$800 000 USD

JULY 2017




"Blogger A (33) caught the attention of the industry at a glance when he first created the cryptocurrency 'Ripple' exchange in 2014. Mr. A, who had been having fun with the exchange for a while, was hacked a year after opening the exchange. Although it was reported to the investigative agency, it was impossible to track the hacker, and the exchange was closed with a loss of about 80 million." As a "victim of [that] phishing scam [he] lost a large investment. When investigators failed to recover his stolen funds, he became “inspired” to orchestrate phishing scams himself."


"Although it was reported to the investigative agency, it was impossible to track the hacker, and the exchange was closed with a loss of about 80 million. Mr. A, who lost a lot of money thought, 'Then if I cheat in the same way using cryptocurrency, I won't be caught'."


"Person A started conspiring to commit a crime in earnest with [person] B, a Japanese cryptocurrency exchange operator he met while working as a Japanese interpreter in the past. Person A collected the information of the members of the exchange that was closed and the information of the members of the Japan Exchange received through Mr. B. [O]nly users who can transfer cryptocurrency using [user] ID and password without additional authentication procedures such as mobile phone authentication were selected." "[The] Japanese cryptocurrency exchange operator who provided him with the user data (email accounts, affiliated exchanges, and 2FA status) needed to amass a list of potential targets."


"In July 2017, he created a 'phishing site' that was planned through programmer C (42). In order to avoid being pursued by investigative agencies, it was also shown that they were meticulous in using overseas hosting companies." "Prosecutors said the man hired a 42-year-old programmer to create a fake Ripple exchange website. The mastermind then sent emails to Ripple users in South Korea and Japan, claiming their funds had been frozen. The email redirected Ripple users to the fraudulent site, where he was able to convince them to enter their IDs and passwords, which he then used to access their accounts. It is thought that the FBI became involved because the phishing site targeted users of Ripple, an American cryptocurrency."


"The mastermind then spoofed or impersonated the real exchange’s email account and contacted users saying their funds had been frozen." "They sent an e-mail to the selected members stating, 'If you do not transfer your cryptocurrency to a specific site, you will not be able to use the cryptocurrency in the future' to induce them to access the phishing site they created. After that, they made the site use members' IDs and passwords to steal account information."


"The email contained a link to the fake website, where 24 Korean investors and 37 Japanese investors were convinced to enter their login details which were then recorded by the scammer and used to gain access to user funds on the real exchange site. While the scam exclusively targeted Korean and Japanese citizens, the FBI may have gotten involved last December due to the fact that Ripple is an American company."


"In this way, Mr. A and others transferred about 2 million ripples (unit XRP) from 47 victims (17 Koreans and 30 Japanese) to their accounts without permission, and then withdrew about 400 million won in cash. Concerned that a large amount of cryptocurrencies would be transferred at once, fearing that they would be suspicious, so-called 'mixing' work was also carried out by washing and withdrawing with other currencies such as Bitcoin."


"South Korean Authorities and the U.S. Federal Bureau of Investigation (FBI) uncovered a [total of] $800,000 [collected from the] phishing scam targeting XRP investors." "The man allegedly mastermind[ed] an email-powered sting that drew in 24 South Koreans and 37 Japanese investors."


"As detailed by local sources, 37 Japanese, and 24 South Korean traders fell for the scam as they proceeded to enter their login details on the fake website. Users’ login information was then used to access and steal funds from their crypto accounts on the real digital currency trading website."


"According to Korean news outlet JoonAng Ilbo, authorities were able to track down the scammer as he quickly converted the stolen XRP to South Korean won (KRW)." "Per TV news station MBC, at least one of the two men arrested is described as an office worker." "[T]he suspect claims that he has spent all of the money and cryptocurrency holdings, and has nothing left over." "He reportedly used the money to book a room at a five-star apartment building and buy various luxury items." "Mr. A stated that he spent most of the 700 million won in crime proceeds out of 900 million won for the use of luxury officetels, entertainment and living expenses. He claims that there is currently no remaining cryptocurrency or cash balance."


"[T]he Korean police cannot legally freeze or confiscate his other assets due to the nature of the crime – cryptocurrencies are not deemed legal tender under South Korean law." "The prosecution service said it would be hard for the victims to receive any compensation for their losses – largely because cryptocurrencies are not deemed to have any monetary value under South Korean law." "[P]rosecutors [stated] that it is very unlikely that the victims of the scam will be compensated."


"The Japanese accomplice is still at large and believed to be in Japan at this time – Seoul’s cybercrime division say they are reaching out to Japanese authorities for collaboration."

An unnamed individual who apparently lost $80m in an unknown event in 2014, was later involved in phishing users of an unnamed exchange. The victims were a mix of 24 South Koreans and 37 Japanese, who were hand-picked as the users who didn't have two-factor authentication enabled on their accounts. Their private information was provided by an insider of the exchange, and they were sent warnings that their funds had been frozen. Once the information was provided, it was used to empty their accounts.


From the standpoint of individuals, this can be prevented by enabling two-factor authentication, and never responding to phishing emails or unsolicited contact. If you receive something that you didn't request, always navigate directly to the official website and confirm with official points of contact there.


From the standpoint of platforms, this can be prevented by placing a delay on withdrawals to new addresses by default, especially if the action is initiated from a new IP address and the user does not have a dynamic IP address normally. Most successful attacks target less experienced users, who would leave settings as default and therefore be protected even if a platform chose to allow sophisticated users to disable these protections at their own risk.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.