The complaint, submitted to a Special Court in Dwarka, New Delhi on June 15 and 16, 2026, invokes the Prevention of Money Laundering Act (PMLA) of 2002. It names Chirag Tomar, who is currently serving a five-year federal prison sentence in the United States with two years of supervised release to follow, as the primary defendant. The ED has provisionally attached assets worth approximately 64.15 crore rupees, including nine immovable properties across Delhi and bank accounts. Investigators separately traced approximately 64.55 crore rupees (roughly $7.7 million USD) in Indian proceeds connected to the scheme. Two corporate entities, Tomar Group of Industries Pvt. Ltd. and Exahomes Realtors, are named as defendants in the complaint.

How the Scheme Worked

Tomar and his co-conspirators built a fake version of the Coinbase Pro trading platform. They registered the domain CoinbasePro.com, a URL that looks nearly identical to the legitimate pro.coinbase.com, then used search engine optimization techniques to push it toward the top of organic search results. Victims who typed "Coinbase Pro" into a search engine could easily land on the fraudulent page, enter their real login credentials, and hand them directly to the attackers. In one documented case, a North Carolina resident lost more than $240,000 in February 2022 after being directed to the fake site.

From there, the operation ran a fake customer support line. Victims were told their accounts had been locked and were encouraged to call in. Operators on the line then used social engineering and remote desktop software to extract one-time passwords and account recovery links, effectively bypassing two-factor authentication. Stolen cryptocurrency was moved through what TRM Labs described as a circuitous network of nonmonetary transactions across multiple wallets before being converted to Indian rupees via peer-to-peer (P2P) transactions, a method that bypasses the know-your-customer checks required on regulated exchanges. Funds were then deposited into personal and business bank accounts, and a portion was used to buy property in Delhi.

The Eight Defendants

The ED prosecution complaint names six individuals: Chirag Tomar, Pankaj Tomar, Kushagra Shakya, Akash Vaish, Rahul Anand, and Ketan Luthra. It also names two entities: Tomar Group of Industries Pvt. Ltd. and Exahomes Realtors. The inclusion of a real estate company as a named defendant in a PMLA complaint is significant. It signals that the ED is treating property acquired with stolen funds as a direct instrument of laundering rather than merely an incidental purchase.

Chirag Tomar was arrested by US authorities at Atlanta's Hartsfield-Jackson Airport in December 2023. FBI investigators identified him through an email account registered under his real name that appeared in communications with co-conspirators. He pleaded guilty to wire fraud conspiracy in May 2024. US District Judge Kenneth D. Bell sentenced him to 60 months in prison in October 2024. Court records note the proceeds funded Audemars Piguet watches, Lamborghinis, Porsches, and travel to Dubai, Thailand, and London. Evidence submitted at trial included a spreadsheet documenting victims and theft amounts, and investigators found that Tomar's internet search history contained queries for "fake coinbase page" and "coinbase scam."

Cross-Border Enforcement Mechanism

The Indian prosecution was made possible in large part by the Mutual Legal Assistance Treaty (MLAT) framework, which allows countries to formally share evidence and legal assistance across jurisdictions. The ED used MLAT channels to obtain evidence gathered during the US federal investigation, then built a parallel domestic case covering defendants and asset flows that fell outside the scope of US charges.

The ED said in an official statement that "further investigation is ongoing to trace the complete money trail and identify additional assets purchased with the proceeds of crime." The agency also issued a public advisory urging people to avoid clicking on unverified links and to never share passwords or one-time passwords in response to unsolicited contact.

Regional Context

This case carries implications well beyond one fraud ring. India's cyber fraud losses reached 22,845 crore rupees in 2024 alone, a 206 percent increase over the prior year, according to data from CoinIndex India. Impersonation scams, the category covering exchange spoofing, grew 1,400 percent year-over-year globally in 2025, per the Chainalysis 2026 Crypto Crime Report, which also estimated total global crypto scam and fraud losses at $17 billion in 2025. Cumulative crypto scam losses in India since 2015 are estimated at around 72,000 crore rupees (approximately $8.6 billion), per CoinIndex India.

The P2P conversion method used here is also a known vulnerability in markets across sub-Saharan Africa, where peer-to-peer crypto trading volumes are among the highest globally, per Chainalysis, and regulatory infrastructure for tracing off-ramp flows remains limited. The MLAT approach India used could serve as a direct template for financial intelligence agencies in Nigeria, Kenya, and Ghana pursuing similar cross-border cases with US connections.

What Comes Next

The ED's FY2025-26 enforcement numbers suggest this case is part of a broader institutional shift rather than a one-off action. The agency filed 812 chargesheets in the fiscal year, nearly double the prior comparable period, reported a 94 percent conviction rate, and returned 63,142 crore rupees to fraud victims during the same period. ED Director Rahul Navin said in May 2026 that crypto fraud has become one of the agency's primary enforcement focus areas alongside terror financing and narcotics, noting that stronger regulatory frameworks have stabilized more traditional sectors.

For crypto users in South Asia, particularly those newer to the space who are more likely to rely on search engines to navigate to exchange platforms, the practical lesson from the Tomar case is immediate: always navigate directly to exchange URLs rather than through search results, and treat any unexpected account lockout notification followed by a support call as a red flag for this exact type of attack.