Impersonator Posing as UK Police Forces Steals Bitcoin

Every week, Information Security Media Group compiles notable cybersecurity incidents involving digital assets. This week, a scammer impersonated a police official to steal Bitcoin; Taiwan charged 14 individuals in a substantial fraud case amounting to $41 million; U.S. regulators lifted a consent order on Anchorage Digital; the Justice Department clarified that simply “writing code” is not a crime; and the Commodity Futures Trading Commission enhanced its engagement with the cryptocurrency sector.

See Also: Post-Quantum Cryptography – A Fundamental Pillar in the Future of Cybersecurity [ES]

North Wales Police are investigating a cryptocurrency theft involving approximately 2.1 million euros stolen by scammers masquerading as a senior British police official. The perpetrator contacted the victim under the pretense that their personal documents had been discovered on a suspect’s phone and urged them to safeguard their assets.

This deception led the victim to unwittingly enter their wallet’s seed phrase—a crucial 12- to 24-word key that provides complete access to their cryptocurrency holdings—on a counterfeit website. Once the seed phrase was submitted, the attackers swiftly siphoned off the funds. This incident highlights the initial access and social engineering tactics commonly utilized in cybercrimes, often seen in the MITRE ATT&CK framework under methods of exploitation and credential dumping.

Taiwan’s prosecutors have filed charges against 14 individuals tied to the BitShine cryptocurrency exchange, alleging fraud and money laundering that exploited over 1,500 victims for a total of 1.27 billion New Taiwan dollars—roughly $41 million. Reportedly, BitShine, which passed regulatory inspections, was a front for the unauthorized operations of Biying Technology.

Investigators have identified an individual with the surname “Shih” as the mastermind, managing operations with his wife in the Asia-Pacific region and an associate named “Yang” handling business affairs. Prosecutors allege that the group collaborated with fraud syndicates to launder victim funds into USDT purchases, obscuring transfers through multiple wallets. The breadth of this operation illustrates various tactics such as money laundering, financial fraud, and conspiracy as outlined in the MITRE ATT&CK framework, where techniques for persistence and privilege escalation may have been employed.

Between January and April, the scammers reportedly laundered an estimated NT$2.3 billion. Prosecutors are pursuing a lengthy prison sentence of 25 years for Shih, while those who acknowledge guilt or provide restitution could see their sentences mitigated.

The U.S. Office of the Comptroller of the Currency (OCC) has lifted a consent order imposed in 2022 on Anchorage Digital, the first federally chartered cryptocurrency bank in the U.S. This decision follows the OCC’s assessment that the bank’s anti-money laundering and know-your-customer measures have improved sufficiently to lift the oversight.

Anchorage’s CEO Nathan McCauley hailed the decision as recognition of the company’s commitment to compliance within digital banking. This regulatory easing aligns with a broader shift in the U.S. regulatory landscape towards cryptocurrency, which has seen federal agencies, under the previous administration, soften previously stringent requirements. Other companies, such as Paxos and Ripple, have sought national trust charters, emphasizing a move towards more robust regulatory frameworks for the crypto sector.

The Justice Department has indicated a shift in its stance on cryptocurrency-evolving technology, with Acting Assistant Attorney General Matthew J. Galeotti stating that “simply writing code without malicious intent does not constitute a crime.” While acknowledging the commitment to pursue fraudulent activities, money laundering, and sanctions violations, Galeotti clarified that decentralized software development should not be automatically deemed criminal.

His remarks come in light of recent convictions, such as that of Tornado Cash co-founder Roman Storm, who was found guilty of running an unlicensed money transmitting business. Galeotti reassured stakeholders in decentralized technologies that if software functionality allows only peer-to-peer transactions and developers do not control user funds, prosecution under existing statutes may not be necessary.

The U.S. Commodity Futures Trading Commission (CFTC) is moving forward with its “Crypto Sprint” initiative, responding to recommendations from a presidential working group focused on digital asset markets. Acting Chair Caroline Pham announced a new phase aimed at broadening engagement with stakeholders, inviting public commentary on the proposed recommendations until October 20.

This initiative follows an initial phase that emphasized enabling spot trading of cryptocurrency assets on registered futures exchanges. Pham has underscored that facilitating federal-level trading access is a top priority for the administration. The forthcoming phase may broaden its focus to include custody and registration processes, as well as inter-agency coordination with the Securities and Exchange Commission (SEC). The SEC recently initiated its own “Project Crypto,” aiming to adapt securities regulations to accommodate blockchain-based assets while delineating classifications for digital tokens. The CFTC has also announced a partnership with Nasdaq to utilize advanced market surveillance technology, enhancing its capability to combat fraud and market manipulation as it prepares for an expanded regulatory role in the cryptocurrency sector.