
In the early morning hours of August 19, 2024, a wealthy investor in Washington, D.C. watched a lifetime of cryptocurrency savings evaporate in less than 60 minutes. Approximately 4,100 Bitcoin, then valued at roughly $243 million, vanished from his digital wallet. The attackers did not exploit a zero-day vulnerability, crack a private key through brute force, or compromise an exchange's cold storage. They simply picked up the phone.
By the time the victim realized he had not been speaking to Google support but to a 20-year-old Singaporean national and his accomplices living in Miami and Los Angeles, the funds were already tumbling through a sophisticated laundering network spanning multiple countries, cryptocurrency mixers, and luxury goods purchases. What followed would become the largest known single-victim cryptocurrency theft in history, and the first time the U.S. Department of Justice would deploy the RICO statute against a crypto-theft conspiracy.
According to federal prosecutors and court filings unsealed in September 2024, the scheme began like thousands of less sophisticated scams that target retirees and small business owners every day. A call appeared on the victim's phone. The caller ID read “Google Support.” The voice on the other end was calm, professional, and urgent.
The caller informed the investor that his Google account had been compromised by “foreign hackers” who had already accessed sensitive financial information. To prevent an imminent loss of funds, the victim was told he needed to take two immediate actions: reset his two-factor authentication (2FA) settings and grant remote access to a “trusted security specialist.”
The victim, a sophisticated cryptocurrency holder who had accumulated his wealth through legitimate investments, complied. He reset his 2FA, effectively handing over the keys to his account-recovery infrastructure. Then, following the caller's instructions, he downloaded AnyDesk, a legitimate remote-access tool used by IT professionals worldwide, and granted the “support agent” full control of his computer.
Once the attackers had remote access, the theft was clinical. They navigated to the victim's Bitcoin Core wallet, located the stored credentials and private keys, and began transferring funds. In a single session, they drained 4,100 BTC. The victim did not realize what had happened until hours later, when he attempted to log into his wallet and found a zero balance.
Federal prosecutors identified three primary actors in the initial phase of the investigation: Malone Lam, 20, a Singaporean citizen living between Miami and Los Angeles; Jeandiel Serrano, 21, of Los Angeles; and Veer Chetal, 19, arrested separately. Lam and Serrano were taken into custody on September 18, 2024, following a joint operation by the FBI, the Department of Justice, and international law enforcement partners.
The investigation did not stop there. In 2025, a superseding federal indictment named 12 additional defendants and described a wider criminal enterprise that operated from 2023 to 2025. Prosecutors charged the group under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the first time in U.S. legal history that the statute had been applied to a cryptocurrency theft conspiracy.
The indictment alleges the enterprise was structured like a modern, decentralized crime family. Different members handled different functions: phone spoofing and social engineering, remote-access deployment, fund laundering through mixers and decentralized exchanges, and the physical conversion of crypto into luxury assets. The DOJ has tied roughly $263 million in total losses to the group's broader scheme.
Cryptocurrency thefts are notoriously difficult to solve when attackers practice perfect operational security. The young men behind this heist did the opposite. They spent like lottery winners who had forgotten that blockchain transactions leave permanent, public records.
Court filings and reporting from Krebs on Security and NBC News paint a picture of almost absurd excess. Lam allegedly spent between $250,000 and $500,000 per night at nightclubs in Los Angeles and Miami, routinely picking up entire tables' worth of bottle service for strangers. He purchased more than 30 luxury cars, including a $3.8 million Pagani Huayra and multiple Lamborghinis, bought a $2 million watch, and traveled exclusively by chartered private jet.
Serrano's spending was similarly reckless. He rented luxury mansions in Los Angeles for months at a time, purchased high-end jewelry in bulk, and was tied to a brief, bizarre kidnapping incident in Connecticut reportedly linked to a dispute over stolen funds among the conspirators themselves.
That spending created a forensic goldmine. Investigators traced cryptocurrency transactions to car dealerships, watch brokers, real estate agents, and private jet charter companies. Each purchase left a blockchain trail that linked specific wallet addresses to physical assets and, ultimately, to Lam, Serrano, and their associates.
As of April 2026, the case remains active. Lam and Serrano are in federal custody awaiting trial on charges that include conspiracy to commit wire fraud, conspiracy to launder money, and, under the superseding indictment, RICO conspiracy. Veer Chetal was arrested separately and is also awaiting proceedings. The 12 additional defendants named in the 2025 indictment are in various stages of arrest, extradition, and pretrial litigation.
Recovery of the stolen funds has been partial. Law enforcement has seized dozens of luxury cars, several million dollars in cash and cryptocurrency, and multiple properties purchased with proceeds from the heist. A significant portion of the 4,100 Bitcoin, however, has been laundered through mixers and decentralized exchanges, making full recovery unlikely.
The headline figure, $243 million stolen from one person in one night, is staggering. But the most important detail is not the dollar amount. It is the method.
There was no zero-day exploit. No one cracked a cold wallet. No exchange was hacked. The victim was a sophisticated, long-term cryptocurrency investor who understood private-key management, two-factor authentication, and the importance of security hygiene. And yet, he was talked into opening the door himself.
This is the defining characteristic of modern impersonation scams. The attacker does not need to be a world-class hacker. They need only to be a convincing actor. By spoofing a trusted brand (Google), creating artificial urgency (a “security breach”), and using a legitimate tool (AnyDesk) for an illegitimate purpose, the attackers bypassed every technical safeguard the victim had in place.
The same script is executed thousands of times per day against ordinary people. The only difference is the size of the ask. A retiree in Florida might be convinced to hand over $5,000 in gift cards. A small business owner might be tricked into wiring $50,000 to a “vendor” who is actually a scammer. In this case, the target held $243 million in a hot wallet, and the attackers asked for all of it.
According to the FTC Consumer Sentinel Network 2024 Data Book, impersonation scams accounted for $2.95 billion in reported losses in the United States in 2024 alone. That figure includes everything from fake government agents demanding back taxes to “tech support” calls targeting elderly computer users. The fake Google support call that drained 4,100 Bitcoin is not an outlier. It is the extreme upper end of a fraud epidemic that touches millions of Americans every year.
The DOJ's decision to file RICO charges in this case is a legal milestone. The RICO Act, passed in 1970, was designed to give prosecutors a way to attack criminal organizations as whole enterprises rather than pursuing individual members for isolated crimes. It has historically been used against the Mafia, street gangs, drug cartels, and certain corporate fraud cases.
By applying RICO to a cryptocurrency-theft ring, the DOJ signaled that sophisticated, multi-person crypto scams will now be treated with the same legal gravity as traditional organized crime. The implications are significant: RICO carries enhanced penalties, including longer prison sentences, asset forfeiture, and the ability to charge defendants for crimes committed by their co-conspirators even if they did not personally participate in every act.
For the 12 additional defendants named in the superseding indictment, that means they can be held liable for the full $263 million in thefts attributed to the enterprise, not just the specific heists they personally executed. Prosecutors can also seize assets purchased with any funds tied to the conspiracy, even if those assets are held in the name of a family member or a shell company.
The AuthentiLens editorial team distilled this case into five concrete protections that could have prevented the theft, and can protect you.
No one wakes up planning to fall for a scam. Scams succeed because they exploit normal human responses: trust in authority, fear of loss, and a desire to resolve problems quickly. The only reliable defense is to build verification into your default behavior.