Crypto crime is increasing globally – from Vietnam’s $200M PAYN Ponzi scheme to Brazil’s Bitcoin kidnappings and North Korea’s Lazarus heists funding weapons programs. These cases highlight the urgent need for stronger compliance, coordinated enforcement, and increased vigilance in financial and law enforcement sectors. Here’s what you need to know this week.
Vietnam Police bust $2B crypto Ponzi scheme
Vietnam’s Phu Tho Provincial Police have dismantled an illegal multilevel marketing network built around Paynet Coin (PAYN). The scheme promised investors 5%–9% monthly returns and referral commissions, and it was presented through websites such as FMCPAY.com and AFF2024.com. Organizers falsely claimed the platform was registered in the United States and even advertised hotel and flight booking services to appear legitimate.
Authorities arrested 20 suspects and seized or froze around $38M in assets. Investigators allege that mastermind Nguyen Van Ha personally embezzled about $200M. The network is believed to have defrauded investors of approximately $2B overall, making it Vietnam’s largest-ever crypto fraud and one of the world’s biggest Ponzi cases.
Why this matters:
This $2B Ponzi scheme shows how criminals use crypto to run old fraud schemes on a massive scale. It underlines the need for regulators and investigators to share information quickly across borders. Compliance teams should track unlicensed platforms, watch for promoters offering very high returns, and escalate cases that show signs of fraud.
Read more on Coinlive.
Brazil Bitcoin kidnap highlights wrench attacks
A retired professor in Recife was kidnapped in March 2025 and held for roughly 12 hours before her son paid a ransom of five Bitcoin. At the time, the ransom was worth about $600,000, or R$3.3M. The victim’s son, who works in crypto and lives in Portugal, made the payment to secure her release.
Brazilian police have since arrested four suspects—two men and two women—linked to the case. Investigators say the group tracked the family through the son’s social media activity, identifying and targeting his mother. The professor was released unharmed, though police noted that recovering the ransom is unlikely.
This kind of physical extortion, often referred to as “wrench attacks,” is becoming a global phenomenon. In Europe, a Belgian barber was kidnapped after boasting online about a Bitcoin fortune, he never had, with his abductors later convicted in London. In France, police arrested 25 suspects connected to crypto-related kidnappings, including the case of Ledger co-founder David Balland, who was brutally assaulted before rescue. In the US, two men are on trial for kidnapping and torturing a victim for weeks until he handed over Bitcoin passwords.
Why this matters:
This case highlights the growing risk of “wrench attacks,” where criminals use physical violence or coercion to force victims to hand over crypto assets. Publicly disclosing holdings online significantly increases exposure to such threats. Compliance and law enforcement teams should emphasize operational security, safe custody practices, and awareness training to help reduce individual risk.
Read more on Yahoofinance.
UK Treasury links Lykke hack to Lazarus
The UK Treasury’s Office of Financial Sanctions Implementation (OFSI) has attributed the June 2024 theft of about $23M from Lykke, a UK-registered exchange, to North Korea’s Lazarus Group. Hackers reportedly stole 158 BTC and 2,161 ETH, laundering assets by swapping ETH into DAI and distributing BTC across multiple wallets.
The theft represented one-third of Lykke’s total assets. In March 2025, following user legal actions, a court ordered the exchange into liquidation.
Along with several other high-profile Lazarus crypto heists, including the $1.5B Bybit heist, the WazirX $230M heist and the recent $44M hack of India’s CoinDCX, the Lazarus Group’s stolen funds are believed to fund North Korea’s nuclear and military programs.
Why this matters:
If confirmed, the Lykke theft underscores how state-sponsored groups exploit crypto platforms to raise funds for national security threats. This demands close alignment between compliance teams and sanctions authorities such as OFSI. Firms must strengthen wallet screening, monitor high-risk stablecoin swaps, and prepare escalation paths when DPRK-linked activity is detected.
Read more on Cryptonews.
