded guilty in the U.S. over charges of stealing more than $37 million by setting up a website that impersonated the Coinbase cryptocurrency exchange platform.
Chirag Tomar, 30, pleaded guilty to wire fraud conspiracy, which carries a maximum sentence of 20 years in prison and a $250,000 fine. He was arrested on December 20, 2023, upon entering the country.
“Tomar and his co-conspirators engaged in a scheme to steal millions in cryptocurrency from hundreds of victims located worldwide and in the United States, including in the Western District of North Carolina,” the Department of Justice (DoJ) said last week.
The website, created around June 2021, was named “CoinbasePro[.]com” in an effort to masquerade as Coinbase Pro and deceive unsuspecting users into believing that they were accessing the legitimate version of the virtual currency exchange.
It’s worth noting that Coinbase discontinued the offering in favor of Advanced Trade in June 2022. The phased migration of Coinbase Pro customers to Coinbase Advanced was completed on November 20, 2023.
Victims who entered their credentials on the spoofed site had their login information stolen by the fraudsters, and in some cases were tricked into granting remote desktop access that allowed the criminal actors to gain access to their legitimate Coinbase accounts.
“The fraudsters also impersonated Coinbase customer service representatives and tricked the users into providing their two-factor authentication codes to the fraudsters over the phone,” the DoJ said.
“Once the fraudsters gained access to the victims’ Coinbase accounts, the fraudsters quickly transferred the victims’ Coinbase cryptocurrency holdings to cryptocurrency wallets under the fraudsters’ control.”
In one instance highlighted by the prosecutors, an unnamed victim located in the Western District of North Carolina had more than $240,000 worth of cryptocurrency stolen in this manner after they were duped into calling a fake Coinbase representative under the pretext of locking their trading account.
Tomar is believed to have been in possession of several cryptocurrency wallets that received stolen funds totaling tens of millions of dollars, which were subsequently converted to other forms of cryptocurrency or moved to other wallets, and ultimately cashed out to fund a lavish lifestyle.
This included buying expensive watches from brands like Rolex and luxury vehicles such as Lamborghinis and Porsches, and making several trips to Dubai and Thailand.
The development comes as a special investigation team (SIT) associated with the Criminal Investigation Department (CID) in the Indian state of Karnataka arrested Srikrishna Ramesh (aka Sriki) and his alleged co-conspirator Robin Khandelwal for stealing 60.6 bitcoins from a crypto exchange firm named Unocoin in 2017.
It also follows a new wave of arrests in the U.S. in connection with an elaborate multi-year scheme engineered to help North Korea-linked IT workers obtain remote-work jobs at more than 300 U.S. companies and advance the country’s weapons of mass destruction program in contravention of international sanctions.
Among the apprehended parties is 27-year-old Ukrainian national Oleksandr Didenko, who is accused of creating fake accounts at U.S. IT job search platforms and selling them to overseas IT workers in order to obtain employment.
He is also said to have operated a now-dismantled service called UpWorkSell that advertised “ability for remote IT workers to buy or rent accounts in the name of identities other than their own on various online freelance IT job search platforms.”
According to the affidavit supporting the complaint, Didenko managed about 871 “proxy” identities, provided proxy accounts for three freelance U.S. IT hiring platforms, and provided proxy accounts for three different U.S.-based money service transmitters.
Didenko’s partner-in-crime, Christina Marie Chapman, 49, has also been arrested for running what’s called a “laptop farm” by hosting multiple laptops at her residence for North Korean IT workers to give the impression that they were in the U.S. and apply for remote work positions in the country.
“The conspiracy […] resulted in at least $6.8 million of revenue to be generated for the overseas IT workers,” Chapman’s indictment said, adding the workers landed employment at numerous blue-chip U.S. companies and exfiltrated data from at least two of them, counting a multinational restaurant chain and a classic American clothing brand.
Charges have also been filed against Minh Phuong Vong of Maryland, a Vietnamese national and a naturalized U.S. citizen, for conspiring with an unknown party to commit wire fraud by gaining employment at U.S.-based companies when, in reality, remote IT worker(s) located in China were posing as Vong to work on a government software development project.
There are indications to suggest that the second individual, who is referred to as a “John Doe,” is North Korean and works as a software developer in Shenyang, China.
“Vong […] did not perform software development work,” the DoJ said. “Instead, Vong worked at a nail salon in Bowie, Maryland, while an individual or individuals located in China used Vong’s access credentials to connect to a secure government website, perform the software development work, and attend regular online company meetings.”
In tandem, the DoJ said it seized control of as many as 12 websites that were used by the IT workers to secure remote contract work by masquerading as U.S.-based IT services firms offering artificial intelligence, blockchain, and cloud computing solutions.
As previously disclosed in court documents late last year, these IT workers – part of the Workers’ Party of Korea’s Munitions Industry Department – are known to be sent to countries like China and Russia, from where they are hired as freelancers with the ultimate goal of generating income for the hermit kingdom.
“North Korea is evading U.S. and U.N. sanctions by targeting private companies to illicitly generate substantial revenue for the regime,” the U.S. Federal Bureau of Investigation (FBI) said in an advisory.
“North Korean IT workers use a variety of techniques to obfuscate their identities, including leveraging U.S.-based individuals, both witting and unwitting, to gain fraudulent employment and access to U.S. company networks to generate this revenue.”
A recent report from Reuters revealed that North Korean threat actors have been linked to 97 suspected cyber attacks on cryptocurrency companies between 2017 and 2024, netting them $3.6 billion in illicit profits.
The adversaries are estimated to have laundered the $147.5 million stolen in the HTX cryptocurrency exchange hack last year through the virtual currency platform Tornado Cash in March 2024.