Full Report
22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist. [...]
Analysis Summary
# Incident Report: Multi-Million Dollar Cryptocurrency Social Engineering Heist and Laundering Operation
## Executive Summary
A criminal enterprise executed a sophisticated social engineering attack against a high-net-worth individual, stealing over 4,100 Bitcoin valued at approximately $230 million. The attackers utilized vishing (voice phishing) and remote desktop software to bypass security controls and gain access to private keys. Following the theft, a network of money launderers, including Evan Tangeman, utilized crypto-mixers and complex transaction chains to conceal the funds, which were used to finance extravagant lifestyles.
## Incident Details
- **Discovery Date:** August 2024 (Initial theft reporting/investigation)
- **Incident Date:** August 2024 (Theft); October 2023 – May 2025 (Laundering Period)
- **Affected Organization:** Genesis crypto exchange creditor (individual victim)
- **Sector:** Cryptocurrency / Financial Services
- **Geography:** Washington, D.C. (Victim); California and Florida (Suspects)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2024
- **Vector:** Social Engineering / Vishing
- **Details:** Attackers used spoofed phone numbers to impersonate Google and Gemini (crypto exchange) support staff.
### Lateral Movement
- **Details:** After convincing the victim their account was compromised, attackers gained remote access to the victim’s machine via AnyDesk. This allowed them to navigate the local environment to locate Bitcoin Core private keys.
### Data Exfiltration/Impact
- **Details:** Unauthorized transfer of over 4,100 Bitcoin (approx. $230M) from the victim's wallet to attacker-controlled addresses.
### Detection & Response
- **Detection:** Discovered through victim reporting and subsequent blockchain analysis by investigators such as ZachXBT.
- **Response:** Federal law enforcement (FBI/DOJ) arrested key suspects in September 2024 and May 2025. Evan Tangeman was sentenced to 70 months in April 2026.
## Attack Methodology
- **Initial Access:** Vishing (Voice Phishing) and Spoofing.
- **Persistence:** Not applicable; incident focused on rapid theft rather than long-term network presence.
- **Privilege Escalation:** Tricked victim into resetting 2FA (Two-Factor Authentication).
- **Defense Evasion:** Used VPNs, crypto mixers, and "peel chains" to obfuscate the flow of stolen funds. Tangeman also attempted to destroy evidence/electronic devices following co-conspirator arrests.
- **Credential Access:** Screen sharing via AnyDesk to capture Bitcoin Core private keys.
- **Discovery:** Pre-attack reconnaissance on high-value Genesis creditors.
- **Lateral Movement:** Remote desktop access via AnyDesk.
- **Collection:** Identifying and accessing sensitive wallet files/private keys.
- **Exfiltration:** Direct blockchain transfer of 4,100 BTC.
- **Impact:** Financial theft and subsequent money laundering (RICO conspiracy).
## Impact Assessment
- **Financial:** Total theft of $230,000,000; individual launderers handled portions (Tangeman: $3.5M; Mehta: $25M).
- **Data Breach:** Compromise of private cryptocurrency keys and 2FA credentials.
- **Operational:** Significant loss of assets for the individual/creditor.
- **Reputational:** Demonstrated vulnerabilities in support-based authentication workflows for crypto exchanges.
## Indicators of Compromise
- **Network indicators:** Use of AnyDesk (remote desktop) from unauthorized IPs.
- **Behavioral indicators:** Requests to share screens with "support" staff; requests to reset 2FA during an unsolicited inbound call.
- **Blockchain:** Movement of funds into known mixing services and "peel chain" wallet structures.
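The "peel chain" indicator above lends itself to a simple tracing heuristic. As an added example (not from the report or from any investigator's tooling), the Python below follows the dominant output of each transaction forward over a constructed transaction set and flags a chain once enough hops show one large continuation output plus a small peel; the Tx class, the 10% peel threshold, and all sample data are assumptions.

```python
"""Peel-chain tracing heuristic (added example, constructed data).

A peel chain moves a large balance forward hop by hop while a small
amount is "peeled" off to a separate address at each transaction.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    outputs: list  # list of (address, amount_btc) tuples


def trace_peel_chain(txs, spent_by, start_txid, max_peel_frac=0.1, min_hops=3):
    """Follow the largest output of each transaction forward.

    txs: txid -> Tx.  spent_by: address -> txid that later spends it.
    A hop counts as a peel hop when every non-continuation output is at
    most max_peel_frac of the transaction total; an even split or a
    single-output transaction ends the chain. Returns hop list, peeled
    outputs, and whether the chain reached min_hops.
    """
    hops, peeled, visited = [], [], set()
    txid = start_txid
    while txid in txs and txid not in visited:  # visited guards cycles
        visited.add(txid)
        tx = txs[txid]
        total = sum(amt for _, amt in tx.outputs)
        cont_addr, _ = max(tx.outputs, key=lambda o: o[1])
        peels = [(a, amt) for a, amt in tx.outputs if a != cont_addr]
        if not peels or any(amt > max_peel_frac * total for _, amt in peels):
            break
        hops.append(txid)
        peeled.extend(peels)
        txid = spent_by.get(cont_addr)  # None ends the loop
    return {"is_peel_chain": len(hops) >= min_hops, "hops": hops, "peeled": peeled}


# Constructed sample: four peel hops, then an even split that ends the chain.
SAMPLE_TXS = {
    "tx0": Tx("tx0", [("A1", 4000.0), ("P1", 12.0)]),
    "tx1": Tx("tx1", [("A2", 3985.0), ("P2", 15.0)]),
    "tx2": Tx("tx2", [("A3", 3975.0), ("P3", 10.0)]),
    "tx3": Tx("tx3", [("A4", 3965.0), ("P4", 9.9)]),
    "tx4": Tx("tx4", [("B1", 2000.0), ("B2", 1965.0)]),
}
SAMPLE_SPENT_BY = {"A1": "tx1", "A2": "tx2", "A3": "tx3", "A4": "tx4"}

if __name__ == "__main__":
    print(trace_peel_chain(SAMPLE_TXS, SAMPLE_SPENT_BY, "tx0"))
```

Real investigations combine this with clustering and mixer-address lists; the heuristic alone only surfaces candidate chains for review.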
## Response Actions
- **Containment:** Victim account freezing (post-incident).
- **Eradication:** Law enforcement seizure of assets (luxury cars, jewelry, cash).
- **Recovery:** Legal proceedings and sentencing of 14+ suspects involved in the RICO conspiracy.
## Lessons Learned
- **Social Engineering Resiliency:** Vishing remains a primary threat; standard 2FA can be bypassed if the user is manipulated into resetting it or sharing their screen.
- **Remote Software Abuse:** Tools like AnyDesk are frequently weaponized by attackers to bypass technical security perimeters.
- **Blockchain Forensics:** While mixers provide some anonymity, large-scale movements are frequently traceable by specialized investigators.
## Recommendations
- **Zero Trust Authentication:** Implement hardware-based security keys (e.g., YubiKey) that are resistant to interception or manual resets.
- **Policy Enforcement:** Organizations should never ask users to share screens via remote desktop tools for "support" calls.
- **Asset Cold Storage:** High-value cryptocurrency assets should be stored in multi-signature cold wallets, so that a single compromised machine is not a single point of failure.