Two Canadian scammers who duped a woman from Oregon out of ₿23 earlier this year have pleaded guilty in a Portland court, reports The Oregonian. Jagroop Singh Khatkar, 24, and his brother, Karanjit Singh Khatkar, 23, filed their pleas before U.S. District Judge Michael H. Simon in federal court yesterday after being accused of conspiring to commit wire fraud and money laundering.
— The Oregonian (@Oregonian) December 17, 2019
Fake HitBTC Support Accounts
The Khatkar brothers’ scam involved creating a fake Twitter profile, @HitBTCAssist, that resembled a support page for Canadian-based exchange HitBTC, which they knew their victim used. They used this to get her to hand over her email address, which they hacked into, allowing them to take control of her HitBTC account.
Karanjit Khatkar then rinsed the victim’s account of her ₿23 holdings, worth $140,000 at the time, sending it to his Kraken account before splitting the proceeds with his brother. Over the following months, Karanjit Khatkar cashed out the remaining BTC for Canadian dollars, not knowing the FBI were already investigating the case.
Khatkar’s Big Mistake
Khatkar might have got away with his crime had he not sent the BTC straight to a well-known US-based exchange. The trail would have been immediately visible to anyone with basic blockchain knowledge, meaning investigators simply had to sit back and wait to see what Khatkar did with the money.
Happily, the victim has been repaid the $140,000, while the pair face a maximum of 30 years each for their crimes, although the fact that they have pleaded guilty will vastly reduce their sentences.
The case acts as another example of why Bitcoin is not as anonymous as the mainstream media likes to make out – identifying one address in a chain immediately exposes the entire chain, making it one of the worst ways of perpetrating a crime. It is also a reminder that leaving large sums of money on exchanges is never a good idea, and that two-factor authentication (2FA) is not 100% safe. Kraken made 2FA mandatory for all accounts in April, but it seems that either the thieves were able to overcome this or it wasn’t properly set up by the victim. There is no suggestion they also hacked into her phone, meaning that human error possibly contributed to the theft.