Did MoonPay Really Get Scammed? Here Are the Details
2025-07-14
In a startling example of how even the most high-profile figures in crypto are not immune to cybercrime, two top executives at MoonPay, CEO Ivan Soto-Wright and CFO Mouna Ammari Siala, were recently scammed into transferring over $250,000 worth of USDT to a fraudulent wallet.
The phishing attack was carried out by impersonating Steve Witkoff, a well-known real estate developer and former co-chairman of President Donald Trump’s 2017 inaugural committee.
The sophisticated nature of this attack, which involved email domain manipulation, impersonation, and social engineering, has not only raised questions about MoonPay’s internal security protocols but also highlighted the growing need for heightened cybersecurity vigilance across the crypto industry.
Anatomy of the Scam: How $250,000 Vanished
According to filings from the U.S. Department of Justice, the phishing campaign was meticulously orchestrated. The attacker created fake email addresses that appeared legitimate at first glance, using a classic substitution trick: replacing a capital “I” with a lowercase “l” (e.g., steve_witkoff@t47lnaugural.com). This technique effectively mimicked the domain of Trump’s inaugural committee.

The emails targeted Soto-Wright and Siala directly, pressing for an urgent transaction under the guise of a business matter tied to Witkoff. Given Witkoff’s prominence and the plausible nature of the communication, the executives followed through, sending approximately $250,300 in USDT to a wallet believed to be associated with the real estate magnate.
However, blockchain forensics and IP geolocation data later traced the wallet to Ehiremen Aigbohan, a Nigerian national residing in Lagos, Nigeria. Email metadata further confirmed that the communication originated from Nigerian servers, not from any U.S.-based infrastructure.
DOJ Involvement and Recovery Efforts
The DOJ has since stepped in to investigate and recover the stolen funds. While the majority of the USDT remains unrecovered, approximately $40,350 worth of the stolen crypto has been frozen.
This partial recovery was made possible through cooperation with blockchain analytics firms and cryptocurrency exchanges, which flagged the movement of illicit funds and froze them before they could be fully laundered or converted.
The U.S. government’s swift intervention in this case is a testament to the increased sophistication and seriousness with which authorities are treating cross-border crypto fraud.
However, the incident also underscores a crucial point: crypto transactions are irreversible, and once a wallet is compromised or duped into sending funds, recovery becomes a race against time.
Security Implications for MoonPay
This breach has cast a spotlight on MoonPay’s internal protocols, especially its executive-level communication safeguards. While MoonPay has not issued a public statement detailing changes, evidence suggests the company is already taking significant internal steps to bolster its cyber defenses.
MoonPay is actively hiring Security Operation Engineers and cybersecurity specialists, roles that specifically focus on identifying threats, patching vulnerabilities, and implementing anti-phishing protocols.
This hiring activity indicates that MoonPay is seeking to reinforce its infrastructure with seasoned professionals capable of navigating the complex threat landscape in the crypto world.
Moreover, such incidents typically prompt internal reviews of:
Email verification processes
Executive training in social engineering threats
Multi-level fund authorization systems
Routine phishing simulations and red team assessments
In a landscape where billions of dollars in crypto are moved daily, executive training must go beyond the basics. Advanced social engineering threats now require high-level simulation training and continuous threat awareness, particularly at the leadership level.
Broader Industry Impact: A Warning Shot
The MoonPay scam is not an isolated event; it is emblematic of a broader trend. As digital assets become more valuable and accessible, cybercriminals are escalating their methods, increasingly targeting individuals rather than breaking into systems.
High-level impersonation attacks like the one MoonPay experienced represent the next phase of cyber threats: psychological manipulation backed by technical precision.
In 2024 and early 2025 alone, several prominent crypto companies, including wallet providers and DeFi protocols, have reported phishing-based breaches that exploited human error rather than technical loopholes.
The MoonPay incident reinforces the industry’s need to:
Implement zero-trust policies where no communication, even from known individuals, is treated as authentic without verification.
Use blockchain analytics tools to monitor outgoing transactions for red flags.
Integrate AI-driven anti-phishing engines into executive email accounts to detect spoofed domains in real time.
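One way to implement the spoofed-domain check named in the last item, run against the address quoted earlier in the article. This is an added example, not MoonPay's or any vendor's code: the legitimate spelling t47inaugural.com is inferred from the article's description of the substitution, and the confusable table, example.com and the function names are constructed for illustration.

```python
# Small constructed table of look-alike characters, folded to one
# representative. Production systems use the Unicode confusables data (UTS #39).
CONFUSABLE = {"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "vv": "w", "rn": "m"}

# Domains the organisation expects mail from. The first entry is an assumed
# legitimate spelling inferred from the article; the second is a placeholder.
PROTECTED = ["t47inaugural.com", "example.com"]

def skeleton(domain):
    """Fold a domain so that visually similar spellings collide."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLE.items():
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character additions or omissions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, protected=PROTECTED):
    """Return (verdict, matched_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in protected:
        return ("exact", domain)
    for legit in protected:
        # Same skeleton but a different string: a character-substitution spoof.
        if skeleton(domain) == skeleton(legit):
            return ("homoglyph-lookalike", legit)
        if edit_distance(domain, legit) <= 1:
            return ("near-miss", legit)
    return ("unrelated", None)

if __name__ == "__main__":
    for sender in ("steve_witkoff@t47lnaugural.com",   # address quoted in the article
                   "press@t47inaugural.com",           # constructed
                   "billing@examples.com",             # constructed
                   "someone@gmail.com"):               # constructed
        print(sender, "->", classify_sender(sender))
```

A "homoglyph-lookalike" or "near-miss" verdict is a reason to quarantine the message and verify the request out of band before any transfer, not proof of fraud on its own.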
Has MoonPay's Reputation Been Damaged?
While the reputational impact is still unfolding, there are early indications that the damage may be limited, provided MoonPay handles the situation with transparency and urgency.
Despite the phishing incident, MoonPay was recently tapped as a payment partner for the Trump-themed $TRUMP memecoin, suggesting that its operational credibility remains intact.

That said, perception management will be critical. Partners, institutional clients, and regulators will likely be watching closely to see whether MoonPay discloses its mitigation efforts and implements robust, verifiable controls.
Reputation in crypto, particularly among service providers, hinges not on whether a breach occurred, but on how well the response was executed. Transparency, a commitment to security upgrades, and visible cooperation with law enforcement are all crucial to regaining industry trust.
Moving Forward: Lessons and Recommendations
This incident delivers several lessons not just for MoonPay, but for the broader crypto ecosystem:
1. Phishing Isn’t Just a Retail Threat
Executives are prime targets due to their elevated permissions and ability to move large sums without secondary approvals. Executive email security and behavior must be as rigorously monitored as user wallets.
2. Visual Deception Can Beat Technical Firewalls
Spoofed domains that visually resemble official addresses can bypass even advanced email security systems. Visual similarity detection algorithms and AI-based spam filters should be standard for any crypto firm.
3. Internal Protocols Must Assume Breach
Organizations must adopt an “assume breach” mindset, treating all inbound communication as potentially compromised unless verified through secondary, out-of-band channels.
Final Thoughts
The MoonPay phishing scam is a wake-up call to the entire digital asset industry. While the loss of $250,000 is financially significant, the more valuable takeaway is the realization that security is only as strong as its weakest human link. Sophisticated social engineering is now the most potent weapon in the arsenal of crypto criminals.
MoonPay’s next steps, particularly its transparency, security revamp, and proactive user and executive education, will determine whether this incident becomes a long-term reputational liability or a pivotal moment of organizational growth.
As the crypto ecosystem matures, trust will not be earned by tech alone, but by operational resilience and security-first leadership.
FAQ
What happened to MoonPay’s executives?
They were victims of a phishing scam where a scammer impersonated Steve Witkoff via deceptive emails. They transferred $250,300 USDT to a scam wallet.
Who was behind the scam?
A Nigerian individual named Ehiremen Aigbohan was identified as the controller of the recipient wallet. The scam emails originated from Nigeria.
Has MoonPay recovered the stolen funds?
Only partially. About $40,350 USDT has been frozen, while efforts to recover the rest are ongoing with help from the U.S. DOJ.
Will this affect MoonPay’s operations?
Not significantly, though it raises concerns about internal security. MoonPay is actively reinforcing its cybersecurity team and protocols.
How did the scam bypass MoonPay's security?
The attacker used email spoofing and character substitution, which fooled executives into believing the request was legitimate. It was a social engineering attack, not a technical exploit.
