Chirag Tomar Coinbase Phishing
AFFIDAVIT IN SUPPORT OF
APPLICATION FOR ARREST WARRANT
I, Michael S. Hackney, a Special Agent with the United States Secret Service, being duly sworn,
depose and say:
1. I am a Special Agent with the United States Secret Service (“USSS”) and have been so
duly employed as a Special Agent since May 2011. I have received specialized training
that includes Wire Fraud, Bank Fraud, Conspiracy and Money Laundering. I am currently
assigned to USSS Charlotte Field Office Cyber Fraud Task Force (“CFTF”) as the Crypto
Currency Group Leader. I have previously completed extensive training at both the Federal
Law Enforcement Training Center, Glynco, GA and the USSS training facility in Beltsville,
MD. During my time with the USSS, I have completed over 200 hours of training in cyber
2. This Affidavit is intended to show only that there is sufficient probable cause for the
requested Warrant and does not set forth all my knowledge about this matter.
conveyed by other law enforcement officers, victims identified herein, and publicly
available information.
4. Your Affiant submits that there is probable cause to believe that from on or about August
22, 2020 and continuing through present, in the Western District of North Carolina and
INTRODUCTION
5. The USSS and the Federal Bureau of Investigation (“FBI”) have been investigating a
cryptocurrency theft and money laundering scheme which involved subjects gaining
unlawful access to the victims’ cryptocurrency exchange accounts and using that access to
6. Beginning as late as August 22, 2020, TOMAR and known and unknown coconspirators
cryptocurrency exchange Coinbase to trick Coinbase users into providing their log-in
credentials to the fraudsters. The fraudsters then used the victims’ log-in credentials to
access the victims’ Coinbase accounts and transfer the account holdings out of the
VICTIM PC 3 of Mooresville, North Carolina; and VICTIM PAC 4 of West Palm Beach,
Florida. After the cryptocurrency funds were transferred out of the victims’ Coinbase
techniques with the stolen funds, including: (1) receiving the funds in accounts set up with
fictitious or stolen identities; (2) rapidly moving the stolen funds in various amounts
including commingling with other funds; (3) layering the transactions through multiple
accounts at various exchanges, and (4) converting the funds to other forms of
DEFINITIONS
peer, network-based medium of value or exchange that may be used as a substitute for fiat1
currency to buy goods or services or exchanged for fiat currency or other cryptocurrencies.
run by the decentralized network, containing an immutable and historical record of every
1 Fiat currency is currency issued and regulated by a government such as the U.S. dollar, euro, or
Japanese yen.
allow customers to buy, sell, or trade virtual currency. Many VCEs also store currency on
behalf of their customers. VCEs doing business in the United States are regulated by the
U.S. Department of Treasury and are required to establish anti-money laundering (“AML”)
9. Coinbase, Binance, and MEXC are exchanges: online platforms for buying, selling,
California. Binance is located in the Cayman Islands. MEXC is a Chinese-owned company
headquartered in Singapore.
10. Wallet: Cryptocurrency is stored in a virtual account called a wallet. Wallets are software
programs that interface with blockchains and generate and/or store public and private keys
used to send and receive cryptocurrency. A public key or address is akin to a bank account
number, and a private key is akin to a PIN number or password that allows a user the ability
to access and transfer value associated with the public address or key.
2 Some cryptocurrencies operate on blockchains that are not public and operate in such a way to obfuscate
transactions, making it difficult to trace or attribute transactions.
11. CHIRAG TOMAR is a thirty-year-old male citizen of the Republic of India. Based on the
evidence contained herein, I believe that Defendant, CHIRAG TOMAR, is the account
owner for an email account used in this scheme (the “TOMAR EMAIL ACCOUNT”).
First, the TOMAR EMAIL ACCOUNT username begins with “chirag.tomar.” Further,
identification card and a Republic of India Passport belonging to CHIRAG TOMAR. The
apply for a travel visa to the United States for TOMAR. Additionally, within the records
of the TOMAR EMAIL ACCOUNT, investigators identified emails from ICICI Bank
with statements in the name of Chirag Tomar and emails with TOMAR’s personal
information used to book hotels and receive food deliveries, among other personal
activities.
12. Investigators confirmed that TOMAR was granted a travel visa to the United States and
have compared the visa photo to that contained in the TOMAR EMAIL ACCOUNT, and
determined that it is the same Chirag Tomar. This United States visa application for
TOMAR provided a work telephone number for TOMAR ending in 3999 (the “TOMAR
email containing a booking confirmation for the Holiday Inn New Delhi International
Airport which was in the name of Chirag Tomar and provided the TOMAR PHONE as
TOMAR’s contact number. Finally, the TOMAR EMAIL ACCOUNT received a bill on
March 31, 2022 for a mobile phone account in TOMAR’s name which was for the
TOMAR PHONE.
identified pursuant to this investigation, was registered as having the TOMAR PHONE
as the account phone number. However, although this account was linked to the TOMAR
the true account holder. Investigators believe that TOMAR’s use of a fictitious name for
the TOMAR MEXC ACCOUNT is indicative of an attempt to conceal the true identity
of the account holder and obfuscate the nature and source of the cryptocurrency
14. A review of TOMAR EMAIL ACCOUNT Google search history shows searches
between June 29, 2021 and October 26, 2022 associated with the cryptocurrency fraud
scheme described herein. Those searches by TOMAR included: “Fake coinbase page,”
“Coinbase scam,” “How to take money from coinbase without OTP,”3 “need coinbase
traffic,” “Scams in the USA,” and others. The review indicates there were more than 25
PROBABLE CAUSE
15. At the times set forth herein, Coinbase, the publicly traded exchange that serves legitimate
an advanced trading platform advertised for Coinbase customers who frequently trade
such as the victims identified herein), would access Coinbase Pro and Coinbase services to
3 OTP is a One Time Passcode, which sends a code to a device of your choosing to authenticate that the true owner
is seeking to access the account. This search indicates that TOMAR was seeking to gain unauthorized access to
Coinbase accounts without having to acquire the OTP two-factor authentication.
legitimate Coinbase Pro website in order to “phish” for victims’ log-in credentials. These
or were the landing pages from redirections from such sites, including the following:
Phishing Sites”). Fraudsters commonly create phishing websites, that is, websites designed
by fraudsters to mimic the appearance of legitimate websites, to falsely gain the trust of
users, and fraudulently obtain users’ personal and private information, including sensitive
account information. In this case, the CBP Phishing Sites appear to have been designed to
capture Coinbase users’ log-in credentials. Based on the similar URLs and website design,
victims who were searching for the legitimate Coinbase Pro website were tricked into
Pro website. However, the URL coinbasepro.com would redirect victims to the CBP
Phishing Sites. At all relevant times, the CBP Phishing Sites consisted of a well-
featuring high-quality graphics and a login screen that prompted the user to provide their
Coinbase username and password, consistent with the real Coinbase site. The following is
18. Most icons and links featured on the CBP Phishing Sites were inoperable. The CBP
Phishing Sites were essentially a single page without functioning links. Some links would
only display an “account is disabled”-type pop up screen regardless of the context of the
possible indication that the creators are not native English speakers and/or are based outside
the country and is certainly not indicative of a website operated by an organized publicly
19. The CBP Phishing Sites were designed to trick each victim into changing his or her
password by initiating a series of steps described herein. When a victim would accidentally
visit the CBP Phishing Sites and attempt to login with their valid Coinbase credentials, the
victim would be notified that their account was locked and prompted to call a phone
representative. The phone number connected the victims to a coconspirator who purported
link would then be sent to the victim and the fraudulent Coinbase representative would
request that the victim provide the real password-reset link in the chat. The provided link
by the victim was a legitimate link from Coinbase allowing the actor to change the victim’s
account password. By tricking the victim into providing the password reset link, the actor
was then able to use the link to change the victim’s Coinbase password and gain control of
the victim’s Coinbase account. The fraudsters then used their control over the Coinbase
accounts to transfer funds to accounts they controlled. Investigators accessed the CBP
Phishing Sites and observed the above-described steps of the fraud scheme. Investigators
further determined that no matter what login information was entered on the CBP Phishing
Sites, the website always indicated that a user’s account was disabled or locked.
VICTIM MB 1
21. On September 25, 2021, while attempting to access his Coinbase account online, VICTIM
MB 1 was unable to log in. VICTIM MB 1 then attempted to change his password, and
VICTIM MB 1 utilized the live chat feature on (what VICTIM MB 1 believed to be) the
Coinbase website to do so. The support employee advised VICTIM MB 1 that he would
receive a phone call to execute the password change. VICTIM MB 1 then had an incoming
call and the other party verified VICTIM MB 1’s identity. The caller, purportedly a
from Coinbase in the chat window. Based on my knowledge of the investigation and
experience with Coinbase, I believe that VICTIM MB 1 had accidentally directed their
browser to coinbasepro.com, the CBP Phishing Site. Accordingly, shortly after providing
approximately 63.11323345 Ethereum (“ETH”) and 0.8 Bitcoin (“BTC”) out of their
22. Coinbase records of VICTIM MB 1’s account reflect that on September 25, 2021, the
23. Records reflect that the Binance account that received VICTIM MB 1’s stolen funds was
in the name of an individual, R.A., and registered with an email account, EMAIL
ACCOUNT 1.
August 11, 2021, the TOMAR EMAIL ACCOUNT sent two emails to EMAIL
ACCOUNT 1. The first email had an attached photo of the identification card of R.A.
from the Election Commission of India. The second email had a photo of R.A.’s Indian
passport. I believe based on my experience and the order of events, these identification
receiving the identification document photos, EMAIL ACCOUNT 1 received two emails
from Binance confirming identity verification for the account opening of the Binance
account which received the victim funds. Based on the above, it appears that TOMAR
ACCOUNT 1 for the purposes of opening a Binance account in R.A.’s name to receive
cryptocurrency stolen from VICTIM MB 1. On September 25, 2021, the day of the
unauthorized transfer of BTC and ETH from VICTIM MB 1’s Coinbase account, Binance
sent emails to EMAIL ACCOUNT 1 confirming the stolen 63 ETH and 0.8 BTC fund
25. In an email sent on January 24, 2022, another email account, EMAIL ACCOUNT 2, sent
the TOMAR EMAIL ACCOUNT a .txt file with the filename of notepad 2.txt. VICTIM
MB 1’s phone number, name, and amount of funds stolen were located in this file, alongside
the date of September 25, 2021. This coincides with the fraudulent transaction from
VICTIM MF 2
26. On January 26, 2022, VICTIM MF 2 attempted to login to his Coinbase account using his
internet browser. VICTIM MF 2 was unknowingly redirected to a site that looked exactly
accidentally directed his browser to the CBP Phishing Sites. VICTIM MF 2 attempted to
log in with his account credentials, but the website said his account had been locked and to
call customer support to access his account. VICTIM MF 2 spoke on the phone with a
thereafter, an unauthorized transfer of 0.3396 BTC was executed from VICTIM MF 2’s
27. In an email sent on February 16, 2022, another email account, EMAIL ACCOUNT 3, sent
the TOMAR EMAIL ACCOUNT a .txt file with the filename of New Text Document.txt.
VICTIM MF 2’s phone number, name, and amount of funds stolen were located in this file,
alongside the date January 26, 2022. This coincides with the fraudulent transactions from
VICTIM PC 3
28. On April 16, 2022, VICTIM PC 3 attempted to access his Coinbase account using his
internet browser. VICTIM PC 3 was unknowingly redirected to a site that looked exactly
like Coinbase, and I believe based on the knowledge of this investigation that he had
accidentally directed his browser to the CBP Phishing Sites. VICTIM PC 3 attempted to
log in with his account credentials and the website refreshed with a new screen that
indicated that VICTIM PC 3’s account was locked and to call a number or communicate
with Coinbase customer service via a pop-up screen. A purported Coinbase customer
was told that his account was unlocked and to access it. VICTIM PC 3 accessed his account
and saw his expected balance of $132,515.51 in U.S. Currency in his account for a few
moments. At this time, VICTIM PC 3 received emails that transactions were taking place
observed that his balance of $132,515.51 was converted to 44.09 ETH in his Coinbase
account and also received a notification that there was an attempt to exchange the ETH for
USDT, but that the exchange was cancelled. On April 16, 2022, the 44.09 ETH was
before being sent to the TOMAR MEXC ACCOUNT without VICTIM PC 3’s
authorization. Furthermore, it was determined that 8.81 ETH was transferred from two
other victims and consolidated into VICTIM PC 3’s transfer, for a total of 52.90 ETH.
29. VICTIM PC 3’s funds were converted from fiat currency to ETH by the fraudsters and sent
to the TOMAR MEXC ACCOUNT on April 16, 2022. The next day, April 17, 2022,
TOMAR, via the TOMAR MEXC ACCOUNT, executed a “chain hop” of the funds by
converting the stolen funds from 52.9 ETH to 164,626.58 USDT and transferred the funds
out of his account to an address ending in G91RL, a decentralized address,4 before being
4 A decentralized address is an address on the blockchain that does not belong to an exchange or other avenue that
identifies the true owner. This address is able to facilitate transfers to other addresses with the appropriate public
and private keys.
VICTIM PAC 4
30. On June 6, 2022, VICTIM PAC 4 sought to access his Coinbase account but accidentally
entered coinbasepro.com into his web browser, which guided him to the CBP Phishing
Sites. VICTIM PAC 4 entered his username and password, which initiated a banner along
the top of the webpage, which indicated that there was a security issue and instructed him
to call the displayed Coinbase customer service phone number. VICTIM PAC 4 called the
number provided and a purported Coinbase representative answered that he could help
VICTIM PAC 4 execute an account reset over the phone. VICTIM PAC 4 was instructed
PAC 4 was asked to provide the impostor Coinbase representative with authentication
codes that had been sent to his phone. VICTIM PAC 4 provided the codes. VICTIM PAC
4 also uploaded copies of his Driver’s License to the web chat, as instructed by the individual.
Later, after checking his account, VICTIM PAC 4 observed that the fraudsters had accessed
his Coinbase account and converted his cryptocurrency to 138.5 ETH, and then, after
bypassing account verification with his own submitted ID, transferred the ETH out of his
Coinbase account. On or about June 6, 2022, the 138.5 ETH was subsequently transferred
out of VICTIM PAC 4’s Coinbase wallet to multiple decentralized cryptocurrency wallets.
On or about June 7, 2022, the 138.5 ETH of VICTIM PAC 4’s stolen funds were
commingled with other victim funds, totaling 161.36 ETH. The 161.36 ETH were
31. On or about June 8, 2022, 200,000 USDT of the victim funds were sent to the TOMAR
MEXC ACCOUNT. On or about June 9, 2022, TOMAR executed a “chain hop” with the
victim funds, by switching the 200,000 USDT from its Ethereum blockchain to another
blockchain known as the TRX network and transferred the funds out of the account.
CONCLUSION
VICTIM PAC 4 were victims of the same fraud conspiracy. An analysis of the victim
TOMAR and known and unknown coconspirators revealed phone numbers, names, and
amount of funds stolen of approximately 542 victims between July 1, 2021 and February 24,
2022. The records reflect a total victim loss of $19.9 million USD.
activity committed by TOMAR through this account. The account shows deposits, among
other cryptocurrencies, of 4,401,727 USDT and 66.83 BTC and frequent “chain hop”
34. Based on the foregoing, your Affiant submits that there is probable cause to believe that
CHIRAG TOMAR violated 18 U.S.C. § 1956(h), which makes it a crime in relevant part
to conspire to transmit or transfer funds from a place in the United States to a place outside
the United States knowing that the funds involved in the transmission or transfer
represented the proceeds of some form of specified unlawful activity and knowing that
nature, location, source, ownership, or control of the proceeds of the specified unlawful
activity. For the purposes of this section, specified unlawful activity includes wire fraud,
35. Your Affiant submits there is also probable cause to believe that CHIRAG TOMAR
violated 18 U.S.C. § 1349, which makes it a crime in relevant part to conspire to commit
wire fraud, 18 U.S.C. § 1343, which is obtaining money or property by means of false or
/S/ Michael S. Hackney
Michael S. Hackney
Special Agent
United States Secret Service
Western District of North Carolina