Michael Richo, a 35-year-old Connecticut man, pleaded guilty to charges linked to a $365,000 Bitcoin phishing scam on June 27. He admitted that he created fake login pages for popular darknet marketplaces and farmed the credentials. He then logged into the victims’ real accounts and withdrew their Bitcoin balances.
We wrote about Richo after his arrest in 2016. The defendant spread phishing links across the internet through online forums. Like any clearnet phishing scheme, the links took unsuspecting visitors to a page that looked similar to the real marketplace login. After they logged into the fake marketplace, Richo checked their balances for a quantity of Bitcoin worth stealing.
Richo used a program called “Bitcoin Monitor” to alert him of an incoming Bitcoin transaction on a stolen account. He would withdraw the money before the account owner even had a chance to spend it, court documents revealed. He deposited the coins into his own wallet. From there, he turned them into US currency—$365,000 in total.
He then deposited the money into bank accounts that he owned or controlled. The press release from the U.S. Attorney’s Office of the District of Connecticut mentioned that bank accounts “were provided to him.” He paid for them with Green Dot Cards and various money orders. He also sold Bitcoin on LocalBitcoins.com as “bmerc.”
The FBI looked into Richo in connection with a darknet marketplace when they discovered the phishing scheme. Officers raided his house and found that he hosted the cloned darknet marketplaces on a laptop in his home. He gave details of the illegal activity to investigators after his arrest. He incriminated himself online.
One example was an online chat history that the FBI discovered on his hard drives. A user named “fatfreak82828” wrote about his Bitcoin phishing scheme. Investigators connected the fatfreak usernames to Richo through a chat history; he asked an individual to email him at “mediapenllc” at a Gmail address. He clarified that he (fatfreak) was the same person as mediapenllc. The agent found that Richo managed a Connecticut company called Media Pen LLC.
In one conversation, fatfreak82828 wrote, “I make my own phishing sites for darknet .onion drug sites. I make $1,000 a day.” Later on, in the same conversation, Richo sent a username and password to the same user. They belonged to a stolen account. “See those? username, password, pin, balance, and all BTC deposit addresses to a private illegal site,” he explained to the unidentified user.
“When I detect BTC payment there, I login, and withdraw. I make $1000 day all off 1 phishing site I built myself, so I know how to do this, big time. I am pretty big too, but within TOR network,” he wrote. He told the user that he lived in a house by the beach and that he drove a Mercedes “all paid off.”
He admitted his crimes online, in statements made to investigators, in statements made in court, and when he signed the plea agreement. Richo pleaded guilty to access device fraud and money laundering. He also agreed to forfeit up to $365,000 in money, electronics, and other valuables. Access device fraud carries a 10-year maximum sentence and money laundering carries a 20-year maximum. He is scheduled for sentencing in late September.