The Dumbest Thing In Security: The Cute Things Hackers Do

In a week in which Kaspersky awkwardly exited the U.S. market, a background check company left a massive database completely exposed, and an overhyped Linux vulnerability failed to impress, it’s always the crazy things hackers do that get our attention.

The U.S. Justice Department late last week unsealed an indictment against two people – Malone Lam, 20, of Miami, FL and Los Angeles, CA, and Jeandiel Serrano, 21, of Los Angeles – that alleges that they and others conspired to steal and launder over $230 million in cryptocurrency from a victim in Washington, D.C. As for the missteps that led a cyber sleuth to track them down, we’ll get to those in a minute.

A Big Score – And a Big Celebration

According to the Justice Department and a court document, in August 2024, Lam, a citizen of Singapore who goes by the online monikers “Anne Hathaway” and “$$$,” and Serrano, who goes by “VersaceGod” and “@SkidStar,” and unnamed co-conspirators allegedly contacted a victim in D.C. and, through “fraudulent pretenses, representations, and promises,” stole 4,100 Bitcoin, worth over $230 million at the time.

Lam and Serrano used peel chains, pass-through wallet addresses and VPNs to obscure the funds and their location, the government said.

So far so good. And quite a score, too. But like others before them, they celebrated a little too hard.

“International travel, nightclubs, luxury automobiles, watches, jewelry, designer handbags, and rental homes in Los Angeles and Miami” followed. And then a few big slip-ups allowed a sleuth to track them down.

‘Highly Sophisticated Social Engineering Attack’

According to self-described “scam survivor turned 2D investigator” Zach XBT on X, the “highly sophisticated social engineering attack” had three parts: calls masquerading as Google support to compromise private accounts; calls masquerading as Gemini support, claiming the account was hacked, which led to 2FA being reset and Gemini funds being sent to a compromised wallet; and the use of AnyDesk to screenshare and leak private keys.

But then came the mistakes. Ten or more cars purchased, $250,000-$500,000 a night spent going out to clubs with friends, and “giving out Birkin bags to girls,” who then apparently shared pics of their gifts on social media. Multiple real names got leaked in private videos and chats, and one of the defendants was seen “flexing stolen funds on Discord.”

He was then “located via OSINT in LA/Miami due to friends/girls posting his location on social media each night. He also has an Instagram account where he posted photos of himself using his name earlier this year.”

Another actor apparently linked clean funds to dirty funds by accidentally reusing a deposit address, and another actor during a screenshare “showed an address he sent funds to for designer clothes which had millions in exposure.”

$9 Million Frozen So Far

According to Zach XBT, $9 million had been frozen as of Sept. 19 and more was expected to follow, and $500,000 had been returned to the victim.

“I would expect law enforcement seized additional funds during the arrests due to large transfers around that period of time,” Zach XBT wrote.

A painful lesson for crypto investors, no doubt. And as we always note, arrests and indictments are not the same thing as guilt. As the Justice Department stated:

“An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.”

In the meantime, be careful out there, folks. Sophisticated attacks are becoming much easier to pull off.
