An Indian national pleaded guilty Monday in federal court in Charlotte to charges related to the theft of more than $37 million through a spoofing scheme of the Coinbase website. Chirag Tomar, 30, a citizen of India, was arrested at the Atlanta airport on Dec. 20, 2023, upon entering the United States. He remains in federal custody.
One of Tomar’s victims lived in western North Carolina and lost more than $240,000 worth of cryptocurrency in Tomar’s scheme, according to court records.
Tomar pleaded guilty to wire fraud conspiracy, which carries a maximum sentence of 20 years in prison and a $250,000 fine. A sentencing date has not been set.
According to court documents, Tomar used his victims’ funds to pay for his lavish lifestyle, including to purchase a Rolex and other expensive watches, to buy luxury vehicles like Lamborghinis and Porsches, and to make trips to Dubai, Thailand and elsewhere.
In June 2021, Tomar and his co-conspirators engaged in a scheme to steal millions in cryptocurrency from hundreds of victims located worldwide and in the United States, including in the Western District of North Carolina. Tomar and his co-conspirators executed the fraud by “spoofing” the Coinbase website.
Coinbase is one of the largest virtual currency exchanges in the world, that allows customers to buy, sell or trade cryptocurrencies. Coinbase users can also store their cryptocurrencies in their virtual exchange wallets. Upon logging in, users are able to quickly access their wallets and transfer the cryptocurrencies to other wallets or other outside linked accounts. Coinbase operated a “Pro” version of its exchange, which was found at the URL “Pro.Coinbase.Com.”
According to court documents, Tomar and his co-conspirators spoofed the Coinbase Pro website by using a similar fake URL, CoinbasePro.Com. In order to deceive unsuspecting users into believing they were accessing the legitimate Coinbase webpage, the fraudulent website was crafted to mimic the authentic website. Once victims entered their login credentials into the fake website, an authentication process was triggered. In some instances, victims were tricked into providing their login and authentication information of the real Coinbase website to fraudsters.
Other times, victims were tricked into allowing fake Coinbase representatives into executing remote desktop software, which enabled fraudsters to gain control of victims’ computers and access their legitimate Coinbase accounts. The fraudsters also impersonated Coinbase customer service representatives and tricked the users into providing their two-factor authentication codes to the fraudsters over the phone.
Once the fraudsters gained access to the victims’ Coinbase accounts, the fraudsters quickly transferred the victims’ Coinbase cryptocurrency holdings to cryptocurrency wallets under the fraudsters’ control.
In February 2022, a victim located in the western North Carolina attempted to log into his Coinbase account through the fraudulent website. The spoof website immediately notified the victim that his account was locked and prompted the victim to use a number provided to call a fake Coinbase representative. The fake representative tricked the victim into providing his two-factor authentication information, ultimately gaining access into the victim’s real Coinbase account. Using the information, fraudsters stole cryptocurrency from the victim’s Coinbase wallet worth more than $240,000.
Tomar admitted in court on Monday that he controlled several cryptocurrency wallets that received hundreds of transactions of cryptocurrency stolen from victim accounts at Coinbase, totaling tens of millions of dollars. After Tomar received the stolen cryptocurrency, he would quickly convert it to other forms of cryptocurrency or move the funds amongst many wallets controlled by Tomar and others.
Ultimately, the cryptocurrency was converted into cash which was then distributed to Tomar and his co-conspirators.