
Malone Lam Sentence: Inside the $263 Million Crypto Syndicate That Stole From Gamers, Mansions, and a Single Washington D.C. Victim

2026-05-13

Key Facts

  • Evan Tangeman, 22, of Newport Beach, California was sentenced on April 25, 2026 to 70 months in federal prison for his role laundering proceeds from the Malone Lam-led crypto theft syndicate (DOJ / The Block, April 2026)
  • Tangeman is the ninth defendant to plead guilty in a case that traces back to the September 2024 indictment of Malone Lam and Jeandiel Serrano (The Block, April 2026)
  • The criminal enterprise — known internally as the "SEE" — stole roughly $263 million in cryptocurrency between October 2023 and May 2025, primarily through social engineering and residential burglaries targeting hardware wallets (DOJ, April 2026)
  • The syndicate's single largest theft was an August 2024 attack on one Washington, D.C. victim — a Genesis creditor — that drained more than 4,100 BTC worth approximately $230 million at the time, now worth over $350 million (Gate.com / Wikipedia, 2026)
  • Malone Lam, the operation's 20-year-old Singaporean ringleader known online as "Anne Hathaway" and "Greavys," was arrested in Miami in September 2024 (Wikipedia / WUSA9, 2024)


Breaking: The federal sentencing wave from one of the most brazen crypto crime operations in American history is accelerating. Over the past two weeks, two members of the Malone Lam syndicate have been sentenced to combined prison terms of nearly 12 years — and the ringleader himself has still not been sentenced.


Evan Tangeman got 70 months for laundering. Marlon Ferro got 78 months for the physical end of the operation — breaking into homes, stealing hardware wallets, and continuing to launder funds for Lam even after Lam's arrest. Nine defendants have now pleaded guilty. The case that started with a 20-year-old Singaporean meeting criminals on gaming platforms has become a multi-year federal prosecution spanning six states and two countries.


The full story of how this group operated — and what it reveals about the most exploitable vulnerabilities in crypto security — is worth understanding in detail.


Signal 1 — How the Theft Actually Worked: Social Engineering at Its Most Devastating


The $230 million single-victim theft is the clearest case study in why social engineering remains the most effective attack vector in crypto, even against sophisticated holders.


The victim was a Genesis creditor — someone with a legitimate claim to millions of dollars in assets from the bankrupt crypto lender, meaning they were identifiably wealthy and almost certainly had significant crypto holdings. The Lam group identified their targets through hacked databases, dark web purchases of personal data, and phishing emails — then worked backward from the target's identity to their likely exchange relationships and wallet infrastructure.


On August 18, 2024, the attack began. Lam's callers first triggered unauthorized Google account access notifications to the victim — genuine-looking security alerts that created immediate alarm. Then, using a spoofed phone number matching Google's actual support line, Lam called the victim personally, posing as Google support staff, claiming the account had been compromised and offering to help secure it. The victim agreed.


Through carefully scripted manipulation, the callers convinced the victim to reset their password through a fake security form, giving the attackers access to the Google account. Once inside, they found emails revealing substantial holdings on the Gemini exchange. A second call followed — this time with Serrano posing as Gemini support — warning about suspicious account activity and convincing the victim to install AnyDesk, a legitimate remote access tool, supposedly to allow Gemini's "security team" to monitor and protect the account. With AnyDesk installed, the attackers had full visibility into the victim's computer.


They found a hidden folder containing private keys to multiple crypto wallets. Within two hours, they executed three large transactions, draining more than 4,064 Bitcoin. The entire operation — from first contact to completed theft — left the victim holding paperwork for accounts that no longer contained anything.
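
The sequence described above, a remote access tool appearing on a machine followed shortly by reads of key material, is something endpoint telemetry can flag. The following is an added example, not part of the original article: a small correlation rule run over constructed events. The event schema, host names, file-name hints and the two-hour window are all assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed endpoint telemetry (hypothetical schema, not any product's real log format).
SAMPLE_EVENTS = """
{"ts":"2025-01-10T17:02:11","host":"ws-01","type":"process_start","image":"chrome.exe","path":""}
{"ts":"2025-01-10T17:40:05","host":"ws-01","type":"software_install","image":"AnyDesk.exe","path":""}
{"ts":"2025-01-10T17:44:30","host":"ws-01","type":"remote_session","image":"AnyDesk.exe","path":""}
{"ts":"2025-01-10T17:58:12","host":"ws-01","type":"file_read","image":"explorer.exe","path":"C:/Users/v/.backup/wallet_keys.txt"}
{"ts":"2025-01-10T18:03:00","host":"ws-02","type":"file_read","image":"explorer.exe","path":"C:/Users/b/Documents/seed-phrase.txt"}
{"ts":"2025-01-11T09:00:00","host":"ws-03","type":"software_install","image":"AnyDesk.exe","path":""}
{"ts":"2025-01-11T15:30:00","host":"ws-03","type":"file_read","image":"explorer.exe","path":"C:/Users/c/keystore/main.json"}
"""

# Assumption: remote access tools that are not centrally approved on these hosts.
REMOTE_TOOLS = {"anydesk.exe"}
# Assumption: substrings that suggest a file holds wallet keys or seed phrases.
KEY_HINTS = ("wallet", "seed", "keystore", "privkey", "mnemonic")
# Assumption: how long after remote-tool activity a key-file read is treated as related.
WINDOW = timedelta(hours=2)


def parse(text):
    """Yield one event dict per non-empty JSON line, with 'ts' parsed to datetime."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def correlate(events, window=WINDOW):
    """Alert when a key-like file is read soon after remote-tool activity on the same host."""
    last_remote = {}  # host -> timestamp of the latest install or session of a remote tool
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        is_remote_tool = ev["image"].lower() in REMOTE_TOOLS
        if ev["type"] in ("software_install", "remote_session") and is_remote_tool:
            last_remote[host] = ev["ts"]
        elif ev["type"] == "file_read" and any(h in ev["path"].lower() for h in KEY_HINTS):
            seen = last_remote.get(host)
            if seen is not None and ev["ts"] - seen <= window:
                minutes = int((ev["ts"] - seen).total_seconds() // 60)
                alerts.append({"host": host, "path": ev["path"],
                               "minutes_after_remote_tool": minutes})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_EVENTS)):
        print(alert)
```

Only ws-01 alerts in the sample: ws-02 reads a key-like file with no remote tool present, and the ws-03 read falls outside the window.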


The SEE's operational structure explains how they scaled this beyond individual attacks. The group divided labor precisely: database hackers who sourced victim information, organizers coordinating the operation, target identifiers who researched specific victims, callers trained in voice phishing scripts, and money launderers who converted stolen crypto to cash. When social engineering alone wasn't enough — when a target kept their funds on a hardware wallet with no exchange exposure — the operation shifted to physical intrusion. That's where Marlon Ferro came in.


What This Means For You

  • For active traders and crypto holders, the attack chain the SEE used — spoofed Google/exchange support calls, fake security forms, remote access software — represents the most effective current method for compromising large crypto positions. No phone call from "Google" or any exchange is legitimate if they initiate it.
  • For long-term holders with significant crypto wealth, hardware wallets provide meaningful security against remote attacks but not against physical ones. The SEE's home burglary operations were specifically designed to target hardware wallet holders — the group they couldn't reach through phones.
  • For newcomers, the single most important security takeaway from this case is: no legitimate company will ever call you unsolicited to help protect your account. If someone calls you claiming to be Google, Gemini, Coinbase, or any other platform, hang up and call the official number yourself.


Signal 2 — The Physical Operation: How Burglary Became the SEE's Backup Plan


Marlon Ferro's sentencing to 78 months — handed down in early May 2026 — illuminates the most disturbing dimension of the SEE's operation: the point where online fraud became real-world violence.


Ferro's role existed because the digital attack vector had a limit. Holders who kept funds in hardware wallets — physical devices that store private keys offline, requiring physical access to use — couldn't be robbed remotely. The SEE's response was to add physical burglary to their toolkit.


In February 2024, Ferro traveled to Winnsboro, Texas, broke into a victim's home, and stole a hardware wallet containing approximately 100 Bitcoin — then worth more than $5 million — before laundering the funds through exchanges. In July 2024, he traveled to New Mexico, spent several days surveilling a residence, and conducted a home invasion using a brick to break in. What made the New Mexico operation especially disturbing was the real-time coordination: Lam, operating remotely, had hacked the victim's iCloud account and was monitoring the victim's physical location from his own device, alerting Ferro if the owner returned. One member of the group stationed an iPhone in front of the property so other conspirators could watch remotely as well.


By the time of the group's largest operations in 2024, the SEE had members who had armed themselves with firearms. The operation had evolved from voice phishing calls placed from comfortable apartments into a multi-state criminal enterprise that combined sophisticated cyber intrusion with home invasion and physical theft — all coordinated in real time across members in California, Connecticut, Florida, New York, and abroad.


Ferro's role extended past the thefts. After Lam's arrest in September 2024, Ferro continued operating — gathering stolen cryptocurrency from other SEE members, using those funds to pay Lam's criminal defense attorney, and passing messages from Lam to other members while Lam was detained. He also opened a fraudulent digital payment card account using fake identification to allow SEE members to spend stolen funds at nightclubs and retail locations, personally spending over $255,000 on designer clothing — including multiple Hermès Birkin bags for one member's girlfriend. The sentence of 78 months, with three years supervised release and $2.5 million in restitution, reflects both the operational role and the continuation of criminal activity after the first arrests.


What This Means For You

  • For active traders and large holders, the Ferro case illustrates that hardware wallet security is a necessary but not complete defense. If your identity as a large crypto holder becomes known — through exchange leaks, blockchain analysis linking public addresses to identifiable individuals, or social media — you become a potential physical target.
  • For long-term holders with significant wealth, operational security around your identity as a crypto holder is as important as the security of the wallet itself. The SEE identified targets specifically because those targets were identifiably wealthy on-chain or in hacked exchange databases.
  • For newcomers, the escalation from online scam to home invasion in this case is a useful reminder that crypto crime is not victimless or abstract. These were real people whose homes were surveilled and broken into. Digital asset security is also physical security.


Signal 3 — The Sentencing Wave and What Comes Next for Malone Lam


The current sentencing wave represents the culmination of an investigation that ZachXBT — the pseudonymous blockchain investigator — helped catalyze in September 2024, when he published a detailed on-chain analysis tracing the $230 million theft back to specific wallets and then to real identities. That public thread, shared hours after the theft, contributed directly to law enforcement's rapid response: Lam and Serrano were arrested within weeks.


Nine defendants have now pleaded guilty. Sentences issued so far span from Ferro's 78 months for physical operations to Tangeman's 70 months for laundering. Tangeman also directed the destruction of evidence after Lam's arrest — instructing a co-defendant to destroy digital devices belonging to SEE members — which prosecutors called a "consciousness of guilt" that factored into his sentence. His home contained a black 2022 Rolls-Royce Ghost worth over $300,000 and a Porsche GT3 RS when authorities searched it.


U.S. Attorney Jeanine Ferris Pirro's statement at sentencing captured the case's larger significance: she called the operation one "built on greed so brazen it borders on the cartoonish," citing the $500,000 nightclub tabs, Lamborghinis, and Rolexes funded by stolen crypto. What made the prosecution distinctive beyond the dollar amounts was the legal theory: the DOJ brought RICO charges — the Racketeer Influenced and Corrupt Organizations statute traditionally used against organized crime — against a group of young men who had met on Minecraft and Discord. It's the first Bitcoin-related RICO prosecution in history, according to Wikipedia's documentation of the case.


Malone Lam himself — the ringleader who orchestrated the $230 million single-victim theft at 20 years old, who livestreamed the social engineering attack to friends online, and who purchased 33 luxury cars before his arrest — has not yet been sentenced. Given the scale of his role versus the 70–78 month sentences received by supporting members, observers expect a substantially longer term. The 4,100 BTC stolen in August 2024 are now worth over $350 million — a figure that will likely factor into restitution calculations at sentencing.


What This Means For You

  • For active traders, the RICO prosecution model sets a significant precedent: crypto theft organized with division of labor and sustained criminal enterprise can now be prosecuted under organized crime statutes that carry far heavier penalties than individual fraud charges. That changes the risk calculus for sophisticated crypto criminal operations.
  • For long-term crypto holders, the ZachXBT-assisted investigation demonstrates that on-chain forensics have reached a maturity where large-scale theft is increasingly traceable in near-real time. The SEE's laundering through offshore exchanges, Monero mixing, and peel chains was eventually defeated by blockchain analysis and traditional investigative work in combination.
  • For newcomers, the Lam case is the clearest demonstration yet that the most dangerous crypto security threats are not protocol vulnerabilities or exchange hacks — they are human vulnerabilities. The $230 million theft required zero lines of malicious code. It required one phone call that the victim believed.


How Different Investors Are Reading This


The Malone Lam sentencing wave is being read very differently across the crypto community — and the divergence reveals something important about how the industry processes high-profile crime cases.


Security-focused researchers and practitioners are reading the Ferro and Tangeman sentences as a calibration point for how federal prosecutors are weighting different roles within a coordinated crypto theft operation. Ferro, who conducted physical break-ins and continued operations after Lam's arrest, received 78 months. Tangeman, who laundered $3.5 million and destroyed evidence but didn't conduct physical operations, received 70 months. The gap is narrower than many expected given the difference in physical danger involved — suggesting prosecutors were weighing the evidence-destruction conduct heavily. The Lam sentence, when it comes, will establish the upper bound for a first-time RICO Bitcoin case.


Crypto security advocates are treating the case as a public education opportunity. The attack vector that produced the largest single-victim theft in crypto history was a phone call and a piece of remote access software. No protocol exploit, no exchange vulnerability, no cryptographic weakness. The technical security community has been warning about social engineering attacks for years — the Lam case makes the abstract threat concrete and expensive. The immediate response to any unsolicited call claiming to be from Google or a crypto exchange should be to hang up. That simple rule would have prevented $230 million in losses.


Retail crypto investors are processing the case with a combination of horror at the amounts involved and relief that the perpetrators are being prosecuted. The RICO prosecution and the multi-year sentencing wave signal that federal law enforcement has developed genuine capacity to investigate and prosecute sophisticated crypto crime — a contrast to the earlier era when crypto thefts were treated as effectively unsolvable. That prosecutorial competence is a structural improvement for the ecosystem's credibility, even if it arrives too late for the individual victims.


For those wanting to track the Malone Lam sentencing date, follow developments in the broader SEE prosecution, or monitor crypto security news alongside market developments — BYDFi's platform offers integrated alerts and data tools that support staying informed across both market and ecosystem security events.


Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or trading advice. Cryptocurrency markets are highly volatile and unpredictable. Past performance is not indicative of future results. Always conduct your own research and consult a qualified financial advisor before making any investment decisions.

FAQ


Who is Malone Lam and what did he do?

Malone Lam Yu Xuan, born July 19, 2004, is a Singaporean national who became the ringleader of a multi-state cryptocurrency theft operation known as the SEE (Social Engineering Enterprise). Operating under online aliases including "Anne Hathaway" and "Greavys," Lam coordinated a group of 14 members recruited through online gaming platforms including Minecraft and Discord. The operation stole approximately $263 million in cryptocurrency between October 2023 and May 2025. Its largest single theft occurred on August 18, 2024, when Lam and co-conspirator Jeandiel Serrano executed a social engineering attack on a Washington, D.C. victim — a Genesis bankruptcy creditor — that drained more than 4,100 Bitcoin worth approximately $230 million at the time, now valued at over $350 million. Lam was arrested in Miami in September 2024. The case is documented as the first Bitcoin-related RICO prosecution in history.


What sentence did Evan Tangeman receive and what was his role?

Evan Tangeman, 22, of Newport Beach, California, was sentenced to 70 months in federal prison on April 25, 2026, by U.S. District Judge Colleen Kollar-Kotelly in the District of Columbia. Tangeman pleaded guilty in December 2025 to a RICO conspiracy charge and admitted to laundering at least $3.5 million for SEE members. His specific role involved converting stolen cryptocurrency into fiat cash and working with real estate agents to rent luxury Los Angeles mansions for $40,000 to $80,000 per month on behalf of the criminal enterprise. He received compensation in the form of exotic automobiles and used commission earnings on luxury goods. He further compounded his conduct after Lam's arrest by directing a co-defendant to destroy digital devices belonging to SEE members — conduct prosecutors called a "consciousness of guilt." Authorities seized a 2022 Rolls-Royce Ghost worth over $300,000 and a Porsche GT3 RS from his home at arrest.


How did the SEE's social engineering attacks actually work?

The SEE's core attack methodology combined database hacking to identify wealthy crypto holders, sophisticated voice phishing to trick victims into surrendering account access, and technical intrusion once access was obtained. In the largest documented case — the $230 million August 2024 theft — the attackers first triggered fake unauthorized access notifications to the victim's Google account, then called posing as Google support using a spoofed phone number, convincing the victim to reset their password through a fake form. Once inside the Google account, they found emails revealing exchange holdings. A second attacker called posing as Gemini exchange support, convincing the victim to install AnyDesk remote access software. With full remote access to the victim's computer, they located a hidden folder containing private keys and drained over 4,000 Bitcoin within two hours. When targets kept funds on hardware wallets rather than exchanges, the SEE shifted to physical burglaries conducted by Marlon Ferro, sometimes with Lam remotely monitoring the victim's physical location through hacked iCloud accounts.


What is a RICO charge and why was it used in a crypto case?

The Racketeer Influenced and Corrupt Organizations Act — RICO — is a federal statute traditionally used against organized crime, allowing prosecutors to charge members of a criminal enterprise collectively for the organization's overall pattern of activity rather than only for individual crimes each person directly committed. The SEE prosecution marks the first time RICO has been applied to a Bitcoin-based criminal organization in U.S. history. Prosecutors used RICO because the SEE operated with defined division of labor — hackers, callers, organizers, target identifiers, burglars, and money launderers — functioning as a coordinated criminal enterprise over an extended period rather than a series of isolated crimes. The RICO framework allows for potentially much longer sentences and broader recovery of criminal proceeds than individual fraud charges would permit.


What happens next for Malone Lam's sentencing?

As of May 2026, Malone Lam has not yet been sentenced in the SEE case. He was arrested in September 2024 and has been detained throughout the prosecution. Nine co-defendants have now pleaded guilty, with sentences ranging from 70 months (Tangeman) to 78 months (Ferro) for supporting roles in the enterprise. Given Lam's status as the ringleader who orchestrated the $230 million single-victim theft, coordinated the entire operation including remotely monitoring victims during physical burglaries, and inspired the RICO theory of prosecution, legal observers expect his sentence to be substantially longer than those of supporting members. The 4,100 BTC stolen in August 2024, valued at approximately $230 million at the time of theft, are now worth over $350 million at current Bitcoin prices — a factor that is likely to inform restitution calculations at Lam's sentencing. No official sentencing date has been publicly confirmed.
