In a case highlighting the vulnerabilities of even the most secure cryptocurrency platforms, two men have been charged with the theft of over 4,100 Bitcoin — worth approximately $230 million — from a creditor of Genesis, the bankrupt cryptocurrency lending firm. The audacious heist, carried out in August 2024, exposes the growing threat of social engineering in the digital currency world, even as blockchain technology itself remains highly secure.
The Heist: How It Happened
The criminals, identified as Malone Lam, 20, and Jeandiel Serrano, 21, allegedly used a blend of technical expertise and psychological manipulation to gain access to the victim’s cryptocurrency holdings. The attackers posed as support staff from Google and Gemini, a prominent cryptocurrency exchange, in a highly sophisticated phishing operation. The thieves convinced the victim to reset their two-factor authentication (2FA) and install screen-sharing software, such as AnyDesk. Consequently, they were able to gain control over the victim’s private keys stored in a Bitcoin Core wallet.
Once they obtained access to the private keys, Lam and Serrano transferred more than 4,100 Bitcoin into accounts they controlled. This heist, targeting a creditor of Genesis, adds to the mounting list of challenges faced by creditors of the bankrupt crypto lender. Genesis has been in financial distress following its exposure to FTX and other collapsed entities.
The Role of Blockchain Forensics
Lam and Serrano made significant efforts to cover their tracks using privacy-focused cryptocurrencies like Monero. However, despite laundering the stolen assets through a network of crypto mixers and exchanges, they were eventually caught. Blockchain investigator ZachXBT played a crucial role in tracking the stolen funds across multiple wallets. His forensic work uncovered a complex web of transactions involving over 15 exchanges. The stolen Bitcoin was repeatedly swapped between various cryptocurrencies in an attempt to evade detection.
The criminals also used “peel chains” and pass-through wallets to launder the funds. That made it more difficult to trace the origin and destination of the assets. However, the attackers made critical operational security (OPSEC) mistakes. For example, they linked their activities to real-world identities via social media posts that flaunted their newfound wealth. Investigators were able to follow the trail of laundered funds to luxury purchases, such as high-end cars, watches, and nightclubs in Miami and Los Angeles, ultimately leading to their arrests.
Implications for Crypto Security
This case underscores the growing risks of social engineering in the cryptocurrency space. While blockchain technology itself remains highly secure, the human element continues to be a significant point of vulnerability. Social engineering attacks — wherein criminals trick victims into revealing sensitive information or credentials — are increasingly becoming the preferred method for accessing high-value cryptocurrency accounts.
The attackers were able to bypass strong security measures like two-factor authentication. However, they did not crack the underlying encryption but exploited the victim’s trust. This highlights the need for enhanced user education and more robust account recovery and support procedures within the cryptocurrency ecosystem.
A Warning for the Crypto Industry
The $230 million heist is not just a warning to individual cryptocurrency holders. It is also a red flag for exchanges and platforms that support them. It points to the need for better internal security measures and training to prevent social engineering attacks from succeeding. In addition, the case demonstrates how, even after the theft has occurred, blockchain forensics can play a vital role in tracking down stolen assets and apprehending cybercriminals.
As the cryptocurrency industry matures, it must continue to address these weaknesses in user authentication processes and improve collaboration between exchanges, law enforcement, and blockchain analysts. The industry can only hope to prevent future attacks of this scale by closing these security gaps.
>>> Read more: Bankrupt Genesis Settles with SEC, Seeks $1.6B GBTC Sale
The arrest of Malone Lam and Jeandiel Serrano after their $230 million Bitcoin theft offers a significant victory for blockchain forensics and law enforcement. However, the underlying issue remains: social engineering attacks are a growing threat in the cryptocurrency world. As this heist shows, even the most secure digital assets are vulnerable to human error and manipulation. The industry must adapt to this new reality and invest in protecting not just the technology, but the users who rely on it.
Readers’ frequently asked questions
How did the attackers bypass two-factor authentication (2FA), a method often considered secure?
In this case, the attackers did not directly crack or break the encryption of the 2FA process itself. Instead, they employed a sophisticated social engineering technique. The perpetrators posed as Google and Gemini support staff, tricking the victim into believing their account had been compromised. They convinced the victim to reset their 2FA and disclose sensitive information while using screen-sharing software like AnyDesk. This allowed the attackers to view and steal the private keys to the victim’s Bitcoin wallet. This method highlights a critical flaw in 2FA. While it strengthens account security, it can be undermined by manipulating the user into voluntarily disabling or resetting the mechanism. The human element, rather than a technical vulnerability, was the weak link exploited in this heist.
Can stolen cryptocurrency be recovered once it has been laundered through mixers and exchanges?
While the attackers used cryptocurrency mixers and multiple exchanges to launder the stolen funds, blockchain forensics can still trace the transactions. Blockchain technology’s transparent nature allows investigators to follow the trail of funds, even when attempts are made to obscure the source and destination through mixers and peel chains. In this case, blockchain analyst ZachXBT played a pivotal role in tracking the movement of the stolen Bitcoin. Although some of the stolen assets were converted into Monero, a privacy-focused coin that is harder to trace, investigators managed to identify key addresses and transactions linked to the suspects. As of the latest reports, portions of the funds were frozen or recovered, though the full amount has not been retrieved. This case illustrates that while laundering adds complexity, skilled forensic teams can often recover or at least trace some of the stolen assets, particularly when attackers make mistakes in hiding their tracks.
What role did Genesis’ bankruptcy play in this heist, and was it a contributing factor to the attack?
Genesis’ bankruptcy, stemming from its exposure to the FTX collapse and the broader crypto market downturn, put creditors in a vulnerable position. The specific creditor targeted in this heist was likely dealing with significant financial uncertainty. That made them an ideal target for a social engineering attack. While Genesis’ bankruptcy did not directly cause the attack, it created an environment where its creditors may have been less vigilant or more susceptible to scams involving claims of compromised accounts. The attackers capitalized on this situation by pretending to be legitimate representatives from major platforms like Gemini. That could have seemed plausible to a creditor seeking to protect their remaining assets. The Genesis bankruptcy, in this sense, was an indirect contributing factor. It left individuals exposed to potential scams and heightened anxiety about their assets.
What Is In It For You? Action Items You Might Want to Consider
Strengthen Your 2FA and Be Wary of Social Engineering Attempts
Even though two-factor authentication (2FA) provides a strong layer of security, this heist reveals how social engineering can easily undermine it. Always be cautious when contacted by someone claiming to be support staff, especially if they ask you to reset your 2FA or install screen-sharing software. Verify communications directly through official channels, and never share sensitive details over the phone or online chats. In high-risk environments, consider using hardware-based 2FA devices like YubiKeys for added protection. They offer more security than app-based 2FA.
Use Multiple Wallets and Limit Exposure
Rather than keeping all your assets in a single wallet, consider spreading your holdings across multiple wallets. Use different levels of security (e.g., cold wallets for long-term storage). This will limit the potential damage if one wallet is compromised. Additionally, use different exchanges for different purposes to prevent a single point of failure. As seen in this case, attackers accessed and laundered the stolen funds through several platforms.
Monitor Transactions and Use Blockchain Analytics Tools
Make it a habit to regularly monitor your wallets and the transactions happening within the blockchain ecosystem. There are numerous blockchain analytics tools available, such as Chainalysis or CipherTrace, that allow you to flag suspicious activity. Many of these tools provide real-time alerts when abnormal movements are detected. Additionally, consider working with services that offer insurance on digital assets or employ advanced tracking in case your funds ever get compromised.
