Chirag Tomar, a 31-year-old Indian citizen, was sentenced to five years in federal prison for orchestrating a cryptocurrency fraud scheme that defrauded hundreds of victims out of more than $20 million.

U.S. District Judge Kenneth D. Bell handed down the sentence, which also included two years of supervised release.

Scammers Imitate Coinbase to Steal Millions

According to court documents, Tomar and his co-conspirators executed the fraud by “spoofing” a website designed to imitate the legitimate cryptocurrency exchange Coinbase.

From June 2021, the group set up a fraudulent version of the exchange’s professional trading site, Pro.Coinbase.com, using a fake URL, CoinbasePro.com. Victims who attempted to log into their Coinbase accounts were tricked into providing their login credentials.

One of the tactics used involved impersonating Coinbase customer service representatives and convincing victims to hand over two-factor authentication (2FA) codes. In other instances, fraudsters instructed these individuals to install remote desktop software that would give them full control of their computers.

Tomar used the ill-gotten credentials to access multiple victim accounts and transfer funds to wallets under his control. He then converted the cryptocurrency into other digital assets, moving them between several wallets to hide the transactions. Eventually, the funds were converted into cash and distributed amongst the criminal group.

The 31-year-old used the stolen money to fund a lavish lifestyle, purchasing luxury watches like Audemars Piguet, high-end vehicles like Lamborghinis and Porsches, and traveling to destinations such as Dubai and Thailand.

$240,000 Theft and Arrest

The scheme impacted targets from all over the world, including those based in North Carolina’s Western District. In February 2022, a local attempted to access his Coinbase account through the spoofed site. The fake website instantly alerted them that their account was locked and directed them to call a number provided to reach a fake Coinbase representative.

The supposed representative then deceived them into giving up their 2FA details. This allowed the fraudsters access to their target’s legitimate Coinbase account. With this information, the criminals stole over $240,000 worth of cryptocurrency from the account’s associated wallet.

It is not the first time such incidents have occurred. In 2021, authorities charged Soufiance Oulahya with stealing $450,000 in cryptocurrencies and NFTs from a Manhattan victim by spoofing the OpenSea marketplace.

Additionally, Convex Finance had to introduce two alternative new URLs after its DNS was hijacked in a spoofing attack, which caused users to approve malicious contracts unknowingly. Following confirmation of the hijack, Convex revealed that five wallets had been affected, though verified contracts remained secure.

The menace isn’t confined to crypto alone. In 2020, JP Morgan was fined nearly $1 billion by U.S. authorities for its spoofing practices in metals futures and Treasury securities after being implicated in the FinCEN files for allegedly laundering as much as $2 trillion worth of “dirty money.”