Ethereum

Two Russians Charged in $17M Cryptocurrency Phishing Spree

U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.

The Justice Department unsealed indictments against Russian nationals Danil Potekhin and Dmitirii Karasavidi, alleging the duo was responsible for a sophisticated phishing and money laundering campaign that resulted in the theft of $16.8 million in cryptocurrencies and fiat money from victims.

Separately, the U.S. Treasury Department announced economic sanctions against Potekhin and Karasavidi, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

According to the indictments, the two men set up fake websites that spoofed login pages for the currency exchanges Binance, Gemini and Poloniex. Armed with stolen login credentials, the men allegedly stole more than $10 million from 142 Binance victims, $5.24 million from 158 Poloniex users, and $1.17 million from 42 Gemini customers.

Prosecutors say the men then laundered the stolen funds through an array of intermediary cryptocurrency accounts — including compromised and fictitiously created accounts — on the targeted cryptocurrency exchange platforms. In addition, the two are alleged to have artificially inflated the value of their ill-gotten gains by engaging in cryptocurrency price manipulation using some of the stolen funds.

For example, investigators alleged Potekhin and Karasavidi used compromised Poloniex accounts to place orders to purchase large volumes of “GAS,” the digital currency token used to pay the cost of executing transactions on the NEO blockchain — China’s first open source blockchain platform.

“Using digital currency in one victim Poloniex account, they placed an order to purchase approximately 8,000 GAS, thereby immediately increasing the market price of GAS from approximately $18 to $2,400,” the indictment explains.

Potekhin and others then converted the artificially inflated GAS in their own fictitious Poloniex accounts into other cryptocurrencies, including Ethereum (ETH) and Bitcoin (BTC). From the complaint:

“Before the Eight Fictitious Poloniex Accounts were frozen, POTEKHIN and others transferred approximately 759 ETH to nine digital currency addresses. Through a sophisticated and layered manner, the ETH from these nine digital currency addresses was sent through multiple intermediary accounts, before ultimately being deposited into a Bitfinex account controlled by Karasavidi.”

The Treasury’s action today lists several of the cryptocurrency accounts thought to have been used by the defendants. Searching on some of those accounts at various cryptocurrency transaction tracking sites points to a number of phishing victims.

“I would like to blow your bitch ass away, if you even had the balls to show yourself,” exclaimed one victim, posting in a comment on the Etherscan lookup service.

One victim said he contemplated suicide after being robbed of his ETH holdings in a 2017 phishing attack. Another said he’d been relieved of funds needed to pay for his 3-year-old daughter’s medical treatment.

“You and your team will leave a trail and will be found,” wrote one victim, using the handle ‘Illfindyou.’ “You’ll only be able to hide behind the facade for a short while. Go steal from whales you piece of shit.”

There is potentially some good news for victims of these phishing attacks. According to the Treasury Department, millions of dollars in virtual currency and U.S. dollars traced to Karasavidi’s account was seized in a forfeiture action by the United States Secret Service.

Whether any of those funds can be returned to victims of this phishing spree remains to be seen. And assuming that does happen, it could take years. In February 2020, KrebsOnSecurity wrote about being contacted by an Internal Revenue Service investigator seeking to return funds seized seven years earlier as part of the government's 2013 seizure of Liberty Reserve, a virtual currency service that acted as a $6 billion hub for the cybercrime world.

Today’s action is the latest indication that the Treasury Department is increasingly willing to use its authority to restrict the financial resources tied to various cybercrime activities. Earlier this month, the agency’s Office of Foreign Assets Control (OFAC) added three Russian nationals and a host of cryptocurrency addresses to its sanctions lists in a case involving efforts by Russian online troll farms to influence the 2018 mid-term elections.

In June, OFAC took action against six Nigerian nationals suspected of stealing $6 million from U.S. businesses and individuals through Business Email Compromise fraud and romance scams.

And in 2019, OFAC sanctioned 17 members allegedly associated with “Evil Corp.,” an Eastern European cybercrime syndicate that has stolen more than $100 million from small businesses via malicious software over the past decade.

A copy of the indictments against Potekhin and Karasavidi is available here (PDF).

Developer faces prison time for giving blockchain talk in North Korea

Photo: Virgil Griffith.

The prominent hacker and Ethereum developer Virgil Griffith was arrested by the US government Friday after he spoke at an April conference on blockchain technologies in North Korea. The US government considers his presentation to be a transfer of technology—and therefore a violation of US sanctions.

But Griffith’s defenders, including Ethereum founder Vitalik Buterin, describe the arrest as a massive overreaction. Griffith worked for the Ethereum Foundation, and Buterin called him a friend.

“I don’t think what Virgil did gave the DPRK [Democratic People’s Republic of Korea] any kind of real help in doing anything bad,” Buterin tweeted on Sunday. “He delivered a presentation based on publicly available info about open source software.”

But federal prosecutors argue that Griffith, a US citizen residing in Singapore, knew full well that his trip violated US sanction laws. They say he sought approval for the trip from the US State Department, and his request was denied. Griffith made the trip anyway, traveling through China to evade US travel restrictions.

In a charging document, an FBI agent wrote that Griffith “discussed how blockchain and cryptocurrency technology could be used by the DPRK to launder money and evade sanctions, and how the DPRK could use these technologies to achieve independence from the global banking system.”

Griffith made little effort to hide his travel plans. He tweeted out a photo of his travel documents and voluntarily talked to the FBI after his trip. He even allowed the authorities to inspect his cell phone.

The feds say Griffith’s electronic communications show a clear intention to violate US sanctions laws. When a friend asked why the North Korean regime was interested in cryptocurrency, he wrote: “probably avoiding sanctions… who knows.”

Later, he told a friend of his plan to help send 1 unit of cryptocurrency (presumably ether) between South and North Korea. The friend asked “Isn’t that violating sanctions?” Griffith replied “it is,” according to the US government.

“Minor public-relations disasters”

Griffith was a well-known figure in the hacking world for more than a decade before this year’s trip to North Korea. He was featured by The New York Times in a 2008 article that focused on his creation of WikiScanner—software that helped uncover people and organizations making surreptitious changes to Wikipedia.

He told the Times that he aspires to “create minor public-relations disasters for companies and organizations I dislike.”

In 2003, Griffith was sued by education-software maker Blackboard to stop him from presenting research on security flaws in Blackboard’s software. A 2006 paper demonstrated how easy it was to guess people’s mothers’ maiden names from public records—highlighting the downside of using this information to authenticate consumers.

According to his LinkedIn page, Griffith received a Ph.D. in computation and neural systems in 2014. Since then, he has been involved in a variety of cryptocurrency projects. He has been a research scientist at the Ethereum Foundation since 2016.