2024has been truly unkind to web3 retail investors. Way too many of them have been cleaned out by both scammers and hackers.

While, as previously reported, obtaining a precise and accurate figure for the total funds lost by retail investors remains an incredibly challenging task, criminal reports suggest that at least $5.84 billion were wiped from their wallets. Of this, at least $4 billion was lost to pig-butchering scams, over a billion to phishing schemes — including wallet drainers and address poisoning — and $444 million to exit scams.

It must be said that the state of the crypto market in 2024 really helped those fraudsters score big.

The bull run that kicked off at the end of 2023, peaking with Bitcoin hitting a new ATH of $73,738 on March 14, 2024, brought in a flood of liquidity from both seasoned crypto enthusiasts and a wave of eager new retail investors. The promise that 2024 would be the year Bitcoin shattered the $100,000 barrier (which it did!), combined with the explosive activity in the memecoin supercycle, transformed the ghost town that was the crypto market in 2023 into an effervescent hub of transactional activity!

Source: Dune

Many of these newcomers are ignorant of crypto’s treacherous waters, making them extremely vulnerable and ideal targets for scammers. Seasoned traders, on the other hand, are just as, if not more, susceptible to the FOMO siren call after enduring a long and traumatic bear market, which created an ideal environment for scammers to victimize retail investors.

Astonishingly, the top 5 of those fraudulent projects, minus pig-butchering, are resulting in a staggering $611 million in losses.

So here are the most successful crypto scams of 2024!

1. $243 Million Stolen in Largest Social Engineering Phishing Heist to Date — Second Biggest Heist of the Year

The most impressive crypto scam of 2024, in terms of its mind-blowing sum, was a simple social engineering phishing attack. In terms of size, it ranks as the second most financially devastating crime of 2024, just after the DPRK threat group’s DMM Bitcoin private key exploit, which amounted to $308 million.

As of now, it also appears to be the largest amount lost by a single individual in a single crypto phishing attack.

On August 19th, 2024, crypto sleuth ZachXBT took to Twitter to reveal that he had uncovered a suspicious transfer amounting to $238 million, with attempts to launder and cash out the funds through multiple centralized exchanges (CEXs). Rumors quickly swirled around the identity of the victim — was it an individual, a hedge fund, or a CEX? And how was the heist carried out: through a private key exploit, phishing, or both?

For a long time, little was known about the case, except for two updates from ZachXBT, which reported two successful attempts to freeze the stolen funds — by Firn Protocol and NonKYC — totaling around $500,000. Barely a drop in the bucket.

One month, jour pour jour, after the $238 million attack, ZachXBT took again to Twitter to reveal the full story behind it.

ZachXBT’s Investigation Mapping — Source: ZachXBT

The heist was a “highly sophisticated social engineering attack,” a phishing scam that targeted a single individual. The victim was a creditor of the defunct crypto trading firm Genesis.

On the day of the attack, he received a call from a spoofed number, with the scammers posing as Google Support to compromise his personal accounts, according to ZachXBT’s investigation. Shortly after, the victim was contacted again, this time by the scammers posing as Gemini support. They informed him that his Gemini account had been hacked and instructed him to reset his 2FA and transfer funds from his Gemini account.

After much persuasion, the victim used AnyDesk to share his screen, allowing the scammers to access and leak his private keys from his Bitcoin Core.

His attackers successfully stole $243 million and immediately attempted to disperse the funds across multiple wallets before transferring them to over 15 exchanges, according to ZachXBT’s research. The stolen assets were rapidly swapped between Bitcoin, Litecoin, Ethereum, and Monero in an effort to obscure the trail.

Initial Exploit Tracing by ZachXBT- Source: ZachXBT

Unfortunately for them, but fortunately for the victims, they were neither thorough during their attack nor in their attempt to escape. This lack of diligence allowed ZachXBT to trace the phishing attack back to three main perpetrators and their accomplices.

Suspect List Established by ZachXBT — Source: ZachXBT

One of the many blunders they committed was revealing two of their names to the victim during the screenshare.

Source: ZachXBT Twitter

The other mistakes relate to their money laundering techniques. Although the attackers converted most of the stolen funds to Monero, ZachXBT discovered that two of them accidentally mixed stolen and clean funds by reusing a deposit address. One attacker, while sharing his screen, also revealed an address he used to purchase designer clothes, which was linked to millions in stolen money.

Tracing of Badly Laundered Funds by ZachXBT — Source: ZachXBT Twitter

Most of them had left enough trails on social media — or their exes did — for their full identities to be ultimately revealed during ZachXBT’s investigation. ZachXBT, alongside the Binance security team, Zero Shadow, and CryptoForensic Investigators, was able to further freeze $9 million.

The day before ZachXBT published his findings, Box (Jeandiel Serrano, 21) and Greavys (Malone Lam, 20) were arrested by the FBI and later indicted on September 19th.

Phishing through social engineering has been at the heart of many bountiful crypto heists, one of them extremely sophisticated, almost succeeding in wiping out $125 million from a single individual, as we recounted previously in Story of an Almost $100M Crypto Heist.

2. The November 2024 $129 Million Address Poisoning Attack

On November 20th, 2024, the victim decided to transfer out around $129.7 million from the address TGrS7QNCf85X2B6ddvGZY2MF9VwvFn6XAE to TMStAjRQHDZ8b3dyXPjBv9CNR3ce6q1bu8.

They began by sending an initial $100 USDT to test the address TMStaj…6q1bu8. After the transaction was successfully completed, the victim opted to transfer the full $129.7 million almost immediately.

Unbeknownst to them, just after their test transaction, the scammer had crypto dusted their wallet with $1 USDT using an address mimicking the one they tested, TMStaj…6q1bu8.

When they copied and pasted the destination address for their funds, they unknowingly picked the spoofed address. The spoofed address wasn’t even well-crafted, as only the last 6 digits matched, while the first part didn’t resemble the legitimate address at all, starting with THcTxQ instead of TMStaj.

Source: Certik

Fortunately for the victim, the address poisoner sent back $116.7 million within an hour, and four hours later, the remaining $12.97 million.

The two-part transfer and the amount of the second transfer — $12.97 million — seem to indicate that the attacker initially considered taking a 10% ‘bug bounty’ cut but then thought better of it.

Source: SlowMist via ScamSniffer

The most likely reason they sent everything back is fear — fear of being tracked down by the victim, who has the resources, as well as by the blockchain forensics community and law enforcement, especially given the enormous amount stolen, which would paint a huge target on their back.

3. Crypto4winners, A $100 Million Ponzi

On March 9th, 2024, the investment firm Crypto4Winners, which promised 3–20% monthly returns, announced that they had fallen victim to an exploit.

Source: Crypto4Winners Telegram Channel

Due to the exploit, Crypto4Winners found itself in the difficult position of no longer being able to allow ‘process fund withdrawals until it is resolved,’ or so they said.

The issue? DL News, a crypto newspaper, had revealed two months earlier that Crypto4Winners was co-owned by a certain Luc Schiltz, a Luxembourger found guilty in 2017 of defrauding victims for more than $1.5 million and sentenced to six years in prison, serving only two. Soon after his release, he co-founded the Crypto4Winners project.

So when the hack was announced, suspicions arose immediately. After the initial announcement post, Crypto4Winners went entirely silent. As soon, if not earlier, than March 12th, Crypto4Winners’ clients contacted lawyers and the police.

In the following days, it would be revealed that Crypto4Winners showed every sign of being a Ponzi scheme, which made thousands of victims for at least $100 million.

According to DL News, Luc Schiltz had co-founded Crypto4Winners but had kept his involvement hidden. The figurehead of Crypto4Winners was another Luxembourger, Adrien Castellani, who was its official CEO and founder. In truth, however, Castellani was only the co-founder of Crypto4Winners alongside Luc Schiltz.

Source: Virgule

Despite multiple questions arising about Luc Shiltz’s involvement in Crypto4Winners over the years, he never acknowledged him as either a co-founder or a general partner; instead, he barely recognized him as a consultant. In 2023, he promised to sever all relations between Crypto4Winners and himself by the end of that year, which he obviously did not fulfill.

Source: DL News

A little lie among many.

Such as the delirious returns they promised. They went as far as claiming a 377% return on customers’ Bitcoin deposits since 2019, as well as a 7% monthly average return up to 20%, irrespective of the crypto market’s ups and downs, typical of a crypto Ponzi scheme.

They also claimed to be partners of Chainalysis and Ledger, leading both companies to publicly disavow their claims in 2022.

Crypto4Winners is incorporated in Sweden. When asked by the Swedish Companies Registration Office to provide annual reports of its accounts for 2021 and 2022 in 2023, they claimed that their status as a Trust Management Company did not require them to submit them, which was false. Even under the risk of liquidation or being declared invalid, the deadline came and went without them submitting the reports.

It would also be revealed that Crypto4Winners, which publicly appeared to be a Luxembourg-Swedish entity, was actually a complex structure spanning through Dubai, Lithuania, Ireland, Sweden, and Luxembourg.

Worse, Crypto4Winners was, in fact, a shell company; investors’ funds were all transferred to an Irish company named “Big Wave Developments Limited.”

According to the Luxembourg newspaper Virgule, of the estimated $100 million customers’ funds, not even $200,000 appeared to be left in Big Wave Developments Limited’s accounts.

The most dumbfounding thing about this whole case is how its unraveling came about: a very bizarre car crash accident that allegedly caused Luc Shiltz’s amnesia.

On March 5th, before dawn, Luc Shiltz found himself crashing against a road guardrail, sending his car up a slope. He apparently did not suffer any injuries from this accident; then, for reasons unknown, said the Luxembourg police, he walked into the highway where a bus crashed into him.

He did not suffer life-threatening injuries and was hospitalized in the orthopedic department.

However, he claims that the accident has caused him to suffer memory loss. The thing is, Luc Shiltz is the one who has complete control over customer funds; which means he could no longer access the funds in cryptocurrency wallets and exchange accounts.

What stands out is that, according to the Virgule investigation and people who visited Luc Shiltz at the hospital days after the crash, there is room to doubt his amnesia.

Mario (fake name), a friend of Adrien Castellani, recounted to Virgule:

“He initially pretended to have amnesia and then told us that he would retrieve the USB keys from his parents, and that everything would return to business as usual…” (translated from French)

On that very day, Mario uncovered the shell nature of Crypto4Winners and Big Wave Developments Limited. Later, during a call on March 12th with Shiltz, Mario inquired about the mere $200,000 remaining in Big Wave Developments Limited’s account. Shiltz reassured him, explaining that it was to be expected since it represented only the funds in the hot wallet.

Despite his claimed amnesia, Luc Shiltz appears to have a complete grasp of his identity and how his company operates. So one must ask, what is it exactly that he has forgotten that prevents him from accessing the funds? Certainly not the seed phrases; it’s probably unheard of in crypto history for someone to solely rely on their memory, especially when $100 million is involved

.In his own words, he claimed that everything was with his parents and assured that everything would soon return to normal. So, what’s the catch?

The answers to this question and all inquiries raised by this affair will hopefully be unveiled in a court of law.

On March 15th, the Luxembourg public prosecutor’s office announced an investigation into Crypto4Winners for fraud and money laundering charges, and that two individuals have been charged and placed under custody.

One of the individuals is thought to be Luc Shiltz.

Source: TrustPilot

4. The May 2024 $72 Million Address Poisoning Attack

On May 3rd, 2024, a person fell victim to an address poisoning attack that would go down in history as the largest address poisoning heist at the time, with $72.7 million lost to the scammer after the victim transferred 1,155 wrapped Bitcoin to the malicious address.

What happened can be summed up as a stroke of extremely bad luck. The victim first successfully completed a test transfer of $149 to the legitimate address starting with 0xd9A1b. Afterward, they mistakenly copy-pasted the wrong address — the poisoned one that mimicked 0xd9A1b.

Address Poisoning Breakdown — Source: Chainalysis

The victim tried to negotiate the return of the funds in exchange for a 10% ‘bug bounty,’ an attempt that was proven unsuccessful. Blinded by greed, the attacker thought they could take off safely with everything — how mistaken they were.

Message sent by the victim to the attacker — Source: Chainalysis

The entire blockchain security community was on the case, and soon enough, there was talk of the exploiter returning the funds, minus the $7.2 million kept as a bug bounty. On May 10th, almost all of the stolen funds were returned by the attacker, who was barely able to make off with $3 million due to token appreciation.

Two weeks later, it was discovered that the prompt return of funds was not due to a change of heart from the scammer but rather because, despite trying to obfuscate their tracks as much as possible, their identity was partly revealed through the discovery of their “device fingerprint,” as reported by Match Systems CEO Andrey Kutin.

5. Epoch Times CFO’s $67 Million Crypto Scam and Money Laundering Heist

In June 2024, Bill Guan, the Chief Financial Officer (CFO) of The Epoch Times, was arrested in relation to a massive crypto scam.

The U.S. Department of Justice (DOJ) accused Guan of conspiring to launder at least $67 million in fraudulently obtained funds, including proceeds from unemployment insurance fraud. The scheme allegedly involved using cryptocurrency to purchase illicit funds at discounted rates, which were then funneled through various accounts, including those of The Epoch Times, to conceal their origins.

The crypto scam was discovered when banks reported a 410% revenue jump in one year from barely $15 million to over $62 million.

The DOJ’s indictment highlighted that the charges were unrelated to The Epoch Times’ journalistic activities. Guan faces serious charges, including conspiracy to commit money laundering and bank fraud, with potential sentences totaling up to 80 years in prison.