Teens steal $243M in BTC after Bitcoin private key leaked in social engineering scam

In August 2024, three self-taught hackers—19-year-old Veer Chetal, Malone Lam, and Jeandiel Serrano—orchestrated one of the largest crypto thefts in history after a victim’s Bitcoin private key leaked during a sophisticated social engineering attack

Their weapon? A highly sophisticated social engineering attack that tricked a Gemini exchange user into leaking their Bitcoin private key, granting the thieves full access to 4,100 BTC ($243 million).

The victim, targeted via spoofed calls impersonating Google and Gemini support, was convinced to reset their 2FA and share their screen via AnyDesk, exposing the Bitcoin private key leaked during the session.

“Once they had the private key, it was game over,” said blockchain investigator ZachXBT, who helped track the stolen funds.

Livestream blunder leads to arrests

The hackers’ downfall began when Chetal, nicknamed “Wiz,” livestreamed their reaction to receiving the stolen Bitcoin. During the broadcast, he accidentally revealed his full name, while accomplices referred to him as “Veer” in chat logs. “It was like watching a crime documentary narrated by the criminals themselves,” ZachXBT noted in his X thread.

Further sloppiness sealed their fate:

• Malone Lam flaunted luxury cars and $500,000 in club spending on Instagram.

• Serrano reused the same profile picture across Telegram and Discord, linking him to $18 million in stolen crypto.

• The Bitcoin private key leaked during the attack left an irreversible trail. Funds were traced through 15+ exchanges as the trio swapped BTC for Monero and Ethereum.

By September 2024, all three were indicted.

Teen hacker’s second scam—while on bail

In a bizarre twist, Chetal struck again while cooperating with authorities. Released on bond in October 2024, he allegedly scammed a New Jersey woman out of $2 million using the same Gemini/Google support ruse.

This time, a VPN failure exposed his IP address after $200,000 of the stolen crypto was gambled away in nine minutes.

“Chetal gambled the money on a single bet—trivial to him, but damning in court,” said US District Judge Colleen Kollar-Kotelly, who revoked his bail.

His lawyer admitted Chetal “knew the funds were illicit” but accepted them anyway.

Key takeaways: The risks of leaked private keys

1. Social engineering works: Even basic spoofed calls can trick victims into revealing a Bitcoin private key leaked—the digital equivalent of handing over a bank vault combination.

2. Teens are high-risk targets: Chetal’s case shows how young, tech-savvy individuals can be lured by quick riches. His parents later faced a kidnapping attempt tied to the stolen funds.

3. Exchange vigilance is critical: Gemini reiterated in a statement: “No legitimate support team will ever ask for your Bitcoin private key leaked or 2FA codes.”