Full Report
The U.S. Department of Justice has filed a civil forfeiture complaint to seize more than $225.3 million in cryptocurrency that the government alleges was obtained through crypto scams. The DoJ outlined its case in a 75-page filing June 18 in the U.S. District Court for the District of Columbia. A court order to seize the money was issued on May 1, and the funds are presently in the custody of the U.S. Marshals Service in the District of Columbia.

The $225.3 million is the largest cryptocurrency seizure in U.S. Secret Service (USSS) history, according to a DoJ press release announcing the court filing.

U.S. Tipped off to Crypto Scams by Exchange

According to the court filing, after initiating an investigation in November 2023 into virtual currency accounts used to launder funds from crypto scams, the USSS received a report from Tether – which was working with OKX, a Seychelles-based virtual currency exchange – alleging that they had identified approximately $250 million “traceable to cryptocurrency confidence scams that transferred through certain OKX accounts.”

Law enforcement investigators were able to identify about 434 suspected crypto scam victims, including 60 confirmed victims, whose funds could be traced to 22 of the 144 OKX accounts that the perpetrators allegedly controlled.

“Victim funds were not directly sent to the identified 144 OKX Accounts,” the DoJ court filing says. “Instead, the funds dissipated among various intermediary addresses before arriving in the 22 OKX Accounts, which were then generally cycled through the remaining 122 OKX accounts controlled by the same actors.”

The Secret Service and FBI used blockchain analysis and other investigative techniques to identify, freeze, and seize the proceeds from the alleged money laundering scheme.

“All 144 OKX Accounts are believed to be controlled by a group of cryptocurrency confidence scam actors and/or their money laundering co-conspirators,” the U.S. court filing said. That assessment is based on their coordinated transaction activity, identical transaction counterparties, matching account naming conventions, similar know-your-customer information that includes Vietnamese registrants and connections to a Philippines call center operation at the heart of the network, and a list of overlapping identical IP addresses used by many of the 144 OKX Accounts, all of which trace back to the Philippines.

Crypto Investment Scams Cost Billions Annually

The U.S. says that the more than 400 identified victims in the case “lost funds after being duped into believing that they were making legitimate cryptocurrency investments.” Crypto investment scams are the costliest category of internet crime, according to the FBI. The FBI’s 2024 Internet Crime Report found that investment fraud – particularly fraud involving cryptocurrencies – was the most damaging category of cybercrime, with victims reporting losses exceeding $6.5 billion last year.
Analysis Summary
# Incident Report: Seizure of Funds from Cryptocurrency Confidence Scams
## Executive Summary
The U.S. Department of Justice announced the seizure of **$225.3 million** derived from cryptocurrency confidence investment scams targeting over 400 victims. The operation involved coordinated blockchain analysis by the Secret Service and FBI, which traced funds laundered through 144 allegedly controlled OKX accounts. This incident highlights the significant financial impact of cryptocurrency investment fraud, which remains the costliest category of internet crime.
## Incident Details
- Discovery Date: Investigation ongoing prior to June 19, 2025 (Date of Filing/Report)
- Incident Date: Multiple transactions over an unspecified period leading up to the seizure.
- Affected Organization: Multiple individual victims globally (over 400 identified).
- Sector: Financial/Cryptocurrency Investment.
- Geography: Traces indicate connections to a Philippines call center operation, with victims worldwide.
## Timeline of Events
### Initial Access
- Date/Time: Not specified, related to a long-running scam campaign.
- Vector: Deceiving victims into believing they were making legitimate cryptocurrency investments (Confidence Scam).
- Details: Funds were sent voluntarily by victims duped by the scam.
### Lateral Movement
- Details: Funds were deliberately obfuscated by being sent to various intermediary cryptocurrency addresses before being consolidated into 144 identified OKX accounts controlled by the actors. This rapid cycling suggests complex money laundering, not traditional network intrusion.
### Data Exfiltration/Impact
- Details: Financial loss totaling $225.3 million across more than 400 victims. The impact is purely financial theft resulting from fraud, not data exfiltration or system compromise.
### Detection & Response
- Detection: Ongoing investigative techniques, including blockchain analysis by the Secret Service and FBI.
- Response Actions: U.S. authorities filed court documents to freeze and seize the $225.3 million traced across the 144 OKX accounts.
## Attack Methodology
*This incident focuses on financial fraud and money laundering rather than traditional network infiltration.*
- Initial Access: Social engineering/Confidence Scams (duping victims).
- Persistence: Maintaining control over the mule cryptocurrency exchange accounts used for laundering (the OKX accounts).
- Privilege Escalation: N/A (Not an intrusion event).
- Defense Evasion: Using numerous intermediary addresses to break the chain of custody ("dissipated among various intermediary addresses").
- Credential Access: N/A (Victims willingly provided funds).
- Discovery: N/A (Regulatory/Law enforcement investigation).
- Lateral Movement: Rapid cycling of funds between 144 OKX accounts.
- Collection: N/A (Not data collection, but fund accumulation).
- Exfiltration: Moving illicit funds through crypto exchanges and intermediary addresses to obscure the source.
- Impact: Significant financial theft from victims.
## Impact Assessment
- Financial: **$225.3 million** seized, representing losses incurred by over 400 victims. Investment fraud (especially crypto) is cited as the costliest cybercrime category ($6.5B loss reported in FBI 2024 report).
- Data Breach: None reported; the activity was transactional fraud, not a data breach of an organization.
- Operational: Minimal direct operational disruption to the affected *organizations* (as victims were individuals), but significant disruption to the criminal network's ability to access illicit funds.
- Reputational: Minimal direct reputational impact mentioned, but highlights broad issues with crypto investment scams.
## Indicators of Compromise
*These indicators relate to the criminal network's money laundering infrastructure:*
- Network indicators: Overlapping identical IP addresses traced back to the **Philippines** used across multiple accounts.
- File indicators: N/A
- Behavioral indicators: Coordinated transaction activity, identical transaction counterparties across 144 accounts, matching account naming conventions, and similar KYC information (including Vietnamese registrants).
## Response Actions
- Containment measures: Freezing of 144 identified OKX accounts.
- Eradication steps: Seizure of $225.3 million in illicit proceeds.
- Recovery actions: Funds are being recovered by U.S. authorities for potential victim restitution.
## Lessons Learned
- Crypto investment scams remain a primary vector for high-value cyber financial crime.
- Advanced blockchain analysis tools are critical for unraveling complex money laundering operations that use numerous intermediary addresses.
- Coordinated geographic activity (e.g., IP addresses traced to a Philippines-based center) can be a strong behavioral indicator of organized scam operations.
## Recommendations
- Enhance monitoring and anomaly detection specifically for rapid, coordinated fund cycling across multiple user accounts in cryptocurrency exchanges, especially when distinct geographic or KYC patterns emerge.
- Increase public awareness campaigns regarding 'confidence investment scams' to prevent individuals from voluntarily transferring funds to fraudulent schemes.
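The linkage and cycling indicators described above (accounts sharing login IPs, funds hopping rapidly among one group of accounts) can be turned into exchange-side detection logic. The Python below is an added example, not code from the DoJ filing, OKX, or any investigative tool; the account records, IP addresses and transfers are constructed, and the thresholds (a 30-minute window, three internal hops) are assumed values a monitoring team would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_IPS = {  # constructed sample (not from the filing): login IPs per account
    "acct-A": {"203.0.113.10"},
    "acct-B": {"203.0.113.10", "203.0.113.11"},
    "acct-C": {"203.0.113.11"},
    "acct-D": {"198.51.100.7"},
}
TRANSFERS = [  # constructed: (ISO timestamp, source, destination, amount); "ext-*" is off-exchange
    ("2023-11-01T10:00:00", "ext-victim-1", "acct-A", 50_000),
    ("2023-11-01T10:05:00", "acct-A", "acct-B", 49_900),
    ("2023-11-01T10:09:00", "acct-B", "acct-C", 49_800),
    ("2023-11-01T10:15:00", "acct-C", "acct-A", 49_700),
    ("2023-11-02T09:00:00", "ext-customer-2", "acct-D", 1_000),
]

def _find(parent, x):  # union-find root lookup with path halving
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_accounts(account_ips):
    """Group accounts that share a login IP (the filing's overlapping-IP indicator)."""
    parent, by_ip = {}, defaultdict(list)
    for acct, ips in account_ips.items():
        _find(parent, acct)  # register accounts with no shared IP as singletons
        for ip in ips:
            by_ip[ip].append(acct)
    for accts in by_ip.values():  # every account seen from one IP joins one cluster
        for other in accts[1:]:
            parent[_find(parent, accts[0])] = _find(parent, other)
    groups = defaultdict(set)
    for acct in account_ips:
        groups[_find(parent, acct)].add(acct)
    return [frozenset(g) for g in groups.values()]

def flag_rapid_cycling(clusters, transfers, window=timedelta(minutes=30), min_hops=3):
    """Clusters whose members pass funds among themselves >= min_hops times in one window -> hop count."""
    flagged = {}
    for cluster in clusters:
        hops = sorted(datetime.fromisoformat(ts) for ts, src, dst, _ in transfers
                      if src in cluster and dst in cluster and src != dst)
        for i, start in enumerate(hops):
            n = sum(1 for t in hops[i:] if t - start <= window)
            if n >= min_hops:
                flagged[cluster] = n
                break
    return flagged
```

Shared counterparties or matching KYC fields from the same indicator list can be added as further union rules in `cluster_accounts` without changing the cycling check.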