Could You Fall for This $230M Bitcoin Heist? What a 70‑Month Sentence Teaches You About Crypto Scams

April 27, 2026
by
Abhijay Bhatnagar

If someone calls saying they’re “Google support” or “Gemini support,” your brain wants to cooperate. You want the problem gone. That’s the trap. In a real case tied to a $230M Bitcoin theft (4,100+ BTC), scammers allegedly used spoofed phone numbers, fake support roles, a 2FA reset, and AnyDesk screen sharing to get close enough to steal private keys. Then the money didn’t just vanish—it moved through a laundering pipeline that got a 22‑year‑old, Evan Tangeman, a 70‑month prison sentence for helping clean at least $3.5M. Let’s break down what happened, how the laundering worked, and what you can do so you’re not the next “it won’t happen to me” story.

The case, in plain English: who got hit, who got charged, who got sentenced

If the intro made you think, “Okay, but who exactly got fooled here?”—that’s the right question. Big crypto scams feel abstract until you see the roles laid out like a cast list.

Who got hit (the victim + what was taken)

In August 2024, a Washington, D.C. victim allegedly had 4,100+ Bitcoin stolen—worth over $230 million at the time.
Reporting tied the target to a Genesis crypto exchange creditor, which matters because scammers love lists of people who might be sitting on meaningful balances.

Who got charged for the theft (the alleged front-line operators)

In September 2024, Malone Lam (20) and Jeandiel Serrano (21) were arrested and charged in connection with the alleged theft.
Investigators alleged the crew used a classic support impersonation setup—spoofed phone numbers and fake “Google support” / “Gemini support” roles—to get the victim to cooperate.

Who got charged later (the wider group + the “money movement” side)

After the initial arrests, the case expanded. Fourteen suspects were charged across September 2024 and May 2025, tied together under a RICO conspiracy theory connected to stealing and laundering over $230M in cryptocurrency.
The May 2025 wave included additional defendants (including Tangeman) facing counts like racketeering conspiracy, money laundering, obstruction of justice, and conspiracy to commit wire fraud.

Here’s the key distinction people miss: the alleged thieves don’t need to be the same people who cash out. Big thefts usually have:

  • Operators who get access and move the crypto out
  • Laundering “helpers” who convert, route, split, and “clean” funds so they’re harder to trace

Who got sentenced (and why a “helper” still did serious time)

Evan Tangeman, a 22-year-old from Newport Beach, California, was sentenced to 70 months in prison for laundering funds linked to the heist.
Court documents say he helped launder at least $3.5 million between October 2023 and May 2025.

Timeline-wise:

  • December 2025: Tangeman pleaded guilty to laundering stolen funds for a criminal organization as part of a RICO conspiracy
  • April 2026: Tangeman was sentenced to 70 months and three years of supervised release

Prosecutors also pointed to alleged evidence-destruction efforts after co-conspirators were arrested, framing it as “consciousness of guilt.”

Where Kunal Mehta fits (“the accountant” role)

Another laundering figure, Kunal Mehta (45)—also known as “Papa,” “The Accountant,” and “Shrek”—pleaded guilty in November 2025 to laundering at least $25 million of the stolen cryptocurrency and was awaiting sentencing at the time of reporting.

If you take one practical lesson from this section, let it be this: in crypto scams, the theft is only step one. The real machine is the pipeline that turns stolen BTC into spendable money—often with extra people in the middle who think they’re “just moving funds,” right up until the sentencing.

How the theft allegedly happened: the support-impersonation playbook that works too well

Once you see the mechanics, the scary part isn’t the tech. It’s how reasonable the conversation can sound while it’s steering you into a trap.

The social-engineering chain (step by step)

This is the alleged sequence investigators described:

  1. Spoofed phone numbers
    • The call looks like it’s coming from a real place. Caller ID is easy to fake.
    • In this case, scammers allegedly impersonated Google and Gemini support.
  2. The “account compromised” script
    • The line is simple: “Your account’s been accessed. We need to secure it right now.”
    • That message pushes you into urgent, reactive mode, where you’ll follow instructions instead of questioning the setup.
  3. Pressure to reset 2FA
    • The caller allegedly convinced the victim to reset two-factor authentication (2FA).
    • A 2FA reset is a huge pivot point: it can turn “I can’t get in” into “I can get in as you.”
  4. AnyDesk screen sharing
    • Next came AnyDesk, a remote desktop / screen-sharing tool.
    • Screen sharing doesn’t just show what you’re doing. In the wrong hands, it can become guided theft—they can watch where you click, what you open, what you copy/paste.
  5. Access to Bitcoin Core private keys
    • With remote access, the scammers allegedly got close enough to steal the crypto after gaining access to Bitcoin Core private keys.
    • That’s the endgame. If someone gets your private keys (or seed phrase), they don’t need your exchange login. They are you.
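For defenders who do have account and endpoint telemetry, the chain above can be turned into an ordered correlation rule. The following is an added example, not part of the original article or the case record: the event schema, the 30-minute window, and the `wallet.dat` file name used as the key-material indicator are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

REMOTE_TOOLS = ("anydesk",)        # AnyDesk is the tool named in the article
KEY_FILES = ("wallet.dat",)        # assumption: wallet file name to watch for
WINDOW = timedelta(minutes=30)     # assumption: correlation window after a reset

# Constructed sample telemetry: (user, ISO timestamp, event type, detail).
EVENTS = [
    ("alice", "2024-01-10T14:02:10", "mfa_reset", "authenticator removed"),
    ("alice", "2024-01-10T14:06:41", "process_start", "AnyDesk.exe"),
    ("alice", "2024-01-10T14:15:03", "file_read", "/home/alice/.bitcoin/wallet.dat"),
    ("bob",   "2024-01-10T09:00:00", "process_start", "AnyDesk.exe"),
    ("bob",   "2024-01-10T16:30:00", "mfa_reset", "new phone enrolled"),
    ("carol", "2024-01-10T11:00:00", "mfa_reset", "authenticator removed"),
    ("carol", "2024-01-10T11:12:00", "process_start", "anydesk"),
]

def stage(kind, detail):
    """Map a raw event to its step in the chain (0 = not relevant)."""
    d = detail.lower()
    if kind == "mfa_reset":
        return 1
    if kind == "process_start" and any(t in d for t in REMOTE_TOOLS):
        return 2
    if kind == "file_read" and any(d.endswith(k) for k in KEY_FILES):
        return 3
    return 0

def correlate(events, window=WINDOW):
    """Return {user: highest step reached, in order, within the window}."""
    state, result = {}, {}          # state: user -> (reset time, step reached)
    for user, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        t, s = datetime.fromisoformat(ts), stage(kind, detail)
        if s == 1:
            state[user] = (t, 1)    # every reset starts a fresh window
        elif s and user in state:
            start, reached = state[user]
            if t - start <= window and s == reached + 1:
                state[user] = (start, s)
        if user in state:
            result[user] = max(result.get(user, 0), state[user][1])
    return result

def alerts(events):
    labels = {2: "warn: 2FA reset followed by remote-access tool",
              3: "critical: reset, remote access, then wallet key file read"}
    return {u: labels[s] for u, s in correlate(events).items() if s >= 2}
```

Order matters here: a remote-access tool that was already running before the reset (the constructed "bob" case) does not raise an alert, which keeps routine remote-support use from triggering the rule.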

The human moments they exploit (and why smart people still fall for it)

These scams don’t work because victims are careless. They work because the scammer pushes predictable buttons:

  • Urgency: “If we don’t act in the next 10 minutes, you’ll lose everything.”
  • Fear: You start thinking about the worst-case scenario instead of the most likely one.
  • Embarrassment: People don’t want to admit they might’ve made a mistake, so they comply quietly.

The tells you can use in real life

Keep this list short and non-negotiable:

  • Real support won’t ask for your seed phrase or private keys. Ever.
  • Don’t accept inbound help. Hang up.
  • Call back using the official number from the company’s website/app (not what the caller gives you).
  • Never install remote access tools (AnyDesk or anything similar) because “support” told you to.

If a “support” call tries to mix 2FA resets + screen sharing + urgency, treat it like a fire alarm pulled by a thief.

How stolen crypto gets ‘cleaned’: mixers, exchanges, peel chains, pass-through wallets, VPNs

Once scammers have the Bitcoin, the next problem is simple: how do you spend stolen crypto without getting caught? The answer is a laundering pipeline meant to break the “straight line” between the theft and the cash-out.

In this case, prosecutors say the stolen funds were laundered using a mix of crypto mixers, exchanges, “peel chains,” pass-through wallets, and VPNs to hide identities and locations.

The laundering pipeline (plain-English version)

Think of this like turning one obvious trail into a messy spiderweb.

  • Pass-through wallets (rapid hops)
    • Funds get moved quickly across multiple wallets.
    • Goal: make tracking harder by adding “distance” and noise between the theft wallet and the exit point.
  • Peel chains (splitting + dripping)
    • A peel chain is basically “peeling off” smaller amounts from a larger pile as it moves wallet to wallet.
    • Goal: avoid moving one giant, attention-grabbing transfer, and create lots of smaller transactions that are harder to follow as a single story.
  • Crypto mixers (obfuscation)
    • Mixers are used to blend funds with other users’ funds, aiming to blur which coins belong to whom.
    • Goal: reduce the clarity of blockchain tracing by muddying the transaction graph.
  • Exchanges (the off-ramp)
    • At some point, stolen crypto often needs to touch an exchange to become spendable: swapping assets, withdrawing, or cashing out.
    • Goal: convert, liquidate, and move value into places where it looks “normal.”
  • VPNs (hide the operator, not the money)
    • VPNs can mask location and make activity look like it’s coming from somewhere else.
    • Goal: make it harder to tie wallets and accounts back to a real person and place.
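The peel-chain pattern is regular enough that tracing tools follow it mechanically: at each hop, treat the small output as the "peel" and keep following the large remainder. This is an added sketch of that heuristic, not code from the article or the investigation; the ledger, addresses, amounts, and the 20% peel threshold are constructed assumptions, and real tracing works on full transaction inputs and outputs rather than this simplified one-source model.

```python
# Constructed toy ledger: each entry is one transaction that spends the whole
# balance of "src" to the listed outputs. All values are made up.
LEDGER = [
    {"src": "A0", "outs": [("X1", 50.0), ("A1", 4050.0)]},
    {"src": "A1", "outs": [("X2", 75.0), ("A2", 3975.0)]},
    {"src": "A2", "outs": [("A3", 3915.0), ("X3", 60.0)]},   # output order varies
    {"src": "A3", "outs": [("M1", 1300.0), ("M2", 1300.0), ("M3", 1315.0)]},  # fan-out
    {"src": "X2", "outs": [("EXCH", 75.0)]},                 # a peel being cashed out
]
MAX_PEEL_RATIO = 0.2   # assumption: a peel is at most 20% of the hop's value

def trace_peel_chain(ledger, start, max_ratio=MAX_PEEL_RATIO):
    """Follow the large remainder from `start`; return (hops, last address)."""
    spends = {tx["src"]: tx for tx in ledger}
    hops, addr, seen = [], start, set()
    while addr in spends and addr not in seen:   # `seen` guards against loops
        seen.add(addr)
        outs = spends[addr]["outs"]
        if len(outs) != 2:                       # a peel hop has exactly two outputs
            break
        (peel_to, peeled), (rest_to, rest) = sorted(outs, key=lambda o: o[1])
        if peeled / (peeled + rest) > max_ratio:  # too even a split to be a peel
            break
        hops.append({"from": addr, "peel_to": peel_to, "peeled": peeled})
        addr = rest_to
    return hops, addr

def summarize(ledger, start):
    """Total peeled off, where the chain stops, and which peels were spent on."""
    hops, end = trace_peel_chain(ledger, start)
    spent_from = {tx["src"] for tx in ledger}
    return {
        "hops": len(hops),
        "total_peeled": sum(h["peeled"] for h in hops),
        "chain_ends_at": end,
        "peels_moved_on": [h["peel_to"] for h in hops if h["peel_to"] in spent_from],
    }
```

The summary shows why splitting does not erase the trail: the remainder is still followed hop by hop, and every peel address becomes its own lead toward an exit point.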

The part people underestimate: “I only moved money” still counts

A lot of laundering helpers talk like they’re just doing logistics.

Courts don’t see it that way. Reporting on this case says Evan Tangeman helped launder at least $3.5 million and received a 70-month sentence.

And it wasn’t only the transfers. Prosecutors also alleged that after co-conspirators were arrested, he tried to destroy evidence, calling it “consciousness of guilt.”

The practical takeaway is uncomfortable but useful: crypto laundering isn’t a side quest. It’s the business model. If you can recognize the laundering patterns (splits, hops, mixers, exchange exits), you can spot when a “support” scam isn’t just a scam call—it’s the front door to a full cash-out operation.

Your personal defense plan: stop the call, lock the keys, harden 2FA (a checklist that sticks)

If a scam like this can end with private keys exposed and funds routed out fast, your defense needs to be boring, repeatable, and automatic. No “I’ll be careful next time.” A checklist.

A. The moment you get the “support” call (60-second script)

Treat every inbound “Google support” / “Gemini support” style call as untrusted by default.

Do this, in order:

  1. Hang up.
    • Don’t argue. Don’t explain. You’re not being rude—you’re staying alive.
  2. Verify through official channels.
    • Open the exchange app or type the official domain yourself (not from a text/email).
    • If you need a phone number, get it from the official site/app, not the caller.
  3. Never screen-share.
    • Remote desktop tools like AnyDesk are a scammer’s best friend because they turn “guidance” into “control.”
  4. Never read codes aloud.
    • Any request for a one-time code is a real-time attempt to log in as you.
  5. Refuse “2FA reset help” over the phone.
    • In the case described, a 2FA reset + AnyDesk was a key step in getting to Bitcoin Core private keys. That combo is a red-alert pattern.

B. Lock the keys (so one bad call can’t drain you)

Your goal is to make “account support” irrelevant to your core holdings.

  • Keep long-term funds in cold storage (hardware wallet), not sitting in a hot wallet or exchange account you log into often.
  • Separate devices if you can:
    • Day-to-day device for browsing + email
    • A cleaner device for signing transactions / wallet actions
  • Backups matter: store seed phrases offline, protected from cameras, screenshots, and cloud notes.

C. Harden 2FA (so resets don’t become a shortcut)

Not all 2FA is equal.

  • Prefer authenticator apps or hardware security keys over SMS.
  • Add a strong, separate password for your email account (because email is where many “resets” end up).
  • If your exchange supports it, turn on:
    • Withdrawal allow-lists (only approved addresses)
    • Withdrawal delays / cool-down periods (time to cancel if compromised)

D. Reduce your exposed attack surface (so you don’t get singled out)

Support-impersonation scams often start with one simple ingredient: your real contact info being easy to match to your crypto life.

Do these two things:

  • Use separate email + phone number for crypto accounts
    • Don’t use your “everywhere” email/number that shows up in leaks, broker lists, and random sign-ups.
  • Minimize where your real number/email is used
    • The fewer places it lives, the fewer ways attackers can connect dots.

If you want a practical way to do that, tools like Cloaked can help by giving you masked emails and phone numbers for sign-ups, so breaches and data broker lists don’t point straight back to your primary identity. It’s not a magic shield, but it’s a clean way to cut down targeted social-engineering attempts before they ever hit your real inbox or phone.
