Employee Drains Company Accounts (27 BTC)
By Retracefi on 2 October 2025
In the spring of 2022, a regional crypto trading desk owned by a well-known Middle Eastern conglomerate woke up to a shock. At 4:00 a.m., their Binance Bitcoin balance had been converted and withdrawn. By 4:30 a.m., a company executive—referred by a mutual industry contact—called one of our investigators. This was local to us, so we arrived at their office by 7:00 a.m.
The first hour was triage. We confirmed accounts, devices, and recent activity. The desk lead explained that nothing was supposed to move overnight; all automations were paused. Still, the account history showed the balance had been withdrawn. The total loss was 27 BTC. For context: using a typical spring-2022 spot midpoint of ~$40,000/BTC, the loss was ≈ $1.08 million USD. (At today’s market, the nominal value would be about $2.7 million USD.)
We started with people, not just wallets. Rapid interviews surfaced an oddity in one executive’s Google access logs and a second device the executive did not recognize. A quick inventory suggested the device matched an assistant’s older iPhone. The assistant mentioned she had loaned her phone to a colleague days earlier “to fix a network issue.” That colleague was not at the office and wasn’t answering calls.
We conducted a focused, preliminary review and delivered our findings to the company’s leadership: indicators of unauthorized account access, device overlap, and a tight timeline linked to the 4:00 a.m. theft. The company engaged law enforcement based on these results. Later, it was confirmed the employee was preparing to leave the country that same day, but the combination of rapid reporting and relevant forensic indicators enabled immediate action.
The legal process took time, but the evidence held. With law enforcement’s involvement, the company recovered the funds in full. The attempt to exit immediately after the theft collapsed, and access logs, device fingerprints, withdrawal paths, and the origin of the second-factor credentials were used to solve the case. The employee returned the stolen assets and faced the consequences that followed.
Prepared by the Retrace Investigations team. Amounts and USD equivalents use the current BTC spot price (≈ $114k/BTC; 2 BTC ≈ $228k). The thief realized ~$200k USDT at the time of conversion, reflecting contemporaneous pricing and fees. Victim name is altered.