Not All Money Is Good Money

The tale of a sophisticated web3 scam ring

tyler.scharf
Mar 9, 2023

It happened to me several months ago and I have remained quiet because I believe that I was dealing with an international crime syndicate. But I do believe it is important to raise awareness so other unsuspecting founders do not fall into the same trap.

 

Webaverse has recently released a theft statement about how these scammers tricked them out of $4m in stablecoins. After conversing with the founder, I realize that I had interacted with the exact same folks, at nearly the same time.

 

These guys are extremely skilled in maneuvering. Every single step was taken with the utmost caution to avoid disclosing any revealing data like IP addresses, card details or IDs. They were very deliberate with words and very careful at playing us into their hands.

 

If an investor is too keen to give you money, something must be wrong. 

 

I first came into contact with one individual through a conference Telegram group. He said he was representing a VC and was looking for projects to invest in.

 

My cofounder and I had several calls with him where things went rather smoothly. They explained their background in venture capital was limited but their wealth came from international real estate and early crypto investments. Fine. Sounded like they wanted to start deploying capital to make it more efficient.

 

I did a bit of digging into them on the internet. The name of the firm was disclosed but not the portfolio—first red flag. Why not give over info on previous investments? Maybe we are the first? Let’s see. 

 

The company was registered in Switzerland. Most individuals were not public, not on LinkedIn. Two were, and were well connected in crypto. A bit strange, but money likes silence. Ok, let’s see. 

 

Next, they want a face-to-face meeting to get to know the founders. A bit suspicious in the day and age of the internet, but these property guys are old school. Ok, I’ll go out there and see what kind of people they are. Could be a good learning experience.

 

Book a flight the next morning, get in the taxi to the airport and forget my passport. Hmm, something is already amiss.

 

Arrive and go for a dinner with the second point of contact, the money guy. Very nice guy, easy to speak to, easy to trust. Family man, strong values, definitely quite wealthy. 

 

Both points of contact are very well trained in NLP and behavioural sciences. I recognized various techniques they were using to pique our interest and prime us for the deal, and then the various manipulative tactics deployed later on when things weren’t going as planned. They started by saying they invest $500k minimum because anything less is not worth their time, they bring you into the family when they invest, if we need more than that just say so because they believe in our project. Then he casually dropped $1m a few minutes later in the conversation, as if by accident. Obviously it was just to get us hungry.

 

So at the dinner, the second point of contact says he is eager to close the deal to write down his tax owing for this year. He shows me that he has large amounts of money in his wallets that he's ready to invest, and then teases me with other various incentives, like free office space in Geneva and a property to stay at while we network.

 

He then gets me to create a crypto wallet with Exodus and sends over a couple small "test transactions". He says that if they arrived, he will send a million dollars to that same address once we sign the deal. This was to build anticipation of receiving the money. 

 

But there’s one catch. He needs to insure his investment in case of bankruptcy. He wants to sign a convertible note (essentially a loan) with us to pay yearly interest. This, he explains, is necessary in order for the insurance company to cover his investment if there is a loss.

 

And in order to get the insurance company to cover that note, we need to show proof of funds at the outset. I don’t have that money, I explained, it's all locked up in staking contracts and illiquid jpegs. It’s ok, he said, get together as much as you can, and then I’ll send the rest in through a different wallet just for verification. Just don’t tell anyone. It’s because I trust you. 

 

Now at this point it’s getting pretty obvious that this is a bad deal, but still I’m struggling to see what their end game is. What is the nature of this scam? How do they get their money out of this? Where is the attack vector?

 

Ok, sure. Just send over all the details. Send the insurance policy, send the term sheet, send your passport details. Let’s do it. 

 

Stalling, stalling. Calling people in venture capital, they’re all telling me it’s ridiculous. Phone calls back and forth on all ends, all day. He keeps calling me and asking if I had the funds ready. 

 

Who would be so desperate to give someone money?

 

This is when it really gets crazy. I start telling him that having this much debt on a company term sheet is unsustainable for its growth. But he says he doesn’t want to sign it with the company—he wants to sign it with me as an individual. Because he trusts me. 

 

And he’s willing to give more money too, just in case we need it. Several million more is no problem, just to ensure we can reach profitability. 

 

So now it’s obvious. He wants to sign a contract in which I as an individual will be obligated to pay interest on a loan.

 

That's when I started pressing him for background checks, due diligence, investor history. The more I pressed, the more he wanted to send me the money. I was careful to lead them on just enough while not directly engaging.

 

I started mentally retracing every move they had made, step by step. First they didn't want to use Google Meet—presumably because it logs sensitive data. They insisted on Zoom.

 

These guys had never even opened the deck.

 

The convertible note they sent for us to sign was in .odt format—no metadata to scrape, nothing to trace. They were probably operating on Linux.

 

He paid with cash at our dinner the night before—small bills, no cards, no wallet. Strange behaviour for a millionaire.

 

Then the second guy called again. Asked me if I was leaving tomorrow. I said yes, I need to go to see my family (playing their cards back at them), and that's when he started getting angry that I didn't want to complete the deal. I said I just need to see your KYC to make sure that everything is in the clear, you know. Compliance and whatnot.

 

Right right, I get that. KYC no problem, I'll send it to you right now. AML isn't necessary because it's crypto, right?

 

Uhh...

 

So he sends over the driver's licence of some random dude who doesn't look anything like him. I take one look at it and say "oooooooohkaayyyy"

 

And that's when he knows that I know.

 

So what about your KYC, I ask?

 

Yes yes, I'll send that to you right after we complete the deal. But you mustn't show that to anyone. I'm a banker, you know. I handle billions of dollars for my clients in Switzerland but they all think blockchain is a scam. They all hate blockchain and they can't know that I'm investing their money into blockchain.

 

Wait.

 

Story change. First it was his money, now it's their money?

 

Of course, I understand, I say. Makes total sense. Look, I need to go back home tomorrow to see my family but I'll come and visit you in Switzerland next week, ok? We can finish the deal then. And you can show me that office.

 

Yeah sure of course, and we hang up the phone. He then proceeded to delete the messages with the fake KYC that he had sent over.

 

So where’s the scam? At first we thought that either the money is dirty and they need a way to clean it (what better way than a convertible note for equity?) or the money was never going to arrive and they just wanted to trick me into signing something to pay interest. 

 

But then I heard the Webaverse story.

 

Ahad did not open any files or documents from these guys on the phone that had the wallet on it. He did not connect to any wifi networks.

 

They had him use Trust Wallet but that's not where the vulnerability lies. Multiple other reports have emerged of similar people getting scammed with Exodus, MetaMask.

 

The only possible attack vector was when the guy took photos of Ahad’s phone for the "proof of funds". He flash copied the device, sent it over to someone to decrypt and send out the funds.

 

Lots of people scoff at this but we normal citizens really have no idea what grade of technology the military has, and what is accessible through the dark web.

 

It’s shameful that they go after the people most hungry for money—founders who are eager to bring their innovative solutions to the world. Those with less awareness of fundraising mechanisms or who don’t have advisors to consult could easily fall victim to this scheme. It’s quite honestly the most clever form of social engineering that I have ever seen.

 

Not all money is good money.