A Precision Hunt Targeting Mining CEOs
Written by: Joel Khalili
Translated by: Luffy, Foresight News
Complex cryptocurrency fraud cases are on the rise, but few have been as meticulously executed as the scam that befell a Bitcoin mining executive earlier this year.
When Kent Halliburton stood in the bathroom of a luxurious hotel in downtown Amsterdam, thousands of miles from home, he rubbed his fingers over an envelope filled with 10,000 euros in brand new bills and began to question what kind of storm he had gotten himself into.
Halliburton is the co-founder and CEO of Sazmining, a company that operates Bitcoin mining hardware for clients, a model known as "mining as a service." Halliburton is based in Peru, but Sazmining's mining hardware is distributed across third-party data centers in Norway, Paraguay, Ethiopia, and the United States.
According to Halliburton, he flew to Amsterdam on August 5 to meet Even and Maxim—two men who claimed to represent a wealthy family office in Monaco. This family office proposed purchasing hundreds of Bitcoin mining machines from Sazmining, valued at around $4 million, which would be installed at a mining site under construction in Ethiopia. Before finalizing the deal, the family office requested a face-to-face meeting with Halliburton.
Upon arriving at the luxurious hotel, Halliburton found Even and Maxim already seated in a private booth. They gave the impression of playboy gamblers—especially Maxim, who wore a brown three-piece suit, was well-groomed, and had dark hair parted in the middle, with a Rolex watch peeking out from his cuff.
During a three-course lunch (featuring fish roe-topped ceviche, Chilean sea bass, and cherry cake), they discussed the framework of the deal and shared their backgrounds. Even was talkative and humorous, recounting tales of lavish parties in Marrakech; Maxim, on the other hand, was aloof, mostly staring at Halliburton with a long gaze as if scrutinizing him.
To build trust, Even suggested that Halliburton sell about $3,000 worth of Bitcoin to the family office. Halliburton was initially hesitant but took it as a peculiar "ice-breaking ritual." One of them handed Halliburton an envelope filled with cash, asking him to privately count the amount in the bathroom. "It felt like a scene from a James Bond movie," Halliburton said, "it was all too novel for me."
Halliburton took a taxi away, feeling somewhat confused about the meeting but still hopeful about closing a deal with the family office. For Sazmining, which had only about 15 employees, this deal could bring transformative change.
Less than two weeks later, Halliburton was scammed out of over $200,000 worth of Bitcoin by Even and Maxim. He was unsure if Sazmining could survive this blow and unclear about how the scammers had set the trap for him.
After lunch with Even and Maxim, Halliburton flew directly to Latvia to attend a Bitcoin conference, then headed to Ethiopia to check on the construction progress of the data center.
While in Ethiopia, Halliburton received a WhatsApp message from Even, who wanted to push the deal forward but with one condition: following the small Bitcoin purchase at the luxurious hotel, Sazmining needed to sell more Bitcoin to the family office. The two sides eventually settled on an amount of $400,000, equivalent to one-tenth of the total deal value.
Even requested that Halliburton return to Amsterdam to sign the necessary contracts. Halliburton, having been away from home for weeks, opposed this, but Even was adamant: "Remote operations don't work for me; I don't do business like that."
On the afternoon of August 16, Halliburton returned to Amsterdam. That evening, he was to meet Maxim at the teppanyaki restaurant of the five-star Okura Hotel. The restaurant featured traditional Japanese decor, with wooden paneling, paper walls, and a Zen garden, and a string of origami cranes hung from the spiral staircase in the lobby.
Halliburton found Maxim sitting on a sofa in the waiting area outside the restaurant, dressed in a garish silver suit. While waiting to be seated, Maxim asked Halliburton to prove that Sazmining had enough Bitcoin to complete the additional transaction proposed by Even. He wanted Halliburton to transfer half of the agreed amount (about $220,000) into a Bitcoin wallet application trusted by the family office. The funds would still be under Halliburton's control, but the family office could verify the existence of the funds through public transaction data.
Halliburton opened his iPhone. The application, called Atomic Wallet, had thousands of positive reviews and had been available on the Apple App Store for years. Under Maxim's watchful eye, Halliburton downloaded the app and created a new wallet. "I wanted to earn his trust," Halliburton said, "after all, it was a $4 million contract."
The dinner went relatively smoothly. Maxim was less guarded this time, discussing his love for luxury watches and his work finding trading opportunities for the family office. Halliburton, feeling unwell from days of travel, wanted to wrap up the meeting quickly.
As they parted, they agreed: Maxim would submit the signed contract to the family office for execution, and Halliburton would transfer the $220,000 worth of Bitcoin to the new wallet address as agreed.
Back in his hotel room, Halliburton initiated a small test transaction to the new Atomic Wallet address, then reset the wallet using the private key (mnemonic phrase) generated when he first downloaded the app to ensure it was functioning properly. "I had to take some security measures; I was almost ready. Thank you for your patience," Halliburton wrote in a WhatsApp message to Even. Even replied, "No problem, take your time."
At 10:45 PM, after confirming the test was successful, Halliburton signaled to a colleague to transfer $220,000 worth of Bitcoin to the Atomic Wallet address. After the funds arrived, he sent a screenshot of the updated balance to Even. A minute later, Even replied, "Thanks."
Halliburton sent another message to Even inquiring about the contract, but Even, who had previously responded quickly, was now silent. Halliburton opened the Atomic Wallet app, sensing something was off—his Bitcoin had vanished.
Halliburton felt a wave of nausea wash over him, sitting on the bed nearly ready to vomit. "It felt like being punched in the stomach," he said, "full of shock and disbelief."
Halliburton racked his brain trying to understand how he had been scammed. At 11:30 PM, he messaged Even again: "This is the most sophisticated scam I've ever experienced. I know you probably don't care, but my company could go under because of this. It took me four years to build it."
Even replied, denying any wrongdoing, but that became the last message Halliburton received. Halliburton provided WIRED with the Telegram account used by Even, which was last active on the day the funds were stolen. Even did not respond to requests for comment.
Analysis by blockchain firms Chainalysis and CertiK showed that the funds in Halliburton's wallet were split within hours, transferred through multiple different addresses, and deposited into third-party platforms that exchanged the cryptocurrency for fiat currency.
Some of the Bitcoin was spread across multiple instant exchange platforms, while most flowed into a single address, where it was mixed with funds that Chainalysis had flagged as possibly originating from "fraudulent transactions."
"These services that the scammers utilized are not illegal in themselves," said Margaux Eckle, a senior investigator at Chainalysis, "but the funds flowing through the consolidation address are closely linked to known fraudulent activities, indicating that this is an organized fraud ring."
Some of the Bitcoin flowing through the consolidation address was deposited into a cryptocurrency exchange, likely converted into fiat currency; the remaining funds were converted into stablecoins and transferred to the Tron blockchain via cross-chain bridges. Researchers noted that there are multiple over-the-counter trading services on that blockchain, facilitating the cashing out of large amounts of cryptocurrency.
The multiple transfers, splits, exchanges, and cross-chain operations aimed to increase the difficulty of tracing the source of the funds, allowing for cashing out without raising suspicion. "This scammer is quite sophisticated," Eckle said, "even though we can trace the flow of funds after cross-chain transactions, it slows down the investigators' tracking speed."
Ultimately, the trail in the public transaction data went cold. To identify the perpetrators, law enforcement would need to subpoena these cash-out platforms, which are typically required to collect user information.
From the transaction data, it is unclear how the scammers obtained and transferred the wallet funds without Halliburton's permission, but the details of his interactions with the scammers provide some clues.
Initially, Halliburton suspected that this might be related to the 2023 attacks by a North Korean government-linked hacking group, during which Atomic Wallet user accounts were compromised, resulting in the theft of $100 million (Atomic Wallet did not respond to requests for comment).
However, security researchers interviewed by WIRED believe Halliburton was a victim of a targeted surveillance attack. "Publicly known executives holding large amounts of cryptocurrency are highly attractive targets for scammers," said Guanxing Wen, head of security research at CertiK.
Researchers speculate that the in-person dinner, expensive attire, large amounts of cash, and other displays of wealth were all strategies to lower Halliburton's guard. "This is a common method of building trust in high-value trust scams," Guanxing Wen said, "the longer the victim spends time in a relaxed environment with the attacker, the harder it becomes to question subsequent technical requests."
To complete the theft, the scammers needed to obtain the mnemonic phrase for Halliburton's newly created Atomic Wallet address—whoever possesses the mnemonic phrase can access the Bitcoin in the wallet without restrictions.
One possibility is that the scammers hijacked or spoofed the hotel's WiFi network to obtain information from Halliburton's phone. "Such devices can be easily purchased online and are convenient; they can fit into two or three suitcases," said Adrian Cheek, chief researcher at cybersecurity firm Coeus. However, Halliburton insists that his phone was never out of his sight and that he used mobile data to download the Atomic Wallet app, not public WiFi.
Guanxing Wen stated that the most plausible explanation is: the scammers may have recorded the mnemonic phrase displayed on his phone when Halliburton first downloaded the app, either through an accomplice nearby or with a camera equipped with a telephoto lens—at that time, they were sitting on a sofa in the Okura Hotel.
Guanxing Wen noted that the scammers might have set up a "sweep script" even before Halliburton transferred $220,000 worth of Bitcoin to the Atomic Wallet address. This is an automated program that immediately transfers funds once it detects a significant change in the wallet balance.
In such cases, the individuals the victims interact with face-to-face (like Even and Maxim) are rarely the ultimate beneficiaries; they are more likely "mercenaries" hired by the scam network, whose core members may be located on the other side of the globe.
"They usually recruit through underground forums and crypto chat groups," Cheek said, "as long as you find the right places, you can see ongoing recruitment messages."
For several days, it was uncertain whether Sazmining could survive this financial blow, as the stolen funds amounted to six weeks' worth of the company's revenue. "I was struggling to keep the company running and cope with this sudden cash shortage crisis," Halliburton said. Ultimately, the company barely maintained its solvency by delaying payments to suppliers and extending the terms of outstanding loans.
That week, a board member of Sazmining reported the incident to law enforcement agencies in the Netherlands, the UK, and the US. Only the UK's Fraud Action Team and the US Secret Service's Cyber Fraud Task Force confirmed receipt of the report—the former stated that no immediate action would be taken, while the latter did not respond to requests for comment.
The number of cryptocurrency-related fraud cases is staggering, making it nearly impossible for law enforcement to investigate each theft individually. "The scale of these threats and criminal activities has reached unprecedented levels," Eckle said.
Eckle indicated that the best hope for fraud victims to recover their funds is for law enforcement to dismantle the entire scam ring. In such cases, the recovered funds are typically distributed to the reporting victims.
Until then, Halliburton can only accept the loss. "It still hurts now," he said, but "it's not a fatal blow."