A security engineer at Yuga Labs, a blockchain technology company, was briefly detained and questioned by U.S. federal agents at an airport after returning from a trip to Japan. The engineer, Sam Curry, had unknowingly used the same Ethereum private key as a crypto scammer who had stolen millions of dollars from unsuspecting victims.
How Curry Got Involved in the Crypto Phishing Case
Curry, who is also a security researcher and bug bounty hunter, shared his experience on X, a social media platform formerly known as Twitter. According to his posts, he was taken into secondary inspection by agents from the Internal Revenue Service’s Criminal Investigation Division (IRS-CI) and the Department of Homeland Security (DHS) on September 15, 2023.
He was handed a grand jury subpoena and asked to testify in New York as part of an ongoing investigation into wire fraud and money laundering charges. He was also interrogated for nearly an hour about a “high-profile phishing campaign” and how his IP address could have been linked to a threat actor.
Curry said he willingly gave his unlocked phone to the agents, who searched his OpenSea logs and other data. OpenSea is a popular marketplace for non-fungible tokens (NFTs), which are unique digital assets that can be traded on the blockchain.
Curry said he was unaware of the reason behind his detention until his lawyer contacted the Assistant United States Attorney (AUSA) and the IRS-CI and DHS agents. They revealed that Curry had used the same Ethereum private key as a crypto scammer who had accidentally leaked it on their phishing website.
The Crypto Phishing Website That Stole Millions
Curry explained that in December 2022, he had helped investigate a crypto phishing website that had stolen millions of dollars from unsuspecting users. The website mimicked a legitimate project called Bored Ape Yacht Club (BAYC), which is a collection of NFTs featuring cartoon apes with different traits and accessories.
The scammer had created a fake website that offered users a chance to buy rare BAYC NFTs at discounted prices. In reality, the website was designed to steal users’ Ethereum private keys, which are essentially passwords that grant access to their crypto wallets.
However, he was too late, as the scammer had already moved the stolen funds to another address. Curry said he did not intend to steal anything from the scammer, but only wanted to investigate the incident and report it to the authorities.
The Chilling Effect on Security Research
Curry said he was shocked and scared by his encounter with the federal agents, who treated him as a suspect rather than a victim or a witness. He said he felt violated by the search of his phone and the subpoena to testify before a grand jury.
He also said he was worried about the chilling effect that such actions could have on security research and bug bounty hunting, which are activities that aim to find and report vulnerabilities in software systems and websites.
“I’m sharing this because I think it’s something people should be aware of if they’re doing similar work,” Curry wrote on X. “It was widely shared that the private key was leaked and my background as a security researcher wasn’t enough to dissuade using immigrations and a grand jury to intimidate me.”
Curry said he was grateful for the support he received from his employer, Yuga Labs, and his lawyer, who helped him clear his name and cancel the subpoena. He also thanked the crypto community for their solidarity and encouragement.
He said he hoped that his story would raise awareness about the risks and challenges faced by security researchers and bug bounty hunters, who often work in a legal gray area and face potential prosecution or retaliation from malicious actors or overzealous authorities.
He also urged users to be careful when dealing with crypto phishing websites and scams, which are becoming more prevalent and sophisticated as the popularity and value of NFTs and other crypto assets increase.