Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

Busted: Cryptojacking; UndeadApes NFT Rug Pull Suspects

Ukraine Nabs Suspected Cryptojacker; US Air Force Cyber Analyst Accused of Rug Pull
Busted: Cryptojacking; UndeadApes NFT Rug Pull Suspects
Non-fungible tokens are a quick way to get rich ... if you're a scammer. (Image: Shutterstock)

Illicit cryptocurrency mining and non-fungible token scams continue to generate big returns for criminals, according to charges recently unveiled in two cases.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

One case centers on a Ukrainian man accused of illicitly cryptojacking a cloud provider's infrastructure to mine for cryptocurrency. In the other, two U.S. men are accused of hyping up the value of a non-fungible token they created and then running away with the proceeds instead of sharing them with investors.

National Police of Ukraine on Tuesday arrested the cryptojacking suspect, age 29, in the Ukrainian city of Mykolaiv. Authorities accuse the man, who hasn't been named, of illicitly accessing the cloud service and using it to mine more than $2 million worth of cryptocurrency.

The cloud provider - also not named - approached authorities in January 2023 with evidence that someone had been accessing "compromised cloud user accounts" and using them to mine for cryptocurrency, Europol said Friday. Mining refers to the computationally intensive process of verifying transactions on a cryptocurrency's blockchain, in return for which miners receive the chance to be compensated with cryptocurrency.

"By stealing cloud resources to mine cryptocurrencies, the criminals can avoid paying the necessary servers and power, the cost of which typically outweighs the profits," Europol said. "The compromised account holders are left with huge cloud bills."

Europol said the suspect was eventually identified after months of close collaboration between law enforcement and the cloud provider.

Haunted by UndeadApes

Separately, a cyber analyst with the U.S. Air Force stands accused of perpetrating a cryptocurrency scam involving UndeadApes non-fungible token collections built on the Solana blockchain that allegedly made him $250,000 richer.

A Jan. 8 criminal complaint and affidavit charges Senior Airman Devin Alan Rhoden, aka "Deviinz," with money laundering conspiracy and making a false statement to a federal agency. Military law enforcement arrested him Tuesday.

Asked about the charges, Rhoden's federal public defender, Adam Allen, told Information Security Media Group on Monday: "We have no comment at this time."

The U.S. Air Force Office of Special Investigations in the affidavit accuses Rhoden of helping to create the UndeadApes, Undead Lady Apes and Undead Tombstone NFT collections before executing a rug pull. This type of cryptocurrency scam can involve developers luring in investors, hyping up their coins and then exiting without warning and taking all of the proceeds with them.

Blockchain intelligence firm Chainalysis reported that known cryptocurrency scam revenue surged to $10.9 billion in 2021 before dropping to $5.9 billion in 2022. The firm said that in 2021, rug pulls accounted for one-third of all losses due to scams.

The government's affidavit accuses Rhoden as well as Alabama resident Berman Nowlin of perpetrating the rug pull, based in part of "tens of thousands of chats" provided by Discord in response to a court-ordered search warrant for any Discord accounts associated with Rhoden's known email address and phone number.

The 2,500 UndeadApes NFTs, described by their developers - including Deviinz - as being "unique apes with over 60 hand drawn traits on the Solana blockchain" that were "read to take on the Metaverse," were minted on the Solana blockchain in March 2022, followed later that month by 750 Undead Lady Apes, according to the affidavit, signed by Nicolas David Itin, a civilian special agent with the OSI. The names riff on the popular Bored Apes Yacht Club NFTs that launched in April 2021.

Victims told Itin and other investigators that they had received certain promises in exchange for investing in the apes, such as earning up to a six-time return via staking, which refers to locking up tokens. Undead Lady Apes also promised a liquidity pool into which up to 75% of all proceeds from further NFT sales would be deposited, according to court documents.

The value of both types of NFTs rose after their creation. On April 19, 2022, the developers announced the minting of a third type of NFT token, Undead Tombstone, in collaboration with Stoned Ape Crew, which markets itself as being the "#1 herb-related NFT project."

Stoned Ape Crew Disputes Collaboration

Two hours after that UndeadApes announcement via Twitter - now known as X - Stoned Ape Crew tweeted that the claimed collaboration had been a lie.

"Shortly thereafter, the developers executed the rug pull by abandoning the Undead Tombstone mint," according to the affidavit. One victim told investigators that the three different types of NFTs immediately became "worthless" due to distrust in the developers and that the final signoff to the UndeadApesDAO Discord channel from the developer known as "Denny" was: "Yall are dumb as [expletive]."

"Social media eventually linked Devin Alan Rhoden's true identity to the Deviinz Discord account," according to the affidavit.

OSI investigators said the two suspects made "several incriminating statements" in Discord chats, including the following:

"Thanks or helping me make a quarter million in two months," Rhoden told Nowlin in a Discord chat dated April 29, 2022, according to court documents.

"I was able to put a down payment on a house," Rhoden added. "Buy my dream car outright. Have over six months of expenses in savings."

"Rich," Nowlin replied.

The affidavit doesn't detail every piece of evidence against Rhoden or Nowlin, but in it the investigators say they worked with Chainalysis to trace the stolen Solana, or SOL, cryptocurrency. They said this led to a fraudulent transfer of 21 ethereum, or ETH, to Rhoden's Coinbase account on April 19, 2022, followed 3 minutes later by the Coinbase account being used to purchase about $64,000. Over the next few days, investigators said, Rhoden transferred about $79,000 more to his USAA account. The next month, Rhoden and his wife bought a home in Pinellas Park, Florida, providing his bank statement from the USAA account as part of the underwriting process, according to court documents.

Investigators Detail Suspect's Google Searches

When they executed a search warrant on Rhoden's Gmail account, investigators said, they found multiple incriminating Google searches, including ones on April 20 and April 21, 2022, querying "does coinbase have kyc" - referring to "know your customer" anti-money laundering checks - as well as "does logs show on discord if they delete their account."

Shortly thereafter, investigators said, Rhoden queried "what happens if a utility nft rugs" and later, "wire fraud court martial."

On Tuesday, U.S. Magistrate Judge Julie Sneed ordered the U.S. Marshals Service to release Rhoden on an unsecured $20,000 bond after he agreed to multiple conditions, including surrendering his passport, undergoing a mental health evaluation, and agreeing to "avoid all contact, directly or indirectly, with Berman Jerry Nowlin in the investigation or prosecution of this case," including "any third-party contact."

Rhoden on his LinkedIn profile - now apparently deactivated - claimed to have a top-secret government security clearance, Forbes and Court Watch reported.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.