The former CEO of an emerging crypto project lost $450,000 to his “best friend” simply by connecting to his WiFi network. This is part of an emerging trend called a “Proximity Breach,” noted by anti-money laundering firm AMLBot.
Tom, whose full identity must remain hidden due to AMLBot’s investigation policy, left a crypto company and sold his stake for $500,000. This represented most of his net worth as he moved from Europe to a country in Asia. During his time living in the new country he became close friends with a well-known local over a year and a half.
One night, Tom was caught in a rainstorm that caused water damage to his phone. Once he managed to get his phone working again and re-entered his seed phrase, he realized that his life savings were gone.
“I come from a non-drinking family and I decided that day that I was going to start drinking. And I was drinking heavily for like, a week and a half,” Tom told Decrypt on a video call. “I was asking ChatGPT about fucking ways to make money because I wasn’t planning on doing any work.”
Tom spoke to the local who had become his best friend. He recalled him saying: “Oh no, I can’t believe that would happen to you. Keep me updated on the story.” At the same time, the best friend was trying to rent one of his properties to the former CEO while pretending to have no clue about the exploit.
Tom made contact with AMLBot because he wanted help recovering his crypto funds. Fortunately, the firm was able to quickly track the funds back to a Binance account. AMLBot contacted the centralized exchange to freeze the funds and hand over details about the case.
Binance does not reveal the identity of the account or the size of the frozen assets in cases like this. Instead, Tom and AMLBot had to figure that out together by walking through the days leading up to the exploit. From this investigation, the firm determined that Tom’s best friend compromised the former CEO’s device by getting Tom to connect to his WiFi network.
This is part of a rising trend called a ‘proximity breach’ scam. AMLBot claims to have recorded seven cases that fall under this category over the past three months. This includes 13 Bitcoin (BTC) being stolen by a victim’s girlfriend and $300,000 being swiped by a victim’s brother.
Pig Butcher scams, by contrast, require an individual to make contact with someone and form a relationship with them with the sole intention of scamming. With a Proximity Breach, scammers simply take advantage of someone who is close to them.
Fortunately for Tom, his attacker didn’t hide their tracks very well—but that isn’t always the case.
Bubblemaps told Decrypt that if the attacker had used a coin mixer—which obfuscates the sender and receiver of crypto tokens—AMLBot would likely not have been able to track the funds. Equally, certain centralized exchanges have become popular among scammers as they do not cooperate with firms such as AMLBot.
Before AMLBot takes on a case, it conducts a pre-assessment to decide if it can help the victim. Factors like the victim being in a sanctioned jurisdiction, their local law enforcement being historically difficult to deal with, or the stolen funds being swapped to privacy coins would mean the firm wouldn’t take on the case. Once AMLBot takes on a case, it claims to have a success rate ranging from 60-75% depending on how quickly the victim contacts the firm.
“Unfortunately, in this profession, we come across at least 10 victims every day,” Jain told Decrypt. “Sometimes the funds are swapped to privacy coins. Sometimes they are taken to privacy protocols,” adding, “even if we have the best of intentions, even if we want to help, sometimes we just cannot.”
AMLBot refused to give details about how the WiFi compromise occurred due to fears the exploit will grow in popularity. On-chain analytics company Bubblemaps confirmed to Decrypt that this is possible in a variety of ways. The exploit likely gave the attacker control of the actual device, they said, rather than access to Tom’s data.
Aside from usual security measures such as using two-factor authentication, AMLBot recommends that you never access crypto sites or wallets using a public WiFi network. On top of this, the firm recommends enabling notifications for when transactions take place on your account so you can be alerted as soon as possible.
After the firm felt confident that the CEO’s best friend had robbed him, it used a fake account to make contact with the scammer on Facebook.
“He was actually a real estate consultant. So I told him I was looking to invest in real estate,” Anmol Jain, AMLBot lead investigator for the case, told Decrypt. Jain eventually got the scammer’s Telegram account where he applied pressure, threatening to go to the police if he didn’t comply.
“[Eventually] I told him I was actually an investigator with AMLBot and we know what you did to your friend Tom,” Jain explained. “Because Binance made that block, he was also aware that action was being taken—he was already scared. So when he found out that we understood that it was him, he cracked in, I think, 15 to 20 minutes.”
Now a month later, $380,000 has been returned to Tom—the scammer had already spent the rest of the money. Tom has reached a settlement to be paid the final $70,000 over the coming months.
“He said that greed just overcame him. He just lost control,” Tom told Decrypt. “It’s the first time anyone’s ever robbed anything from me that isn’t a lighter. I’m just very surprised.”
Edited by Stacy Elliott.