$250M crypto-robbing gang’s dirty work guy sentenced to 6.5 years behind bars

A 20-year-old described as a cybercriminal organization’s "last resort" for cryptocurrency thefts will now serve a 78-month sentence for his role in a $250 million scheme. Marlon Ferro, of Santa Ana, California, was a member of what prosecutors called a social engineering enterprise (SEE) consisting of at least 12 other individuals, and was tasked with traveling across the US and physically stealing what other members couldn’t through online fraud. The gang all shared different responsibilities, but Ferro was the only one who carried out physical burglaries across the US when the methods of the crew’s remote cybercriminals failed to result in a financial reward. “Marlon Ferro served as the criminal enterprise’s instrument of last resort,” said US Attorney Jeanine Ferris Pirro. “When his co-conspirators couldn’t deceive victims into handing over access to their cryptocurrency or hack their way into digital accounts, they turned to Ferro to break into homes and steal hardware wallets outright. “This scheme blended sophisticated online fraud with old-fashioned burglary to drain victims of millions of dollars in digital assets. Today’s sentence sends a clear message: cryptocurrency fraud is not a victimless, consequence-free crime carried out safely behind a screen – it is serious criminal conduct that will lead to federal prison.” The FBI pinned Ferro to numerous specific thefts across the US between 2023-2025 when the SEE was operating. In total, the SEE was responsible for more than $250 million worth of cryptocurrency thefts during this period. The earliest tale of Ferro’s work came in February 2024, when he traveled to Winnsboro, Texas, and stole a hardware cryptocurrency wallet containing roughly 100 bitcoins, then valued at more than $5 million, before laundering it through online exchanges. He relocated to California later that year, the Justice Department stated. The move allowed him to connect with and integrate himself into the SEE’s inner circle, since some members were located in California, as well as others in Connecticut, New York, Florida, and overseas territories. Ferro began doing the SEE’s dirty, physical work. After another member identified a potential target, Ferro traveled to New Mexico and surveilled a residence for several days, and situated an iPhone in front of the property so members of the group could also watch remotely and alert Ferro if the owner returned. Despite several days’ worth of surveillance, Ferro seemingly failed to spot the home security system, which captured him breaking into the premises by throwing a brick through a window. Also on the 20-year-old’s rap sheet were details of his money laundering activities. Ferro used fraudulent ID documents belonging to a foreign national via “his KYC guy” to create a digital payment card account at what prosecutors described as “a geo-blocked platform.” Court documents named it as RedotPay, which secured some licenses to process transactions in the US and elsewhere earlier this year but it is still not allowed to offer products or services to US citizens. This payment card account allowed SEE members to spend their stolen cryptocurrency at retail stores and nightclubs, the DoJ said. Ferro alone spent more than $255,000 on designer clothing on behalf of SEE members, including multiple Hermès Birkin bags for one member’s girlfriend. He also gathered stolen cryptocurrency from group members after the SEE’s leader, Malone Lam, was arrested in September 2024, and used those funds to pay the leader’s lawyer. Ferro also regularly passed along messages from Lam to other group members while Lam was jailed. He was sentenced to 78 months in prison, with three years of supervised release, and ordered to repay $2.5 million in restitution. Lam’s gang Each member, who according to court documents [PDF] found and built relationships with each other through online gaming platforms, brought a different specialty to the crew. Some took responsibility for voice phishing and “database hacking,” while others looked after money laundering, among varied tasks. At least two members were involved in more than one of these operations. The superseding indictment alleged that the SEE comprised three hackers who compromised websites and servers to gather cryptocurrency-related databases, as well as two “organizers” who also helped identify potential targets. Six members worked as “callers,” the individuals carrying out voice phishing attacks, attempting to convince targets they were helping to secure their accounts against cyberattack. Money launderers, of which the SEE had at least eight, including Ferro, worked to exchange stolen cryptocurrency and other goods into fiat currency through bulk cash or wire transfer. The launderers also helped procure luxury services for group members, such as exotic car purchases, private jet rentals, international vacations, or shipping the bulk cash across the US, the Justice Department alleged. ®