New Delhi: A Florida man—one of 542 victims of a massive crypto theft racket operating out of India—was attempting to log into his Coinbase account to manage his cryptocurrency holdings, including Bitcoin, but he accidentally logged into a spoof website, called coinbasepro.com.
The website—created for phishing—displayed a message at the top of the webpage after he shared his Coinbase login credentials. The message indicated a security breach and instructed him to call a number. Unaware of what was unfolding on the screen, the man dialled the number, and over the next few minutes, he shared his authentication code in a chat box on the phishing website. Before he could realise what was happening, 138.5 Ethereum, equivalent to nearly Rs three lakh, had been transferred out of his Coinbase account.
This particular incident dates to 6 June 2022—three years ago.
In a conspiracy hatched over nearly a year in 2021-22 by a Delhi-based businessman, Chirag Tomar, the crypto theft racket managed to steal a total of Rs 19.9 million, a United States Secret Service probe has revealed.
The US Secret Service arrested Tomar in December 2023 at the Atlanta airport, and Tomar pleaded guilty to conspiracy to commit fraud. In October 2024, a US district court sentenced the defendant to five years in prison, to be followed by two years of supervised release.
In its investigation, the US Secret Service found that Tomar hatched the conspiracy and created spoof websites—coinbasepro.com, fastsupport.gotoassist.com, primetoyking.com, autho.coinbasepro.com, and coimdrazeprogogicsecure.com. The websites would capture the login credentials of Coinbase users, and later, the criminals in the racket would transfer the cryptocurrencies out of the accounts.
“According to court records, Tomar used the victims’ stolen log-in credentials to access the victim accounts and transfer the victims’ cryptocurrency holdings to wallets controlled by Tomar. After Tomar received the stolen cryptocurrency, he would convert it into other forms of cryptocurrency and move the funds among many wallets controlled by Tomar,” the US Justice Department said in its October statement, adding that Tomar and his co-conspirators distributed the cryptocurrency—once turned into cash—among them.
What the ED unearthed
As reports of his sentencing trickled in, the Enforcement Directorate in India suspected the flow of money into Tomar’s businesses, as well as the accounts of his aides and relatives. Taking cognisance of the case details, the ED raided the premises linked to Tomar and his family in Delhi, Jaipur, and Mumbai to crack the crypto theft case.
The ED investigation revealed that as soon as Coinbase users called the phone numbers that the spoof websites would flash, the call centres that Tomar had established would get busy answering the victims. On gaining access to their accounts, a quick transfer of cryptocurrencies to other accounts followed.
The ED investigation revealed that in the next step, the stolen cryptocurrencies were sold on websites such as localbitcoins.com and converted into Indian Rupees at local crypto exchange offices ahead of the final transfer in which the money was deposited in the bank accounts of Chirag Tomar and his family members.
As the ED found movement of illicit funds from foreign sources to India, with Tomar and his family recouping the money in Indian currency, the ED converted its case under the Foreign Exchange Management Act, 1999, to an Enforcement Case Information Report under the provisions of the Prevention of Money Laundering Act, 2002.
Upon opening an Enforcement Case Information Report (ECIR), the ED summoned Tomar’s brother, Pankaj Tomar, for questioning. The ED investigation also included the examination of operators who helped Tomar convert crypto into INR.
Based on its inquiries into the crypto theft racket, the ED Saturday provisionally attached 18 immovable properties, along with credit in bank accounts, amounting to Rs 42.8 crore overall, treating the money as the proceeds of crime generated by Tomar through fraud committed in the United States.
A majority of the immovable properties are in Janakpuri and Vikaspuri in West Delhi.
(Edited by Madhurita Goswami)