Inside a Wild Bitcoin Heist: Five-Star Hotels, Cash-Stuffed Envelopes, and Vanishing Funds
As Kent Halliburton stood in a lavish bathroom at the Rosewood Hotel in central Amsterdam, thousands of miles from his home in Peru, his fingers traced the crisp edges of a thick envelope. Inside lay €10,000 in freshly printed banknotes, a sum far exceeding the modest $3,000 worth of Bitcoin he was asked to exchange. A strange blend of excitement and unease began to stir within him, making him wonder precisely what intricate web he had unwittingly stumbled into. This fleeting moment of opulent intrigue, however, was merely the opening act in a meticulously orchestrated drama that would soon unravel, leaving him stripped of hundreds of thousands of dollars and questioning the very survival of his company.
Halliburton, the cofounder and CEO of Sazmining, was no stranger to the volatile world of cryptocurrency. His company specialized in "mining-as-a-service," operating vast networks of Bitcoin mining hardware on behalf of clients across diverse locations such as Norway, Paraguay, Ethiopia, and the United States. His base in Peru kept him somewhat removed from the glittering hubs of global finance, making the sudden summons to Amsterdam for a high-stakes deal feel even more surreal. The promise, however, was too significant to ignore: a Monaco-based family office had expressed keen interest in purchasing hundreds of Sazmining’s specialized Bitcoin mining rigs, a transaction valued at approximately $4 million. These rigs were destined for a new facility under construction in Ethiopia, and before committing, the family office insisted on a personal meeting with Halliburton.
He arrived at the elegant Rosewood Hotel on August 5, stepping into a world of understated luxury. There, nestled in a plush booth, were Even and Maxim, the supposed representatives of the affluent family. From the outset, they exuded an air of effortless wealth and calculated charm. Maxim, in particular, was the quintessential "playboy, high-roller" archetype. Dressed impeccably in a tan three-piece suit, his long dark hair meticulously parted down the middle, he emanated an aura of cultivated sophistication. A glinting Rolex, a silent testament to his perceived status, protruded conspicuously from the cuff of his sleeve. Even, by contrast, was more effusive, his jocular demeanor and talkative nature filling the conversational gaps as they settled into a three-course lunch. The meal itself was an indulgence: delicate ceviche garnished with roe, followed by succulent Chilean sea bass, and culminating in a rich cherry cake. Throughout, they discussed the potential deal’s intricacies, trading polite anecdotes about their respective backgrounds. Even regaled Halliburton with tales of extravagant parties in Marrakech, painting a vivid picture of their lavish lifestyle. Maxim, however, remained largely aloof, his intense gaze fixed on Halliburton for extended periods, as if meticulously dissecting him, measuring his worth, or perhaps, identifying his vulnerabilities.
It was during this initial encounter that Even proposed a peculiar "relationship-building exercise": Halliburton should sell the family office a modest $3,000 worth of Bitcoin. Halliburton, initially hesitant, dismissed it as an idiosyncratic ritual, perhaps a test of trust or an eccentric display of wealth. Then came the cash-stuffed envelope. One of the men discreetly slid it across the table, instructing Halliburton to retreat to the privacy of the bathroom to count the funds. As his fingers brushed against the crisp €10,000 notes, far more than the requested $3,000, the theatricality of the moment became palpable. "It felt like something out of a James Bond movie," Halliburton later recounted, a sense of bewildered excitement mixing with his underlying apprehension. "It was all very exotic to me." He left the Rosewood in a taxi, somewhat bemused but fundamentally optimistic. For Sazmining, a relatively small company with around 15 dedicated employees, this deal promised to be truly transformative, a gateway to a new level of growth and stability.
Yet, less than two weeks later, the intoxicating allure of the deal had curdled into a bitter nightmare. Halliburton found himself staring at a vanished sum exceeding $200,000 worth of Bitcoin, the cold, hard reality of a sophisticated scam slowly sinking in. The question gnawed at him: how had he, a seasoned professional in the crypto space, been so completely ensnared? The journey from hopeful anticipation to devastating loss had been swift and insidious.
Immediately following his initial Amsterdam lunch, Halliburton had embarked on a whirlwind of travel, first to Latvia for a Bitcoin conference, then onward to Ethiopia to personally oversee the construction progress at the data center facility. It was while he was immersed in the dusty, nascent infrastructure of the Ethiopian site that a WhatsApp message from Even pinged on his phone. Even, pressing the deal forward, introduced a new, non-negotiable condition: Sazmining would need to sell the family office a substantially larger amount of Bitcoin as a prerequisite for the main contract, far beyond the initial small exchange at the Rosewood. After some negotiation, they settled on $400,000 worth, representing a tenth of the overall $4 million deal value.
Even then insisted that Halliburton return to Amsterdam to personally sign the necessary contracts to finalize the agreement. Halliburton, weary from weeks away from his family and the relentless travel, initially protested, suggesting remote execution. But Even’s response was firm, drawing an unequivocal line in the sand: "Remotely doesn’t work for me that’s not how I do business at the moment," he declared in a text message reviewed by WIRED, leaving Halliburton with little choice. The carrot of the $4 million deal was too tantalizing to risk.
Thus, on the early afternoon of August 16, Halliburton found himself back in Amsterdam. That evening, he was scheduled to meet Maxim at a teppanyaki restaurant within the opulent five-star Okura Hotel. The hotel’s interior was a symphony of traditional Japanese aesthetics, adorned with rich wooden paneling, delicate paper walls, and a serene zen garden. From the spiral staircase in the lobby, a graceful flock of origami cranes hung suspended, creating an ethereal cascade. Halliburton located Maxim in the waiting area outside the restaurant, strikingly dressed in a rather gaudy silver suit that seemed to announce his presence with a flourish. As they waited for their table, Maxim casually introduced the next crucial step. He asked Halliburton to demonstrate Sazmining’s capacity to fulfill the side transaction proposed by Even. This demonstration involved moving roughly half of the agreed $400,000—a staggering $220,000 worth of Bitcoin—into a specific Bitcoin wallet app favored by the "family office." Crucially, Maxim assured Halliburton, the funds would remain entirely under his control, but their existence and quantity could be publicly verified by the family office using blockchain transaction data.
With Maxim observing intently, Halliburton pulled out his iPhone. He searched for the specified app: Atomic Wallet. A quick check revealed thousands of positive reviews and a long-standing presence on the Apple App Store, lending it an air of legitimacy. With a growing sense of commitment to the impending $4 million contract, Halliburton downloaded the app and meticulously created a new wallet. "I was trying to earn this guy’s trust," Halliburton recalled, the monumental deal serving as a powerful motivator. "Again, a $4 million contract. I’m still looking at that carrot."
The teppanyaki dinner proceeded largely without incident, the clatter of spatulas on the hot grill providing a rhythmic backdrop to their conversation. Maxim, somewhat less guarded than at their previous encounter, spoke of his passion for expensive watches and his role in sourcing lucrative deals for the family office. Halliburton, feeling the cumulative toll of relentless travel, sought to bring the evening to a close. They parted ways with a clear understanding: Maxim would take the signed contracts for the family office’s final execution, while Halliburton would proceed with sending the $220,000 in Bitcoin to his newly created Atomic Wallet address as agreed.
Back in the solitude of his hotel room, Halliburton meticulously performed a small test transaction, sending a minimal amount of Bitcoin to the new Atomic Wallet address. Satisfied, he then took an extra security measure, wiping the wallet and reinstating it using the private credentials—the all-important seed phrase—that had been generated upon his initial download of the app. He wanted to ensure that the wallet functioned perfectly, providing him full control. "Had to take some security measures but almost ready. Thanks for your patience," Halliburton messaged Even via WhatsApp, outlining his careful steps. "No worries take your time," Even responded, his words seemingly reassuring.
At 10:45 pm, confident in his security checks, Halliburton instructed a colleague to release the $220,000 worth of Bitcoin to the Atomic Wallet address. The transaction processed swiftly. Upon confirmation of its arrival, Halliburton sent a screenshot of the updated balance to Even. A mere minute later, Even’s reply pinged back: "Thank yiu [sic]." Halliburton then sent another message, inquiring about the status of the contracts. This time, however, the quick responses ceased. A cold dread began to creep in. Halliburton opened the Atomic Wallet app, a sudden, sickening premonition washing over him. The Bitcoin had vanished.
His stomach dropped, a visceral reaction to the unfolding disaster. As he sank onto the hotel bed, he fought a desperate urge to vomit. "It was like being punched in the gut," Halliburton recounted, the shock and disbelief paralyzing him. The dream of the $4 million deal had evaporated, replaced by the crushing reality of a monumental loss.
Halliburton frantically racked his brain, trying to decipher how he had been so cunningly swindled. At 11:30 pm, he sent a final, desperate message to Even: "That was the most sophisticated scam I’ve ever experienced. I know you probably don’t give a shit but my business may not survive this. I’ve worked four years of my life to build it." Even’s response was a swift denial of any wrongdoing, a final, hollow deflection before he disappeared entirely. That was the last Halliburton ever heard from him. The Telegram account Even had used, provided by Halliburton to WIRED, was last active on the very day the funds were drained, a digital ghost in the machine. Even did not respond to requests for comment.
Within a matter of hours, the stolen funds embarked on a complex, digital odyssey. Blockchain analytics companies Chainalysis and CertiK meticulously tracked their path: the Bitcoin was rapidly divided, shuffled through a labyrinthine web of different addresses, and deposited with various third-party platforms designed for converting cryptocurrency into traditional fiat currency. A significant portion was funneled into instant exchangers, allowing for near-instantaneous swaps between different cryptocurrencies. However, the bulk was consolidated into a single address, a critical point where it was blended with funds that Chainalysis flagged as the likely proceeds of "rip deals"—a notorious scam where criminals impersonate high-value investors to defraud startups of their crypto assets.
"There’s nothing inherently illegal about the services the scammer leveraged," explained Margaux Eckle, a senior investigator at Chainalysis. "However, the fact that they leveraged consolidation addresses that appear very tightly connected to labeled scam activity is potentially indicative of a broader fraud operation." Some of the Bitcoin passing through this consolidation address was subsequently deposited with a crypto exchange, likely converted into regular currency. The remainder underwent another transformation, converted into stablecoin and then meticulously moved across "bridges" to the Tron blockchain, a network known for hosting several over-the-counter trading services that facilitate the discreet cashing out of large quantities of cryptocurrency, according to security researchers.
The intricate dance of hops, shuffles, conversions, and divisions served a singular purpose: to obfuscate the origin of the funds, making them nearly impossible to trace and enabling their conversion to fiat currency without arousing suspicion from financial authorities. "The scammer is quite sophisticated," Eckle affirmed. "Though we can trace through a bridge, it’s a way to slow the tracing of funds from investigators that could be on your tail." Eventually, the public transaction data trail simply vanishes. To truly identify the perpetrators and potentially recover the stolen assets, law enforcement agencies would need to issue subpoenas to the various services involved in the cash-out process, which are typically mandated to collect identity information from their users.
From the raw transaction data alone, it was impossible to pinpoint precisely how the scammers gained unauthorized access to and drained Halliburton’s wallet. However, a careful re-examination of his interactions with Even and Maxim began to provide crucial clues. Halliburton initially wondered if his ordeal might be linked to a major 2023 hack perpetrated by North Korean government-affiliated threat actors, which saw over $100 million drained from other Atomic Wallet users’ accounts. (Atomic Wallet did not respond to a request for comment regarding Halliburton’s case.)
But security researchers who analyzed the incident for WIRED quickly dismissed that theory. Instead, they concluded that Halliburton had fallen victim to a highly targeted, "surveillance-style attack." "Executives who are publicly known to custody large crypto balances make attractive targets," explained Guanxing Wen, head of security research at CertiK. The in-person meetings, the lavish five-star hotels, the ostentatious clothing, the casual display of thick wads of cash – all these elements, researchers theorized, were carefully calculated gambits designed to put Halliburton at ease, to erode his natural caution. "This is a well-known rapport-building tactic in high-value confidence schemes," Wen elaborated. "The longer a victim spends with the attacker in a relaxed setting, the harder it becomes to challenge a later technical request."
To execute the theft, the scammers undeniably needed to acquire the seed phrase for Halliburton’s newly created Atomic Wallet address. With a wallet’s seed phrase, complete, unfettered access to all the Bitcoin held within is granted to anyone possessing it. One initial possibility considered was that the scammers, who had dictated the locations for both Amsterdam meetings, might have hijacked or mimicked the hotel Wi-Fi networks, thereby enabling them to surreptitiously harvest information from Halliburton’s phone. "That equipment you can buy online, no problem. It would all fit inside a couple of suitcases," noted Adrian Cheek, a lead researcher at cybersecurity company Coeus. However, Halliburton adamantly insisted that his phone never left his possession and, critically, that he had used his secure mobile data connection to download the Atomic Wallet app, not the public hotel Wi-Fi.
This left a more sinister, yet highly plausible, explanation. Wen and other researchers strongly believe that the scammers—possibly aided by a nearby accomplice or a sophisticated camera equipped with long-range zoom capabilities—were able to record Halliburton’s seed phrase at the precise moment it appeared on his phone screen when he first downloaded the app, while seated on the couch at the Okura Hotel. Long before Halliburton ever transferred the $220,000 in Bitcoin to his Atomic Wallet address, the scammers had likely already set up a "sweeper script," Wen claimed. This type of automated bot is specifically coded to detect and instantly drain a wallet the moment it registers a significant balance change, ensuring the funds are siphoned off almost immediately upon arrival. The people the victim meets in person in cases like this—the charming, persuasive figures like Even and Maxim—are rarely the ultimate beneficiaries of the heist. Instead, they are typically mercenaries, hired by a larger, more sophisticated network of scam artists who could be operating from anywhere in the world. "They’re normally recruited through underground forums, and secure chat groups," Cheek revealed. "If you know where you’re looking, you can see this ongoing recruitment."
For a tense few days, the future of Sazmining hung precariously in the balance. The stolen funds, a devastating $220,000, equated to roughly six weeks’ worth of the company’s revenue, creating an immediate and severe cash crunch. "I’m trying to keep the business afloat and survive this situation where suddenly we’ve got a cash crunch," Halliburton confessed, the weight of his company’s fate resting heavily on his shoulders. Through a combination of strategic measures, including delaying payments to a key vendor and extending the duration of an outstanding loan, Sazmining ultimately managed to remain solvent, narrowly escaping a catastrophic collapse.
In the aftermath, one of Sazmining’s board members diligently filed reports with law enforcement bodies in the Netherlands, the United Kingdom, and the United States. They received acknowledgements from only two agencies: the UK-based Action Fraud, which informed them no immediate action would be taken due to the volume of similar cases, and the Cyber Fraud Task Force, a division of the US Secret Service. (The CFTF did not respond to a request for comment regarding Halliburton’s case.) The sheer, overwhelming volume of crypto-related scam activity has made it virtually impossible for law enforcement agencies worldwide to investigate each theft individually. "It’s a type of threat and criminal activity that is reaching a scale that’s completely unprecedented," Chainalysis’s Eckle lamented.
The best, albeit slim, chance for a scam victim to recover their funds lies in law enforcement successfully busting an entire scam ring. In such rare scenarios, any recovered funds are typically dispersed proportionally to those who have officially reported themselves as victims. Until such a time, Kent Halliburton has had to begin the painful process of making peace with his significant loss. "It’s still painful," he admitted, the memory of the betrayal and the financial blow still raw. But, he added with a resilient note of defiance, "it wasn’t a death blow." The experience served as a brutal, expensive lesson in the perilous, yet alluring, frontier of decentralized finance, a stark reminder that even in the most luxurious settings, danger can lurk in the most sophisticated of guises.
