The login page looked right. The padlock looked right. The money was already gone.

Marcus typed his password into a page that did not exist.

It looked like it existed. The blue was right. The little padlock icon sat where it always sat. The URL was one character off, the kind of character your eye fills in for you when you are tired and it is 9:47 at night and you have just gotten home from a job site in Mecklenburg County. He was 54. He had been buying crypto for four years on a phone that charged on the kitchen counter next to a bowl of keys. He was not reckless. He had read articles. He used two-factor authentication. He thought the two-factor was the wall.

The page asked for his password. He typed it.

The page asked for his 2FA code. He typed that too.

Then the page said something was wrong and gave him a number to call.

He called.

The voice was calm. The voice used his first name. The voice walked him through a screen-share so the technician could "verify the account from your side." Marcus watched his own cursor move without his hand. He thought it was help. That is the part to read slowly. He thought the cursor moving on its own was someone helping him.

By the time he hung up, his Coinbase account showed a balance he could not read at first because the number had too few digits. Not down. Gone.

II. The mirror

The Directorate of Enforcement is India's financial-crimes agency. It enforces the Prevention of Money Laundering Act, which is the Indian statute that lets the government trace, freeze, and seize property bought with proceeds of crime. On June 16, 2026, the ED filed a prosecution complaint, which is the Indian equivalent of an indictment, naming eight people and two companies in what it describes as a $20 million Coinbase spoofing operation. The ED says it has provisionally attached roughly ₹64.55 crore (about $7.7M USD) in assets connected to the money.

The names in the complaint are Chirag Tomar, Pankaj Tomar, Kushagra Shakya, Akash Vaish, Rahul Anand, Ketan Luthra, Tomar Group of Industries Private Limited, and Exahomes Realtors.

Chirag Tomar is already in custody. Not in India. In the United States. He pleaded guilty in May 2024 in federal court in the Western District of North Carolina to wire fraud conspiracy. He is serving 60 months. The ED's filing builds outward from that conviction, using Mutual Legal Assistance Treaty channels, which is the formal pipeline by which one country's prosecutors borrow another country's evidence.

The operation, according to the US case and the ED's complaint, was a mirror.

A spoofed website is a copy of a real one designed to be confused with the real one. The operation allegedly built a copy of Coinbase Pro, which was at the time Coinbase's professional trading interface. Victims arrived at the mirror through search ads and links. They typed their credentials in. The credentials were captured in real time. When the 2FA code arrived on the victim's phone, the operation captured that too, then used both to log into the real Coinbase account on the other side of the mirror.

Sometimes that was enough. Sometimes the victim got suspicious and called the support number on the fake page, which was answered by the operation, which then offered to "help" by taking over the account by screen-share.

The mirror was the whole machine. Everything else was furniture.

III. The pipe

Once the operation had the crypto, it moved.

The ED's complaint describes a routing pattern that is now standard in this kind of case. The stolen assets were sent through multiple wallets to break the chain. Some were swapped into other tokens to obscure the trail. Then the assets were sold peer-to-peer for Indian rupees, which is to say sold directly to individual buyers off any regulated exchange, the way you might sell a used car on a classified site.

The rupees, the ED alleges, were then used to buy property. Real property. Buildings. Land. A holding company. The two corporate defendants, Tomar Group of Industries Private Limited and Exahomes Realtors, sit at the end of that pipe in the ED's telling. The crypto became apartments. The apartments became collateral. The collateral became a life.

The ED's attachment of ₹64.55 crore is what regulators recovered along that pipe. The alleged loss is $20 million. The reader can do the math. Most of the money is not in the attachment order. Most of the money has already become something else, or someone else, or nothing at all.

IV. Marcus, again

Marcus did not know any of this in 2023. He knew that he called Coinbase's actual support number, the real one, after the screen-share call ended, and that the real support told him the login had come from a device he did not own. He knew that the wire had cleared and the chain transaction had finalized and that the network does not have an undo button. He knew that the local police took the report and told him, gently, that they did not have the tools.

The FBI did. The case eventually rolled up into the federal prosecution that produced Chirag Tomar's guilty plea. Marcus was one name in a victim file that, per US filings, includes hundreds of people. The North Carolina victim publicly identified in that case lost over $240,000. Marcus's number was smaller. The shape was the same.

He stopped checking the app. He stopped talking about it at the job site. When his daughter asked about Christmas he said money was tight and did not say why. That part may be the saddest. The fraud took the money. The shame took the conversation.

V. What the mirror keeps doing

The reason this case matters past Chirag Tomar is that the mirror is not a person.

A spoofed-login operation is a template. It needs a domain, a hosting account, a phone bank, a payment rail out, and somebody on the other end who knows how to convert crypto to local currency without leaving a usable signature. None of those pieces are scarce. The US conviction took one operator off the board. The ED's complaint, if it holds, attaches roughly a third of the alleged proceeds and names the corporate vehicles that absorbed them.

That is the public-record posture. Chirag Tomar's US conviction is adjudicated. The ED complaint is an allegation, and an allegation is not a finding. The other named individuals are entitled to the presumption of innocence in Indian court.

What is not in dispute is the machine's design. A page that looks like the page you meant to visit. A voice that sounds like the voice you meant to call. A cursor that moves like you asked it to. The mirror works because it is built from the surfaces you already trust.

Marcus typed his password into a page that did not exist.

He just did not know which page was the real one.