Energi Defense (EBI) is proud to announce that we have discovered the real-world identity of one of the most sophisticated scammers in the cryptocurrency space: Simon S. Tadros.

After two years of investigation, our cybersecurity experts have exposed this malicious actor that scammed over one million dollars from multiple cryptocurrency projects, enabling the recovery of $500,000 of stolen funds. This is a cybercrime story about how Energi is bringing professionalism into the crypto sphere, where reality seems to surpass fiction.

“We now have sufficient evidence linking his crimes to over a dozen fraud cases and two Dash masternodes, worth over a million dollars in total — and that’s just what we can prove beyond a reasonable doubt. We suspect him of much more. We have not begun to assess all of the other crypto projects he may have been preying on as well.” — Peter, Director of EBI.

A Day in the Life of a Crypto Con Artist

If you’ve been into crypto long enough, you know that scams and money heists are a daily occurrence of the space. Unlike traditional banks, where you deposit your money in exchange for certain protections and guarantees, the very nature of cryptocurrency places all the responsibility in the hands of the user: you are your own bank. Because it’s an unregulated, global market, it attracts scammers and hackers of all kinds, and they’re constantly getting better.

Many of them are just basic hustlers that send thousands of emails pretending to be someone else and asking for cash. On a lucky day, they’ll trick a minuscule percentage of their targets. They don’t pose a major cybersecurity threat, as most people know they shouldn’t send their money to strangers on the internet.

But there’s a different type of scammer. Someone that doesn’t rush it, that takes their time to earn your trust and then one day you wake up to discover that your wallets have been emptied and you’ve lost your entire life savings. These are the kind of crooks we’ve dealt with for the past two years. A crypto con artist that employs hundreds of accounts to hide in plain sight. Some of them may even believe that they’re simply smarter than everyone else and that what they’re doing is not wrong or illegal.

“It was terrible to see Bashful stealing people’s life savings. We saw many cases where he caused considerable damage to his victims — both financially and mentally. Furthermore, he never showed any remorse for his crimes, and even bragged about his so-called ‘lessons’ and accomplishments.” — Peter, Director of EBI.

Fighting this type of cybercrime requires lots of resources, and that’s why Energi Defense is a team formed by cybersecurity experts, including veterans from intelligence agencies. Our original approach to fighting thefts was identifying suspicious accounts on our Discord server and banning them. This worked well, and we disabled plenty of low sophisticated scammers, but there was a new guy in town, more dedicated and convoluted. Some Energi users raised concerns about his activities, and our security department decided to take him down.

Enter Kratøs

A breakthrough came when we changed our whole approach to this case. In the second half of 2019, we stopped trying to exclude scammers and instead kept them busy with fake victims called “sockpuppets”, or “honeypots.” Our objective wasn’t to close down the scam but to prolong the hunt for as long as possible while gathering valuable intelligence.

This proved to be a very effective approach. To our surprise, it became clear that over 90% of all scams involving the loss of assets on Discord led to the same single threat: Kratøs.

Kratøs worked on each victim for an average of two to three weeks, taking time to earn their trust by giving them real technical support with his many fake accounts. He impersonated developers and moderators from many projects, and after a few days of becoming “friends”, the users trusted him completely.

Whenever they faced a technical issue, they went to Kratøs directly, keeping all his activity hidden from the Energi Support Team. Once he had their trust, he had a few ways to get his victims’ money, like offering over-the-counter deals to sell their coins or asking them for the login credentials to their wallets.

Camouflaged as a Vigilante to Eliminate the Competition

We did not know who was behind this account, but we knew this was no ordinary low-life scammer. Rather, it was a highly educated individual with a technical background in hacking and customer service, who spoke fluent English. Energi Defense started mapping out all the Discord accounts involved in stolen funds. As we mapped each account, they all were related to the one and only: Kratøs.

Kratøs was very active in the anti-scam community. He was pretending to be one of the “good guys” and went as far as to run his own anti-scam Discord server. A server that included numerous admins and moderators from a whole range of crypto projects.

We quickly realized that the purpose of this server wasn’t to prevent scams at all. It was to gain trust among different projects while eliminating his competition and deflecting any suspicions that led his way. It was an ingenious setup, as he was able to hunt for potential targets by searching some 100 crypto platforms. He kept an almost exclusive monopoly on victims across Discord while being in a unique position to detect whenever a rival scammer came onto his “turf.”

Kratøs also posed as an active vigilante within the Energi community. He gave us vast amounts of data dumps on past victims and possible leads that we took as valid evidence and invested time and effort to investigate them. It was a frustrating and challenging time. It’s said that the best lies have an element of truth. What made Kratøs so difficult to detect was that he often helped to identify real scams. However, his leads usually pointed to small-time scammers, and many more led to dead ends. Presumably, he enjoyed this game of playing both sides. A game that was about to end.

Now we had positively identified Kratøs as the lynchpin of this operation, our next goal was to discover his real-life identity. Our initial reconnaissance showed he was in Lebanon, but we needed to dig deeper, designing, and laying traps to extract more specific information.

Social-Engineering: A Taste of His Own Medicine

Once we discovered this malicious behavior, our gut reaction was to act immediately. This fraudster was not only stealing people’s life savings but also destroying the trust in cryptocurrency as the next evolution of money. However, we needed to dig deeper and find out who this person was, so we carried on gathering information and evidence. Our discoveries had to be a closely-guarded secret for some time.

“It’s ironic, poetic justice that his own weapon of choice — ‘social engineering’ — was turned against him, which ultimately led to his own downfall.” — Peter, Director of EBI.

We made steady progress in tracking him by laying multiple traps, exploring all angles, and chasing down every lead. Piece by piece, we were able to collect conclusive data confirming his Lebanese nationality. For instance, we found that his computer language settings were in “Arabic-Lebanon” (most people don’t realize that you can still tell a lot about a person when they’re using a VPN).

Finally, in February this year, after numerous and prolonged attempts at social engineering, we were able to crack the case wide open, which led to the discovery of his real identity. Kratøs took the bait when he introduced us to some of his “friends” from “France” regarding a potential security consulting job.

By this time, we were able to track him and knew almost instantly that his “friends” were just different accounts he was running.

It’s a strange feeling to engage in a conversation with several people knowing that every single person in that conversation except you is fake and, in fact, you’re speaking to the same person the whole time.

We had to play along and pretend that we were clueless, which meant continuing to talk to each party as if they were different people.

Our discussion topic was a potential partnership where EBI would handle security for a gambling and trading project called “goliquid”. A rudimentary Whois investigation led us back to a company which, no surprise, was based in Lebanon. The company was named “cNepho SARL” and, lo and behold, the founder of that company was one Simon S. Tadros. Did we finally have our guy?

Exposing Simon S. Tadros

When we started to investigate this “Simon S. Tadros,” we knew almost instantly that we had likely found the culprit. His background, education, and timeline were a perfect fit.

Almost exactly a year ago, our suspect had a particularly productive month. He was able to steal a total of 103,000 USD (at that time, 14.7 BTC) from four victims. This series of big hits culminated in one final incident on the 25th of June 2019. On this date, our scammer transferred almost 5 BTC to his wallet (in addition to what was stolen from other projects); that same day, his real identity advertised coins for sale on his social media account.

We made sure to record every single piece of information we found about him: messages, videos, printouts, you name it. The data we collected was excessive and vast. We then took this data to law enforcement and received confirmation on its validity.

We could have stopped there and let the police take over, but we feared that their investigation could last months or even years. We wanted to expose Simon S. Tadros sooner than that because he was not only damaging Energi, but the whole crypto space. Now with our goal set, we came up with a simple but effective plan to nail him once and for all.

Digging His Own Grave

We wanted to get one more piece of evidence that confirmed our findings not using any of our previous leads, and who better to give us that than Simon himself?

Our idea was for Tommy World Power to follow Simon’s real-life twitter account — the “ping” — and then to contact one of his many known scam accounts to let him know we knew who he was. We name-dropped his first name and, as proof, suggested he check his social media accounts. To add further pressure, we deliberately “leaked” skewed information about this discovery to Kratøs, adding more heat to the situation.

Now with all the pieces in place, all we had to do was sit back and watch the fireworks. We knew Simon would spin out of control, desperately trying to find out what went wrong and, in doing so, giving us the confirmation we were looking for.

It didn’t take too long. There was no way he could have known who, or how, we “pinged” him on the other side with only a name and some vague instructions about his social media profile. That was the inventive part of the whole operation: under pressure and with little information to work with, his imagination took over. We knew Simon would eventually break and try to convince us that we had the wrong guy. Yet, by doing so, he was giving us the final, unrelated piece of information we needed.

We had previously seeded the idea to Kratøs that we had commissioned an outside forensics company. Simon imagined that they had traced the funds back to him, which he used to profess his innocence.

He went on to claim that he knew the person we targeted and tried to pass “Simon Tadros” as an OTC broker who had done some work for him last year. His intention was to convince us that we had the wrong guy.

When it was apparent that his attempts at persuasion had failed and once the stolen NRG in his wallet was drained, he even tried to bribe members of the Energi team.

Solving Crimes Requires Professional Processes

Bounty hunters and those new to cybersecurity often go looking for one incredible piece of evidence, the “home run” or clincher, that solves the case. In our experience, that’s a myth.

Solving crimes boils down to one thing: process. In the course of our two-year investigation, there was never one single eureka moment. It was time-consuming, tedious work. We were continually collecting, filing, and chipping away at the rock, one piece at a time until the whole wall came tumbling down. When that happened, the scale of Simon’s crimes was revealed.

Peter, the Director of EBI, answered questions about how much money was stolen and how long he had been doing this: “Based on our research, he seems to have been active since at least late 2017. Each year, he got exponentially better, so we can’t know how much for sure. We do know that the server group he was in was used to target almost 100 projects. Furthermore, we know that he’s caused much more damage than we could ever prove. If we’re currently able to prove one crime out of every hundred, you can do the maths yourself.”

He added, “I enjoy my work at Energi very much. I can think of no other cryptocurrency project with the means, or the willingness, to carry out the scale of investigation needed to identify and expose this guy. It’s all-consuming work.”

Solving these crimes is never accomplished through a high tech, “hacking the hacker” operation. It’s much simpler than that. We all make stupid mistakes, and hackers are no different. You only need two ingredients: time and grit. The evidence and errors will come in their own time if you’re there to capture them, and that is how we cracked this case.

Unfortunately, we were unable to recover the funds of his first victims from last year. At that time, the Energi project was still relatively new, and our processes and procedures were not what they are today, where we have been able to prevent all his cases in Gen 3.

User Protections Like Ours Are Badly Needed in the Space

Scammers like Simon are an unfortunate reality of the crypto space, and they are only going to get better and multiply in number. We’ve been able to assess that he stole over one million dollars, but the real figure could be ten times higher. Looking at the likely damage that this one bad actor caused, it’s no surprise that many projects and low cap coins have such difficulties early on. A large-scale attack could prove an existential threat to projects like this and we believe that individuals, like Simon, have contributed to the failure of many more.

Because scammers are always innovating their tactics and using the latest technology available for their malicious activities, companies can’t rely on governments or traditional task forces to protect them. A police department will take between 12–30 months to investigate this sort of highly complex scamming, not to mention the added difficulty of dealing with someone in a different jurisdiction.

The only feasible way of stopping these sophisticated scammers is by having your own defense team. Cryptocurrency projects that don’t implement this cybersecurity measure are doomed, and their users’ holdings are in constant danger.

For the whole industry to thrive, we must continue to innovate when it comes to security. By doing so, we can make projects less appealing to scammers and safer for users. Every innovation is a step towards greater mass adoption, which is why having a cybersecurity team like Energi Defense removing bad actors is not only beneficial for our project, but for the entire crypto space.

P.S.

We thought some readers might want to check out Simon Tadros’ activities by themselves, so here you have some of his social media profiles.

Instagram: https://www.instagram.com/evilqubit/
Facebook Main: https://www.facebook.com/thearchitectblog
Facebook alternative: https://www.facebook.com/evilqubit
GitHub: https://github.com/evilqubit
Ycombinator: https://news.ycombinator.com/user?id=evilqubit
About Me: https://about.me/evilqubit
Linkedin: http://www.linkedin.com/pub/simon-tadros
Twitter: https://www.twitter.com/conversionpoint
BitBucket: https://bitbucket.org/evilqubit/
Codepen: https://codepen.io/evilqubit/pens/
CodeWall: https://coderwall.com/evilqubit
PasteBin: https://pastebin.com/u/evilqubit
Reddit: https://www.reddit.com/user/thearchitectblog
SlideShare: https://www.slideshare.net/thearchitectblog
SoundCloud: https://soundcloud.com/thearchitectblog
Medium: https://medium.com/@conversionpoint
TradingView: https://www.tradingview.com/u/conversionpoint/
Youtube: https://www.youtube.com/channel/UCZaG-2D1lVaU-XKRsS6I-XA