Sam Curry, a security engineer at Yuga Labs, was at the center of a federal investigation conducted jointly by the Internal Revenue Service’s Criminal Investigation Division (IRS-CI) and the Department of Homeland Security (DHS).
The investigation traces back to Curry’s involvement in uncovering a cryptocurrency phishing website in December 2022.
Sam Curry’s Encounter with Federal Agents
Curry shared the incident on his X account, detailing the events that led to his subpoena and subsequent investigation by federal authorities. Upon returning to the United States after his trip to Japan, Curry was directed to a secondary inspection room. It was there that he was handed a Grand Jury subpoena.
For nearly an hour, Curry was grilled by officers from the IRS-CI and DHS who presented him with vague questions about a “high profile phishing campaign” and how his IP address could have been connected to a threat actor. “I assumed it was just a random selection,” Curry stated.
Upon his arrival, he willingly handed his unlocked device to an inspecting officer. His device was then handed to DHS and IRS-CI agents investigating money laundering, conspiracy, and wire fraud charges.
Despite being questioned extensively, Curry received very little information about his role in the case. Afterward, he was asked to leave the room while agents thoroughly searched his device for an additional hour.
Once the search concluded, Curry was allowed to leave, which prompted him to contact a lawyer. In the following days, his attorney communicated with the Assistant United States Attorney (AUSA) and the IRS-CI and DHS agents, after which they revealed the unexpected reason behind his encounter.
The Private Key that Sparked the Investigation
In December 2022, Curry played an important role in uncovering a crypto phishing website that had stolen millions of dollars. The scammer accidentally published their Ethereum private key in the website’s JavaScript. Curry had attempted to investigate the incident by importing the private key into his MetaMask and checking if any assets were left in the wallet. During this process, he used his home IP address.
Back in December, 2022, I helped investigate a crypto phishing website that had stolen millions of dollars. In the JavaScript of the website, the scammer had accidentally published their Ethereum private key. Sadly, I’d found it 5 minutes too late and the stolen assets were gone. pic.twitter.com/Kb4QNt8X9s
— Sam Curry (@samwcyo) September 27, 2023
The investigating agents requested the account’s authorization logs from OpenSea and traced the IP back to Curry. As a result, they issued a subpoena, leading to his unexpected encounter with federal authorities. However, after communicating with Curry’s lawyer and the authorities, the subpoena was dismissed, and all data from Curry’s device was deleted.