[Case] Cryptocurrency fraud investigation

A friendly law firm from the United States reached out to our partners for assistance in conducting a blockchain investigation. Their client had fallen victim to scammers and lost a substantial amount of money by investing cryptocurrency into a dubious project based on deceptive promises.

In this article, we will intentionally avoid disclosing any specific details that could identify the case, as we do not have the client’s permission to publish the materials.

This case involved one of the most common cryptocurrency fraud schemes — raising funds for so-called “trading.”

In reality, no actual trading takes place in such cases. A controlled platform is used, specifically created for criminal activity. The fraudsters create an illusion of genuine trading activity in the client’s account, may “draw” profits and even allow withdrawals — all to convince the person to invest even more.

Typically, the victim becomes curious after a “new acquaintance” from Instagram casually mentions being involved in investments. The manipulation and deception process can last several months. During this time, the victim is persuaded to take out loans, borrow from friends, or sell a car — anything to invest the maximum possible amount. In our cases, the sums range from $50,000 to $500,000.

Here are examples of how shamelessly these bastards pressure people to invest every last penny — taken from a recent case (unrelated to the incident described in this article):

Returning to the American case — it followed the exact same pattern.

The victim provided the following information for the investigation:

  1. website
  2. Telegram correspondence with the scammers
  3. phone number
  4. blockchain address where the funds were sent

Based on blockchain transaction analysis, we traced the movement of the stolen funds. A connection graph was created, detailing all transactions and partially deanonymizing addresses using available data on cryptocurrency address owners from the dataset integrated into our software platform.

It was established that the scammer used numerous intermediary addresses to complicate tracking. Some funds were sent to mixers and unknown crypto exchange addresses, while another portion was sent to a regulated cryptocurrency exchange. This enabled us to gather additional investigative data.
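To make the tracing step concrete, the following is an added example (not the investigators' platform or any code from the original article) of how a connection graph can be built from transfer records and followed from the victim's deposit address to labelled endpoints. Every address, amount, transaction id and attribution label in it is constructed for illustration; a real investigation would pull transfers from a node or explorer API and labels from an attribution dataset. It also counts the unlabelled intermediary addresses that funds passed through, which is the "numerous intermediary addresses" pattern the text describes.

```python
"""Minimal fund-flow tracer over constructed on-chain transfers.

Added example, not the investigators' software platform. Addresses, amounts,
transaction ids and the attribution dataset below are all constructed.
"""
from collections import defaultdict, deque

# Constructed transfers: (txid, sender, receiver, amount).
TRANSFERS = [
    ("tx01", "victim_wallet", "scam_deposit", 100.0),
    ("tx02", "scam_deposit", "hop_a", 60.0),
    ("tx03", "scam_deposit", "hop_b", 40.0),
    ("tx04", "hop_a", "hop_c", 60.0),
    ("tx05", "hop_c", "exchange_deposit_1", 35.0),
    ("tx06", "hop_c", "mixer_in_9", 25.0),
    ("tx07", "hop_b", "unknown_exchange_7", 40.0),
    ("tx08", "unrelated_1", "unrelated_2", 5.0),  # noise: not reachable from the victim
]

# Constructed attribution dataset: address -> (owner label, category).
LABELS = {
    "exchange_deposit_1": ("RegulatedExchange (constructed)", "regulated_exchange"),
    "mixer_in_9": ("Mixer (constructed)", "mixer"),
    "unknown_exchange_7": ("Unattributed exchange cluster (constructed)", "unknown_exchange"),
}


def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, amount, txid)."""
    graph = defaultdict(list)
    for txid, src, dst, amount in transfers:
        graph[src].append((dst, amount, txid))
    return graph


def trace_funds(transfers, start, labels, max_hops=10):
    """Breadth-first walk of outgoing transfers from `start`.

    Returns a dict with:
      endpoints:      category -> total amount that landed on a labelled address
                      (unlabelled addresses with no outgoing transfers count as
                      'unlabelled_sink')
      intermediaries: sorted unlabelled addresses the funds passed through
      paths:          (address, owner, hops, txid) for each labelled sink reached
    Caveat: amounts are summed per inbound edge, so merged flows are not
    proportionally attributed; that is enough for a first-pass picture.
    """
    graph = build_graph(transfers)
    endpoints = defaultdict(float)
    paths = []
    hops = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for dst, amount, txid in graph.get(addr, []):
            if dst in labels:
                owner, category = labels[dst]
                endpoints[category] += amount
                paths.append((dst, owner, hops[addr] + 1, txid))
            elif not graph.get(dst):
                endpoints["unlabelled_sink"] += amount
            elif dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    intermediaries = sorted(a for a in hops if a != start and a not in labels)
    return {"endpoints": dict(endpoints), "intermediaries": intermediaries, "paths": paths}


if __name__ == "__main__":
    report = trace_funds(TRANSFERS, "victim_wallet", LABELS)
    print("Funds by destination category:", report["endpoints"])
    print("Intermediary addresses:", report["intermediaries"])
    for addr, owner, n_hops, txid in report["paths"]:
        print(f"  {addr} ({owner}) reached after {n_hops} hops via {txid}")
```

On the constructed data the walk reports 35.0 reaching the regulated exchange, 25.0 reaching the mixer and 40.0 reaching the unattributed exchange cluster, with four intermediary addresses in between. The regulated-exchange endpoint is the one that can be turned into a legal request, which is what the rest of the case relies on.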

In summary, the path of the stolen cryptocurrency looked like this:

With the help of the American law firm working with our partners, a U.S. court order was obtained to disclose the exchange account owner’s data. The exchange provided the required information, including login records and withdrawal details. The data was subjected to further analysis.

During the website investigation, it was found that the main domain used by the criminals was hidden behind Cloudflare. An analysis of historical Whois and DNS records also yielded no useful information. However, we managed to identify a related domain, which led the investigation to personal data of a Ukrainian citizen possibly linked to the criminal group.

Phone number and Telegram account analysis revealed that the fraudsters used a fake account (unsurprising). Nevertheless, after studying the victim’s chat history, we developed a social engineering strategy that allowed us to obtain the IP address of one of the group members.

The overall structure of the investigation looked like this:

The information obtained through continued analysis of newly discovered data confirmed our initial suspicions about the scammers.

All collected materials were handed over to the client for further cooperation with law enforcement authorities.
