How I Tracked and Sent the World’s Top Three Crypto Social‑Engineering Scammers to Prison
A 2.43 billion‑dollar Bitcoin heist that was pulled off not by hacking code but by exploiting human psychology: the investigator details the four‑step social‑engineering ploy, traces the perpetrators across multiple exchanges, and documents their eventual arrests worldwide.
On August 19, 2024, a transaction of 4,064 BTC (≈ US$243 million) was scattered across 15 exchanges, prompting a blockchain‑level investigation. The funds were rapidly swapped through Bitcoin, Ethereum, Solana, and Monero, creating a tangled trail that nonetheless could not be erased from the ledger.
Social‑Engineering Attack Narrative
The victims were not compromised by code; instead, attackers manipulated their emotions through a staged phone‑call sequence:
Step 1 – Planting Panic
A caller posing as Google support warned the victim of “abnormal activity” on their Gmail account, spoofing an official number to trigger fear.
Step 2 – Authority Intervention
Minutes later, a second caller claimed to be from Gemini’s security team, offering to move the victim’s assets to a “safe wallet,” thereby gaining trust.
Step 3 – Bypassing 2FA
The attackers instructed the victim to reset their two‑factor authentication, effectively disabling the last line of defense.
Step 4 – Remote Access via AnyDesk
Victims were asked to install AnyDesk for remote assistance; once screen‑sharing began, the attackers extracted private keys directly from the victim’s Bitcoin Core wallet.
The result: the entire US$243 million was transferred without a single line of code being breached.
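As an added defender‑side illustration (not part of the original write‑up), the step‑4 pattern can be turned into a simple endpoint detection: a remote‑desktop tool launch followed within a short window by a read of Bitcoin Core's wallet file (wallet.dat). The event format, the tool list and the 30‑minute window are assumptions; the sample events are constructed, not real telemetry.

```python
"""Correlate remote-desktop tool launches with later wallet-file reads.

Sample events below are constructed for illustration (not real telemetry):
an unsolicited AnyDesk session followed by reads of Bitcoin Core's wallet.dat.
"""
from datetime import datetime, timedelta

# Constructed endpoint events: (ISO timestamp, event type, detail)
SAMPLE_EVENTS = [
    ("2024-08-19T14:02:10", "process_start", "chrome.exe"),
    ("2024-08-19T14:05:41", "process_start", "AnyDesk.exe"),
    ("2024-08-19T14:09:03", "file_read", r"C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"),
    ("2024-08-19T14:09:30", "file_read", r"C:\Users\victim\Documents\notes.txt"),
    ("2024-08-19T16:40:00", "process_start", "AnyDesk.exe"),
    ("2024-08-19T19:00:00", "file_read", r"C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"),
]

# Assumption: remote-support tools worth flagging in this environment (extend as needed).
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
# Bitcoin Core keeps its keys in wallet.dat; match on the file name only.
WALLET_MARKERS = ("wallet.dat",)


def find_remote_wallet_access(events, window_minutes=30):
    """Return hits (tool_start, tool, wallet_read_ts, path) where a wallet file
    was read no more than `window_minutes` after a remote-desktop tool started.
    Reads that happen before any tool launch, or long after, are ignored."""
    window = timedelta(minutes=window_minutes)
    remote_starts, hits = [], []
    for ts, kind, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "process_start" and detail.lower() in REMOTE_TOOLS:
            remote_starts.append((t, detail))
        elif kind == "file_read" and any(m in detail.lower() for m in WALLET_MARKERS):
            # Pair the read with the earliest tool launch inside the window.
            for start_t, tool in remote_starts:
                if timedelta(0) <= t - start_t <= window:
                    hits.append((start_t.isoformat(), tool, ts, detail))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_remote_wallet_access(SAMPLE_EVENTS):
        print("ALERT: %s started at %s, wallet file %s read at %s" % (hit[1], hit[0], hit[3], hit[2]))
```

With the default 30‑minute window only the 14:05 AnyDesk session is flagged; widening the window to three hours also catches the 16:40 session.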
Profiles of the Perpetrators
The group, known as “The Com,” consisted of young, flamboyant members:
Malone Lam ("Greavys") – orchestrated the money laundering, splurged US$500 k in a Miami nightclub, and handed out a Hermès bag like a flyer; he was later captured in FBI‑released photos.
Veer Chetal ("Wiz") – the 19‑year‑old technical core of the group, who celebrated the US$238 million inflow on video, only to have his family kidnapped for ransom when internal disputes arose.
Jeandiel Serrano ("Box") – the “voice actor” who impersonated Gemini support, bought a US$500 k watch, and was later arrested at LAX while wearing it.
Operational Slip‑Up
During a celebratory Discord livestream, one attacker’s VPN dropped for a full 30 minutes, exposing his real IP address and Windows username on screen, allowing the investigator to pinpoint his location.
Arrest Timeline
In September 2024, coordinated FBI and DOJ actions led to arrests in Miami, Los Angeles, Connecticut, and Dubai, seizing over US$30 million in cash, vehicles, and luxury watches, and freezing an additional US$9 million for victim restitution.
Four‑Step Social‑Engineering Playbook
Step 1: Create panic
└─ "There is abnormal activity on your Google account"
Step 2: Authority steps in
└─ "We are the Gemini security team, here to help you"
Step 3: Bypass 2FA
└─ "Please reset your two‑factor authentication"
Step 4: Screen sharing
└─ Under AnyDesk's watch, the private keys walk out the door on their own
Core logic: The attack succeeded by breaking human trust, not technical defenses.
Takeaways
Official Google or Gemini staff never request 2FA resets via phone.
Legitimate support never asks you to transfer funds unsolicited.
Never install remote‑desktop tools like AnyDesk on an unverified request.
This case illustrates a new era of cybercrime where psychological manipulation and remote tools replace traditional exploits, reminding us that blockchain’s transparency records every transaction, even when the perpetrators think they are dancing in the dark.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.