FBI Cleveland and US Attorney’s Office for Northern District of Ohio Freeze and Seize Illicit Crypto Proceeds

Last week, the US Department of Justice announced the civil forfeiture of 200,000 in USDT that was the proceeds of a fraud scheme involving cryptocurrency assets stolen from a victim, identified as "L.D.," located in Ohio. TRM Labs is proud to support the Department of Justice in this, and other cases, to identify and disrupt the illicit use of cryptocurrency.

The DOJ team, led by FBI Cleveland and the US Attorney’s Office for the Northern District of Ohio, was able to trace stolen bitcoin to an international exchange, work with the exchange to identify a swap of those funds to USDT and ETH, trace those proceeds to two TRON addresses, request Tether freeze those funds, then get Tether to remit newly minted USDT to return the USDT to the victim.

Additionally, the DOJ team used a novel technique for delivering “notice” to the foreign-based controllers of the frozen TRON addresses. The FBI sent a transaction to the address which included a note, with a link to the forfeiture, explaining that the funds had been forfeited by the US Government.

The complaint details how L.D. became a target of a sophisticated scam, resulting in the unauthorized transfer of Bitcoin (BTC) from his personal hardware wallet to multiple fraudulent addresses.

L.D. intended to use his Bitcoin for generating interest by engaging with what he believed was the legitimate platform “ThorSwap.” The platform had advertised an “earn” feature, encouraging users to lend Bitcoin to liquidity pools in exchange for interest payments. After following instructions online, L.D. transferred 1 BTC (approximately $50,000) from his hardware wallet to what he believed was a ThorSwap-associated address. However, the BTC was transferred to a separate address with no connection to ThorSwap.

Two days later, an additional 6.55813405 BTC (around $340,000) was taken from L.D.'s wallet in an unauthorized transaction. Unlike the initial transfer, this significant transfer was not initiated or authorized by L.D., suggesting that the fraudsters had gained access to his wallet or private key information. This entire balance was then transferred to an unhosted address, labeled “ADDRESS-I,” the first known recipient address used in the fraud.

The stolen BTC from ADDRESS-I was subsequently transferred in multiple transactions to addresses controlled by MEXC Global, a cryptocurrency exchange. MEXC Global accounts associated with email addresses based in Nigeria were then used to swap the BTC for Tether (USDT) and Ethereum (ETH). These accounts were created just before or after the fraudulent transactions and accessed via IP addresses traced to Lagos, Nigeria. The fraudsters’ tactics included splitting the BTC into smaller transactions, making it appear like legitimate activity.

After converting the BTC to USDT, fraudsters used various accounts on MEXC Global to consolidate the funds. The USDT was then transferred in two primary batches: a 98,000 USDT transaction to an address designated as ADDRESS-7 and a 100,000 USDT transaction to ADDRESS-8. Both transactions were conducted to keep the assets in private addresses, making recovery difficult. By March 2024, both addresses were frozen by Tether Limited upon law enforcement's request. Tether, according to the complaint, subsequently “burned” the USDT tokens in these addresses and reissued the equivalent amounts to a U.S. law enforcement-controlled wallet.

Analysis indicated that the BTC transfers to the Nigerian-associated accounts involved wash trades, which created an appearance of organic activity but concealed the funds’ true origins. The FBI investigation identified the unauthorized withdrawals from L.D.'s wallet and traced them using blockchain intelligence, confirming that they were indeed tied to the unauthorized transactions stemming from the ThorSwap impersonation scam.

‍

The government, in this action, claims that these 200,000 USDT tokens are proceeds of wire fraud and are subject to civil forfeiture under 18 U.S.C. § 981(a)(1)(C), as the assets are considered products of specified unlawful activity, including wire fraud and conspiracy to commit wire fraud.