WHAT HAPPENED
On May 6, 2026, U.S. District Judge Colleen Kollar-Kotelly sentenced Marlon Ferro, 20, of Santa Ana, California — known online as “GothFerrari” — to 78 months in federal prison following his guilty plea to one count of conspiracy to participate in a racketeer influenced and corrupt organization. Ferro was also ordered to pay $2.5 million in restitution and serve three years of supervised release. Ferro was a member of the Social Engineering Enterprise — the same multi-state criminal organization CDW covered in Alert 006 — which stole more than $250 million in cryptocurrency from victims across the United States between late 2023 and early 2025.
WHY IT MATTERS
CDW subscribers know this enterprise. In Alert 006 we covered the RICO charges against Malone Lam and the broader organization. Ferro’s sentencing is the latest chapter in the same investigation — and it introduces something none of the previous alerts covered.
This enterprise had a hardware wallet problem.
Hardware wallets are widely regarded as the gold standard for protecting cryptocurrency from remote theft — and for good reason. Because the device stores private keys offline, internet-based attacks cannot reach them.
But this enterprise found a different way in. Every hardware wallet comes with a seed phrase — a sequence of 12 to 24 words that can be used to recover the wallet if the device is lost or damaged. In the wrong hands that seed phrase provides complete access to the wallet’s contents — no physical device required. According to the indictment, the enterprise’s callers specifically targeted victims’ seed phrases through social engineering calls and by searching victims’ cloud storage accounts. When they obtained a seed phrase that way the physical device was irrelevant — the funds were accessible without it.
When no seed phrase could be found digitally — meaning the victim had only written it on paper somewhere in their home — that’s when the enterprise sent Ferro.
In February 2024 Ferro traveled to Winnsboro, Texas, broke into a victim’s home, and stole a hardware wallet that controlled access to approximately 100 Bitcoin — valued at more than $5 million at the time. He then laundered the stolen funds through cryptocurrency exchanges.
In July 2024 Ferro flew to New Mexico. He surveilled a residence for several days, positioning a cell phone outside the home to monitor the victim’s movements. Enterprise members tracked the victim’s location through his iCloud account and alerted Ferro when he left. Ferro broke into the home by smashing a window with a brick. He was captured on the victim’s home surveillance camera.
The indictment does not specify exactly how Ferro accessed the contents of the stolen devices — that level of detail is not in the publicly available court record. What the indictment does confirm is that the funds moved. Access was obtained by some means — whether through a seed phrase found during the burglary, through prior social engineering of the victim, or through some other method the public record does not disclose.
That sequence — sophisticated digital surveillance, iCloud tracking, and a man smashing a window with a brick — captures something important about where cryptocurrency crime is heading. The digital and physical threat vectors are converging. The enterprise didn’t choose between hacking and burglary. It used both, deploying whichever worked against each individual target.
The security lesson this case teaches is straightforward: a hardware wallet is only as secure as the secrecy of your seed phrase. Where you store that backup, and who knows it exists, matters as much as the device itself. If your seed phrase is written on paper in your home, stored in a document on your computer, or saved anywhere in your cloud accounts — it is potentially accessible to an enterprise willing to send someone through your window to find it.
Ferro’s role extended well beyond burglary. He was also a key money launderer — using fraudulent identification documents obtained from a foreign national to open a digital payment card account on a geo-blocked platform. A geo-blocked platform is a financial service that deliberately restricts access to U.S. users to avoid American regulatory oversight and compliance requirements. By using a foreign national’s identity to pose as a non-U.S. person Ferro bypassed those restrictions entirely, giving the enterprise a payment mechanism that operated outside the U.S. financial system’s anti-money laundering infrastructure. He spent more than $255,000 in designer clothing on behalf of co-conspirators. He arranged the purchase and shipment of Hermès Birkin bags for a co-conspirator’s girlfriend. After Malone Lam was arrested in September 2024 Ferro collected hundreds of thousands of dollars in cryptocurrency from enterprise members, converted it to cash through illicit exchanges, and used the proceeds to pay Lam’s attorneys. He was arrested on May 13, 2025, found in possession of two firearms and a fake identification document.
This is the first sentencing CDW has covered from this enterprise. The investigation is ongoing. More sentencings are coming.
WHO SHOULD PAY ATTENTION
If you hold significant cryptocurrency on a hardware wallet the device itself is only part of your security posture. Who knows you hold cryptocurrency? Who knows approximately how much? Where is your seed phrase stored? If your seed phrase is written on paper at home, saved in a cloud account, or stored in any document accessible to others — your security is only as strong as the physical security of that backup and the secrecy of your holdings.
If you have ever discussed your cryptocurrency holdings publicly — on social media, in forums, at industry events, or with people you don’t fully trust — understand that this enterprise conducted systematic target identification before deploying anyone physically. Database hackers compiled lists of individuals with significant cryptocurrency holdings. You may have already been identified as a target without knowing it.
If you provided any services to this enterprise — burglary, money laundering, document fraud, logistics, or any other support — and have not yet been contacted by investigators, understand that this investigation has produced multiple guilty pleas and is still active. The net continues to expand.
DEFENSE NOTE
The Social Engineering Enterprise investigation continues to produce sentencings. Multiple guilty pleas have now been entered in this investigation and more sentencings are expected. A co-defendant recently received 70 months. Ferro received 78 months. The sentences are substantial and the enterprise’s peripheral participants — money launderers, logistics providers, document fraudsters — are being charged and sentenced alongside the core operatives. If you have any connection to this enterprise, do not assume that because you haven’t been contacted the investigation has moved past you. It hasn’t. Get counsel now. Zerillo Law Firm handles federal crypto matters — contact us at zerillolaw.com.
Source: U.S. Attorney’s Office, District of Columbia, May 6, 2026
About the Author
Michael J. Conley is a former federal prosecutor with nearly 25 years in federal law enforcement. He served as an Assistant U.S. Attorney in the District of Maine and as Chief of the Criminal Division for the U.S. Attorney’s Office in the U.S. Virgin Islands. He secured one of the first federal convictions in the country for operating an unlicensed Bitcoin money service business — a landmark prosecution that helped establish Bitcoin as money under federal law at a time when that legal question remained largely unsettled. He is Of Counsel at Zerillo Law Firm, where he focuses on federal cryptocurrency criminal defense. Contact the firm at zerillolaw.com