The Chirag Tomar Crypto Scam and Its Lessons

Today’s technology-led world is a gold mine for cybercriminals. Frauds of all shapes and sizes are happening on a frequent basis, and while there are ways to defend against them, someone always pays the price. Unfortunately, the crypto industry falls into this category, as there is no shortage of crypto-related scams, with more likely to come. What’s worse, crypto scams not only harm the victims but also the entire industry in more ways than one. The crypto world is slowly but surely becoming more and more known to the general public, and the many cons certainly don’t help the image. Plus, recurring criminal activity is bound to bring additional regulatory scrutiny that might discourage newcomers from ever dealing with crypto.

Still, it’s not fair to put all of that on the nature of cryptocurrencies, as in the end, crypto is just a payment method for scams. Not to mention, people have been getting swindled in various ways since before Bitcoin was even a thing. That’s probably the way we humans are internally wired, as sad as that sounds. This brings us to the main topic of this article: Chirag Tomar, a 31-year-old Indian who created fake websites mimicking Coinbase Pro to steal over $20 million in cryptocurrency from at least 542 victims worldwide, tricking them into revealing their login credentials and two-factor authentication codes, then transferring the stolen funds to wallets he controlled. He used the stolen funds to purchase expensive watches, Lamborghinis, and Porsches, and to take trips to Dubai and Thailand, staying in luxury hotels. He started scamming in June 2021 and was arrested in December 2023; he pleaded guilty to wire fraud conspiracy in May 2024 and was sentenced to five years in prison in October 2024. In this article, we’ll dive deep into his methods, similar frauds, and his hubris. If you’re an avid PlasBit reader, then you know that excessive pride almost always catches up to cybercriminals in the end, leading to their downfall.

How victims' crypto went (s)poof

To steal crypto, Tomar used spoofing, which is one of the most common and effective cyber attacks. For those unfamiliar, spoofing is when scammers mimic a legitimate and trusted source to trick the victim into believing that what or who they’re interacting with is perfectly authentic. The spoofed source can be many things, such as a device, email, person, or website, with the latter being exactly what Tomar and his band of co-conspirators used. To be more precise, he spoofed Coinbase’s Pro version of the exchange, now called Coinbase Advanced Trade. It originally had the URL pro.coinbase.com, but Chirag used the fake but similar URL coinbasepro.com. The bogus website was very similar in looks and functionality to the original one, practically mimicking it to the core. The oblivious victims would then proceed as if they were using the authentic Coinbase website, entering their login credentials and not suspecting a thing. This was all Tomar and his crew needed to get a hold of the login and authentication information. Additionally, they used another trick where, in some scenarios, they impersonated Coinbase customer service representatives, fooling users into giving them their 2FA codes over the phone. If you thought that was sly, there’s more, as this merry band of criminals showed their full impersonating skills by somehow convincing their targets to use remote desktop software. Because the victims thought they were talking to real Coinbase representatives, this all but doomed them, since it allowed the criminals to take control of their computers and, more importantly, access their real Coinbase accounts. Regardless of the method they employed, once the thieves got what they wanted, they quickly accessed and cleaned out those accounts by transferring all the cryptocurrency available to their own crypto wallets.

An image depicting the spoofed Coinbase Pro website (Image credit: www.documentcloud.org)

According to court documents, one of the incidents happened in late September 2021, when one of the victims attempted to log into their account. As you might expect by now, the login failed, and they had to reset their password. Naturally, they took the logical next step and contacted Coinbase support via live chat, or so they thought. It was, in fact, the fake Coinbase website and equally fake support, where the victim was told they would receive a phone call to proceed with the password reset. Indeed, the call came shortly after, with Tomar or one of his criminal buddies pretending to be a legitimate support team. Not long afterward, the victim noticed an unauthorized transfer of around 63.11323345 Ethereum and 0.8 Bitcoin out of their Coinbase account, and a subsequent investigation showed that the money was transferred to the fraudster's Binance account. At the time, the value of that transaction was approximately $170,955, give or take a dollar. Another documented incident happened in February 2022 in the Western District of North Carolina when the victim tried to log in to their Coinbase account. Unknowingly, they were using Tomar’s website, which informed them that their account was locked and that they needed to call a certain number to talk to a Coinbase representative. Of course, that representative was one of the cybercriminals, who deceived the unfortunate user into providing their 2FA information and eventually gained access to the real Coinbase account. It was reported that in this particular case, over $240,000 in cryptocurrency was stolen from the wallet.

The crime spree didn’t stop there, as just a couple of months later, a similar situation took place with the victim unsuccessfully trying to log in to a Coinbase account when they were in reality using the spoofed website. The same spiel of “you have a locked account, please contact customer support” was set in motion, ending in an unauthorized transaction. The unfortunate user saw that their balance of $132,515.51 was converted to 44.09 Ethereum in their Coinbase account before the Ethereum was moved to the scammer's account. There was an almost identical occurrence in June the same year, where, you’ve guessed it, an unlucky user logged in to the illegitimate website. Once again, they were told there was a security issue and that they needed to talk to “customer support” to resolve it. Not suspecting a thing, the victim proceeded to share all the codes the scammers had asked for, even sending pictures of their driver’s license. Shortly after, the thieves converted the scammed user’s crypto to 138.5 Ethereum, then used the submitted ID to bypass the account verification and transfer the stolen Ethereum.

A depiction of one of the assets being stolen and moved through the blockchain (Image credit: www.documentcloud.org)

These few examples are just the tip of the iceberg (more like fraudberg) out of the many scams that occurred. Believe it or not, it was reported that around 542 users were swindled in the time span of a single year. What’s more, a deeper examination shows that there were several variations of the spoofed website. Apart from the main one ‘coinbasepro.com’ we mentioned, there were also ‘fastsupport.gotoassist.com’, ‘autho.coinbasepro.com’, ‘primetoyking.com’, and ‘coimdrazeprogogicsecure.com’. Some of these also served as landing pages after being redirected, but generally speaking, it seems like the victims were caught in the trap by accident. Typing in the wrong URL, being redirected to the spoofed site, and a lack of awareness (fraud and otherwise) seem to be the main causes. We hope that you and the rest of the PlasBit readers are much harder to fool by the Chirag Tomar crypto gang and the like.
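
What separates pro.coinbase.com from coinbasepro.com is the registrable domain the hostname belongs to, and that can be checked mechanically. The sketch below is an added example, not code from the original article or from Coinbase; the allowlist, the function names and the misspelled sample domain in the test are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: coinbase.com is the only genuine registrable domain.
TRUSTED_DOMAINS = {"coinbase.com"}
BRAND_TOKENS = {"coinbase"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: production code should use
    the Public Suffix List so that suffixes such as co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a URL or bare hostname."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain = registrable_domain(host)
    # Only the registrable domain decides trust: pro.coinbase.com passes,
    # coinbasepro.com does not, however similar the two look.
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.split(".")[0]
    for brand in BRAND_TOKENS:
        # Brand name appearing anywhere in a hostname outside the allowlist.
        if brand in host:
            return "lookalike"
        # Registrable name within two edits of the brand (typo domains).
        if edit_distance(name, brand) <= 2:
            return "lookalike"
    return "unrelated"
```

Of the domains listed above, coimdrazeprogogicsecure.com and primetoyking.com come back as 'unrelated', so name matching only supplements the allowlist: on a login flow, anything that is not 'trusted' should be treated as untrusted.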

Chirag’s downfall

We talked about his methods and how it all worked, but we didn’t exactly say much about the man himself. Unfortunately, not much is known of his life in the public documents, apart from his age and nationality. So far, we know that Tomar is 31 years old and a citizen of the Republic of India, and we also know his intentions and criminal ideas, like the fact that he was orchestrating the scam for some time. Investigators have found his Google search history that contained terms such as ‘Fake coinbase page’, ‘Coinbase scam’, ‘How to take money from coinbase without OTP’, ‘need coinbase traffic’, ‘Scams in the USA’, and several more related to crypto swindling. In addition, it was determined that the Coinbasepro.com phony website was first registered on August 22, 2020, so we can assume he was carefully making a plan for quite a while. His effort (as heinous as it is) paid off at first, as many unsuspecting users fell for the trick, not noticing that they were not using the official Coinbase website. The counterfeit site and the landing page variations copied the design, branding, and overall functionality so that they could mimic the legitimate one as closely as possible. Curiously, law enforcement agents discovered that despite all the details, sometimes there were grammatical errors and the use of wrong terminology, with stuff like poor capitalization and sentence structure found on the website. Basically, those were things that are typical of non-native English speakers, or of those who aren’t that well-versed in the language. If the victims had managed to notice these errors, it’s highly probable they wouldn’t have been scammed in the first place, but alas, their awareness skills betrayed them.

Chirag Tomar - seen here sporting the classic look of a spoofer (Image credit: nairametrics.com)

As successful as the Chirag Tomar crypto scam was in fooling numerous unaware users, his scheming eventually came to an end. He was caught in 2023, on December 20th (an early Christmas present) at the Atlanta airport when he entered the US. The exact time when the authorities suspected him is unknown, but with over 500 victims, a thorough investigation was bound to happen. Plus, as it usually happens with these types of “smart” criminals, he just couldn’t resist buying all kinds of expensive stuff and bringing attention to himself. We’re talking Lamborghinis, Porsches, Rolexes, expensive trips to exotic places, and basically being as lavish as you can get. During the inquiry into our story’s protagonist, the authorities believed they'd found his email address that was used in the scam. Considering the email began with ‘chirag.tomar’ (that was really smart of him) and the account had multiple photos of his ID and his Indian passport, it wasn’t hard to connect the dots. Funnily enough, the reason those photos were on that account in the first place is that he used that same email to send those photos when applying for a travel visa to the US. Also, within that email, there were bank statements, personal info for hotel booking, and several other things that were more than enough to figure out who the email belonged to. If there was ever any doubt of who the owner of that email was, it was swiftly gone when the investigators compared the photos found on that email with his visa photo (yes, his travel visa got approved), which “shockingly” matched.

Then, Tomar’s phone number came into play, or rather, the fact that it was connected to the MEXC exchange account where some of the stolen crypto was transferred. Ironically, he used his real phone number for that account, but the account was registered under a different and fictitious name, which raised a red flag with the investigators. Add to this the already mentioned incriminating Google searches, and Tomar was pretty much done for. The investigators thoroughly checked his exchange account and found evidence of money laundering, deposits, and recurring chain hop conversions accompanied by many small withdrawals. In the end, last year in May, Tomar pleaded guilty to wire fraud conspiracy and was sent to prison for stealing more than $20 million.

Outcome of Chirag Tomar sentence

There you have it, yet another crypto scammer is behind bars, but we have this nagging feeling there will be more of them. Apparently, the crypto industry is a magnet to these types of people and Tomar is just one of many. Hey, at least we have the satisfaction of knowing he got what was deservedly coming to him. So, what was Chirag Tomar’s sentence? Five years in prison followed by two years of supervised release. It was handed down by U.S. District Judge Kenneth D. Bell after Tomar was charged with wire fraud conspiracy and money laundering conspiracy, pleading guilty on May 20, 2024, following his arrest at Atlanta airport on December 20, 2023. Cases like these, where scammers run amok and wreak havoc, give the crypto industry a bad name. The industry has been built on a wonderful idea of being decentralized and anonymous, away from any government interference, but regrettably, there are a lot of scumbags in this world that aim to abuse this to their own benefit. This just hurts cryptocurrencies in the long run, makes them less attractive to casual users, and prompts loads and loads of regulations.

A part of Chirag Tomar’s arrest warrant (Image credit: www.documentcloud.org)

The Wrongdoings of Other Crypto Scammers

We have already written several articles about scammers and with how things are going, it doesn’t look like the PlasBit team will run out of material any time soon.

For example, we are talking about:

  • Malone Lam from Singapore, who stole over $230 million in cryptocurrency, making Tomar seem like a small potato. He used a slightly different tactic than Tomar, fooling people into giving him account details on the pretense that he was on the Google support team (to first get their email) and that the victim's account was hacked. Then, after finding out which crypto exchange was connected to said email, Lam played the part of the support team member from that exchange, once again claiming it was hacked. He also managed to get his victims to share their screens to find out about their private crypto wallet keys. It was an elaborate scam and just like Tomar, he spent a huge amount of the ill-gotten money on expensive cars, watches, and travels, which was enough to raise suspicion on himself.
  • We’d be remiss if we failed to mention a young hacker by the name of Ellis Pinsky, who orchestrated a scam that ultimately resulted in a $24 million loss to crypto investor Michael Terpin, even though he was still a teenager at the time. His tactics involved social engineering, SIM swapping, and bribing the phone company employees, which turned out to be a great success, that is, until eventually the long arm of justice caught up with him.
  • Another teen going by the name Love2Shop successfully created a phony website and stole a bunch of account details from internet users who didn’t suspect a thing. The stolen value amounted to approximately $2.89 million in cryptocurrencies, not bad for a teen who didn’t even need to leave his bedroom.
  • While we’re naming crypto scams, we might as well mention one of the biggest NFT ones called Undead Apes. In short, the creators got numerous people interested in the NFT, inflated the price, and then performed a classic rug-pull. They took all the money from the investors (at least $400k), leaving them with no value NFTs and a bad taste in their mouths.

As you can see, the Chirag Tomar crypto scam is just one of the seemingly countless frauds in the crypto sector, with perpetrators operating all around the globe. Sadly, this is the opposite of what the origins of crypto are all about, or rather what Bitcoin as the cryptocurrency that started it all, is about. It came in the aftermath of the 2008 global financial crisis, posing as an alternative and a critique of the centralized financial system. Bitcoin gave users a way to do finance without relying on banks or the government, and more importantly, it gave control to the people. Financial freedom and privacy were the main selling points, so to speak, but those exact elements are now being used for nefarious purposes. Today, the cryptocurrency market is often linked to illegal activities, with criminals using crypto's innate anonymity to hide their illegal doings, be it scams or something else. As with most things in history, crypto is just a tool made with admirable goals, but humans managed to turn it into something partly awful. It’s important to remember that technology isn’t the villain here, but rather those who abuse it for their gain, and crypto will hopefully continue to serve the noble idea of its origins.

Remembering the Chirag Tomar Coinbase scam

In the end, the culprit was caught and justice has been served to some degree once more. Still, it’s prudent to remember the details so one can avoid being a victim of a fraud such as the Chirag Tomar Coinbase scam, which involved creating a fake version of the Coinbase Pro website using a nearly identical URL (CoinbasePro.com) and tricking hundreds of victims into entering their real login credentials, which he then used to access their actual Coinbase accounts and steal over $20 million in cryptocurrency.

Stay informed and vigilant!

There you have it, we’ve reached the closure of one more crypto hoax presented to you by the PlasBit team. If you’ve been sifting through our articles, we hope that apart from being an interesting read, they were also educational, with the main point that you should never take cybersecurity lightly. As you can see in the Chirag Tomar crypto case, even if you’re not an explicit target, you can still get scammed if you’re not careful or aware enough. Spoofing won’t be going anywhere soon, so always pay attention to your URLs, be mindful of how the website looks, and try to recollect the actual details. In the event you find anything suspicious at all, better stop whatever you were doing, since it’s always better to be safe than sorry. With the crypto industry getting more mainstream attention by the day, chances are there will be even more cybercriminal activity in the sector, and that means novel scams or fresh takes on old ones. So, the idea is to learn about the latest happenings and technologies, use cybersecurity tools that protect against spoofing, crypto-stealing malware, and phishing emails impersonating crypto exchanges, use cold storage to safeguard your private wallet keys offline, and generally do whatever you can to protect yourself. Keep in mind that, unfortunately, only one human error is enough to turn everything upside down.