Oxford student jailed over cryptocurrency scam

An Oxford student has been jailed for four and a half years after stealing over £2 million in a cryptocurrency scam. 

Wybo Wiersma, a PhD student from Goredijk in the Netherlands, was studying at the Internet Institute of St Cross College when he set up a website, iotaseed.io, under a false name. The website generated ‘seeds’, passwords made of what users believed to be entirely randomised strings of 81 characters. The seeds are necessary to use Iota, a type of cryptocurrency, and Julian Christopher KC told the court “Anyone who knows the seed can access, and so can transfer and trade the Iota crypto”.  

Wiersma’s website led users to believe the seeds it generated were entirely random. However, they were in fact predetermined, owing to the malicious code that was written into the site. Wiersma was therefore able to access each one. Since those who have the seed have the power to transfer Iota, Wiersma was then able to steal funds by transferring them into his own accounts. He subsequently converted them into Bitcoin and another cryptocurrency known as Monero using the cryptocurrency exchange website Bitfinex on January 19, 2018. 

Bitfinex quickly became suspicious of the activity on the accounts and froze them, requesting identification. Wiersma provided them with photographs of two obviously fake passports. One passport, supposedly from Belgium, had an incorrect outline of the country evident in the document. The other photograph was of a man allegedly called ‘Jason’ holding an Australian passport, which was also proven to be fake. 

The accounts on Bitfinex remained frozen, so Wiersma pivoted to another crypto exchange called Binance and opened five more accounts. These were also quickly frozen, and he provided another photograph for identification of a man holding a fake British passport. 

By 2018, a number of victims of the iotaseed.io site had reported their stolen funds to German police, who traced the crime to the UK and passed the case to the South East Regional Organised Crime Unit’s cyber crime unit. They managed to trace the crime to Wiersma “when it became apparent that he and he alone had used the same virtual private network to access his own Bitfinex account”, leading authorities to the four other accounts which had received stolen funds.

British police then raided his home in Oxford in January 2019, by which time he had dropped out of his PhD studies at St Cross. Finding his desktop computer opened, they were able to track his activities. In interviews, Wiersma claimed his computer had been hacked. When questioned about the malicious iotaseed.io website, he answered “no comment”, and was eventually released without charge, returning to the Netherlands. 

However, detectives continued their investigation, and found that the pseudonym Norbert van den Berg (used to set up the original malicious website) had also appeared in Wiersma’s university coursework. They were also able to connect his virtual private network to a payment made in Bitcoin that was used to set up the seed-generating website. Although unable to access another laptop, six hard drives, two USB sticks, and a memory card seized in the raid, prosecutors were still able to charge Wiesma and he was arrested on Christmas Eve 2020 in the Netherlands. 

Sentencing Wiesma to four and a half years in prison after he pled guilty in Oxford Crown Court on Friday afternoon (27th January), Judge Michael Gledhill KC said: “You are an expert in IT and computer sciences… The fact of the matter is that you decided to abuse your skills in order to steal. This is dishonesty at the highest level.”

“Why did you commit these offences? Greed and dishonesty are the two words that readily come to mind”. 

Image description: Blackwell Quadrangle at St Cross College, Oxford

Image credit: Brian Fence – Photo taken from Brian Fence's Digital Cameranie, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7339755