Cryptocurrency Theft of $150 Million: BitOK Exposes Bitmama

In September 2023, BitOK received information about a cryptocurrency theft amounting to $150 million. Preliminary findings suggest that Gagik Gulakyan, Vagram Stepanyan, and Valeria Fedyakina, also known as Bitmama, may be involved in this fraudulent activity. According to our information, Valeria Fedyakina did not have a direct intention to commit the crime.

I. Identified Addresses

Through an OSINT investigation, the BitOK team identified blockchain addresses believed to be owned by Bitmama. Funds belonging to Bitmama's clients were withdrawn from these addresses.
Based on the available data, these two addresses were controlled by Gagik Gulakyan and Vagram Stepanyan:
It should be noted that at the time of the investigation, there was no direct link established between Bitmama and the discovered wallets, as transactions using these addresses were conducted indirectly. However, there is circumstantial evidence of this connection based on information from the victims.

Importantly, as of the investigation date, the mentioned addresses were empty and ceased to perform any transactions after September 17, 2023. All remaining cryptocurrency balances were withdrawn from these addresses on that day. No further deposits were recorded on these addresses at the time of the investigation.
According to our calculations, approximately 20% of the cryptocurrency received by Bitmama's addresses came from the Russian exchange Garantex. Additionally, a portion of the funds came from various trading platforms such as HTX (formerly Huobi) and others.

II. Movement of Funds

The last activity on these addresses was recorded in the first half of September 2023. As the BitOK team discovered, it was during this time that addresses associated with Bitmama began actively "dispersing" cryptocurrency to make it harder to trace.

Noteworthy are the addresses presumably belonging to Valeria Fedyakina herself: TFzg…nTX5 and TXiC…DFLH.

From the address TXiC…DFLH, between September 13 and September 17, 2023, a total of $12,269,900 was withdrawn to two addresses:
  1. TD5wy8pG1wPpy7L8Sa7v5J4zgunZTDxC4P;
  2. TQ1aQuGE42trkUsrRrdQe2QEP2nMKKGrxK.

From the address TD5w…xC4P, the funds were further directed to two more addresses:
  1. TJq9wvyxEJ7yoCDPuWb3KDrSqnctPELzR4;
  2. TUairnLkdqc6QJCquPSbyJJgCF4jiLSD5f.

The address TUai…SD5f was used to split and forward funds to numerous other addresses, including deposit addresses on various cryptocurrency exchanges like Binance, Bybit, HTX, and so on (Figure 1):

Figure 1: List of transactions for the address TUairnLkdqc6QJCquPSbyJJgCF4jiLSD5f

In turn, funds from the address TJq9…LzR4 were sent to the address TRhowMzGbfwyQaCkn62QfKFiyCiUJ454Si.

Cryptocurrency from the address TQ1a…GrxK was also directed to the address TRho…54Si, via the intermediary address TYk83xAhHCLiU5MCCUhPQNAvvJDtzueA4J. Based on the volumes and on the behavior of the intermediary address, it can be assumed that it may be the deposit address of an unidentified service.

From the address TRho…54Si, funds were further sent to three addresses:
  1. TAiP9w3yTiLFZRcSZKKA2hrYgBLT18dqvh;
  2. TKk3rHD99Djdi3copVrpwhsYe45r2LsDa9;
  3. TUTyVUD9embHrAgPFpdjRzwgdQ8ue4nmem.

In turn, the addresses TUTy…nmem and TAiP…dqvh underwent further cryptocurrency "dispersion" (Figures 2 and 3). Funds from the address TKk3…sDa9 were sent to the address TWvTgUZUpCtADEPoEpeF51AJEq7fvAkgy2, which is likely another deposit address for an unidentified service.

Figure 2: List of transactions for the address TUTyVUD9embHrAgPFpdjRzwgdQ8ue4nmem

Figure 3: List of transactions for the address TAiP9w3yTiLFZRcSZKKA2hrYgBLT18dqvh

It's also important to note that the majority of the funds at the address TXiC…DFLH came from the address THgM5CcfzW8hp7LcEZp1bhrLBPW2R5kaag, totaling $11,319,985.

Previously, funds were sent in the opposite direction — from address TXiC…DFLH to THgM…kaag. This could indicate an affiliation between the owners of these addresses or that a single individual controls both addresses.

The transaction history of address TXiC…DFLH looks as follows (Figure 4):

Figure 4: List of transactions for the address TXiCFKB3mpfPcsM3Ns6Mgr2oqpCF6qDFLH

The withdrawal scheme of funds from addresses between September 13 and September 17, 2023, appears as follows (Figure 5):

Figure 5: Funds transfer from the address TXiCFKB3mpfPcsM3Ns6Mgr2oqpCF6qDFLH
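
The hops described above can be loaded into a small directed graph to show where split branches re-merge and which addresses still need onward tracing. This is an added example, not BitOK's tooling; it uses only the addresses and transfers named in the text, and the function names are illustrative.

```python
from collections import defaultdict, deque

# Addresses and hops are those named in the text; per-hop amounts are not given there.
SRC = "TXiCFKB3mpfPcsM3Ns6Mgr2oqpCF6qDFLH"
TD5W = "TD5wy8pG1wPpy7L8Sa7v5J4zgunZTDxC4P"
TQ1A = "TQ1aQuGE42trkUsrRrdQe2QEP2nMKKGrxK"
TJQ9 = "TJq9wvyxEJ7yoCDPuWb3KDrSqnctPELzR4"
TUAI = "TUairnLkdqc6QJCquPSbyJJgCF4jiLSD5f"
TYK8 = "TYk83xAhHCLiU5MCCUhPQNAvvJDtzueA4J"
TRHO = "TRhowMzGbfwyQaCkn62QfKFiyCiUJ454Si"
TAIP = "TAiP9w3yTiLFZRcSZKKA2hrYgBLT18dqvh"
TKK3 = "TKk3rHD99Djdi3copVrpwhsYe45r2LsDa9"
TUTY = "TUTyVUD9embHrAgPFpdjRzwgdQ8ue4nmem"
TWVT = "TWvTgUZUpCtADEPoEpeF51AJEq7fvAkgy2"
EDGES = [(SRC, TD5W), (SRC, TQ1A), (TD5W, TJQ9), (TD5W, TUAI), (TJQ9, TRHO),
         (TQ1A, TYK8), (TYK8, TRHO), (TRHO, TAIP), (TRHO, TKK3), (TRHO, TUTY),
         (TKK3, TWVT)]  # (sender, recipient)

def build(edges):
    """Return (successors, predecessors) maps for sender -> recipient pairs."""
    succ, pred = defaultdict(set), defaultdict(set)
    for sender, recipient in edges:
        succ[sender].add(recipient)
        pred[recipient].add(sender)
    return succ, pred

def hop_depths(edges, source):
    """Breadth-first search: minimum hop count from source to each reachable address."""
    succ, _ = build(edges)
    depth, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in succ[node]:
            if nxt not in depth:  # visited check also stops loops when funds are sent back
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth

def convergence_points(edges, source):
    """Traced addresses funded by two or more traced senders (split branches re-merging)."""
    _, pred = build(edges)
    reach = set(hop_depths(edges, source))
    return sorted(a for a in reach if len(pred[a] & reach) >= 2)

def frontier(edges, source):
    """Traced addresses with no onward hop in the data: where tracing has to continue."""
    succ, _ = build(edges)
    return sorted(a for a in hop_depths(edges, source) if not succ[a])

if __name__ == "__main__":
    print(convergence_points(EDGES, SRC), frontier(EDGES, SRC))
```

The only re-merge point is TRho…54Si, reached in three hops along both branches. TUai…SD5f, TAiP…dqvh and TUTy…nmem appear in the follow-up list because the text says they dispersed funds onward but names those recipients only in the figures.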

Another address of interest for investigation is TFzg…nTX5. The majority of funds on this address came from the address TR53QCrcMkt6MRat264Ko7M4fj7oGtr3uK, which belongs to the cryptocurrency exchange HTX. This same address covered the gas fees for address TFzg…nTX5.

The address TFzg…nTX5 ceased transactions as of September 17, 2023. However, examining the transaction history of this address and the list of addresses it interacted with reveals that most of its counterparties are deposit addresses of exchanges and addresses belonging to the cryptocurrency exchange Garantex (Figure 6).

Figure 6: Funds transfer from the address TFzgd4W2xChinNYRB67Aks7Ki7gatynTX5

Conclusion

Based on the analysis of the found addresses presumed to belong to Gagik Gulakyan and Vagram Stepanyan, it can be asserted that all the funds were withdrawn to various unidentified services as well as cryptocurrency exchanges.

It is important to emphasize that, according to our data, the movement of funds to these addresses occurred without Valeria Fedyakina's knowledge, and it is possible that she had no intention of committing a crime.
To mislead blockchain analytics providers, intermediary addresses of different services were utilized, where funds were mixed and then forwarded to several other addresses.

The majority of funds are still in motion, and with each new transfer, tracking them becomes increasingly challenging, because malicious actors employ various methods to conceal the movement of funds when sending cryptocurrency. It is therefore crucial to continue monitoring these funds.

The BitOK team will continue to monitor the situation's development and is ready to provide assistance to the victims of this extensive fraud.
