The most sophisticated cryptocurrency theft scheme: what it is and how it works

WIRED magazine published a story about a fraudulent bitcoin theft scheme that has stumped many security experts. It remains unclear how exactly the attackers got hold of the cryptocurrency. GetBlock AML Research provides details of the incident.

An almost Hollywood-esque story

When Kent Halliburton stood in the bathroom of the Rosewood Hotel in central Amsterdam, thousands of kilometers from home, counting €10 000 in cash in an envelope, he began to wonder what he had gotten himself into.

Halliburton is the co-founder and head of Sazmining. This company operates special equipment that mines bitcoins for clients. This format is called “mining as a service.” Kent himself lives in Peru, but Sazmining’s equipment operates at sites in Norway, Paraguay, Ethiopia, and the United States.

According to Halliburton, he flew to Amsterdam on August 5 to meet with Even and Maxim, representatives of a wealthy family from Monaco. The family offered to purchase a large batch of bitcoin mining equipment from Sazmining, valued at approximately $4 million. It was to be installed at a site under construction in Ethiopia. Before signing the contract, the family wanted to meet in person.

When Halliburton arrived at the hotel, he saw Even and Maxim in the bar area. They struck him as people who loved luxury and generous spending — especially Maxim: in a light beige three-piece suit, with perfectly styled long hair and a Rolex watch.

Over a three-course lunch — ceviche with caviar, Chilean sea bass, and cherry cake — they discussed the details of the deal and shared stories about themselves. Evan was cheerful and talkative, reminiscing about parties in Marrakesh. Maxim was cold and spent most of the time silently staring at Kent, as if assessing him.

To build trust, Even suggested that Halliburton sell them some bitcoin — about $3000 worth. Kent was skeptical at first, but decided it was just a strange gesture in their style. One of the men handed him an envelope with cash and told him to count it in the bathroom. “It felt like something out of a James Bond movie,” Halliburton recalls. “It was all very exotic to me.”

After the meeting, he left in a taxi. His impressions were strange, but Kent hoped that the big contract would still go through. For a small company with 15 employees, it could have been a huge breakthrough. Less than two weeks later, Halliburton lost more than $200 000 worth of bitcoins — all because of Even and Maxim. He didn’t know if the company would survive such a blow, or how the scammers had managed to pull the wool over his eyes.

The culmination of the deception

After the meeting in Amsterdam, Halliburton flew to Latvia for a bitcoin conference and then traveled to Ethiopia to inspect the construction site. While he was there, Even wrote to him on WhatsApp and said that they were ready to move forward, but there was one condition: the family wanted to buy even more bitcoins from Sazmining as part of the deal — approximately $400 000 worth. This was one-tenth of the total contract.

Even asked Kent to fly to Amsterdam again to sign the documents. Kent tried to refuse, tired of traveling, but Even was adamant: “Remotely doesn’t work for me that’s not how I do business at the moment,” he wrote in a message. Halliburton flew back on August 16. In the evening, he was supposed to meet with Maxim at a Japanese restaurant in the five-star Okura Hotel. The restaurant’s interior was decorated in a traditional Japanese style — wood, paper walls, a Zen garden, and crane figurines.

Maxim was waiting for him on the sofa in a shiny silver suit. While they were waiting for their table, Maxim asked to see proof that Sazmining really had the required amount in bitcoin. He asked for half — $220 000 — to be transferred to a special wallet app “trusted by the family office.” The money remained under Kent’s control, but the family could verify its existence by opening the transaction details.

Halliburton took out his iPhone. The Atomic Wallet app had thousands of positive reviews and had been in the App Store for many years. Right next to Maxim, he downloaded the app and created a new wallet. Halliburton says:

“I was trying to earn this guy’s trust. Again, a $4 million contract. I’m still looking at that carrot.”

Dinner went smoothly. Maxim was more talkative, discussing watches and finding deals for his family. Halliburton was tired of constant travel and wanted to end the meeting. They agreed that Maxim would send the signed documents to his family office, and Kent would send $220 000 in bitcoin to a new wallet address.

Back at the hotel, Halliburton made a small test transfer, then deleted and restored the wallet using backup words (a secret code).

“Had to take some security measures but almost ready. Thanks for your patience,” he wrote to Even.

“No worries take your time,” he responded.

At 10:45 p.m., Halliburton instructed his colleague to send $220 000 worth of bitcoins to the new wallet address. After receiving the money, he sent Even a screenshot of the balance. A minute later, the reply came: “Thank yiu [sic].” Kent wrote again, asking about the documents, but there was no response. Then he looked at the app. The bitcoins were gone.

Kent gasped. He could barely keep from vomiting. “It was like being punched in the gut,” he says. “It was just shock and disbelief.” He frantically tried to figure out how he had been deceived. At 11:30 p.m., he wrote to Even: “That was the most sophisticated scam I’ve ever experienced. I know you probably don’t give a shit but my business may not survive this. I’ve worked four years of my life to build it.”

Even replied that he was not guilty of anything and did not respond to further communications. His Telegram account became inactive on the same day. A few hours later, the stolen funds began to be split up, transferred between multiple addresses, and sent to services where cryptocurrency can be exchanged for regular money, according to analysis by Chainalysis and CertiK.

Some of the bitcoins went through instant exchange services. A large amount ended up at one address, where it was mixed with other “dirty” funds — similar to money stolen from startups through fraud. Most likely, the fraudsters withdrew some of the money through an exchange, and the rest was converted into another cryptocurrency and sent through “bridges” to another network where it could be easily cashed out.

At some point, the transaction trail ends. To identify the real criminals, law enforcement agencies need to request data from the services through which the money passed. It is unclear how exactly the fraudsters managed to steal money from Halliburton’s wallet. But there are some guesses.

Questions remain

At first, Halliburton thought the problem was related to the old Atomic Wallet hack in 2023, when attackers stole $100 million from its users. But experts believe he was the victim of a “personalized” attack — when attackers specifically target people who store large amounts of money.

To steal bitcoins, the scammers needed to obtain a secret code — the recovery phrase for a new wallet. Anyone with this phrase can completely control the wallet. One theory is that the scammers used fake Wi-Fi in a hotel and intercepted the data. But Halliburton says he used mobile internet.

Another, more likely version is that someone filmed his phone screen when he first created his wallet in Atomic Wallet — for example, with a camera with a powerful zoom. Most likely, even before receiving the $220 000, the scammers set up a special “bot” that automatically empties the wallet as soon as a large amount appears in it.

People like Even and Maxim are usually not the main fraudsters — they are the executors. The real organizers can be anywhere. For several days, it was unclear whether the company would survive. The stolen $220 000 represents six weeks of the company’s work. “I’m trying to keep the business afloat,” says Kent. In the end, he managed to negotiate a loan extension and a delay in payments to suppliers.

The director’s office reported the incident to law enforcement agencies in the Netherlands, the UK, and the US. Only the British agency Action Fraud and the US Secret Service responded.

The amount of crypto fraud is now so enormous that the police physically cannot keep up with every case. It is only possible to recover the money if the police expose an entire criminal network. In such cases, the funds can be returned to the victims.