Extortionists got $15 million in BTC from the largest casinos in Las Vegas — Caesars Palace, Flamingo, Eldorado, and others

How crypto users robbed a casino or the story of the extortionists’ failure

09.06.2025


Fraud and extortion in the crypto sphere are so widespread that people of all generations and ages fall victim to them. But there are some unique cases. GetBlock AML Research exclusively reveals the details of a casino heist using cryptocurrencies.

Victim

This time the extortionists targeted not pensioners but one of the world’s largest real estate and gaming companies, Caesars Entertainment. It owns the largest and most famous casinos in the United States, such as Caesars Palace, Flamingo, Eldorado, and others.

Caesars Palace hotel and casino in Las Vegas. Source: caesars.com

How the attack happened

The incident occurred on August 18, 2023. On that day, the Scattered Spider ransomware group carried out a social engineering attack on a company that provided outsourced customer support services to Caesars Entertainment.

As early as August 23, the attackers gained access to the loyalty system database covering all Caesars Entertainment customers, which stored social security numbers in addition to personal data.

Caesars Entertainment employees discovered traces of the intrusion only on September 7. On September 14, the company publicly acknowledged the breach and reported to the SEC that it had transferred $15 million to the extortionists, although the attackers had initially demanded $30 million.

During the same period, another casino operator, MGM Resorts, was attacked by Scattered Spider. The company refused to pay the ransom and suffered more than $100 million in losses as a result of large-scale software failures that disrupted the organization’s operations.

How the extortionists were tracked

The funds received from Caesars Entertainment as ransom were first identified in January 2024. At that time, a suspicious transfer of 402 BTC across the Avalanche Bridge was recorded. The US Federal Bureau of Investigation sent Ava Labs a demand to freeze the assets. As a result of the cooperation, 277.56 BTC was frozen; the extortionists managed to move another 125 BTC through the protocol and successfully withdraw it to other platforms.

Soon after, another suspicious transfer of $690,000 was detected. The cryptocurrency was sent to one of the wallets belonging to the Gate exchange. The platform complied with the US authorities’ order and blocked $519,845 in stablecoins and 1135 Monero (XMR).

On-chain trail

The cryptocurrency received from Caesars Entertainment was initially transferred to two addresses intended for asset splitting.

A scheme to move cryptocurrency stolen from Caesars Entertainment. Data: Chainalysis

Two more new addresses were then created and used to obfuscate the transaction chain.

A scheme to move cryptocurrency stolen from Caesars Entertainment. Data: Chainalysis

After the secondary transfer, the funds were directed to Avalanche Bridge, where part of them was blocked by the Ava Labs team. The extortionists sent the remaining cryptocurrency to the Stargate protocol before moving it to the Gate exchange, where the assets were also blocked.
