While the SEC has dominated headlines in crypto regulation, the Department of Justice (DOJ) has steadily built a strong track record targeting criminal activity in the space. That effort reached a new peak on May 15, 2025, when the DOJ unsealed an indictment against twelve individuals charged in a $263 million crypto crime ring.
Once just online gaming acquaintances, the group evolved into a highly organized criminal enterprise. This article will discuss how the case reflects broader trends in crypto crime, including the use of generative AI, the importance of blockchain analytics, and the growing need for smarter KYC infrastructure.
The DOJ is often overshadowed by the SEC when it comes to enforcement action in the crypto space. Under the Biden administration, the SEC primarily targeted entities suspected of offering unregistered securities—cases often hinged on interpretations of the Howey Test. This led to a surge in enforcement, rising from 17 cases in 2021 to 23 in 2022, peaking at 42 in 2023, before dropping to 13 in Biden’s final year in office.
By contrast, the DOJ has focused on more blatant criminal conduct within the crypto sector. Since launching its enforcement initiative in 2019, the department has prosecuted cryptocurrency fraud schemes involving more than $2 billion in intended financial losses, including cases involving KuCoin, Baller Ape Club, My Big Coin Pay, and BitMEX.
On May 15, 2025, the Department of Justice unsealed an indictment in a staggering case that reads more like a Hollywood script than a criminal complaint. Twelve individuals—who first met as online gaming friends—were charged in connection with a $263 million crypto crime ring. The charges include racketeering conspiracy, wire fraud, money laundering, and obstruction of justice.
Their operation was highly organized. The group allegedly hacked databases to identify potential victims, then used cold-calling and social engineering tactics to trick crypto holders. One particularly devastating theft involved 4,100 BTC from a Genesis creditor in August 2024.
At the center of their laundering network was 45-year-old California resident Kunal Mehta, known within the group as “Papa.” Mehta allegedly managed the money laundering efforts, employing peel chains, coin mixers, and virtual private networks to obscure the flow of stolen funds.
Once laundered, the money funded an extravagant lifestyle. Nights out reportedly cost up to $500,000, and their collection of 28 exotic cars included models worth millions. They also splurged on luxury handbags, high-end watches, and premium fashion.
What’s most shocking is not just the scale of the theft, but who pulled it off. These weren’t seasoned cybercriminals—they were gamers who rapidly organized into a highly effective criminal enterprise. In fact, the group’s haul rivals that of the state-sponsored North Korean hacking collective Lazarus Group, which netted approximately $286 million from combined hacks on WazirX and BingX. Their story illustrates a troubling reality: the barrier to entry for large-scale crypto crime is far lower than many assume.
While the case is noteworthy on its own, it also highlights several important trends.
Members of the group operated with clear specialization. Some were hackers who used their technical expertise to breach databases, while others acted as “callers,” focusing entirely on social engineering to deceive victims.
So far, news reports haven’t clarified whether these callers used their own voices or employed real-time voice cloning—a tactic that has become increasingly common in pig butchering scams. This technology allows criminals to disguise their voices or convincingly mimic trusted individuals, such as family members or colleagues, to manipulate targets. According to CrowdStrike’s 2025 report, these tactics contributed to a staggering 442% increase in vishing operations between the first and second half of 2024.
The rise of real-time voice manipulation has supercharged the effectiveness of social engineering.
High-profile hacks like the one involving Bybit are a double-edged sword. On one hand, they draw much-needed attention to the state of cybersecurity and encourage collaboration among stakeholders. In Bybit’s case, the exchange released a public API to help track stolen funds—a commendable step toward collective defense.
But the spotlight on dramatic, large-scale heists can obscure a more persistent reality: much of crypto crime isn’t flashy. It happens in ways that are far more mundane. In one reported case, the crypto crime ring simply monitored the victim’s location via iCloud and then broke into their New Mexico home when the opportunity arose. It was a basic burglary—just with a hardware wallet as the target.
This is often the nature of crypto crime: traditional tactics with a digital twist. And while Bybit’s API initiative was laudable in response to a high-profile incident, it underscores a deeper issue—we can’t rely on isolated, reactive efforts from individual platforms. Even in that case, numerous other firms were already tracking the stolen funds independently using blockchain analytics.
To keep pace with this evolving threat landscape, crypto investigators need access to a trusted, unified blockchain analytics tool like Merkle Science’s Tracker to allow for rapid response, shared intelligence, and proactive defense before the next attack unfolds.
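The peel chains named earlier in the laundering allegations are one pattern that blockchain analytics look for: a large balance moves hop by hop to fresh addresses while a small amount is split off at each step. The Python below is an added example (not from the indictment, this article's sources, or any Merkle Science product) that follows such a chain; the transaction data is constructed, and the thresholds and function names are assumptions chosen for illustration.

```python
MAX_PEEL_RATIO = 0.25  # assumption: the peeled output is at most 25% of the hop's total
MIN_HOPS = 3           # assumption: fewer hops than this is ordinary payment-plus-change

# Constructed sample data, not real transactions: txid -> inputs and outputs in BTC.
SAMPLE_TXS = {
    "tx1": {"inputs": ["src"], "outputs": [("a1", 95.0), ("p1", 5.0)]},
    "tx2": {"inputs": ["a1"], "outputs": [("p2", 4.0), ("a2", 91.0)]},
    "tx3": {"inputs": ["a2"], "outputs": [("a3", 86.5), ("p3", 4.5)]},
    "tx4": {"inputs": ["a3"], "outputs": [("a4", 82.0), ("p4", 4.5)]},
    "tx5": {"inputs": ["a4"], "outputs": [("x1", 40.0), ("x2", 42.0)]},  # even split: not a peel
    "tx9": {"inputs": ["shop"], "outputs": [("c1", 0.9), ("m1", 0.1)]},  # one-off payment
}


def classify_hop(tx):
    """Return (peel, change) outputs if tx looks like one peel hop, else None."""
    if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
        return None
    peel, change = sorted(tx["outputs"], key=lambda out: out[1])
    total = peel[1] + change[1]
    if total <= 0 or peel[1] / total > MAX_PEEL_RATIO:
        return None
    return peel, change


def follow_peel_chain(txs, start_txid):
    """Walk from start_txid along the change outputs while each hop peels a small amount."""
    spent_by = {addr: txid for txid, tx in txs.items() for addr in tx["inputs"]}
    hops, txid, seen = [], start_txid, set()
    while txid in txs and txid not in seen:
        seen.add(txid)
        hop = classify_hop(txs[txid])
        if hop is None:
            break
        peel, change = hop
        hops.append({"txid": txid, "peel_to": peel[0], "peeled": peel[1], "carried": change[1]})
        txid = spent_by.get(change[0])  # next hop spends the change address, if it was spent
    return hops if len(hops) >= MIN_HOPS else []


def peel_destinations(txs, start_txid):
    """Addresses that received peeled funds: the places to check for off-ramping."""
    return [hop["peel_to"] for hop in follow_peel_chain(txs, start_txid)]


if __name__ == "__main__":
    for hop in follow_peel_chain(SAMPLE_TXS, "tx1"):
        print(hop)
```

The peeled addresses are the investigative leads: each is a point where funds may have reached an exchange or OTC desk that holds KYC records.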
The perpetrators were mostly between the ages of 18 and 22, with no professional background to justify their extravagant lifestyles. Reports indicated they even used fake IDs to carry out certain transactions, such as renting private jets or leasing homes. While some details about their laundering tactics were disclosed, it remains unclear whether the stolen funds were ultimately off-ramped through a regulated entity with KYC protocols, such as a crypto exchange or OTC desk.
Regardless, their actions highlight the critical importance of robust KYC processes. At a minimum, KYC tools should be capable of detecting fraudulent documentation—using features like selfie verification, liveness checks, or other advanced authentication methods. Beyond verifying identity, these systems should also assess whether a person’s financial behavior aligns with their declared profile. Had a company been using a risk-detection solution like Merkle Science’s Compass, the discrepancies in both identity and transaction patterns could have been flagged early, prompting escalation and a report to the appropriate authorities.
This case underscores how quickly loosely connected individuals can evolve into sophisticated crypto criminals—and how urgently the industry must adapt. From generative AI-driven social engineering to cross-chain laundering, today’s threats are complex, fast-moving, and multidimensional.
Combating them requires more than reactive responses. Businesses need tools to assess customer risk from day one, and investigators need real-time visibility into fund flows. Merkle Science’s Tracker provides the blockchain analytics needed to trace illicit activity, while Compass empowers firms to detect and report anomalous behavior early. Reach out for a free demo on either product.