A California man who lost $100,000 in a 2021 SIM card swapping attack is suing the unidentified owner of the cryptocurrency wallet that contained his stolen funds. The case is believed to be the first time a federal court has recognized that the use of information contained in a Bitcoin transaction, such as a link to a civil claim filed in federal court, would reasonably have provided defendants with notice of the lawsuit. Experts say the development could make it easier for victims of cryptocurrency theft to recover stolen funds through the courts without having to wait for law enforcement to notice or provide help.
Ryan Dellone, a healthcare worker in Fresno, California, claims that thieves stole his Bitcoin on December 14, 2021, through an unauthorized SIM swap involving an employee of his cell phone provider. Dellone’s phone number was transferred to a new device under attacker control.
Dellone said scammers then used his phone number to break into his account at Coinbase and siphon off approximately $100,000 worth of cryptocurrency. Coinbase is also named as a defendant in the lawsuit, which claims the company ignored multiple red flags and should have discovered and stopped the theft. Coinbase did not respond to a request for comment.
Working with experts who track the flow of stolen funds in cryptocurrency robberies, Dellone’s lawyer Ethan Mora identified a Bitcoin wallet that was the final destination for his client’s stolen cryptocurrency. Mora said his client was aware that the Bitcoin address in question was implicated in an ongoing federal investigation into a cryptocurrency theft ring.
Mora said it was unclear whether the Bitcoin address holding his client’s stolen funds was held by the government or by anonymous hackers. Nonetheless, he is pursuing a novel legal strategy that would allow his client to serve a civil lawsuit notice on that Bitcoin address and potentially win a default judgment seizing the client’s funds, without knowing anything about the identity of the attacker or the account holder.
In a civil action seeking monetary damages, a default judgment is typically entered on behalf of the plaintiff if the defendant fails to respond to the complaint within a specified time. Experts say that assuming the cybercriminals who stole the money don’t dispute Dellone’s claims, cryptocurrency exchanges could seize the money if the thieves try to move or spend it.
U.S. courts generally hold that if you are suing someone, you must provide the defendant with some meaningful and timely communication about the lawsuit in a manner that is reasonably likely to notify the defendant.
Some time ago, you had to locate the defendants and hire someone to personally serve them copies of court documents. But legal experts say courts’ views on what constitutes meaningful service have changed in recent years and now allow notification by email.
On December 14, 2023, a federal judge in the Eastern District of California allowed Dellone to send notice of the lawsuit directly to the alleged hacker’s Bitcoin address, using a text message included with approximately $100 worth of Bitcoin sent by Mora to the address.
Bitcoin transactions are public records, and each transaction can be sent with an optional text message. The message uses a so-called “OP RETURN,” an instruction in the Bitcoin scripting language that allows users to attach metadata to a transaction, thereby saving it on the blockchain.
In the $100 Bitcoin transaction sent by Mora to the disputed Bitcoin address, the OP RETURN message reads: “OSERVICE – SUMMONS, COMPLAINT US Dist. E.D. Cal. Link: t.ly/123cv01408_service,” which is a short link to a copy of the lawsuit hosted on Google Drive.
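To show how such a message sits inside a transaction output, here is an added example (not code from the original article or from anyone named in it) that parses an OP_RETURN output script, decodes its data pushes as text, and extracts link-like tokens for review. The sample message is constructed, modelled on the one quoted above; the function names are this example's own.

```python
import re

OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1 / 2 / 4
# Constructed sample text, modelled on the message quoted in the article.
SAMPLE = "SERVICE - SUMMONS, COMPLAINT. Link: t.ly/123cv01408_service"

def build_op_return_script(payload: bytes) -> bytes:
    """Build a sample output script: OP_RETURN followed by one data push."""
    if len(payload) <= 75:
        return bytes([OP_RETURN, len(payload)]) + payload
    if len(payload) <= 0xFF:
        return bytes([OP_RETURN, 0x4C, len(payload)]) + payload
    raise ValueError("payload too large for this sample builder")

def parse_op_return(script: bytes) -> list[bytes]:
    """Return the data pushes after OP_RETURN; raise ValueError if malformed."""
    if not script or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN output script")
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if op <= 75:                      # direct push of `op` bytes
            size = op
        elif op in PUSHDATA_WIDTH:        # length is in the next 1/2/4 bytes
            width = PUSHDATA_WIDTH[op]
            if i + width > len(script):
                raise ValueError("truncated push length")
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        else:
            raise ValueError(f"non-push opcode 0x{op:02x} after OP_RETURN")
        if i + size > len(script):
            raise ValueError("push runs past end of script")
        pushes.append(script[i:i + size])
        i += size
    return pushes

def message_text(script: bytes) -> str:
    """Decode pushes as UTF-8, masking non-printable characters for safe logging."""
    text = b"".join(parse_op_return(script)).decode("utf-8", errors="replace")
    return "".join(c if c.isprintable() else "\ufffd" for c in text)

def find_links(text: str) -> list[str]:
    """Extract link-like tokens; anyone can write these, so never auto-open them."""
    return re.findall(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}/\S+", text, re.I)

if __name__ == "__main__":
    script = build_op_return_script(SAMPLE.encode())
    print(script.hex(), message_text(script), find_links(message_text(script)))
```

Because anyone can attach an OP RETURN message to a payment sent to any address, a link recovered this way should be handled as untrusted input and checked against the court docket before it is relied on.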
“Courts are adapting to new ways of serving lawsuits,” said Mark Rasch, who served as a federal prosecutor in the U.S. Department of Justice. “This is helpful, useful and necessary.”
Rasch said Mora’s tactics could force the government to reveal information about their cases or explain to judges why plaintiffs can’t immediately recover stolen funds. Rasch said Dellone’s stolen cryptocurrency may have been seized as part of government asset forfeiture, but either way there’s no reason for Uncle Sam to hold onto the life savings of some cybercrime victims indefinitely.
“The government does not require cryptocurrency as evidence, but in a seizure action, the money will remain with the government,” Rasch said. “But it was never the government’s money, and that doesn’t help the victims. The government should provide victims of cryptocurrency theft with information so their attorneys can get their money back on their own.”
Nick Bax is a security researcher who specializes in tracking the maze of activity by criminals trying to use cryptocurrency exchanges and other financial instruments to launder the proceeds of cybercrime. Bax said Mora’s method could allow more victims to make legal claims against their stolen funds.
“For example, if you get a default judgment against a Bitcoin address, and the Bitcoin is sent to an exchange that complies with a U.S. court order, then it’s yours,” Bax said. “I’ve seen court orders issued where funds were frozen by exchanges that decided it made sense to comply with the U.S. federal court’s order.”
Bax’s research was highlighted in a September 2023 report about how experts now believe hackers are likely cracking some of the password vaults stolen in the 2022 LastPass breach.
“I’ve talked to a lot of victims who had life-changing sums of money forfeited and want to get that money back,” Bax said. “A big goal here is to make civil cases more efficient. Because then people can help themselves instead of having to rely solely on law enforcement with limited resources. That’s really the goal: to scale it up and make it economically viable.”
While Dellone’s lawsuit may be the first time a federal judge has approved the use of Bitcoin to notify another party in a civil lawsuit, the technology has been used in several unrelated recent cases involving other cryptocurrencies, including Ethereum and NFTs.
Law firm DLA Piper wrote that in November 2022, the U.S. District Court for the Southern District of Florida “authorized the service of a lawsuit seeking to recover stolen digital assets through non-fungible tokens, or NFTs, containing the text of the complaint and a subpoena, as well as a hyperlink to a website created by the plaintiff that contains all pleadings and orders in the lawsuit.”
In granting Dellone’s request to serve notice through a Bitcoin transaction, the judge in the case cited a recent New York Superior Court ruling in a John Doe case brought by victims seeking to uncover who was behind a $1.3 million cyber heist.
In the New York case, the state trial court held that it was permissible for the plaintiff to serve notice of the lawsuit via a cryptocurrency transaction because the defendant frequently used the blockchain address to which the tokens were sent, and had recently done so. In addition, the New York court also found that because the accounts involved contained large amounts of money, they were unlikely to have been abandoned or forgotten.
“The court therefore infers that defendants may have access to the account in the future,” wrote Judge Helena M. March-Kuchta, for the Eastern District of California, summarizing the New York case. “Ultimately, Plaintiffs have no other way to contact these unidentified defendants.”
Regardless of the reason why cryptocurrency is stolen or lost — whether it’s a romance scam or a straight-up digital robbery — experts say it’s important for victims to file a formal report with local police and the FBI’s Internet Crime Complaint Center (ic3.gov). IC3 collects cybercrime reports and sometimes bundles victim reports into cases for DOJ/FBI prosecutors and investigators.
The harsh truth is that most victims will never see their stolen funds again. But sometimes federal investigators achieve small victories and manage to seize or freeze crypto assets known to be tied to specific crimes and criminals. In these cases, the government will ultimately work to find, contact, and in some cases pay known victims.
This process can take many years to unfold. But if federal investigators do pursue this effort, they are likely to focus their efforts and attention on responding to victims who have made claims and can back up their claims with documentation.
But don’t be under any illusions that this can all happen in a period of time that makes sense for the victim. For example, in 2013, the U.S. government seized the assets of the virtual currency Liberty Reserve, massively disrupting a major vehicle for laundering the proceeds of cybercrime and other illicit activities.
KrebsOnSecurity filed a claim when the government offered payments to Liberty Reserve account holders who wished to file a claim for financial losses and provide supporting documentation. I didn’t have much money in my Liberty Reserve account; I just wanted to know how long it would take for federal investigators to follow up on my claim, or if they would.
In 2020, an IRS investigator contacted KrebsOnSecurity to discuss my claim. Investigators said they would have called earlier, but it had taken the IRS that long to legally obtain the funds seized in the 2013 Liberty Reserve seizure.