
IN THE UNITED STATES DISTRICT COURT

FOR THE WESTERN DISTRICT OF NORTH CAROLINA


CHARLOTTE DIVISION

IN RE APPLICATION OF THE UNITED    )
STATES OF AMERICA FOR A CRIMINAL   )   CASE NO. 3:23-mj-00453-WCM
COMPLAINT AND AN ARREST            )
WARRANT FOR CHIRAG TOMAR           )   UNDER SEAL

AFFIDAVIT IN SUPPORT OF
APPLICATION FOR ARREST WARRANT

I, Michael S. Hackney, a Special Agent with the United States Secret Service, being duly sworn,
depose and say:

1. I am a Special Agent with the United States Secret Service (“USSS”) and have been so

duly employed as a Special Agent since May 2011. I have received specialized training

and have experience in conducting investigations involving violations of federal law, to

include Wire Fraud, Bank Fraud, Conspiracy and Money Laundering. I am currently

assigned to USSS Charlotte Field Office Cyber Fraud Task Force (“CFTF”) as the Crypto

Currency Group Leader. I have previously completed extensive training at both the Federal

Law Enforcement Training Center, Glynco, GA and the USSS training facility Beltsville,

MD. During my time with the USSS, I have completed over 200 hours of training in cyber

and computer-related investigations and have completed an additional 50 hours of training

specific to cryptocurrency and cryptocurrency investigations to include Crypto Orientation

for Law Enforcement, Crypto Fundamentals Certification, Crypto Certified Investigator,

Case 3:23-mj-00453-WCM Document 3-1 Filed 12/20/23 Page 1 of 17


and the Advanced Crypto Investigator Training Courses. Prior to my employment with the

USSS, I was a Virginia State Police Trooper for six years.

2. This Affidavit is intended to show only that there is sufficient probable cause for the

requested Warrant and does not set forth all my knowledge about this matter.

3. The information contained herein comes from my personal knowledge, information

conveyed by other law enforcement officers, victims identified herein, and publicly

available information.

4. Your Affiant submits that there is probable cause to believe that from on or about August

22, 2020 and continuing through present, in the Western District of North Carolina and

elsewhere, Defendant CHIRAG TOMAR (“TOMAR”), a citizen of the Republic of India,

committed the following offenses: Wire Fraud Conspiracy, in violation of 18 U.S.C. §

1349; and Money Laundering Conspiracy, in violation of 18 U.S.C. § 1956(h).

INTRODUCTION

5. The USSS and the Federal Bureau of Investigation (“FBI”) have been investigating a

cryptocurrency theft and money laundering scheme which involved subjects gaining

unlawful access to the victims’ cryptocurrency exchange accounts and using that access to

conduct unauthorized transfers of cryptocurrency to cryptocurrency exchange accounts

located abroad which were controlled by the fraudsters or their coconspirators.

6. Beginning as late as August 22, 2020, TOMAR and known and unknown coconspirators

conducted the cryptocurrency scheme by using a website designed to resemble the

cryptocurrency exchange Coinbase to trick Coinbase users into providing their log-in

credentials to the fraudsters. The fraudsters then used the victims’ log-in credentials to

access the victims’ Coinbase accounts and transfer the account holdings out of the

accounts. Investigators have identified at least 542 victims of this scheme, including

VICTIM MB 1 of Franklin, Tennessee; VICTIM MF 2 of Charlotte, North Carolina;

VICTIM PC 3 of Mooresville, North Carolina; and VICTIM PAC 4 of West Palm Beach,

Florida. After the cryptocurrency funds were transferred out of the victims’ Coinbase

accounts, the coconspirators, including TOMAR, employed numerous money laundering

techniques with the stolen funds, including: (1) receiving the funds in accounts set up with

fictitious or stolen identities; (2) rapidly moving the stolen funds in various amounts

including commingling with other funds; (3) layering the transactions through multiple

accounts at various exchanges, and (4) converting the funds to other forms of

cryptocurrency, a practice known as “chain hopping,” among other techniques.

DEFINITIONS

7. Cryptocurrency: Cryptocurrency, a type of virtual currency, is a decentralized, peer-to-

peer, network-based medium of value or exchange that may be used as a substitute for fiat1

currency to buy goods or services or exchanged for fiat currency or other cryptocurrencies.

Examples of cryptocurrency are Bitcoin (“BTC”), Ethereum (“ETH”) and Tether

(“USDT”). Cryptocurrency can exist digitally on the Internet, in an electronic storage

device, or in cloud-based servers. Cryptocurrency can be exchanged directly person to

person, through a cryptocurrency exchange, or through other intermediaries. Generally,

cryptocurrency is not issued by any government, bank, or company; it is instead generated

and controlled through computer software operating on a decentralized peer-to-peer

network. Most cryptocurrencies have a “blockchain,” which is a distributed public ledger,

run by the decentralized network, containing an immutable and historical record of every

1 Fiat currency is currency issued and regulated by a government such as the U.S. dollar, euro, or
Japanese yen.

transaction.2 Cryptocurrencies are sent to and received from “addresses.” A

cryptocurrency address is somewhat analogous to a bank account number and is

represented as a 26-to-35-character-long case-sensitive string of letters and numbers. Each

address is controlled through the use of a unique corresponding private key.

8. Virtual Currency Exchanges: Cryptocurrency “exchanges” or “VCEs” are businesses that

allow customers to buy, sell, or trade virtual currency. Many VCEs also store currency on

behalf of their customers. VCEs doing business in the United States are regulated by the

U.S. Department of Treasury and are required to establish anti-money laundering (“AML”)

programs—that is, controls designed to detect and deter money laundering.

9. Coinbase, Binance, MEXC are exchanges: online platforms for buying, selling,

transferring, and storing cryptocurrency. Coinbase is headquartered in San Francisco,

California. Binance is located in the Cayman Islands. MEXC is a Chinese owned company

headquartered in Singapore.

10. Wallet: Cryptocurrency is stored in a virtual account called a wallet. Wallets are software

programs that interface with blockchains and generate and/or store public and private keys

used to send and receive cryptocurrency. A public key or address is akin to a bank account

number, and a private key is akin to a PIN number or password that allows a user the ability

to access and transfer value associated with the public address or key.

2 Some cryptocurrencies operate on blockchains that are not public and operate in such a way to obfuscate
transactions, making it difficult to trace or attribute transactions.

DEFENDANT IDENTIFICATION

11. CHIRAG TOMAR is a thirty-year-old male citizen of the Republic of India. Based on the

evidence contained herein, I believe that Defendant, CHIRAG TOMAR, is the account

owner for an email account used in this scheme (the “TOMAR EMAIL ACCOUNT”).

First, the TOMAR EMAIL ACCOUNT username begins with “chirag.tomar.” Further,

the TOMAR EMAIL ACCOUNT contained multiple photos of a Republic of India

identification card and a Republic of India Passport belonging to CHIRAG TOMAR. The

TOMAR EMAIL ACCOUNT emailed these photos on several occasions, including to

apply for a travel visa to the United States for TOMAR. Additionally, within the records

of the TOMAR EMAIL ACCOUNT, investigators identified emails from ICICI Bank

with statements in the name of Chirag Tomar and emails with TOMAR’s personal

information used to book hotels and receive food deliveries, among other personal

activities.

12. Investigators confirmed that TOMAR was granted a travel visa to the United States and

have compared the visa photo to that contained in the TOMAR EMAIL ACCOUNT, and

determined that it is the same Chirag Tomar. This United States visa application for

TOMAR provided a work telephone number for TOMAR ending in 3999 (the “TOMAR

PHONE”). Further, on April 1, 2022, the TOMAR EMAIL ACCOUNT received an

email containing a booking confirmation for the Holiday Inn New Delhi International

Airport which was in the name of Chirag Tomar and provided the TOMAR PHONE as

TOMAR’s contact number. Finally, the TOMAR EMAIL ACCOUNT received a bill on

March 31, 2022 for a mobile phone account in TOMAR’s name which was for the

TOMAR PHONE.

13. A MEXC exchange account ending in 7727 (the “TOMAR MEXC ACCOUNT”)

identified pursuant to this investigation, was registered as having the TOMAR PHONE

as the account phone number. However, although this account was linked to the TOMAR

PHONE, it was registered under a different name. Investigators believe TOMAR to be

the true account holder. Investigators believe that TOMAR’s use of a fictitious name for

the TOMAR MEXC ACCOUNT is indicative of an attempt to conceal the true identity

of the account holder and obfuscate the nature and source of the cryptocurrency

transactions that took place therein.

14. A review of TOMAR EMAIL ACCOUNT Google search history shows searches

between June 29, 2021 and October 26, 2022 associated with the cryptocurrency fraud

scheme described herein. Those searches by TOMAR included: “Fake coinbase page,”

“Coinbase scam,” “How to take money from coinbase without OTP,3” “need coinbase

traffic,” “Scams in the USA,” and others. The review indicates there were more than 25

such searches in the above time frame.

PROBABLE CAUSE

15. At the times set forth herein, Coinbase, the publicly traded exchange that serves legitimate

purposes, maintained a legitimate website at https://pro.coinbase.com. Coinbase Pro was

an advanced trading platform advertised for Coinbase customers who frequently trade

cryptocurrency. According to the Coinbase Pro website, users of cryptocurrency (users

such as the victims identified herein), would access Coinbase Pro and Coinbase services to

buy, sell, and manage cryptocurrency.

3 OTP is a One Time Passcode, which sends a code to a device of your choosing to authenticate that the true owner
is seeking to access the account. This search indicates that TOMAR was seeking to gain unauthorized access to
Coinbase accounts without having to acquire the OTP two-factor authentication.

16. Investigators identified a family of websites that were designed to mimic or “spoof” the

legitimate Coinbase Pro website in order to “phish” for victims’ log-in credentials. These

lookalike websites could be found at URLs that featured variations of “coinbasepro.com”

or were the landing pages from redirections from such sites, including the following:

“coinbasepro.com,” “fastsupport.gotoassist.com,” “autho.coinbasepro.com,”

“primetoyking.com,” and “coimdrazeprogogicsecure.com” (collectively, the “CBP

Phishing Sites”). Fraudsters commonly create phishing websites, that is, websites designed

by fraudsters to mimic the appearance of legitimate websites, to falsely gain the trust of

users, and fraudulently obtain users’ personal and private information, including sensitive

account information. In this case, the CBP Phishing Sites appear to have been designed to

capture Coinbase users’ log-in credentials. Based on the similar URLs and website design,

victims who were searching for the legitimate Coinbase Pro website were tricked into

accessing the CBP Phishing Sites.

17. At all relevant times, pro.coinbase.com was a legitimate URL to route to the true Coinbase

Pro website. However, the URL coinbasepro.com would redirect victims to the CBP

Phishing Sites. At all relevant times, the CBP Phishing Sites consisted of a well-

constructed webpage purporting to be the legitimate Coinbase cryptocurrency exchange,

featuring high-quality graphics and a login screen that prompted the user to provide their

Coinbase username and password, consistent with the real Coinbase site. The following is

an image depicting the CBP Phishing Sites:

18. Most icons and links featured on the CBP Phishing Sites were inoperable. The CBP

Phishing Sites were essentially a single page without functioning links. Some links would

only display an “account is disabled”-type pop up screen regardless of the context of the

link. The CBP Phishing Sites also featured several instances of improper terminology and

grammatical errors, such as words lacking proper capitalization or structure. This is a

possible indication that the creators are not native English speakers and/or are based outside

the country and is certainly not indicative of a website operated by an organized publicly

traded company such as the legitimate Coinbase.

19. The CBP Phishing Sites were designed to trick each victim into changing his or her

password by initiating a series of steps described herein. When a victim would accidentally

visit the CBP Phishing Sites and attempt to login with their valid Coinbase credentials, the

victim would be notified that their account was locked and prompted to call a phone

number that was provided in a chat window to speak to a purported Coinbase

representative. The phone number connected the victims to a coconspirator who purported

to be an employee of Coinbase. At this point in the fraud scheme, a real password-reset

link would then be sent to the victim and the fraudulent Coinbase representative would

request that the victim provide the real password-reset link in the chat. The provided link

by the victim was a legitimate link from Coinbase allowing the actor to change the victim’s

account password. By tricking the victim into providing the password reset link, the actor

was then able to use the link to change the victim’s Coinbase password and gain control of

the victim’s Coinbase account. The fraudsters then used their control over the Coinbase

accounts to transfer funds to accounts they controlled. Investigators accessed the CBP

Phishing Sites and observed the above-described steps of the fraud scheme. Investigators

further determined that no matter what login information was entered on the CBP Phishing

Sites, the website always indicated that a user’s account was disabled or locked.

20. Investigators have determined using the open-source domain registration website,

www.whois.com, that the fraudulent website Coinbasepro.com was first registered on

August 22, 2020.

VICTIM MB 1

21. On September 25, 2021, while attempting to access his Coinbase account online, VICTIM

MB 1 was unable to log in. VICTIM MB 1 then attempted to change his password, and

VICTIM MB 1 utilized the live chat feature on (what VICTIM MB 1 believed to be) the

Coinbase website to do so. The support employee advised VICTIM MB 1 that he would

receive a phone call to execute the password change. VICTIM MB 1 then had an incoming

call and the other party verified VICTIM MB 1’s identity. The caller, purportedly a

representative from Coinbase, then instructed VICTIM MB 1 to provide an emailed link

from Coinbase in the chat window. Based on my knowledge of the investigation and

experience with Coinbase, I believe that VICTIM MB 1 had accidentally directed their

browser to coinbasepro.com, the CBP Phishing Site. Accordingly, shortly after providing

the link in the chat window, VICTIM MB 1 noticed an unauthorized transfer of

approximately 63.11323345 Ethereum (“ETH”) and 0.8 Bitcoin (“BTC”) out of their

Coinbase account to an external account, worth approximately $170,955.

22. Coinbase records of VICTIM MB 1’s account reflect that on September 25, 2021, the

transfer of approximately 63.11323345 ETH and 0.8 BTC occurred to an account at

Binance from the victim’s Coinbase account.

23. Records reflect that the Binance account that received VICTIM MB 1’s stolen funds was

in the name of an individual, R.A., and registered with an email account, EMAIL

ACCOUNT 1.

24. Email records acquired by investigators pursuant to search warrants reflected that on

August 11, 2021, the TOMAR EMAIL ACCOUNT sent two emails to EMAIL

ACCOUNT 1. The first email had an attached photo of the identification card of R.A.

from the Election Commission of India. The second email had a photo of R.A.’s Indian

passport. I believe based on my experience and the order of events, these identification

documents appear to be stolen or fraudulently obtained. Approximately ten minutes after

receiving the identification document photos, EMAIL ACCOUNT 1 received two emails

from Binance confirming identity verification for the account opening of the Binance

account which received the victim funds. Based on the above, it appears that TOMAR

provided stolen or fraudulently obtained identification documents of R.A. to EMAIL

ACCOUNT 1 for the purposes of opening a Binance account in R.A.’s name to receive

cryptocurrency stolen from VICTIM MB 1. On September 25, 2021, the day of the

unauthorized transfer of BTC and ETH from VICTIM MB 1’s Coinbase account, Binance

sent emails to EMAIL ACCOUNT 1 confirming the stolen 63 ETH and 0.8 BTC fund

deposits into that Binance account.

25. In an email sent on January 24, 2022, another email account, EMAIL ACCOUNT 2, sent

the TOMAR EMAIL ACCOUNT a .txt file with the filename of notepad 2.txt. VICTIM

MB 1’s phone number, name, and amount of funds stolen was located in this file, alongside

the date of September 25, 2021. This coincides with the fraudulent transaction from

VICTIM MB 1’s Coinbase account.

VICTIM MF 2

26. On January 26, 2022, VICTIM MF 2 attempted to login to his Coinbase account using his

internet browser. VICTIM MF 2 was unknowingly redirected to a site that looked exactly

like Coinbase, and I believe based on the knowledge of this investigation that he had

accidentally directed his browser to the CBP Phishing Sites. VICTIM MF 2 attempted to

log in with his account credentials, but the website said his account had been locked and to

call customer support to access his account. VICTIM MF 2 spoke on the phone with a

purported Coinbase customer support representative. Similar to the scheme perpetrated on

VICTIM MB 1, VICTIM MF 2 provided a link to the impostor Coinbase representative,

which resulted in VICTIM MF 2’s Coinbase account being compromised. Shortly

thereafter, an unauthorized transfer of .3396 BTC was executed from VICTIM MF 2’s

Coinbase account to an external account.

27. In an email sent on February 16, 2022, another email account, EMAIL ACCOUNT 3, sent

the TOMAR EMAIL ACCOUNT a .txt file with the filename of New Text Document.txt.

Victim MF 2’s phone number, name, and amount of funds stolen was located in this file,

alongside the date January 26, 2022. This coincides with the fraudulent transactions from

VICTIM MF 2’s Coinbase account.

VICTIM PC 3

28. On April 16, 2022, VICTIM PC 3 attempted to access his Coinbase account using his

internet browser. VICTIM PC 3 was unknowingly redirected to a site that looked exactly

like Coinbase, and I believe based on the knowledge of this investigation that he had

accidentally directed his browser to the CBP Phishing Sites. VICTIM PC 3 attempted to

log in with his account credentials and the website refreshed with a new screen that

indicated that VICTIM PC 3’s account was locked and to call a number or communicate

with Coinbase customer service via a pop-up screen. A purported Coinbase customer

service representative convinced VICTIM PC 3 to provide access to his account to the

representative. After VICTIM PC 3 provided his two-factor authorization password, he

was told that his account was unlocked and to access it. VICTIM PC 3 accessed his account

and saw his expected balance of $132,515.51 in U.S. Currency in his account for a few

moments. At this time, VICTIM PC 3 received emails that transactions were taking place

in his Coinbase account without the authorization of VICTIM PC 3. VICTIM PC 3 then

observed that his balance of $132,515.51 was converted to 44.09 ETH in his Coinbase

account and also received a notification that there was an attempt to exchange the ETH for

USDT, but that the exchange was cancelled. On April 16, 2022, the 44.09 ETH was

transferred out of VICTIM PC 3’s Coinbase wallet to multiple cryptocurrency addresses

before being sent to the TOMAR MEXC ACCOUNT without VICTIM PC 3’s

authorization. Furthermore, it was determined that 8.81 ETH was transferred from two

other victims and consolidated into VICTIM PC 3’s transfer, for a total of 52.90 ETH.

29. VICTIM PC 3’s funds were converted from fiat currency to ETH by the fraudsters and sent

to the TOMAR MEXC ACCOUNT on April 16, 2022. The next day, April 17, 2022,

TOMAR, via the TOMAR MEXC ACCOUNT, executed a “chain hop” of the funds by

converting the stolen funds from 52.9 ETH to 164,626.58 USDT and transferred the funds

out of his account to an address ending in G91RL, a decentralized address,4 before being

4 A decentralized address is an address on the blockchain that does not belong to an exchange or other avenue that
identifies the true owner. This address is able to facilitate transfers to other addresses with the appropriate public
and private keys.

sent to the Binance account of another individual. The below graph depicts the assets being

stolen and moved through the block chain:

VICTIM PAC 4

30. On June 6, 2022, VICTIM PAC 4 sought to access his Coinbase account but accidentally

entered coinbasepro.com into his web browser, which guided him to the CBP Phishing

Sites. VICTIM PAC 4 entered his username and password, which initiated a banner along

the top of the webpage, which indicated that there was a security issue and instructed him

to call the displayed Coinbase customer service phone number. VICTIM PAC 4 called the

number provided and a purported Coinbase representative answered that he could help

VICTIM PAC 4 execute an account reset over the phone. VICTIM PAC 4 was instructed

to click the chat icon on the bottom right corner of his screen. Later in the chat, VICTIM

PAC 4 was asked to provide the impostor Coinbase representative with authentication

codes that had been sent to his phone. VICTIM PAC 4 provided the codes. VICTIM PAC

4 also uploaded copies of his Driver’s License to the web chat, as instructed by the individual.

Later, after checking his account, VICTIM PAC 4 observed that the fraudsters had accessed

his Coinbase account and converted his cryptocurrency to 138.5 ETH, and then, after

bypassing account verification with his own submitted ID, transferred the ETH out of his

Coinbase account. On or about June 6, 2022, the 138.5 ETH was subsequently transferred

out of VICTIM PAC 4’s Coinbase wallet to multiple decentralized cryptocurrency wallets.

On or about June 7, 2022, the 138.5 ETH of VICTIM PAC 4’s stolen funds were

commingled with other victim funds, totaling 161.36 ETH. The 161.36 ETH were

converted to 325,152 USDT in a decentralized address ending in 02d1b.

31. On or about June 8, 2022, 200,000 USDT of the victim funds were sent to the TOMAR

MEXC ACCOUNT. On or about June 9, 2022, TOMAR executed a “chain hop” with the

victim funds, by switching the 200,000 USDT from its Ethereum block chain to another

blockchain known as the TRX network and transferred the funds out of the account.

CONCLUSION

32. Investigators have determined that VICTIM MB 1, VICTIM MF 2, VICTIM PC 3 and

VICTIM PAC 4 were victims of the same fraud conspiracy. An analysis of the victim

spreadsheets located in the TOMAR EMAIL ACCOUNT sent between CHIRAG

TOMAR and known and unknown coconspirators revealed phone numbers, names, and

amount of funds stolen of approximately 542 victims between July 1, 2021 to February 24,

2022. The records reflect a total victim loss of $19.9 million USD.

33. An analysis of the TOMAR MEXC ACCOUNT revealed frequent money laundering

activity committed by TOMAR through this account. The account shows deposits, among

other cryptocurrencies, of 4,401,727 USDT and 66.83 BTC and frequent “chain hop”

conversions and rapid transfers of cryptocurrencies out of the account.

34. Based on the foregoing, your Affiant submits that there is probable cause to believe that

CHIRAG TOMAR violated 18 U.S.C. § 1956(h), which makes it a crime in relevant part

to conspire to transmit or transfer funds from a place in the United States to a place outside

the United States knowing that the funds involved in the transmission or transfer

represented the proceeds of some form of specified unlawful activity and knowing that

such transmission or transfer is designed in whole or in part to conceal or disguise the

nature, location, source, ownership, or control of the proceeds of the specified unlawful

activity. For the purposes of this section, specified unlawful activity includes wire fraud,

in violation of 18 U.S.C. § 1343.

35. Your Affiant submits there is also probable cause to believe that CHIRAG TOMAR

violated 18 U.S.C. § 1349, which makes it a crime in relevant part to conspire to commit

wire fraud, 18 U.S.C. § 1343, which is obtaining money or property by means of false or

fraudulent pretenses through the use of interstate or foreign commerce.

/S/_Michael S. Hackney
Michael S. Hackney
Special Agent
United States Secret Service
Western District of North Carolina

Affidavit Reviewed by Assistant United States Attorney Matthew T. Warren

In accordance with Rule 4.1(b)(2)(A), the Affiant attested under oath to the contents of this
Affidavit, which was submitted to me by reliable electronic means, on this 20th day of December
2023, at 8:34 AM.

Signed: December 20, 2023
