Executive Summary
In April 2026, Evan Tangeman, a 22-year-old from Newport Beach, California, was sentenced to 70 months in prison for laundering at least $3.5 million in stolen cryptocurrency. This was part of a larger criminal enterprise that, between October 2023 and May 2025, stole over $263 million through social engineering tactics, including impersonating customer support to gain access to victims' cryptocurrency wallets. The stolen funds financed extravagant lifestyles, with expenditures on luxury cars, high-end real estate, and lavish parties. (justice.gov)
This case underscores the growing sophistication of cybercriminals in exploiting social engineering techniques to execute large-scale financial thefts. It highlights the urgent need for enhanced security measures and user education to prevent such attacks, especially as the cryptocurrency market continues to expand and attract both legitimate investors and malicious actors.
Why This Matters Now
The sentencing of Evan Tangeman highlights the increasing prevalence and sophistication of social engineering attacks targeting cryptocurrency assets. As the digital currency market grows, individuals and organizations must remain vigilant against such schemes to protect their investments and maintain trust in the financial system.
Attack Path Analysis
The attackers initiated the compromise by impersonating a trusted entity to deceive the victim into resetting their two-factor authentication and sharing their screen via a remote desktop application. This allowed them to escalate privileges by gaining access to the victim's cryptocurrency wallet. Subsequently, they moved laterally within the victim's systems to locate and extract the Bitcoin Core private keys. The attackers established command and control by maintaining access through the remote desktop application. They exfiltrated the stolen cryptocurrency by transferring it to wallets under their control. Finally, they laundered the stolen funds through various means, including crypto mixers and exchanges, to obscure the origin of the assets.
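The sequence above (2FA reset, remote desktop session, then access to the Bitcoin Core wallet file) is the kind of pattern endpoint telemetry can be correlated on. The following is an added detection sketch, not code from the case or from any vendor on this page; the event schema, process names and sample log records are constructed assumptions.

```python
"""Correlate an MFA reset, a remote-desktop tool launch and Bitcoin Core
wallet-file access on one host within a short window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field names are an assumption, not a real product schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T14:02:10", "host": "ws-17", "type": "mfa_reset", "user": "alice"},
    {"ts": "2025-03-01T14:05:44", "host": "ws-17", "type": "process_start", "image": "AnyDesk.exe"},
    {"ts": "2025-03-01T14:21:03", "host": "ws-17", "type": "file_read",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"ts": "2025-03-01T09:10:00", "host": "ws-04", "type": "process_start", "image": "AnyDesk.exe"},
    {"ts": "2025-03-01T09:12:00", "host": "ws-04", "type": "file_read",
     "path": "C:\\Users\\bob\\report.xlsx"},
]

REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}  # assumed remote-access process names
WALLET_HINTS = ("wallet.dat",)                     # Bitcoin Core's default wallet file name
WINDOW = timedelta(minutes=30)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def find_suspicious_sessions(events, window=WINDOW):
    """Return one finding per remote-tool launch that is followed within
    `window` by wallet-file access; an MFA reset shortly before the launch
    raises the severity, since that is the social-engineering precursor."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "process_start" or ev.get("image", "").lower() not in REMOTE_TOOLS:
                continue
            t0 = _ts(ev)
            later = [e for e in evs[i + 1:] if _ts(e) - t0 <= window]
            wallet = [e for e in later
                      if e["type"] == "file_read" and e["path"].lower().endswith(WALLET_HINTS)]
            if not wallet:
                continue  # remote support sessions alone are routine; wallet access is the signal
            mfa_before = any(e["type"] == "mfa_reset" and t0 - _ts(e) <= window for e in evs[:i])
            findings.append({"host": host, "remote_tool_at": ev["ts"],
                             "wallet_path": wallet[0]["path"], "mfa_reset_before": mfa_before,
                             "severity": "high" if mfa_before else "medium"})
    return findings
```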
Kill Chain Progression
Initial Compromise
Description
The attackers impersonated a trusted entity to deceive the victim into resetting their two-factor authentication and sharing their screen via a remote desktop application.
Related CVEs
CVE-2025-27917
CVSS: 7.5
AnyDesk versions prior to 9.0.5 on Windows, 9.0.1 on macOS, 7.0.0 on Linux, 7.1.2 on iOS, and 8.0.0 on Android are vulnerable to a remote denial of service due to incorrect deserialization leading to failed memory allocation and a NULL pointer dereference.
Affected Products:
AnyDesk Software GmbH AnyDesk – < 9.0.5 (Windows), < 9.0.1 (macOS), < 7.0.0 (Linux), < 7.1.2 (iOS), < 8.0.0 (Android)
Exploit Status:
no public exploit
CVE-2021-44426
CVSS: 8.8
AnyDesk versions up to 6.2.6 and 6.3.0 to 6.3.3 on Windows are vulnerable to unrestricted file upload, allowing remote attackers to upload files with dangerous types.
Affected Products:
AnyDesk Software GmbH AnyDesk – <= 6.2.6 (Windows), 6.3.0 - 6.3.3 (Windows)
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Phishing
Remote Desktop Software
Compromise Accounts
Remote Services
Financial Theft
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Cryptocurrency theft and money laundering schemes directly threaten financial institutions through social engineering attacks, requiring enhanced egress security and zero trust segmentation controls.
Capital Markets/Hedge Fund/Private Equity
High-value crypto assets make investment firms prime targets for sophisticated social engineering attacks exploiting remote access tools and requiring multicloud visibility for protection.
Computer/Network Security
Social engineering bypassing 2FA and remote desktop exploitation demonstrates critical need for threat detection capabilities and encrypted traffic monitoring in cybersecurity infrastructure.
Information Technology/IT
AnyDesk remote access exploitation and VPN-based laundering highlight vulnerabilities in IT infrastructure requiring inline IPS and cloud native security fabric implementations.
Sources
- Money launderer linked to $230M crypto heist gets 70 months in prison: https://www.bleepingcomputer.com/news/security/money-launderer-linked-to-230m-crypto-heist-gets-70-months-in-prison/
- Indictment Charges Two in $230 Million Cryptocurrency Scam: https://www.justice.gov/usao-dc/pr/indictment-charges-two-230-million-cryptocurrency-scam
- AnyDesk Changelog for Windows: https://anydesk.com/en/changelog/windows
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate sensitive data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial user deception, it could limit the attacker's subsequent actions by restricting unauthorized access paths within the network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could restrict unauthorized access to sensitive resources, thereby limiting the attacker's ability to escalate privileges.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could limit the attacker's ability to move laterally by enforcing strict controls on internal communications.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could detect and limit unauthorized remote access, thereby constraining the attacker's command and control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit unauthorized data exfiltration by controlling outbound traffic.
While Aviatrix Zero Trust CNSF may not prevent the laundering of stolen funds, it could limit the initial theft by restricting unauthorized access and data exfiltration.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Transactions
- Customer Account Management
- Financial Operations
Estimated downtime: N/A
Estimated loss: $230,000,000
Private keys and sensitive financial information of the victim, leading to unauthorized access and theft of cryptocurrency assets.
Recommended Actions
Key Takeaways & Next Steps
- Implement multi-factor authentication (MFA) to prevent unauthorized access.
- Utilize zero trust segmentation to limit lateral movement within systems.
- Deploy egress security and policy enforcement to monitor and control outbound traffic.
- Enhance threat detection and anomaly response capabilities to identify and respond to suspicious activities.
- Educate users on recognizing and reporting social engineering attempts to reduce the risk of initial compromise.