In August 2024, a Washington, D.C.-based cryptocurrency holder lost over 4,100 Bitcoin—worth approximately $230 million at the time—in what has become one of the largest individual crypto thefts in history.
By early 2025, that same Bitcoin would be worth over $450 million.
There was no exploit.
No smart contract vulnerability.
No sophisticated malware.
Instead, the entire operation hinged on something far simpler:
Trust.
🎭 The Setup: A Fake “Google Support” Call
The attackers—identified as Malone Lam (20, Singapore) and Jeandiel Serrano (21, Los Angeles)—didn’t break into the system.
They were let in.
Posing as Google or platform support personnel, they contacted the victim and initiated what appeared to be a legitimate account recovery process. During the interaction, they convinced the victim to:
- Reset their two-factor authentication (2FA)
- Enable screen sharing
- Walk through “security verification” steps
At that point, the attackers had everything they needed.
Once inside, they quickly gained control of the victim’s accounts and transferred 4,100 BTC out.
The theft itself was fast.
The damage was irreversible.
🧠 This Wasn’t a Hack — It Was a Manipulation
What makes this case particularly important is not the scale—it’s the method.
There was no technical breach.
Instead, this was a precision social engineering attack, exploiting:
- Authority (impersonating trusted platforms)
- Urgency (account compromise narrative)
- Compliance (guided instructions under pressure)
In other words:
The system didn’t fail. The human layer did.
🔍 How the Fraud Actually Worked
This operation followed a structured playbook:
1. Target Selection
High-value crypto holders are often identified through:
- data leaks
- social media exposure
- prior platform breaches
2. Impersonation
Attackers posed as:
- Google support
- crypto exchange security teams
They used spoofed identities and controlled communication channels.
3. Trust Building
They created a believable scenario:
- “Your account has been flagged”
- “We need to secure it immediately”
The victim is guided rather than rushed, but remains under the attackers' control.
4. 2FA Reset Manipulation
Instead of bypassing security technically, they walked the victim through resetting it themselves.
This is a critical point:
2FA is only as strong as the person controlling it.
5. Screen Share Compromise
This is where full exposure happens.
With screen sharing enabled, attackers can:
- observe credentials
- guide actions in real-time
- identify wallet access points
6. Asset Extraction
Once access is gained:
- funds are transferred rapidly
- often across multiple wallets to fragment visibility
⚠️ Where the Vulnerability Occurred
This isn’t about blaming the victim.
It’s about understanding the failure points:
- Trusting inbound support communication
- Allowing screen sharing on sensitive accounts
- Not independently verifying identity
- Centralizing large amounts of crypto in a single access path
- Assuming 2FA cannot be socially bypassed
These are not uncommon mistakes.
They’re exactly what these operations are designed to exploit.
💸 What Happened After the Theft
The post-theft behavior is what ultimately unraveled the operation.
The stolen funds were laundered through:
- mixers
- peel chains
- layered wallet transfers
- VPN-obfuscated activity
But despite attempts at obfuscation, the group made critical errors.
🚨 Operational Security Failures:
- Public displays of wealth
- Social media activity
- Geotagged posts
- Recorded group chats
- High-profile spending patterns
Reportedly:
- Lam purchased 31 luxury vehicles
- Spent $400K–$500K per night at clubs
- Serrano rented a $47,500/month home in Encino
This wasn’t quiet laundering.
It was visibility.
And that visibility created investigative leads.
👥 Who Was Involved
What initially appeared to be a two-person operation has since expanded significantly.
Primary Defendants:
- Malone Lam (Singapore)
- Jeandiel Serrano (Los Angeles)
Known Co-Conspirators / Individuals Charged or Identified:
- Veer Chetal (pled guilty, cooperating witness)
- Kunal Mehta (charged in laundering conspiracy)
- Additional unnamed and charged participants as part of a broader network (total defendants now reportedly 15+ individuals)
This is no longer an isolated fraud.
It is being prosecuted as a coordinated criminal enterprise.
⚖️ Current Case Status (2026 Update)
- Lam and Serrano were arrested in September 2024
- Trial was originally scheduled for October 6, 2025
- The trial did not occur and has been delayed
As of early 2026:
- The case remains in pre-trial proceedings
- Plea negotiations are ongoing
- Multiple co-defendants have:
  - pled guilty
  - begun cooperating with federal prosecutors
The delay is largely due to:
- the scale of digital evidence
- the number of defendants
- the expanding scope of the conspiracy
There is no confirmed sentencing for Lam or Serrano at this time.
Claims circulating online suggesting reduced penalties or community service are not supported by any official filings.
🔐 What This Case Teaches
The most dangerous part of this case isn’t the $230 million.
It’s how little technical sophistication it required.
This attack succeeded because:
- trust was exploited
- process was manipulated
- verification never occurred
🛡️ How to Protect Yourself
If you take nothing else from this case, take this:
- Never trust inbound support communications
- Never screen share financial or crypto accounts
- Verify identities through official channels only
- Use hardware-based authentication where possible
- Segment assets—don’t store everything in one place
- Assume social engineering is the primary threat vector
📣 Final Thought
This wasn’t a hack.
It was a conversation.
And that’s what makes it far more dangerous.
🚨 If You’ve Been Targeted or Affected
Cases like this are becoming more common—and more sophisticated.
If you’ve been the victim of a financial scam, crypto theft, or social engineering attack:
Reach out to us.
At BlockDivers, we specialize in:
- tracing digital assets
- identifying actors
- building actionable intelligence for recovery and legal action
We may be able to help you understand what happened—and what can be done next.



