The Drug Enforcement Agency took from one criminal enterprise and accidentally gave to another, after falling for a common crypto scam.
Earlier this year, the DEA was duped by a common cryptocurrency scam, resulting in the agency losing over $50,000 in digital money it had seized during a three-year investigation into the use of digital currency for laundering suspected drug proceeds.
In May, the DEA seized just over $500,000 in the dollar-linked cryptocurrency Tether from two Binance accounts it suspected were being used to funnel illegal narcotics proceeds, according to a search warrant reviewed by Forbes. The funds were placed in DEA-controlled accounts, stored in a Trezor hardware-based wallet and placed into a secure facility.
Meanwhile, a scammer had been watching the blockchain and noticed when the DEA sent a test amount of $45.36 in Tether to the United States Marshals Service, as part of standard forfeiture processing. The scammer quickly set up a cryptocurrency address that matched the first five and last four characters of the Marshals account. (In cryptocurrency, a unique address is attached to each wallet, and it is to these addresses that users send funds. Think of it like a long bank account number, though it’s typically around 30 characters.)
The swindler “airdropped” a token from the fake address into the DEA’s account, so that the transaction appeared in the DEA’s history looking like the test payment made to the Marshals. The aim was to trick the DEA into mistaking the scammer’s address for the Marshals Service’s address the next time it copied one from that history. Crypto addresses are so long that people usually copy and paste them rather than type them fresh each time. Airdropping is a legitimate feature in cryptocurrency: an individual or entity drops tokens representing a certain value of a currency into someone’s account. It’s normally done as part of a launch of a new kind of token, but it’s also been abused by those seeking to dupe crypto owners into scams like this.
The scammer in the DEA case got lucky, as the agency sent just over $55,000 to the scammer in a single transaction. When the Marshals noticed what happened and alerted the DEA, the latter contacted Tether operators to freeze the fake account so the scammer couldn’t withdraw the crypto. But Tether officials said the money had already gone.
Working with the FBI, the DEA determined the funds had been converted into ether – alongside bitcoin, one of the most popular kinds of digital money – and moved to a new wallet. According to the warrant, while investigators hadn’t identified the user of that wallet, they had noticed two accounts on cryptocurrency exchange Binance had been paying for the scammer’s “gas fees” – charges for using the compute power of the Ether network. Two Gmail addresses were used to sign up for those Binance accounts and agents are now hoping Google will have some identifying information on the users.
Whoever is behind the hack, they’ve been shifting large sums of Ether in recent months. A search on the Ethereum blockchain explorer Etherscan showed the scammer’s wallet currently contained nearly $40,000 in the currency, but that it had received $425,000 since June. In the last three weeks, over $300,000 of that has been moved to seven different wallets.
The DEA declined to comment. The FBI, which filed the warrant and is leading the investigation into the theft, hadn’t responded to a request for comment at the time of publication.
The kind of “airdrop” attack that hit the DEA has become increasingly common in recent years, though in different forms. The better-known kind of attack sees a scammer “airdrop” some cryptocurrency tokens into a wallet, alongside a website link, promising the target they can claim big sums with the tokens. That website is a phishing site, where the hacker will try to get the victim to hand over the keys to their wallet.
The variation on the hack in the DEA case was cunning, said Jake Moore, global security advisor at cybersecurity company ESET, in that it took advantage of users’ habit of checking only the first and last characters of unique account identifiers. There are tools available that can check for rogue addresses, such as Chainalysis’ Address Screening, but it’s not clear if the DEA uses them in handling crypto asset seizures.
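The two controls that would have stopped this, a character-for-character match against a vetted address book before any outgoing transfer and a scan of the transaction history for addresses that merely mimic a trusted one, are small enough to show in code. The example below is added here; it is not from the Forbes article, the DEA, or any vendor tool. It uses Ethereum-style hex addresses because the warrant describes the proceeds being converted to ether, and every address, label and history entry in it is constructed for illustration. The "first five, last four" window is taken from the article; the address book label and the zero-value inbound transfer are assumptions.

```python
"""Defences against address poisoning: exact-match destination checks and
lookalike detection over a wallet's transaction history.

Added example, not from the article or any agency tooling. All addresses and
history entries are constructed; the prefix/suffix window matches the article.
"""
from dataclasses import dataclass

PREFIX_LEN = 5   # hex characters after "0x" that the scammer matched
SUFFIX_LEN = 4   # trailing characters that the scammer matched

# Constructed address book: the only destinations an operator may pay.
# Label and value are assumptions, not real Marshals Service addresses.
ADDRESS_BOOK = {
    "usms-forfeiture": "0xab5c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c",
}

# Constructed poisoned address: same first five and last four characters as
# the trusted entry, different everywhere else (31 filler characters).
LOOKALIKE = "0xab5c1" + "f" * 31 + "7b8c"


def normalize(addr: str) -> str:
    """Lower-case a hex address so comparisons ignore mixed-case checksum display.

    Rejects anything that is not "0x" followed by exactly 40 hex characters.
    """
    a = addr.strip().lower()
    body = a[2:]
    if not (a.startswith("0x") and len(body) == 40
            and all(c in "0123456789abcdef" for c in body)):
        raise ValueError(f"not a well-formed hex address: {addr!r}")
    return a


def looks_alike(candidate: str, trusted: str) -> bool:
    """True when candidate shares the visible prefix and suffix with trusted
    but is not the same address. This is exactly what a human doing a
    first-few/last-four eyeball check would wave through."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    same_prefix = c[2:2 + PREFIX_LEN] == t[2:2 + PREFIX_LEN]
    same_suffix = c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:]
    return same_prefix and same_suffix


def verify_destination(label: str, pasted_address: str) -> bool:
    """Gate for outgoing transfers: the pasted address must equal the
    address-book entry character for character. Prefix/suffix agreement
    is never enough on its own."""
    return normalize(pasted_address) == normalize(ADDRESS_BOOK[label])


@dataclass
class Transfer:
    counterparty: str   # the other party's address
    direction: str      # "in" or "out"
    amount: float       # token units


def find_poisoned_entries(history, address_book=ADDRESS_BOOK):
    """Return (label, transfer) pairs whose counterparty mimics a trusted
    address. Zero-value or dust inbound transfers from such addresses are
    the classic poisoning signature and should be hidden from copy/paste
    views and escalated for review."""
    findings = []
    for tx in history:
        for label, trusted in address_book.items():
            if looks_alike(tx.counterparty, trusted):
                findings.append((label, tx))
    return findings


# Constructed history: the genuine test payment, the poisoned airdrop that
# was sent to sit next to it, and an unrelated inbound transfer.
SAMPLE_HISTORY = [
    Transfer(ADDRESS_BOOK["usms-forfeiture"], "out", 45.36),
    Transfer(LOOKALIKE, "in", 0.0),
    Transfer("0x" + "1" * 40, "in", 12.5),
]

if __name__ == "__main__":
    for label, tx in find_poisoned_entries(SAMPLE_HISTORY):
        print(f"lookalike of {label}: {tx.counterparty} ({tx.direction}, {tx.amount})")
    print("paste of lookalike accepted?", verify_destination("usms-forfeiture", LOOKALIKE))
```

In practice the address book would be populated out of band (for example from a signed document exchanged with the receiving agency), never from the wallet's own transaction history, because that history is exactly the surface the attacker controls.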
“By only verifying the last four digits of the wallet address, agents could easily believe this to be enough, but it is yet another reminder of how important it is to verify everything and have further pairs of eyes confirm the transaction when large sums of money are involved,” Moore said. “Especially due to the nature of this crime, where cybercriminals continue to have the upper hand when it comes to digital crime and fraud.”