UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
UNITED STATES OF AMERICA,
Plaintiff,
v.
ALL VIRTUAL CURRENCY SEIZED Civil Action No. 24 - 3309 (LLA) FROM ONE MEXC ACCOUNT ENDING IN 8248, ONE MEXC ACCOUNT ENDING IN 7017, ONE BINANCE ACCOUNT ENDING IN 8327, AND ONE BINANCE ACCOUNT ENDING IN 5064,
Defendant.
MEMORANDUM OPINION
The United States of America brought this civil forfeiture action in rem against virtual
currency that it seized from four accounts: a MEXC account ending in 8248, a MEXC account
ending in 7017, a Binance account ending in 8327, and a Binance account ending in 5604 (the
“Defendant Property”). ECF No. 1. The Clerk of Court entered default, ECF No. 7, and the United
States now moves for a default judgment and a final order of forfeiture pursuant to Federal Rule
of Civil Procedure 55(b), 18 U.S.C. § 981(a)(1)(A) and (C), and Rule G of the Supplemental Rules
for Admiralty or Maritime Claims and Asset Forfeiture Actions (the “Supplemental Rules”), ECF
No. 9. The United States argues that the Defendant Property is subject to forfeiture because it
“contains proceeds that were obtained from wire fraud [and] conspiracy to commit wire fraud”
and “is property involved in or traceable to money laundering.” ECF No. 9 ¶ 13; see ECF No. 1
¶¶ 31-36. For the reasons explained below, the court will grant the motion. I. FACTUAL BACKGROUND
The court draws the following facts, which it accepts as true for the purpose of assessing
the default judgment motion, from the United States’ verified complaint. See United States v. Oil
Tanker Bearing Int’l Mar. Org. No. 9116512, 480 F. Supp. 3d 39, 43 (D.D.C. 2020) (“Once default
is entered, the defendant ‘is deemed to admit every well-pleaded allegation in the complaint.’”
(quoting Adkins v. Teseo, 180 F. Supp. 2d 15, 17 (D.D.C. 2001))).
This case concerns theft of virtual currency 1 by a North Korean military hacking group,
CryptoMimic. ECF No. 1 ¶ 15. 2 CryptoMimic began targeting banks and virtual currency
exchanges 3 as early as 2014, and between 2017 and 2024, it stole hundreds of millions of dollars
from virtual asset service providers and other victims. Id.
Between October and December 2023, the FBI interviewed several individuals employed
by virtual asset service providers whose computers had been compromised by malware and
identified a common pattern resulting in the theft of virtual currency. Id. ¶ 18. The typical scheme
proceeded as follows: First, a North Korean actor created a fake online persona, pretending to work
at a venture capital firm with a reputation for investing in virtual currency companies. Id. The
imposter used the persona to contact virtual currency executives and offer to meet with them about
a potential investment. Id. The imposter then sent a link purportedly inviting the executive to a
video meeting, but the link would display an error message. Id. The imposter offered to “help”
1 The United States defines virtual currency as a digital representation of value that is non-fiat, meaning it is neither issued nor guaranteed by any jurisdiction. U.S. Dep’t of Treasury, Off. of Foreign Assets Control, Questions on Virtual Currency, https://perma.cc/S8CW-UAWT. 2 CryptoMimic is also known as the Lazarus Group and APT38. ECF No. 1 ¶ 17. The court will use the name “CryptoMimic” throughout this opinion. 3 A virtual currency exchange is a platform that allows individuals to trade virtual currencies including, as relevant here, Bitcoin, Ether, Tether, and NFPrompt. ECF No. 1 ¶ 13.
2 the executive by sending a file of computer code, known as a script, to run on the executive’s
computer. Id. When the executive ran the script, it actually downloaded malware from a server
CryptoMimic controls. Id. The cyber actor could then steal the executive’s private computer files
and gain access to his company’s cryptocurrency. Id.
In March 2024, the FBI received a complaint that COMPANY-2 had fallen victim to
CryptoMimic’s scheme and lost approximately $34 million in virtual currency. Id. ¶¶ 20-24. The
FBI interviewed the affected employee, who described the fraud, and analyzed data indicating that
the employee’s computer had connected to two of CryptoMimic’s servers at least eighteen times
between March 11 and March 13, 2024. Id. ¶ 23. The employee maintained a text file on their
compromised computer containing the private keys to approximately 5,000 virtual currency
addresses holding millions of dollars’ worth of NFPrompt, a cryptocurrency native to
COMPANY-2’s platform. 4 Id. ¶ 22. After the hack, that file was deleted, meaning that
COMPANY-2 lost access to its cryptocurrency. Id.
The FBI traced much of the stolen property—about $17 million worth of NFPrompt across
approximately 2,600 virtual currency addresses—to one virtual currency address. Id. ¶ 25. From
there, the FBI traced the NFPrompt’s distribution to several other virtual currency addresses,
including to the four accounts at issue in this case. Id. MEXC and Binance voluntarily froze the
four accounts, but by the time of the seizure, the perpetrators had withdrawn substantial funds from
at least two of the accounts. Id. ¶¶ 26-30. As of November 15, 2024, the Defendant Property
consisted of:
4 A virtual currency address is “an alphanumeric identifier that represents a potential destination for a digital currency transfer,” or a unique address where virtual currency is stored. See Questions on Virtual Currency, supra n.1.
3 • $1,064,489.29 worth of Bitcoin and $341,756.79 worth of Ether in MEXC Account x8248; • $48,721.22 worth of Tether, $446,439.05 worth of Ether, and $328,907.83 worth of NFPrompt in MEXC Account x7017; • $90,969.55 worth of Tether in Binance Account x8327; and • $706,920.00 worth of Bitcoin and $314,376.51 worth of Tether in Binance Account x5604. Id. ¶ 13.
II. PROCEDURAL HISTORY
On November 21, 2024, the United States filed a verified complaint for forfeiture in a civil
action in rem against the Defendant Property. ECF No. 1. The United States also requested a
warrant in rem to issue against the funds, ECF No. 2, and the Clerk of Court issued a warrant one
day later, ECF No. 3. On January 17, 2025, the United States posted notice of this action on the
official government forfeiture website, www.forfeiture.gov, where it remained for thirty
consecutive days. See ECF No. 4-1. No claims were filed, ECF No. 6 ¶ 4, and the Clerk of Court
entered default on April 18, 2025, ECF No. 7. The United States thereafter moved for a default
judgment and an order of forfeiture of the Defendant Property. ECF No. 9. In February 2026, the
court issued an order directing the United States to show cause why venue is proper in the District
of Columbia, see Feb. 25, 2026 Minute Order, to which the United States responded, ECF No. 11.
III. LEGAL STANDARD
A plaintiff must complete two steps to obtain a default judgment. First, the plaintiff must
ask the Clerk of Court to enter default based on a defendant’s failure “to plead or otherwise defend”
in response to the complaint. Fed. R. Civ. P. 55(a). “Upon entry of the default, the factual
allegations of the complaint are deemed admitted, which usually establishes the defendant’s
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
UNITED STATES OF AMERICA,
Plaintiff,
v.
ALL VIRTUAL CURRENCY SEIZED Civil Action No. 24 - 3309 (LLA) FROM ONE MEXC ACCOUNT ENDING IN 8248, ONE MEXC ACCOUNT ENDING IN 7017, ONE BINANCE ACCOUNT ENDING IN 8327, AND ONE BINANCE ACCOUNT ENDING IN 5064,
Defendant.
MEMORANDUM OPINION
The United States of America brought this civil forfeiture action in rem against virtual
currency that it seized from four accounts: a MEXC account ending in 8248, a MEXC account
ending in 7017, a Binance account ending in 8327, and a Binance account ending in 5604 (the
“Defendant Property”). ECF No. 1. The Clerk of Court entered default, ECF No. 7, and the United
States now moves for a default judgment and a final order of forfeiture pursuant to Federal Rule
of Civil Procedure 55(b), 18 U.S.C. § 981(a)(1)(A) and (C), and Rule G of the Supplemental Rules
for Admiralty or Maritime Claims and Asset Forfeiture Actions (the “Supplemental Rules”), ECF
No. 9. The United States argues that the Defendant Property is subject to forfeiture because it
“contains proceeds that were obtained from wire fraud [and] conspiracy to commit wire fraud”
and “is property involved in or traceable to money laundering.” ECF No. 9 ¶ 13; see ECF No. 1
¶¶ 31-36. For the reasons explained below, the court will grant the motion. I. FACTUAL BACKGROUND
The court draws the following facts, which it accepts as true for the purpose of assessing
the default judgment motion, from the United States’ verified complaint. See United States v. Oil
Tanker Bearing Int’l Mar. Org. No. 9116512, 480 F. Supp. 3d 39, 43 (D.D.C. 2020) (“Once default
is entered, the defendant ‘is deemed to admit every well-pleaded allegation in the complaint.’”
(quoting Adkins v. Teseo, 180 F. Supp. 2d 15, 17 (D.D.C. 2001))).
This case concerns theft of virtual currency 1 by a North Korean military hacking group,
CryptoMimic. ECF No. 1 ¶ 15. 2 CryptoMimic began targeting banks and virtual currency
exchanges 3 as early as 2014, and between 2017 and 2024, it stole hundreds of millions of dollars
from virtual asset service providers and other victims. Id.
Between October and December 2023, the FBI interviewed several individuals employed
by virtual asset service providers whose computers had been compromised by malware and
identified a common pattern resulting in the theft of virtual currency. Id. ¶ 18. The typical scheme
proceeded as follows: First, a North Korean actor created a fake online persona, pretending to work
at a venture capital firm with a reputation for investing in virtual currency companies. Id. The
imposter used the persona to contact virtual currency executives and offer to meet with them about
a potential investment. Id. The imposter then sent a link purportedly inviting the executive to a
video meeting, but the link would display an error message. Id. The imposter offered to “help”
1 The United States defines virtual currency as a digital representation of value that is non-fiat, meaning it is neither issued nor guaranteed by any jurisdiction. U.S. Dep’t of Treasury, Off. of Foreign Assets Control, Questions on Virtual Currency, https://perma.cc/S8CW-UAWT. 2 CryptoMimic is also known as the Lazarus Group and APT38. ECF No. 1 ¶ 17. The court will use the name “CryptoMimic” throughout this opinion. 3 A virtual currency exchange is a platform that allows individuals to trade virtual currencies including, as relevant here, Bitcoin, Ether, Tether, and NFPrompt. ECF No. 1 ¶ 13.
2 the executive by sending a file of computer code, known as a script, to run on the executive’s
computer. Id. When the executive ran the script, it actually downloaded malware from a server
CryptoMimic controls. Id. The cyber actor could then steal the executive’s private computer files
and gain access to his company’s cryptocurrency. Id.
In March 2024, the FBI received a complaint that COMPANY-2 had fallen victim to
CryptoMimic’s scheme and lost approximately $34 million in virtual currency. Id. ¶¶ 20-24. The
FBI interviewed the affected employee, who described the fraud, and analyzed data indicating that
the employee’s computer had connected to two of CryptoMimic’s servers at least eighteen times
between March 11 and March 13, 2024. Id. ¶ 23. The employee maintained a text file on their
compromised computer containing the private keys to approximately 5,000 virtual currency
addresses holding millions of dollars’ worth of NFPrompt, a cryptocurrency native to
COMPANY-2’s platform. 4 Id. ¶ 22. After the hack, that file was deleted, meaning that
COMPANY-2 lost access to its cryptocurrency. Id.
The FBI traced much of the stolen property—about $17 million worth of NFPrompt across
approximately 2,600 virtual currency addresses—to one virtual currency address. Id. ¶ 25. From
there, the FBI traced the NFPrompt’s distribution to several other virtual currency addresses,
including to the four accounts at issue in this case. Id. MEXC and Binance voluntarily froze the
four accounts, but by the time of the seizure, the perpetrators had withdrawn substantial funds from
at least two of the accounts. Id. ¶¶ 26-30. As of November 15, 2024, the Defendant Property
consisted of:
4 A virtual currency address is “an alphanumeric identifier that represents a potential destination for a digital currency transfer,” or a unique address where virtual currency is stored. See Questions on Virtual Currency, supra n.1.
3 • $1,064,489.29 worth of Bitcoin and $341,756.79 worth of Ether in MEXC Account x8248; • $48,721.22 worth of Tether, $446,439.05 worth of Ether, and $328,907.83 worth of NFPrompt in MEXC Account x7017; • $90,969.55 worth of Tether in Binance Account x8327; and • $706,920.00 worth of Bitcoin and $314,376.51 worth of Tether in Binance Account x5604. Id. ¶ 13.
II. PROCEDURAL HISTORY
On November 21, 2024, the United States filed a verified complaint for forfeiture in a civil
action in rem against the Defendant Property. ECF No. 1. The United States also requested a
warrant in rem to issue against the funds, ECF No. 2, and the Clerk of Court issued a warrant one
day later, ECF No. 3. On January 17, 2025, the United States posted notice of this action on the
official government forfeiture website, www.forfeiture.gov, where it remained for thirty
consecutive days. See ECF No. 4-1. No claims were filed, ECF No. 6 ¶ 4, and the Clerk of Court
entered default on April 18, 2025, ECF No. 7. The United States thereafter moved for a default
judgment and an order of forfeiture of the Defendant Property. ECF No. 9. In February 2026, the
court issued an order directing the United States to show cause why venue is proper in the District
of Columbia, see Feb. 25, 2026 Minute Order, to which the United States responded, ECF No. 11.
III. LEGAL STANDARD
A plaintiff must complete two steps to obtain a default judgment. First, the plaintiff must
ask the Clerk of Court to enter default based on a defendant’s failure “to plead or otherwise defend”
in response to the complaint. Fed. R. Civ. P. 55(a). “Upon entry of the default, the factual
allegations of the complaint are deemed admitted, which usually establishes the defendant’s
4 liability.” Serv. Emps. Int’l Union Health & Welfare Fund v. N. Am. Cleaning Servs. Co. Inc., 264
F. Supp. 3d 1, 4 (D.D.C. 2017). Second, after the Clerk has entered default, the plaintiff must file
a motion for default judgment and provide notice of the same to the defaulting party. Fed. R. Civ.
P. 55(b)(2). “The determination of whether default judgment is appropriate is committed to the
discretion of the trial court.” Int’l Painters & Allied Trades Indus. Pension Fund v. Auxier
Drywall, LLC, 531 F. Supp. 2d 56, 57 (D.D.C. 2008). A plaintiff is entitled to a default judgment
only if the court concludes, taking all factual allegations as true, that the plaintiff has stated a claim
upon which relief can be granted. See United States v. $6,999,925.00 of Funds Associated With
Velmur Mgmt. Pte Ltd, 368 F. Supp. 3d 10, 17 (D.D.C. 2019); United States v. $601,426.19 of
Funds Associated With Dynapex Energy Ltd., No. 24-CV-542, 2024 WL 4854310, at *4
(D.D.C. Nov. 21, 2024).
IV. DISCUSSION
A. Notice
“Before a default judgment is entered pursuant to a complaint for forfeiture in rem, the
government must show that it complied with the notice requirements contained in the
Supplemental Rules.” United States v. $1,071,251.44 of Funds Associated with Mingzheng Int’l
Trading Ltd., 324 F. Supp. 3d 38, 46 (D.D.C. 2018). In particular, “Supplemental Rule G(4)
requires the government to provide two forms of notice in a forfeiture action in rem: notice to the
public via publication and notice to potential claimants via direct notice.” United States v.
Twenty-Four Cryptocurrency Accts., 473 F. Supp. 3d 1, 5 (D.D.C. 2020); see Fed. R. Civ. P. Supp.
R. G(4)(a), (b). First, the United States may provide publication notice by publishing notice of the
forfeiture “to an official internet government forfeiture site for at least 30 consecutive days.” Fed.
R. Civ. P. Supp. R. G(4)(a)(iv)(C). That notice must “describe the property, state the time to file
5 a claim and answer, and name the government attorney to be served with the claim and answer.”
$601,426.19 of Funds Associated With Dynapex Energy Ltd., 2024 WL 4854310, at *5 (quoting
Twenty-Four Cryptocurrency Accts., 473 F. Supp. 3d at 5). Here, the United States posted notice
of this forfeiture proceeding on an official government website, http://www.forfeiture.gov, for
thirty consecutive days (from January 17, 2025 through February 15, 2025). ECF No. 4-1. The
notice stated the grounds for forfeiture and provided that “[a]ny person claiming a legal interest in
the Defendant Property must file a verified Claim with the court within 60 days from the first day
of publication.” Id. at 2. This publication satisfied Supplemental Rule 4(G)(4)(a).
Second, the United States must send direct notice to “any person who reasonably appears
to be a potential claimant.” Fed. R. Civ. P. Supp. R. G(4)(b)(i). Actual notice is not required, but
the notice “must be sent by means reasonably calculated to reach the potential claimant.” Id. Supp.
R. G(4)(b)(iii)(A). In this case, the United States sent direct notice to NFPrompt via e-mail in
January 2025. ECF No. 9 ¶ 11; see id. ¶ 2 (noting that NFPrompt did not file a claim with respect
to the Defendant Property but submitted a petition for remission); ECF No. 9-1 (notice sent to
NFPrompt). While the United States does not expressly state why NFPrompt is a potential
claimant, the complaint indicates that the virtual currency at issue was stolen from NFPrompt.
ECF No. 1 ¶¶ 20-24 (describing how cyber actors stole “addresses holding COMPANY-2’s native
token”), ¶ 25 (explaining, in a section titled “Tracing the Stolen COMPANY-2 Funds,” that the
cyber actors “stole approximately 19 million NFP . . . from a total of approximately 2,600 separate
virtual currency addresses”). Accordingly, the court concludes that the United States has satisfied
the notice requirements of Supplemental Rule G.
6 B. Adequacy of the Complaint
In civil forfeiture actions arising under a federal statute, Supplemental Rule G sets forth
the pleading requirements. Fed. R. Civ. P. Supp. R. G(1); see $601,426.19 of Funds Associated
With Dynapex Energy Ltd., 2024 WL 4854310, at *4. As relevant here, the complaint must “be
verified,” state the grounds for jurisdiction and venue, “describe the property with reasonable
particularity,” “identify the statute under which the forfeiture action is brought,” and “state
sufficiently detailed facts to support a reasonable belief that the government will be able to meet
its burden of proof at trial.” Fed. R. Civ. P. Supp. R. G(2).
“The first four requirements of the complaint are largely formal and are easily met here.”
$6,999,925.00 of Funds Associated With Velmur Mgmt. Pte Ltd, 368 F. Supp. 3d at 19. First, the
United States filed a verified complaint identifying 18 U.S.C. § 981(a)(1)(A) and (C) as the
statutory bases for forfeiture. ECF No. 1 ¶¶ 5-6, 31-36. Second, the United States correctly asserts
that the court has subject-matter jurisdiction over this action pursuant to 28 U.S.C. § 1345 because
the proceeding was “commenced by the United States.” ECF No. 1 ¶ 1. The court also has original
jurisdiction pursuant to 28 U.S.C. § 1355(a) because this is an action for forfeiture incurred under
an Act of Congress and does not fall within the exceptions for actions belonging exclusively in the
Court of International Trade. Id. ¶¶ 1, 31-36 (seeking forfeiture under two federal statutes for
violations of federal law). And the court has in rem jurisdiction because the Defendant Property
is in the District of Columbia and thus “within the court’s territorial jurisdiction.” United States
v. All Funds in Acct. Nos. 747.034/278, 747.009/278, & 747.714/278 Banco Espanol de Credito,
Spain, 295 F.3d 23, 25 (D.C. Cir. 2002); see ECF No. 11 (clarifying that the Defendant Property
“is held by the Federal Bureau of Investigation at the Washington Field Office in
Washington, D.C.”). Third, venue is proper in the District of Columbia because it is the “judicial
7 district . . . into which the [Defendant Property] [was] brought” after being seized. 28 U.S.C.
§ 1395(c); see ECF No. 1 ¶ 14 (noting that the Defendant Property is in FBI custody); ECF No. 11
(noting that the Defendant Property was brought into the District of Columbia). Fourth, the United
States has described the Defendant Property with particularity. See ECF No. 1 ¶¶ 13-14, 25-30.
The final requirement is that the complaint “state sufficiently detailed facts to support a
reasonable belief that the government will be able to meet its burden of proof at trial.” Fed. R.
Civ. P. Supp. R. G(2)(f). “The government’s burden at trial is to prove that the assets are subject
to forfeiture by a preponderance of the evidence.” United States v. Sum of $70,990,605, 4 F. Supp.
3d 189, 197 (D.D.C. 2014); see 18 U.S.C. § 983(c)(1). This is not an “‘an onerous standard,’ but
instead establishes a ‘low bar’ that is appropriate at the default judgment stage ‘where a court
should exercise greater flexibility in judging factual allegations.’” Approximately
1,467,761.163191 USDT, 2026 WL 320193, at *4 (quoting $1,071,251.44 of Funds Associated
with Mingzheng Int’l Trading Ltd., 324 F. Supp. 3d at 51-52).
The United States principally alleges that the Defendant Property was obtained through
wire fraud. ECF No. 9 ¶ 13; ECF No. 1 ¶¶ 3, 31-36. Property is subject to forfeiture pursuant to
18 U.S.C. § 981(a)(1)(C) if it “constitutes or is derived from proceeds traceable to violation of”
various statutes, including “specified unlawful activity” as defined in 18 U.S.C. 1956(c)(7).
Section 1956(c)(7), in turn, defines “specified unlawful activity” as “any act or activity
constituting an offense listed in [18 U.S.C. §] 1961(1) of this title.” Section 1961(1) includes a
laundry list of criminal laws, including 18 U.S.C. § 1343, which criminalizes use of the wires to
execute a “scheme or artifice to defraud, or for obtaining money or property by means of false or
fraudulent pretenses, representations, or promises.” Accordingly, wire fraud proceeds are subject
to forfeiture under Section 981(a)(1)(C).
8 The complaint explains that law enforcement identified a pattern of deception that
CyberMimic used to obtain virtual currency, ECF No. 1 ¶¶ 18-19, and that CyberMimic used such
a scheme to obtain virtual currency from COMPANY-2, id. ¶¶ 21-24. The scheme relied on
electronic deception several times over: cyber actors impersonated a potential investor online so
that COMPANY-2’s executive would want to meet with him; they intentionally sent a faulty link
purporting to invite the executive to a videoconference; they sent malware through a script
purporting to fix the faulty link, but which actually installed malware on the executive’s computer;
and they used that malware to obtain money in the form of virtual currency. Id. ¶¶ 20-25. And
the “particular focus” of CyberMimic was “to steal money and virtual currency from their victims.”
Id. ¶ 15. The Defendant Property is thus directly traceable to the wire fraud through a series of
virtual currency trades. Id. ¶ 25. The allegations in the complaint readily establish a reasonable
basis that the United States could show at trial that the Defendant Property constitutes or is derived
from proceeds traceable to wire fraud in violation of 18 U.S.C. § 1343, which renders the
Defendant Property forfeitable under 18 U.S.C. § 981(a)(1)(C). 5
5 Having concluded the United States has established a reasonable basis for forfeiture under Section 981(a)(1)(C), the court need not assess whether the United States has established a basis for forfeiture on its remaining allegation. See, e.g., Approximately 1,467,761.163191 USDT, 2026 WL 320193, at *4-5 (taking a similar approach).
9 V. CONCLUSION
For the foregoing reasons, the court will grant the United States’ Motion for Default
Judgement. ECF No. 9. A contemporaneous order will issue.
LOREN L. ALIKHAN United States District Judge Date: March 17, 2026