Scammers steal $4 million in crypto during face-to-face meeting
Demand to display wallet full of coin facilitated mystery heist
Ahad Shams, the co-founder of Web3 metaverse gaming engine startup Webaverse, discovered in late November 2022 that someone had stolen $4 million of his cryptocurrency – during a real-world interaction.
Stolen crypto isn't unusual: billions of digi-dollars were stolen last year, some by crime gangs or nations like North Korea.
What made this case different is that the scammers stole the funds from a newly created Trust Wallet account when Shams and a Webaverse colleague met in the lobby of a Rome hotel. By the premature end of the meeting, the money – and the miscreants – were gone.
In a detailed statement posted on Twitter this week, Shams outlined how the scammers posed as possible investors, courted him over several weeks, arranged the meeting in Rome, convinced him to shift $4 million in crypto into the new Trust Wallet account, and eventually disappeared, followed by the funds minutes later.
"We aren't 100 percent sure as to technically how this happened yet, but in short it involved the scammers convincing us to move funds into a fresh wallet (which we created and controlled) in order to provide 'proof of funds'," Shams wrote.
Not the first victim
What he found in the wake of the theft and the following investigation is that such scams, while not typical, are not unheard of. He pointed to a Twitter thread from 2021 in which NFT entrepreneur Jacob Riglin, founder of Dream Lab, wrote that $90,000 in crypto was stolen from him in a similar scheme that involved a meeting in Barcelona.
Also in that case, Riglin was talked into opening his crypto wallet and showing it to the scammers, again to show the "investors" that he had the money to make the deal.
In the Webaverse case, Shams wrote that he was working to close a Series A fundraising round when he was contacted by a man calling himself the lawyer for a person – "Joseph Safra" – who wanted to invest in Webaverse. The email seemed to be from a legitimate law firm – Shams checked the website – and the lawyer sent him know-your-customer (KYC) information, which eventually turned out to be fake.
After weeks of negotiations via emails and video calls with the lawyer and "Mr. Safra," Shams agreed to meet with them in Rome. The miscreant posing as Safra said he needed proof of funds and suggested a Trust Wallet account would be sufficient evidence.
Meeting in a hotel in Rome
Shams said he and a colleague met with Safra and his lawyer for dinner and then the next day to close the deal. He had created a fresh Trust Wallet account while still at home, using a device that Webaverse didn't typically use. The idea was that without Shams' private keys or seed phrases, the funds would be safe.
"We sat across from these men and transferred 4M USDC [USD Coin] into the Trust Wallet," Shams wrote. "'Mr Safra' asked to see the balances on the Trust Wallet app and took out his phone to 'take some pictures'. We thought it was weird but since no private keys or seed phrases were showing, we humored them."
He said Mr Safra was satisfied but needed to step outside to discuss it with his colleagues.
"We never saw him again," Shams wrote. "Minutes later the funds left the wallet. I was in shock … I had absolutely no idea how these guys had stolen the money from us."
He said he has reported the theft to Rome police and the FBI. The ongoing investigation – including by a private lawyer hired by the Webaverse co-founder – hasn't determined exactly how the crypto was stolen. They're still working to get more information from Trust Wallet about what was going on with the wallet when the funds were drained.
The lawyer also said that the group that scammed Shams had reached out to others of his clients earlier in 2022, as proven by matching signatures in documents. In addition, investigators have put crypto exchanges on notice about the miscreants.
Webaverse also is offering bounties to anyone who can help track down the scammers or recover the stolen money.
The laundering of the stolen money was extensive. Investigators found that the funds taken from Shams' wallet were split into six transactions that were sent to six previously unused addresses. Almost all the USDC was converted into Ethereum, Wrapped Bitcoin (wBTC), and Tether (USDT) and then run through a group of 14 addresses.
From there, the funds were sent to four new addresses, with about 83 percent currently sitting in one of the addresses.
Shams wrote that while the crypto theft hurt his company – as losing $4 million would – Webaverse has enough money for the next 12 to 16 months and is looking to raise more money. And while the investigation continues, he's looking ahead.
"The event haunts me to this day but it has not broken me," Shams wrote. ®