Two young men accused of committing one of the largest person-to-person crypto thefts in U.S. history went on a brazen spending spree that included buying exotic cars, a $2 million wristwatch, renting mansions and running up nightclub tabs of hundreds of thousands of dollars apiece, new court records reveal.
The Aug. 18 cyber heist swindled a Washington, D.C., resident out of $230 million in cryptocurrency. To date, at least $100 million in bitcoin stolen from the victim remains unaccounted for, prosecutors said in a recent court filing in D.C. federal court.
Police now say that another crime, the mysterious Aug. 25 kidnapping of a Connecticut couple in broad daylight while they were house hunting, may be connected to the Washington crypto theft.
Authorities are investigating whether the kidnapping was part of a plot to demand ransom from the couple's son — who is being investigated for possible involvement in the crypto heist.
"I've never seen anything like this in 20 years," Detective Sgt. Steven Castrovinci of the Danbury, Connecticut, Police Department, told CNBC.
That heist of more than 4,100 bitcoin occurred just a week before the couple was carjacked in Danbury, while driving a Lamborghini automobile that their son had rented.
Six Florida men now face state and federal charges in Connecticut in connection with the kidnapping.
They have not been charged in connection with the cryptocurrency theft. Nor has the unidentified son of the couple who was abducted.
"It's amazing to see how this thing has grown legs," Castrovinci said.
On Sept. 19, just a month after the crypto heist, the U.S. Attorney's Office for the District of Columbia announced that the FBI had arrested two men — Malone Lam, 20, and 21-year-old Jeandiel Serrano — on conspiracy charges related to their alleged theft and subsequent laundering of the stolen bitcoin.
Serrano, who uses the online monikers "VersaceGod" and "@SkidStar," was wearing a $500,000 watch at the time of his arrest in Los Angeles, where he lives, according to prosecutors.
Both men, who are being held without bail, admitted their role in the heist, prosecutors have said in court filings.
Serrano's lawyer, Paulette Pagan, had no immediate comment on his case. CNBC has requested comment from a lawyer for Lam, a Singapore resident who had been living in L.A. and Miami after overstaying by months a visa waiver that allowed him to visit the U.S. as a tourist for just 90 days.
The scheme at the center of the bizarre case is "one of the largest cryptocurrency thefts from a private individual ... in the history of the United States," according to a federal court filing.
A cyber heist in Washington
A month before they were arrested, Serrano, Lam and other, unnamed co-conspirators targeted a man in Washington "because they believed he held a considerable amount of virtual currency" after they "identified him as a high net-worth investor from the early days of cryptocurrency," court filings state.
In early August, one co-conspirator caused an "unauthorized Google account access" notification to be sent to the victim, making it appear that the purported access attempts had occurred overseas, a court filing said.
"In reality, this was just the conspirators laying the groundwork for their imminent theft through sophisticated social engineering," prosecutors wrote in a filing.
On Aug. 18, members of the conspiracy called the man, claiming they were from Google's security team, and asking him about the recent unauthorized access attempts.
"Through a series of prompts and misrepresentations," the co-conspirators managed to manipulate the man into giving them enough information to access his Google drive, "where they quickly located personal financial information, including the location of his virtual currency holdings with Gemini," a crypto exchange, a filing said.
Serrano and other scheme participants then called back the man and Serrano posed as a member of Gemini's support team, prosecutors said.
While he talked to the victim, Serrano and his co-conspirators were communicating with each other on the Discord and Telegram messaging apps, "strategizing on ways to manipulate the victim into providing private keys to his virtual currency holdings and enough computer access for the conspirators to steal his entire savings," the filing said.
The schemers then duped the man into downloading a program onto his computer to protect his Gemini holdings.
But the program actually gave the co-conspirators real-time access to the victim's desktop, according to prosecutors.
"Serrano was eventually able to manipulate the victim into opening files with private keys to over 4,100 Bitcoin," the court filing said.
"While Serrano continued to manipulate the victim, his co-conspirator used this access to quickly steal the entirety of the victim's virtual currency holdings."
Prosecutors said the co-conspirators split the theft's proceeds five ways.
The schemers then used "sophisticated money laundering techniques to hide the proceeds and mask their identities," a court filing alleges.
Serrano created an account on TradeOgre.com and deposited $29 million worth of cryptocurrency, "believing it to be clean and successfully laundered," the filing said.
A spending spree in Los Angeles
While he used a virtual private network to mask his location when he accessed his account, Serrano had failed to use a VPN when he created the account.
"Records from TradeOgre show that the account was created from an IP address registered to Serrano's $47,500 per month rental home in Encino, California," the filing said.
By the time Serrano was identified by federal authorities, "he was already out of the country, vacationing in the Maldives," the filing said.
"Meanwhile, his co-conspirator Malone Lam was spending hundreds of thousands of dollars per night at Los Angeles night clubs and amassing an impressive collection of custom Lamborghinis, Ferraris, and Porsches," prosecutors wrote.
Lam, a Singapore native who was arrested in Miami after traveling there from Los Angeles on a private jet, was renting multiple homes in Miami, according to the filing.
One mansion he rented there cost $68,000 per month, the filing said.
Lam, who used the online handles "Anne Hathaway" and "$$$," had also purchased a watch for $2 million, and a Lamborghini Revuelto for more than $1 million, prosecutors said.
But "many of Lam's vehicles have not been located as of yet, such as his Pagani Huayra that he purchased for $3,800,000," prosecutors wrote.
In all, Lam "admitted to purchasing 31 luxury automobiles, 22 of which have yet to be recovered by law enforcement," prosecutors wrote.
Lam "also admitted to doing additional hacks and making millions from those separate cryptocurrency fraud schemes, which he states have supported his entire lifestyle since arriving in the United States in October 2023," prosecutors wrote.
"The three vehicles Serrano admitted to purchasing have also not yet been located."
Federal government surveillance captured Lam on "a spending spree of the victim's assets," which included sightings of him "at Los Angeles nightclubs ... and gifting handbags valued at tens of thousands of dollars," a court filing says.
Management at L.A. nightclubs told investigators that Lam tried to pay his tabs in cryptocurrency "and was spending approximately $400,000-$500,000 per night," the filing said. One receipt from an L.A. club showed Lam spent "$569,528.39 in one night," the filing said.
After Serrano was arrested at L.A. International Airport on Sept. 18, when he returned from the Maldives with his girlfriend, an FBI agent interviewed that woman, who denied knowledge of Serrano's involvement in crimes, according to a court filing.
"The interviewing FBI Agent told her that the only way to make the situation worse would be for her to call Serrano's associates and tip them off to the arrest," the filing noted.
"Immediately after leaving the interview, Serrano's girlfriend promptly called his criminal associates, tipped them off to his arrest, and these associates in turn deleted their Telegram accounts and all incriminating evidence included in saved chats," the filing said.
"To date, approximately $70,000,000 has been recovered or frozen on various exchanges," prosecutors wrote in a court filing.
"Even considering the millions of dollars that Serrano and his co-conspirators spent on automobiles and jewelry, well over $100,000,000 remains unaccounted for."
Serrano had about $20 million of the victim's stolen bitcoin on his phone, and agreed to transfer those funds back to the FBI, according to a court filing.
A kidnapping in Connecticut
On Aug. 25, three weeks before Serrano and Lam were arrested, police in Danbury, Connecticut, received multiple 911 calls reporting the abduction of a couple by two men.
Court records and Det. Sgt. Castrovinci said the victims were driving a 2024 Lamborghini Urus, which they said had been rented by their son, when they were rear-ended by a white Honda Civic.
A work van then cut in front of the Lamborghini, and a half-dozen or so men wearing black masks surrounded the car.
The perpetrators pulled the two victims out of the car. The husband resisted, and the kidnappers punched him in the face and hit him with a baseball bat, authorities said.
"The suspects repeatedly told [the couple] that they would 'kill them,'" FBI Agent Matthew Loucks wrote in an affidavit supporting a criminal complaint against the alleged kidnappers filed in U.S. District Court in Connecticut.
"The victims were pushed into the back of the work van and held down. The suspects then bound both victims' arms and feet with silver duct tape, which they also used to cover [the husband's] face. The suspects forced [his wife] to lie face down and ordered her not to look at them," according to Loucks' affidavit.
"The couple heard police sirens shortly after the van began moving, and heard one of the suspects yell, 'Call Rick ... we are in deep s---,' " according to the FBI agent. Shortly afterward, the van crashed and the suspects fled on foot, leaving the victims behind.
Police arrested four suspects later that day, and two more the following day. All six suspects are from the Miami area.
The couple, who were briefly hospitalized after the incident, had no idea why they had been targeted in the kidnapping, Castrovinci told CNBC.
"They kept asking us, 'Why?'" Castrovinci said.
A family connection
Danbury police were already familiar with the couple who were abducted, Castrovinci said, because their home had been targeted by "swatting" calls.
Swatting is the practice of calling police and falsely reporting that a crime is occurring at someone else's residence or business, often causing police to descend upon that location.
Castrovinci said they had suspected the swatting calls were being made by people who knew the couple's son from his online gaming.
The Danbury News-Times first reported on Oct. 11 that Danbury police had planned to interview the couple's son, but held off at the request of the FBI.
"We were contacted by the FBI and told there's an ongoing investigation into the son in regards to a cryptocurrency theft that occurred," Castrovinci told the newspaper.
"That's how we knew — and even at that time, we didn't really know to what extent he was involved in it. We just knew that there was an investigation into him regarding a crypto heist," he said.
"I don't know how (the six Florida men) knew this kid had that type of money, but everything leads to them going after the parents because of what this kid was involved in," he told the newspaper.
Castrovinci told CNBC that it is "certainly a good possibility" that the kidnappers planned to hold the couple for ransom, believing their son could pay.
A spokesman for the U.S. Attorney's Office in Connecticut declined to comment when asked about the possible connection between the carjacking and kidnapping of the couple, and their son's potential role in the August crypto heist.
The U.S. Attorney's Office in D.C. did not immediately respond to requests for comment.