Evan Frederick Light, a 21-year-old from Indiana, has pleaded guilty to stealing $37,704,560 in cryptocurrency from 571 victims. This theft occurred during a 2022 cyberattack targeting an unnamed investment holdings company based in Sioux Falls, South Dakota. The U.S. Department of Justice revealed Light’s guilty plea, where he admitted to participating in an intricate cybercrime operation. Using stolen identities and taking advantage of vulnerabilities in the company’s systems, Light and his co-conspirators managed to access the firm’s servers, stealing personal information and digital assets.

How the Cyberattack Unfolded

In a Statement of Fact obtained by BleepingComputer, Light detailed how he and his unknown co-conspirators exploited the company’s network. Initially, they stole the identity of a legitimate client, which granted them access to the company’s servers. Once inside, they escalated their attack by acquiring the personal information (PII) of hundreds of other clients.

With this sensitive data, the group was able to steal vast amounts of cryptocurrency from the firm’s clients. “After successfully accessing the investment holdings company’s computer servers, my coconspirator(s) or I then exfiltrated from the servers the PII of hundreds of other clients,” Light confessed in his statement. The stolen virtual currencies were then transferred to various coin-mixing services and gambling platforms to obscure the trail.

Concealing the Digital Footprint

Despite attempts to hide their tracks, Light’s efforts to launder the stolen cryptocurrency were not enough to evade law enforcement. He admitted to using coin-mixing services and international gambling websites to conceal the origins of the funds. However, the FBI successfully tracked him down, leading to his indictment in May 2023. “After acquiring control of the stolen cryptocurrency, these proceeds, in part, were funneled to various locations throughout the world, including multiple mixing services and gambling websites to conceal my identity and the identities of coconspirator(s),” Light’s statement reads.

Initially, Light had pleaded not guilty but later reversed his stance. Now, he faces severe legal repercussions, with each count carrying up to 20 years of imprisonment. In addition, he could face three years of supervised release and be required to pay restitution to the victims. However, it remains uncertain whether the stolen assets have been seized, raising doubts about potential restitution for the victims.

Rising Threats in Cryptocurrency Theft

Light’s guilty plea is part of a larger trend of rising cryptocurrency thefts. According to a report from the FBI, cryptocurrency losses reached a record $5.6 billion in 2023, with the total amount increasing annually since 2019. The scale of cybercrimes in the cryptocurrency space has grown significantly, highlighting the need for better security practices.

Given the increasing prevalence of cyberattacks, experts recommend several measures to protect digital assets: Cold Wallets: Store cryptocurrency offline in cold wallets, which are less susceptible to hacking. Multi-Factor Authentication (MFA): Use MFA to provide an additional layer of security for accounts. Limit Online Exposure: Minimize sharing sensitive information online, reducing the chances of falling victim to social engineering attacks. These practices, combined with vigilant monitoring, can help individuals and organizations protect their cryptocurrency from cyber threats.