DOJ Uses Organized Crime Statute in $263 Million Cryptocurrency Theft, Money Laundering and Home Invasion Conspiracy
Yesterday, the Department of Justice and the U.S. Attorney’s Office for the District of Columbia unsealed a sweeping four-count superseding indictment charging 12 additional individuals—both American citizens and foreign nationals—in connection with a racketeering conspiracy involving over $263 million in stolen cryptocurrency. The charges include racketeering conspiracy—the RICO statute (more on that below)—conspiracy to commit wire fraud, money laundering, and obstruction of justice. Several defendants were arrested this week in California; two remain at large and are believed to be in Dubai.
The Conspiracy
The indictment builds on charges initially brought against Malone Lam on September 19, 2024, and outlines a criminal enterprise that operated from about October 2023 through March 2025. The organization grew out of connections made on online gaming platforms and evolved into a coordinated scheme that combined cyber intrusions, social engineering, on-chain laundering, and real-world violence.
Members of the enterprise held defined roles. Database hackers obtained cryptocurrency-related user data by breaching websites and servers or purchasing information on the dark web. Organizers and target identifiers analyzed the data to locate high-net-worth individuals. Callers contacted victims directly by phone, falsely claiming to be cybersecurity professionals responding to a breach, and convinced them to disclose sensitive credentials or authorize fraudulent transactions. Money launderers converted stolen virtual assets into U.S. dollars through wire transfers and bulk cash deliveries. Residential burglars executed physical break-ins to steal hardware wallets containing digital assets.



In one of the largest alleged cryptocurrency thefts in US history, the indictment charges that on August 18, 2024, Malone Lam and others contacted a victim in Washington, DC, and fraudulently obtained over 4,100 Bitcoin—worth approximately USD 230 million at the time. In another incident in July 2024, Lam and associates allegedly stole over USD 14 million in cryptocurrency from a second victim.
In July 2024, Marlon Ferro, a member of the criminal enterprise, allegedly traveled to New Mexico to break into a victim’s home in order to steal a hardware virtual currency wallet. The burglary was coordinated in real time with Lam, who is accused of remotely monitoring the victim’s physical location by accessing the victim’s iCloud account. Ferro unlawfully entered the residence and stole the device containing cryptocurrency. This incident was part of a broader scheme in which members of the enterprise tracked and surveilled individuals identified as holding significant crypto assets, then targeted them for physical theft.
The allegations come in the wake of a number of high-profile violent crimes involving cryptocurrency, including an attempted kidnapping in France on May 15, 2025, the same day the superseding indictment in this case was unsealed.
The stolen proceeds were spent on luxury goods and services, including USD 4 million at nightclubs, with individual outings costing up to USD 500,000. Members of the group are alleged to have purchased high-end handbags, watches, and clothing, and to have rented properties in Los Angeles, the Hamptons, and Miami. They allegedly chartered private jets, retained personal security teams, and purchased at least 28 exotic cars, some worth as much as USD 3.8 million, often registering the vehicles through shell companies to conceal ownership.
The laundering of proceeds involved the use of cryptocurrency mixers, peel chains, pass-through wallets, and virtual private networks designed to obscure transaction paths and participant identities. Kunal Mehta, Hamza Doost, Joel Cortez, and Evan Tangeman are accused of facilitating these efforts through unlicensed crypto-to-cash conversion services. According to the indictment, they also secured rental homes and jet travel using fake identity documents, managed vehicle ownership concealment, and shipped bulk cash hidden inside squishmallow stuffed animals through the U.S. mail.
Even while in pretrial detention following his September 2024 arrest, Malone Lam is alleged to have continued participating in the enterprise. The indictment states he directed co-conspirators to collect stolen cryptocurrency and deliver Hermès Birkin handbags to his girlfriend in Miami.
The case is being investigated by the FBI’s Washington Field Office Criminal and Cyber Division, IRS–Criminal Investigation’s Washington, DC Field Office, and the U.S. Attorney’s Office for the District of Columbia, with support from the FBI’s Los Angeles and Miami field offices.
DOJ uses RICO statute to strike back
This case reflects a growing trend in which on-chain financial crime converges with real-world threats. What begins with the compromise of digital credentials can escalate into physical surveillance, intimidation, and home invasion. Sophisticated laundering strategies—including the use of mixers, VPNs, and shell entities—are increasingly paired with coercive offline tactics to access and monetize digital assets.
But law enforcement is also using new tools and authorities. Investigators are not only deploying advanced blockchain intelligence to trace stolen cryptocurrency across mixers, cross-chain swaps, and high-risk exchanges—they are also reaching back to a powerful statute originally designed to dismantle traditional organized crime: the Racketeer Influenced and Corrupt Organizations Act, or RICO.
Enacted in 1970, RICO was crafted to go after mafia syndicates, drug cartels, and other structured criminal enterprises that engaged in repeated, coordinated illegal conduct. The statute allows prosecutors to charge all members of an enterprise if they have participated in a pattern of racketeering activity—defined to include crimes like wire fraud, money laundering, obstruction of justice, and even acts of violence—provided those acts were committed as part of the group’s shared criminal objective. Importantly, RICO allows law enforcement to hold not just individual actors accountable, but to treat a sprawling web of participants as a single criminal organization.
The use of RICO in this case signals a shift in how federal prosecutors are approaching crypto-native criminal networks. What may look at first like a string of isolated hacks, wallet thefts, and laundering schemes is being treated as part of a coherent, ongoing criminal enterprise—complete with assigned roles, coordination across jurisdictions, shared proceeds, and infrastructure built for repeat targeting.
This approach is meaningful. It enables law enforcement to connect digital asset thefts with physical-world violence, to tie overseas laundering nodes to U.S.-based facilitators, and to apply enhanced sentencing guidelines and asset forfeiture tools designed for dismantling organizations—not just punishing individuals.
In short, the RICO charges in this case don’t just reflect what happened. They reflect how it happened: with structure, coordination, and intent. And they provide DOJ with the legal architecture to pursue the full enterprise, from the iCloud-tracking home invader to the squishmallow-stuffed cash courier to the crypto-laundering broker in Dubai. At a time when blockchain-based crime is converging with traditional organized criminal behavior, we may see DOJ leverage RICO more often as it pursues cartels and other criminal enterprises.