Article Details

Man pleads guilty to stealing $37 million in crypto from 571 victims. A 21-year-old man from Indiana named Evan Frederick Light pleaded guilty to stealing $37,704,560 worth of cryptocurrency from 571 victims in a 2022 cyberattack. According to an announcement by the U.S. Department of Justice, Light stole the cryptocurrency from an unnamed investment holdings company based in Sioux Falls, South Dakota. In a Statement of Fact obtained by BleepingComputer, Light says that he and unknown co-conspirator(s) stole the identity of a legitimate client of the company to gain access to the company's servers. They then exploited vulnerabilities to spread further into the network. Using this access, Light says they stole the personal information of the company's clients, which was then used to steal their cryptocurrency. "After successfully accessing the investment holdings company's computer servers, my coconspirator(s) or I then exfiltrated from the servers the PII of hundreds of other clients. Along with one or more individual(s)," reads the Statement of Fact. "I ultimately used this access to steal virtual currencies from the clients who held such assets with the investment holdings company." In total, Light says he stole $37,704,560 worth of cryptocurrency from 571 victims and then proceeded to transfer it to various coin-mixing services and gambling websites to obscure the trace of the assets and hide his real identity. "After acquiring control of the stolen cryptocurrency, these proceeds, in part, were funneled to various locations throughout the world, including multiple mixing services and gambling websites to conceal my identity and the identities of coconspirator(s) and to hide the virtual currency," said Light. Despite that, the FBI was able to track down Light and arrest him, leading to his indictment in May 2023. Initially, Light had not pleaded guilty, but he has now admitted his involvement in the cyberattack. Light now faces up to 20 years of imprisonment per count, three years of supervised release, and restitution. Whether or not victims will get any of their money back remains to be seen, as the authorities have not announced the seizure of any assets held by Light. Last month, the FBI reported that cryptocurrency losses reached a record $5.6 billion in 2023, with each year since 2019 breaking a new record. To best secure cryptocurrency, it is recommended to use cold wallets, which store crypto offline and are less susceptible to hacking, use multi-factor authentication, and limit the sharing of sensitive information online.