Scammers appear to have made off with more than $2 million in cryptocurrency after carrying out an apparent fake initial coin offering (ICO), and the individuals linked to the incident may be connected to another recent theft, CNBC has learned.
A bad actor or actors used a fake LinkedIn profile and copied pictures from another user's Instagram to create a false persona — and successfully drew more than 1,000 investors into the ICO project, which was called Giza.
An initial coin offering or ICO is a way for start-ups to crowd-fund investment. Instead of raising cash from venture capitalists, a company can hold an ICO, which allows people to invest a cryptocurrency, such as ethereum or bitcoin, in exchange for a new token that's issued by the start-up. The new digital coin is not equity. Instead, it can be used in exchange for future services offered by the company. It's also possible that the new coin may climb to a much higher value than the initial investment.
There is big money in ICOs, and they are largely unregulated. Last year, companies raised $3.8 billion via ICOs, and this year alone they have already raised $2.8 billion, according to data from CoinSchedule, a site which tracks the activity in the space.
But ICOs are unregulated in most countries, meaning investors don't have the protections that they enjoy with other assets such as stocks. However regulators are keeping a closer eye on ICO activity, amid a rising number of reports of scams.
Investors who spoke to CNBC all described a common experience with the ICO in question: They thought the project was legitimate until warning signs began to appear, including a falling out with the company's sole supplier, a lack of correspondence from its supposed founders, and failed attempts to recoup the lost funds.
The apparently well-orchestrated scam centers around a mysterious individual called Marco Fike, the COO of Giza. Among the eight investors, partners and former employees of Giza interviewed by CNBC, all claim they have never seen Marco Fike's face.
The ICO was for a supposed start-up called Giza, which claimed to be developing a super-secure device that would allow people to store cryptocurrencies.
It carried out its ICO in January and drew investors for several weeks after. One person who put money into the project told CNBC that they invested ether that was equivalent to $10,000 at the time, and another said they had put in around $5,000 worth of ether.
At the beginning of February, Giza had raised and was holding more than 2,100 ethereum coins, which at the time were worth around $2.4 million. All but $16 worth of those ethereum coins are now missing.
But after putting in money throughout January and into February, many who had invested began to become suspicious of the project.
"Everything was fine, until that company that was meant to develop their device came out on the internet and said that Giza has cut ties, and it seems to be a scam and they might not be developing anything. Then things started looking fishy," an investor named Chris, who wished to keep his surname anonymous, told CNBC by phone.
Giza's website was deleted last Friday, but an archived version can be seen here.
Late last year, Giza contracted a Russian firm known as Third Pin LLC to make the devices it would eventually sell. The Third Pin website explains that it makes hardware for a number of industries. But on January 30, Third Pin's CEO, Ivan Larionov, posted on a bitcoin forum that his company had cut ties with Giza. Larionov confirmed to CNBC that Giza had contracted Third Pin and that the post was his.
The Third Pin CEO explained that he was contacted by a representative of Giza before the new year. He was given a design for a device that Giza wanted to make, but not technical requirements. Once Third Pin's engineers had worked out the specifications of the device, they quoted a $1 million price for Giza and signed a contract.
Larionov contacted STMicro, a components supplier, to help get the parts required for Giza's device. He said that the sales manager at the company was asking basic questions, such as the quantity required and when it would be produced, which Larionov couldn't answer. The Third Pin CEO got in touch with Fike, who gave answers that Larionov described as unclear. That was a red flag, Larionov said.
Fike asked Larionov if he would be willing to set up new operations outside Russia and manage the relationship with Giza from there, Larionov told CNBC. The Third Pin CEO suspected that Fike wanted to get away from Russia's strict cryptocurrency rules but declined that request.
As Third Pin continued assessments on the cost of production, the company found that it would be higher than initially thought. The cost to Giza went up to $1.5 million. Larionov suggested to Fike that Giza could pay in installments, something Fike didn't want to do.
"At that moment he said no, no way," Larionov told CNBC. "So next thing I said to my employees is that we will cut the contract."
One of the investors, who wished to remain anonymous but who used the screen name ShayJo, showed CNBC an exchange with Larionov over messaging app Telegram, in which he told the same story. In the conversation reviewed by CNBC, Larionov said Giza offered to pay 60 percent of the total contract, with the rest coming later on in 2018, once they had carried out another part of the ICO to raise more money. But by that time Larionov had suspicions about whether the company would disappear after getting the funds so ended the relationship, as seen in the conversation below.
Around mid-February, the digital wallet address associated with Giza, where people had been asked to send money, began showing outflows of large amounts of ethereum. That continued for about two weeks. The last movement of money from the Giza account took place on March 2.
Another investor, Nicolas, who asked that his surname remain anonymous, sent CNBC a trail of the money — because ethereum transactions are on the blockchain, they can be tracked, though the person behind them remains anonymous.
Money is sent from wallets, which store cryptocurrencies, to other wallets or an exchange, where people trade cryptocurrencies. By following wallet addresses, it's possible to see the movement of money.
Most of the money from Giza's wallet was drained over the course of two weeks. The money was sent to various other wallet addresses.
Intriguing parallels exist between the movement of money in the Giza case and a separate scam perpetrated against a digital coin called Bee Token. In February, Bee Token ran an ICO. But during the digital coin sale, scammers pretending to be the founders of Bee Token inserted themselves into the money flow, by sending an email to people prompting them to invest in that ICO.
One of the wallets linked to the Bee Token phishing scam sent ethereum to a wallet associated with Giza, according to etherescan.io, a site that tracks all transactions on the ethereum blockchain as shown in the diagram below.
That could mean that person or persons involved with the Giza scam were also behind the Bee Token heist. Or it could mean that the people behind the scam perpetrated against Bee Token have some sort of relationship with those behind Giza. It is ultimately unclear.
Eventually some of the ether made it to the ShapeShift cryptocurrency exchange via associated Giza wallet 2, shown above. ShapeShift doesn't allow people to exchange cryptocurrencies into government-issued cash, but it does allow a person to change between different digital coins. After CNBC reached out to ShapeShift, the exchange said it blacklisted the wallet associated with Giza. But it said it could not reveal the person who was registered to the wallet address because "we don't collect user data."
Despite their efforts to get in contact with Giza, investors still have no clear way to reclaim their money. Several told CNBC they have contacted law enforcement authorities in the United Kingdom.
After Third Pin made its announcement on the bitcoin forum, investors began to worry. Those who had bought Giza digital coins banded together to create a Telegram group to investigate the people behind the scam, led by the previously-mentioned Nicolas, as well as others.
The central figure in the Giza scam was its Chief Operating Officer Marco Fike. Several people who spoke to CNBC, including developers hired by Fike as well as investors in Giza itself, said they had never seen him. All said they had spoken to the person behind the alias via messaging services.
His LinkedIn page claims he studied at the University of Oxford in the U.K but does not list which college there. Oxford told CNBC on Thursday that it was investigating those claims.
CNBC reached out to Fike via LinkedIn but received no response.
Fike listed Microsoft as a previous employer in Switzerland. However, the software giant revealed to CNBC on Friday that he had never worked for the company.
Fike said he was the assistant to the CEO at a company called the United Arab Emirates Agency in Dubai. CNBC contacted all the numbers listed on the site. Two numbers in the U.K. and Croatia went unanswered. The main Dubai headquarters number went to an individual who denied any knowledge of a company by that name.
One member of the Telegram group managed to trace the source of Fike's LinkedIn profile picture came from — it appears to be from an Instagram user based in Dubai.
It's unclear whether that Instagram user knows the person behind the Fike persona, or if his image was used without his knowledge. CNBC reached out to the Instagram user to request comment, but received no response.
"We contacted people on LinkedIn associated with the company. None of them had said they had met this guy Marco, it was all online. Some started removing their association with Giza, it all started looking shady," an investor who goes by the name of ShayJo told CNBC.
Third Pin CEO Larionov provided more details about Fike. Larionov said he communicated with Fike over Skype, but that Fike never turned his video on. Instead, they spoke with just audio. Larionov described Fike as a fluent Russian speaker but with an accent.
As their suspicions rose, investors in the ICO began trying to ask questions directly of Giza. A Telegram channel existed for the investors to talk with Giza. A user called Karina appeared to be the community manager for the group and for Giza.
The investor with the screen name ShayJo said Karina banned several people from the Telegram group who had asked questions. Karina posted in the Telegram channel that she was paid by Giza, but had never spoken to Marco Fike. Eventually, the company stopped paying Karina, she said.
CNBC contacted Karina via LinkedIn, and she followed up on Telegram. Karina said that Marco Fike hired her on a website called Freelancehunt.com, but she spoke with him only over Telegram and Skype chat, never via a voice call or video.
In a transcript of the Telegram group posted online, Karina claimed on February 11 that she had no information from Fike since February 7.
CNBC spoke to multiple former employees of Giza who all told a similar story: They were contacted online by someone who claimed to be from Giza. They were offered a job after an interview over Skype. None actually received a job, none were paid, and none heard from the company again.
Giza advertised a software development job on a site called UpWork, a job posting platform for freelancers. The company described itself there as "an ambitious startup."
Aleksander Rajic is listed as a software developer on Giza's site. Rajic applied for the role in October 2017 on UpWork and was contacted by Marco Fike on the platform. Fike, whose UpWork account had no profile picture, told Rajic that his human resource assistant would reach out and add Rajic on Skype. Screenshots provided by Rajic confirmed the conversation.
The HR assistant was called Esthelle Ness. Her profile picture on Skype was a cartoon. Rajic signed a nondisclosure agreement in October, and then was asked to complete a technical test. After he passed, Ness offered him the job with a $1,000 monthly salary, to start after the ICO in January. Ness said she would contact Rajic at the end of December, which she did. In January, after the fundraising, Ness stopped providing details about the next stages of the project and eventually stopped communicating with Rajic.
"When they stopped responding to my Skype and LinkedIn messages, I suspected it is a scam," Rajic told CNBC, adding that he is trying to get his image removed from the Giza site, but has had no contact from the team.
Two other people who were hired, both of whom wish to remain anonymous for fear of retaliation, had an experience almost the same as Rajic's. Ness has not responded to a request for comment that CNBC sent via LinkedIn. She still has the job title HR assistant at Giza listed on her profile.
Cal Evans who is listed on Giza's site as its legal advisor, told CNBC that his firm, Gresham International, is a cryptocurrency compliance and strategy firm. Gresham was brought on board to review documents on Giza's website. That included a white paper that sets out the project's aims.
Evans said that investors started getting in touch with him around a month ago and that's when he knew something was wrong, though he said he is convinced that the project started as a legitimate project.
"We started looking, and people started talking about this community. I am convinced when this started it was legitimate, around about the time we got involved," Evans said. Gresham International cut ties with Giza last month.
"We are going to do whatever we can to catch these guys," Evans said.