Daniel Veidlinger is a professor of Digital Humanities and an angel investor with a focus on AI startups. He specializes in using computational methods to analyze historical texts, blending his academic expertise with an interest in blockchain technology.
The Anatomy of a Sophisticated Crypto Scam
Daniel recently fell victim to a meticulously orchestrated crypto scam involving Tesalia Asset Management, a fraudulent entity posing as a Luxembourg-based investment firm. The scheme unfolded over months, combining social engineering, wallet vulnerabilities, and a fabricated corporate identity.
The Initial Contact and False Credibility
Tesalia approached Daniel’s AI startup with an $8 million convertible bond offer, name-dropping retired industry contacts to build trust. Their professional website, registered in 2016, appeared legitimate at first glance. However, investigations later revealed it was a repurposed domain purchased months prior—a tactic to mimic long-standing credibility.
Proof of Funds and Wallet Manipulation
Tesalia demanded a $400,000 “proof of funds” in crypto to verify liquidity. Skeptical, Daniel deposited $50,000 USDT into Atomic Wallet after initial attempts using Coinbase failed (Coinbase’s custodial model hid the funds from public ledgers). The scammers then insisted on a “test transaction” to confirm wallet addresses—a common practice to avoid transfer errors.
The QR Code Exploit
During a Zoom call, Tesalia instructed Daniel to send $0.05 via a QR code. Unbeknownst to him, the QR code embedded a manipulated amount.
1. Atomic Wallet’s Flaw: The app allowed recipients to override user-entered amounts via QR codes without clear warnings.
2. Decimal Displacement: The code replaced $0.05 with 49,977 USDT by omitting the decimal point. The scammers padded the amount with leading zeros so that it read as $0049977, which Atomic Wallet's interface displayed as $0.049977, while the USD equivalent falsely showed $0.05.
3. No Safeguards: The app failed to highlight the drastic change or update the USD value, enabling the full $50,000 transfer.
The Aftermath and Critical Vulnerabilities
The funds vanished instantly. Post-scam analysis uncovered Tesalia’s fake Luxembourg office and forged regulatory filings. Daniel’s team traced the stolen USDT to Binance, but recovery efforts stalled due to jurisdictional challenges and the scammers’ use of pseudonymous wallets.
Atomic Wallet Blunders and Bad UI:
1. Permitting QR codes to override user-input amounts.
2. Failing to sync crypto and fiat values during transactions.
3. Ignoring security warnings post-scam, citing liability disclaimers.
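The first two safeguards listed above, written out as an added example (this is not Atomic Wallet's code and not part of the original article): the typed amount is never overridden by the QR code, a zero-padded amount is flagged, and the fiat value is recomputed for both figures. The payload layout `scheme:address?amount=value`, the `tether:` scheme, the placeholder address and the function names are assumptions made for illustration.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs

# Hypothetical payload layout "<scheme>:<address>?amount=<value>"; the article
# does not show the real QR format the wallet accepted.
NUMERIC = re.compile(r"[0-9]+(\.[0-9]+)?")
CANONICAL = re.compile(r"(0|[1-9][0-9]*)(\.[0-9]+)?")

def parse_payment_qr(payload):
    """Split a payment QR payload into (address, amount_text or None)."""
    _scheme, _, rest = payload.partition(":")
    address, _, query = rest.partition("?")
    return address, parse_qs(query).get("amount", [None])[0]

def review_transfer(payload, typed_amount, usd_per_unit=Decimal("1")):
    """Check a scanned QR against the amount the user typed.

    The typed amount is never replaced by the QR amount; any disagreement is
    returned as a warning and the transfer is held for explicit confirmation.
    """
    address, qr_text = parse_payment_qr(payload)
    amount = Decimal(typed_amount)
    warnings = []
    if qr_text is not None:
        if not NUMERIC.fullmatch(qr_text):
            warnings.append(f"QR amount {qr_text!r} is not a plain decimal number")
        else:
            qr_amount = Decimal(qr_text)
            if not CANONICAL.fullmatch(qr_text):
                # Zero padding such as "0049977" can be misrendered as a fraction.
                warnings.append(f"QR amount {qr_text!r} is not in canonical form")
            if qr_amount != amount:
                # Fiat values are recomputed for both amounts, never carried over.
                warnings.append(
                    f"QR requests {qr_amount} (${qr_amount * usd_per_unit:,.2f}), "
                    f"you entered {amount} (${amount * usd_per_unit:,.2f})")
    return {"address": address, "amount": amount,
            "usd": amount * usd_per_unit, "hold": bool(warnings),
            "warnings": warnings}

# Constructed sample: padded amount as described in the article, placeholder address.
SAMPLE_QR = "tether:TExampleRecipientAddress?amount=0049977"

if __name__ == "__main__":
    result = review_transfer(SAMPLE_QR, "0.05")
    print(result["hold"], *result["warnings"], sep="\n")
```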
Key Takeaways for Crypto Users
1. Verify Everything: Cross-check company addresses, domains (using tools like the Wayback Machine), and regulatory filings.
2. QR Code Risks: Manually enter wallet addresses for high-value transfers. Avoid wallets allowing recipient-controlled amounts.
3. Custodial vs. Self-Managed Wallets: Understand the differences: exchanges like Coinbase custody funds (invisible on public ledgers), while self-custody wallets (e.g., Atomic) expose addresses but require heightened vigilance.
4. Law Enforcement Limits: Crypto’s pseudonymity complicates recovery. Exchanges like Binance require legal orders to freeze funds, often prioritizing larger thefts.