Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the acf domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /data00/vhosts/blog.marketdraft.com/httpdocs/wp-includes/functions.php on line 6170
Inside the $263 Million Crypto RICO Case: How an Online Crew Became a Federal Racketeering Target - MarketDraft BlogMarketDraft Blog Inside the $263 Million Crypto RICO Case: How an Online Crew Became a Federal Racketeering Target - MarketDraft Blog

Inside the $263 Million Crypto RICO Case: How an Online Crew Became a Federal Racketeering Target

Posted in Crypto News, General News by on May 29th, 2026.

What began, according to federal prosecutors, as friendships formed on online gaming platforms became one of the most striking cryptocurrency crime cases in recent memory: a sprawling social-engineering enterprise accused of stealing more than $263 million in digital assets, laundering the proceeds through crypto exchanges and shell companies, and spending the money on mansions, private jets, designer goods, nightclub blowouts, armed security, and a fleet of exotic cars.

Federal prosecutors in Washington, D.C., described the case not as a simple hacking operation, but as an organized criminal enterprise. In a superseding indictment unsealed in May 2025, the Justice Department charged 12 additional defendants in connection with a RICO conspiracy tied to cryptocurrency thefts, money laundering, obstruction of justice, and home break-ins. The indictment expanded an earlier case against Malone Lam, a 20-year-old accused organizer who used online aliases including “King Greavys,” “$$$,” “7,” “Kg,” and “Anne Hathaway.”

The defendants listed in the May indictment included Lam; Marlon Ferro, also known as “Marlo” and “GothFerrari”; Hamza Doost, also known as “Scyllia”; Conor Flansburg, also known as “O O,” “Green Room,” and “@d0uu0b”; Kunal Mehta, also known as “Papa,” “The Accountant,” “Shrek,” and “Neil”; Ethan Yarally, also known as “Rand” and “15%”; Cody Demirtas, also known as “KO” and “Kody”; Aakash Anand, also known as “Light” and “Dark”; Evan Tangeman, also known as “E,” “Tate,” and “Evan | Exchanger”; Joel Cortes, also known as “J”; an unidentified alleged database hacker known as “Chen” and “Squiggly”; an unidentified alleged database hacker known as “Danny” and “Meech”; and John Tucker Desmond, accused separately of destroying evidence. Later court filings identified “Danny” and “Meech” as Danish Zulfiqar, while additional defendants were also added to the broader case.

At the center of the case was a method that has become painfully familiar in the crypto world: social engineering. Prosecutors said the group used stolen or purchased databases to identify people believed to hold large cryptocurrency balances. Database hackers allegedly obtained cryptocurrency-related information by breaching websites and servers or buying data on the dark web. Organizers and target identifiers then sorted through that information to find the most valuable targets.

Once the targets were selected, callers allegedly took over. Prosecutors said they cold-called victims while posing as people trying to help them secure accounts supposedly under attack. The callers allegedly used spoofed phone numbers and persuasive scripts to make victims believe they were speaking to legitimate security representatives. The goal was simple: get victims to hand over passwords, authentication codes, account access, or other information needed to drain digital wallets.

The biggest alleged theft took place on Aug. 18, 2024, when Lam and others contacted a victim in Washington, D.C. Prosecutors said the group fraudulently obtained more than 4,100 Bitcoin from that victim. At the time, the stolen Bitcoin was valued at more than $230 million; later filings placed the value even higher as Bitcoin’s price rose. In a separate July 2024 incident, Lam and others were accused of stealing more than $14 million in cryptocurrency from another victim.

But the case was not limited to online deception. Prosecutors said the enterprise also turned to old-fashioned burglary when digital tricks were not enough. Marlon Ferro, described by authorities as both a money launderer and residential burglar, allegedly broke into homes to steal hardware wallets — physical devices that can store cryptocurrency offline.

In one instance, Ferro was accused of traveling to Winnsboro, Texas, in February 2024, breaking into a victim’s home, and stealing a hardware wallet containing about 100 Bitcoin, worth more than $5 million at the time. In another incident in July 2024, prosecutors said Ferro flew to New Mexico, surveilled a victim’s home for days, and used a brick to smash a window after co-conspirators tracked the victim’s location through an iCloud account. He was captured on the victim’s home surveillance camera, according to the Justice Department.

The laundering operation was just as central to the enterprise as the thefts themselves. Prosecutors said money launderers received stolen cryptocurrency and converted it into U.S. dollars through bulk cash and wire transfers. The indictment alleged that stolen funds were moved through mixers, peel chains, pass-through wallets, exchanges, and VPNs to disguise the flow of money and hide the identities of those involved.

Kunal Mehta, Hamza Doost, Joel Cortes, and Evan Tangeman were accused of helping provide unlicensed crypto-to-cash services for the enterprise. Prosecutors said members used fake identity documents to obtain luxury rental homes, booked private jet travel with stolen cryptocurrency, hid ownership of exotic cars through shell companies, and even shipped bulk cash through the U.S. mail inside Squishmallow stuffed animals.

Mehta’s alleged role showed how the crypto-to-cash pipeline worked. Prosecutors said he created multiple shell companies in 2024 to move funds through bank accounts that appeared legitimate. He allegedly received stolen cryptocurrency, moved it through associates who used blockchain-laundering techniques, and later received wire transfers back into shell-company bank accounts. Mehta also allegedly arranged car purchases, titled vehicles in shell-company names, and recruited straw signers to put their names on car documents in exchange for payments.

The money was spent with astonishing speed. Prosecutors said members and associates of the enterprise spent stolen funds on nightclub services costing as much as $500,000 per evening, luxury handbags worth tens of thousands of dollars, watches worth between $100,000 and $500,000, high-end clothing, rental homes in Los Angeles, Miami, and the Hamptons, private jets, armed security, and at least 28 exotic cars ranging from $100,000 to $3.8 million.

Tangeman’s case later became one of the clearest examples of the laundering side of the operation. In December 2025, he pleaded guilty to participating in a RICO conspiracy and admitted helping launder at least $3.5 million for members of the enterprise. Prosecutors said Tangeman converted stolen cryptocurrency into cash, helped the group rent mansions costing tens of thousands of dollars per month, and concealed the identities of people behind the rentals. After Lam’s arrest, Tangeman also allegedly accessed home security systems to take screenshots of FBI agents searching residences and asked another member to retrieve and destroy digital devices.

Tangeman was sentenced in April 2026 to 70 months in prison and three years of supervised release. Prosecutors said he benefited from the scheme through luxury goods and exotic cars, including vehicles seized by law enforcement.

Ferro’s case, meanwhile, showed how the digital theft operation crossed into physical crime. He pleaded guilty in October 2025 to conspiracy to participate in a racketeer influenced and corrupt organization. In May 2026, he was sentenced to 78 months in prison, three years of supervised release, and ordered to pay $2.5 million in restitution. Prosecutors said Ferro served as the enterprise’s “instrument of last resort,” breaking into homes when online deception could not access victims’ crypto wallets.

The case also included obstruction allegations. John Tucker Desmond, of Huntington Beach, California, was charged with obstruction of justice. Prosecutors said that after arrests began, members of the group tried to destroy evidence. In Tangeman’s sentencing materials, authorities said Tangeman directed Desmond to retrieve and destroy digital devices belonging to enterprise members.

Authorities have not publicly described every investigative step that led to the arrests, but the available filings point to several major breaks: blockchain tracing, search warrants, surveillance evidence, seizures of luxury assets, arrests in Miami and California, cooperation from defendants, and the physical evidence left behind during break-ins and laundering operations. Ferro’s image was allegedly captured on a victim’s surveillance camera after a home break-in. Tangeman’s conduct after the first arrests allegedly showed consciousness of guilt. Mehta’s shell-company network and bank transfers gave investigators a financial trail. And the movement of stolen crypto through wallets, exchanges, mixers, and cash-out services gave federal investigators a map of the enterprise’s money flow.

The investigation was handled by the U.S. Attorney’s Office for the District of Columbia, the FBI’s Washington Field Office, and IRS Criminal Investigation, with support from FBI offices in Los Angeles and Miami and other federal partners. Several defendants were arrested in California, while others were abroad. Later DOJ filings said two defendants connected to the expanded case were arrested in Dubai on related charges.

The charges carry a larger meaning for the crypto industry. This was not just another case of hackers stealing from anonymous wallets. Prosecutors framed it as a modern organized-crime operation, one that mixed cyber intrusions, impersonation, stolen data, money laundering, luxury spending, and real-world burglary. That is why RICO mattered. The statute allowed prosecutors to treat the group as an enterprise, not merely as separate individuals accused of isolated crimes.

The case also exposed a dangerous shift in crypto crime. The same data that helps scammers identify digital targets can also lead them to real homes, real families, and real physical wallets. In this case, prosecutors said the enterprise did not stop at spoofed calls or online deception. It allegedly monitored victims, broke into homes, moved cash through shell companies, and continued operating even after arrests began.

For investors, the lesson is stark: cryptocurrency theft is no longer only about hacked passwords or compromised exchanges. It can begin with a phone call that sounds like customer support, move through a fake emergency about account security, and end with a drained wallet — or, in the most extreme cases, a break-in. For law enforcement, the case shows how blockchain tracing, financial records, surveillance footage, and traditional racketeering laws are being combined to pursue crypto thieves who once believed digital money made them untouchable.

For the defendants, the case remains at different stages. Some have pleaded guilty and been sentenced. Others are still facing allegations and remain presumed innocent unless proven guilty in court. But the government’s message is clear: the era of treating crypto theft as a faceless online scam is fading. Prosecutors are now describing these groups as organized criminal enterprises — and charging them that way.

LetsEncrypt SSL Secure Stripe Payment Processing