A US resident based in Indiana was charged with cyber intrusion and cryptocurrency theft conspiracies
# Incident Report: $37M Cryptocurrency Heist by Individual Actor
## Executive Summary
An individual, Evan Frederick Light, orchestrated a scheme resulting in the theft of over $37 million in cryptocurrency from nearly 600 victims by illegally accessing an investment firm in South Dakota in February 2022. The subsequent investigation by the FBI led to the identification and arrest of the perpetrator, partial recovery of funds, and a resulting 20-year federal prison sentence for conspiracy and money laundering.
## Incident Details
- Discovery Date: Not stated in the article; the indictment followed in May 2023, so detection fell between February 2022 and that date
- Incident Date: February 2022 (attack occurred)
- Affected Organization: Investment firm based in Sioux Falls, South Dakota
- Sector: Financial Services/Investment
- Geography: South Dakota (Victim firm), Indiana (Perpetrator location)
## Timeline of Events
### Initial Access
- Date/Time: February 2022
- Vector: Cyber intrusion targeting an investment firm's systems.
- Details: Unlawfully gained access to the systems of the investment firm.
### Lateral Movement
- *Not explicitly detailed, but implied by the scope of PII theft and subsequent large-scale fraud.*
### Data Exfiltration/Impact
- Stole Personally Identifiable Information (PII) from the firm’s customers.
- Used stolen PII to steal over $37 million in cryptocurrency from approximately 600 victims.
- Funds were laundered through mixing services and gambling websites.
### Detection & Response
- **Detection:** The initial intrusion occurred in February 2022 and the perpetrator was indicted in May 2023, so detection and investigation took place between those dates, led by the FBI.
- **Response Actions:** The FBI investigation led to the identification and arrest of Evan Frederick Light. A substantial portion of the stolen cryptocurrency was recovered during the investigation. Light pleaded guilty in September 2024 and was sentenced in February 2025.
## Attack Methodology
- **Initial Access:** Gaining unauthorized access (intrusion) into the investment firm's environment.
- **Persistence:** *Not explicitly detailed.*
- **Privilege Escalation:** *Not explicitly detailed, but necessary to access customer PII.*
- **Defense Evasion:** *Not explicitly detailed.*
- **Credential Access:** Stole Personally Identifiable Information (PII) belonging to customers.
- **Discovery:** *Not explicitly detailed.*
- **Lateral Movement:** *Not explicitly detailed, but implied to target customer accounts.*
- **Collection:** Gathered customer PII.
- **Exfiltration:** Stole over $37 million in cryptocurrency from customer accounts.
- **Impact:** Financial devastation to victims (e.g., destruction of retirement savings) and significant financial loss to the firm and its customers.
## Impact Assessment
- Financial: Over $37 million stolen. Restitution of $37 million was ordered. A substantial portion was recovered by law enforcement.
- Data Breach: Personally Identifiable Information (PII) of nearly 600 customers was compromised.
- Operational: No specific operational impact on the firm was detailed, but the compromise was severe enough to lead to mass theft.
- Reputational: The incident caused financial and emotional harm to hundreds of victims whose lives were "devastated."
## Indicators of Compromise
- *The article does not provide specific network or file IOCs; the focus is on the criminal conviction.*
## Response Actions
- **Containment:** Law enforcement (FBI) investigated and identified the suspect.
- **Eradication steps:** The perpetrator, Evan Light, was arrested and subsequently pleaded guilty.
- **Recovery actions:** A substantial portion of the stolen cryptocurrency was recovered by the FBI. Restitution orders were put in place.
## Lessons Learned
- Sophisticated criminal operations can be carried out by a single individual working from an unremarkable setting (the article cites his "mother's basement").
- Thorough investigation and interagency cooperation (FBI, US Marshals Service) are crucial for tracing complex cryptocurrency crime.
- Cybercrime is not victimless and has severe personal (financial/emotional) impacts.
## Recommendations
- Implement enhanced controls around customer PII storage and access within financial and investment platforms.
- Strengthen multi-factor authentication and monitoring around access points that could lead to high-value asset (cryptocurrency) accounts.
- Enhance transaction monitoring systems to detect subsequent laundering activities (mixing services, gambling sites).