November 5, 2024

A cryptocurrency scam that used the Coinbase Wallet led to $66.3 million in lost crypto

Some days PJ Jenkins just likes to look at his money.

He can’t get to that money, which totals about $15,000 in cryptocurrency — it’s been lifted from him by scammers. But thanks to the quirks of crypto, the cash sits visible to him online via the blockchain, taunting him.

“It’s right there; everyone can see it. But I can’t touch it,” said Jenkins, still sounding a little dazed a few months after the swindle.

Jenkins isn’t some greenhorn fresh to the world of money and crime. In fact, if anyone shouldn’t have been duped in a scam, it’s him — a 57-year-old retired cop from outside Atlantic City, who prides himself on his law enforcement wiles. He even used to direct security at a casino, his eagle eyes spotting the shady types who would take the house for a ride.

But over a months-long slow play — led by an attractive woman and fueled by a spate of confidence-winning gestures — Jenkins slowly gave his money to the crooks. He has little hope of ever recovering it.

As cryptocurrency investment in the United States skyrockets, Jenkins’s story is no longer a rarity. Scams are rapidly multiplying in the lightly regulated province of crypto, experts say, each boosted wallet and disappeared dollar underscoring just how mainstream the thievery has become. The Federal Trade Commission estimates that Americans lost $750 million to crypto scams in 2021, and the number could rise this year.

Law enforcement has been slow to rise to the challenge. The Justice Department recently announced a new task force focusing on cryptocurrencies, but it’s still very new and it remains to be seen how many scammers it can investigate, let alone arrest.

No one agency seems to have latched onto the scam that snatched Jenkins’s money, even though a Washington Post analysis of the blockchain records available suggests it is truly of staggering dimensions — with likely more than 5,000 victims in multiple states and $66.3 million stolen since August. The FBI did not respond to a request for comment.

Victims interviewed by The Post say that despite numerous attempts to alert law enforcement, they’ve yet to be contacted by authorities, leading them to believe no agency is even aware of the scam, let alone investigating it. Instead, they have organized on their own, in Reddit and Facebook groups, to commiserate and strategize.

Meanwhile, regulators and Congress have yet to develop a robust set of rules that would impose strict standards of behavior and enforcement. And the companies involved — in this case, the large crypto platform Coinbase and the currency Tether — have basically told the victims “buyer beware.”

“This is really, really hard because crypto is so thinly regulated and folks are used to picking up the phone and calling 911,” said Joe Rotunda, the enforcement director of the Texas State Securities Board, which investigates investment scams. “Oftentimes, the law enforcement agencies deal with violent crimes or street crimes. They simply don’t have the resources necessary to prosecute a case like this and don’t know where to turn.”

Jenkins says that when he went to his local police station, they didn’t understand what he was talking about. He tried contacting both the FBI and Securities and Exchange Commission via their websites but never heard back.

Like so many crypto investors who’ve been scammed, Jenkins tells a particularly American story, one in which a shiny new financial tool dangles the prospect of middle-class stability — but also lures criminals eager to take advantage of its anonymity and baffling complexity.

Jenkins thought he was savvy enough to use his crypto investments to swing a little extra money to supplement his income from his pension. Instead, he wound up losing some of that, too.

“American history is filled with episodes of fraud where a lot of people you wouldn’t expect to get taken in do,” said Edward J. Balleisen, a Duke history professor who explored scams in his book “Fraud: An American History From Barnum to Madoff.”

He cited “commodity-pool” scams from late 19th century that had Americans sending their money by mail to invest in “can’t-miss” wheat futures. Those scams also took place “at the frontier of economic innovation,” he said, where criminals find they can exploit the combination of consumer enthusiasm and government confusion.

“It would appear that’s what we’re living through now,” he said.

The scam that ensnared Jenkins unfolded on an app made by the cryptocurrency exchange Coinbase. It involved a niche crypto area known as “liquidity mining” and took the form of what activists have come to call “pig-butchering” — because the victim’s wallet is fattened before the slaughter.

Jenkins lives in Absecon, N.J., a sleepy, family-oriented town eight miles from the seductive lights of Atlantic City. Much of his time, and money, are occupied with taking care of his 3-year-old nephew.

Crypto was the furthest thing from Jenkins’s mind when he first met “Alice” last September on the dating app Hinge. After he matched with her, the two began messaging via WhatsApp.

Every day, for weeks, they communicated — about life, family, the hurly-burly of the everyday, on one occasion even talking by video. Alice, who told Jenkins she was 37, provided a sympathetic ear. She called Jenkins by endearments and seemed eager to get to know him.

After more than a month, Alice began mentioning crypto investments, particularly something called “liquidity mining.” She said Jenkins “could make money by simply ‘lending’ ” crypto he wasn’t using anyway.

“Dear blueberry, do you know how high its profit is?” she wrote in a message thread that Jenkins provided to The Post.

He asked how it worked. Alice described an operation that was nothing but upside. “Mining is not buying and selling. Like a mine, the mountains are full of ETH, and then we mine,” she said, referring to the Ethereum cryptocurrency.

“I think this is the safest, because the funds are in their own hands,” she added.

All he would need to do, Alice said, was buy a “mining certificate” — only $26, no big deal. Then he could begin depositing crypto to earn returns, a steady trickle of cash on the order of what bank savings accounts used to return decades ago.

Alice suggested Jenkins use Coinbase Wallet, an app made by one of the largest crypto trading exchanges in the United States. She also guided him to “CB-ETH.cc,” a seemingly affiliated website slathered in Coinbase’s signature blue. That site would handle the liquidity mining.

Jenkins was skeptical. He had worked for the New Jersey State Police protecting the State House in Trenton and for a time served as director of security at Resorts World, a casino in Queens, N.Y., about 120 miles north of Absecon. He was used to spotting all kinds of scams, and this smelled like one.

But a Google search confirmed for him that liquidity mining was a legitimate, if complicated, scheme, in which certain crypto exchanges pay to borrow cryptocurrency to fulfill their customers’ orders.

As someone who lived off a pension, Jenkins was wary — “I never even like to loan someone more than $500,” he said. But the stakes seemed low, and so were his ambitions. He wanted to make about $60 a day, enough to cover his $2,000 monthly mortgage payment.

So at the end of October, Jenkins bought about $4,000 in Tether, a so-called stablecoin based on Ethereum designed to be worth exactly $1. He then took that money and invested it in the CB-ETH liquidity mining website that Alice had directed him to.

After withdrawing his money from the account and then depositing it again over the next few days — to test that he really did still control the funds — he began steadily adding to it. If he worked his way up to $15,000, Alice had told him, bonuses would kick in that would net him 15 percent monthly returns — enabling him to hit his $2,000 earnings target.

“It seemed very legitimate. I mean, I could move the money,” he recalled. He even encouraged two nephews and a family friend to put their money in, too.

After four weeks, Jenkins had invested $15,000 in the supposed mining operation. The Post could verify the dates and amounts of his investments because, like almost anything involving cryptocurrency, they were recorded on a blockchain — a list of transactions posted online. The Ethereum blockchain that he used can also record instructions to be automatically executed, called “smart contracts.”

Checking his tally on the CB-ETH liquidity-mining site, Jenkins would see the “profits” tick steadily upward as time passed. He was headed toward $2,000 for the month. Perfect.

And then one day in early December, he got a call from his nephew. The nephew’s money was gone. Had Jenkins heard anything? Jenkins said he hadn’t but went to check his own wallet. All $15,000 of his money had disappeared, too.

The gains, it turns out, weren’t real. The account balance on the CB-ETH site was an illusion, to keep Jenkins engaged — part of the pig-butchering. And there’s no such thing as a “mining certificate,” either. It was a sham, meant to get Jenkins to click a button.

When Alice told Jenkins to buy a certificate, she was actually having him execute a smart contract. That contract wasn’t written in English, or even legal jargon. It was one solitary line of computer code written in the language of the Ethereum blockchain. Its function was to give her unlimited access to his money.

He hadn’t realized it at the time, but Jenkins had signed his own permission slip to be robbed.

Frantic, Jenkins messaged Coinbase, which said that, “after a review,” it couldn’t help. It said Jenkins had given away his “12-word recovery phrase.” (He had not.) He also messaged Tether, which said it couldn’t help, either. And he messaged CB-ETH, which he was jarringly coming to realize was not legitimate.

Jenkins insisted to CB-ETH’s online representatives that the removal of the $15,000 was an unauthorized transaction. That led only to Kafka-esque interactions in which he received responses like: “Smart contract is a kind of rule that cannot be interfered by the AI controller.”

Contacted by The Post about the scams, Coinbase security officer Philip Martin said he couldn’t comment on Jenkins’s situation. But “some bad actors are going to get on the platform,” he said. “When we find them, we work with the appropriate law enforcement organization and the appropriate regulators to prevent them from doing harm.”

Martin said the company had been investigating liquidity mining scams since January. He said he wasn’t sure if Coinbase would be reviewing its records to find and contact the victims.

The CB-ETH website did not respond to repeated requests for comment through its live-chat system.

Tether’s chief technology officer, Paolo Ardoino, issued a statement in response to queries from The Post. “Tether takes all reports of theft, scam or loss very seriously,” it said. “Tether will freeze wallets if the Company is notified via valid law enforcement requests but cannot fulfill arbitrary requests to freeze wallets where these conditions are not met.”

Ardoino said that Tether has frozen wallets in at least one case involving the Secret Service, and that the company has helped users recover $80 million in the past year. He did not address Jenkins’s case.

Tracking stolen crypto is a booming business: How blockchain sleuths recover digital loot

In a moment of dark comedy while Jenkins was messaging with CB-ETH, the system spat back a message that said, “You rated our customer service as bad.” Jenkins got a good laugh out of that.

What he didn’t get was his money. He could still see it living on the blockchain. But the blockchain noted clearly that it belonged to the thieves now. This brought its own torture. It’s one thing to know abstractly that criminals have your cash. It’s another to see them holding on to it.

“I feel stupid. I got slow-played,” said Jenkins, who has a flair for the theatric and years ago even did a little spot acting when he lived in Los Angeles. “I’m used to scams with a quick hit, a get-out-and-go. But this is a whole different play.”

Jenkins says he feels his case offers a broader social lesson.

“Security is my forte,” Jenkins said. “If it can happen to me, I feel like it can happen to anybody.”

The Post uncovered the breadth of the scam by analyzing crypto accounts belonging to Jenkins and four other victims, and then identifying 616 additional accounts with the same pattern of apparently stolen funds: First, the account owners approved access to their money, and then their money was moved somewhere else.

The Post then examined the accounts to which the money was transferred. That uncovered an additional 4,425 accounts whose transactions fit the same pattern. In total, The Post’s analysis identified 5,046 accounts with an average loss of more than $13,000 each.

The accounts’ addresses are just a mishmash of letters and numbers. Even though Jenkins can see the money in Alice’s wallet, there’s no way to find her real name, contact information or even what country she is in.

Another victim, Troy Gochenour, lost more than $25,000, $19,000 of which came in loans he must still pay back. Gochenour, 48, delivers packages in his hometown of Columbus, Ohio, after moving back from New York during the pandemic.

A former crypto skeptic who remembers thinking “this’ll never catch on,” Gochenour began investing at the suggestion of a woman he met online. “She would text me every morning ‘good morning,’ every night, ‘good night.’” But she never video-chatted with him, citing a phobia.

After his first investment of $5,000 disappeared in October, she denied his money was gone, but promised that if he brought his total investment up to $10,000, he’d earn a $3,000 reward. He invested the difference, taking out a loan to do so. That money disappeared, too. He took out another loan, then a third. That money also vanished.

“I was betrayed by somebody who I thought cared about me,” he said.

Besides Jenkins and Gochenour, The Post spoke with three other victims of nearly identical scams. Savvy people in midlife are common victims, activists say.

“It’s not just elderly folks; it’s not just technically illiterate folks,” said Jan Santiago, a spokesman for the crypto-scam victim group Global Anti-Scam Organization that has helped popularize the term “pig-butchering.“ “Traders, bankers, lawyers, doctors, nurses — they all fell for this and lost a large amount of their savings.”

As a genre, the scam started with victims in China, then began to ensnare Chinese-speaking residents of other countries. “Now it has grown to include just anyone” of any background, Santiago said.

“There is a lot of manpower and time and energy put into effectively grooming the victims,” added Grace Yuen, a Massachusetts-based spokeswoman for the victims’ group.

One of the particular features of crypto scams is how close they sit to conventional investing. Because of its volatility, crypto trading can have the feel of gambling — fortunes are gained and lost before lunch. Subareas like liquidity mining are even blurrier — the idea that your money could earn double-digit percentage returns with no risk seems too good to be true. But there are legitimate liquidity-mining operators, so how to tell the difference?

“Liquidity mining is a hard one to understand for many investors,” said Nick Furneaux, managing director at the U.K.-based investigative firm CSITech and author of the book “Investigating Cryptocurrencies.” “It can be a legitimate way to make money. The problem is: Who can you trust?”

What bothers Jenkins the most — more than his naivete, more than the lost money — is the guilt. To achieve maximum effect, crypto scams often rely on the victims to do their work for them. Each nephew Jenkins recruited put in $6,000. The family friend plowed in $60,000. All of it is gone.

“It’s the worst thing I’ve done in my life,” Jenkins said; his brother didn’t talk to him for months.

Furneaux said people can try to protect themselves by looking at when a domain was registered and avoiding newly created ones. But he said the industry also needs to do a better job of self-regulation. “I’m hoping social responsibility starts coming into play for more of these companies,” he said.

Making the ecosystem safe for regular people is a “hard job,” admits Dan Finlay, a founder of MetaMask, a competitor to the Coinbase Wallet app. But he says MetaMask has dedicated multiple security teams to investigating risks and plugging holes.

Jenkins believes one such hole in Coinbase Wallet contributed to his downfall. When Jenkins bought the “mining certificate,” he clicked a prompt in the Coinbase Wallet app that did not clearly explain that he was signing over full access to his money.

Other wallets are more transparent about such requests, and Coinbase has come under fire for the lapse. Last August, BlockSecTeam, a China-based blockchain security firm, issued a blunt evaluation of the issue: “The Coinbase wallet hides the necessary information.”

Asked about the hole, Martin, the Coinbase security chief, said “I’m not going to sit here and say Coinbase Wallet has the perfect [user interface]. Are there improvements we could make? Absolutely. And we will continue to do so.”

Both Coinbase Wallet and MetaMask collaborate on a public list of 13,500 scam sites that are blocked in both apps. But the list doesn’t include the sites that appeared to defraud Jenkins and Gochenour.

One seemingly easy fix would be to restrict outsiders’ access to users’ wallets, or at least require a human to interact with the user before control is given away. But crypto advocates say this is not possible: The “approval” process is key to many of the so-called decentralized finance tools necessary to achieve their goal of replicating or even replacing the regular financial system.

Read that link carefully: Scammers scoop up misspelled cryptocurrency URLs to rob your wallet

So far, nothing public has been done for the victims.

“The blockchain is kind of this permissionless frontier space,” said MetaMask’s Finlay. “You know, I don’t know if every user understands how much they really are kind of on their own.”

Jenkins said he realizes now just how vulnerable he is. But, perhaps surprisingly, he wants to keep investing in crypto.

“I just feel like there are ways to make money,” he said. “Sure, some of it feels too good to be true. But if you treat it like gambling, if you have that mentality and approach it wisely, you can make a lot more than having it sit in a bank.”

He added ruefully: “You just have to get a little lucky.”