From (Mine)Craft to Con(Man)
Minecraft’s First Cyber Kingpin and the Community that Bore him.
On September 23, 2024, a TikTok video taken earlier in the month at the LIV Nightclub in Miami Beach went viral. Future blares in the background, bottle girls hoist LED light-boxes above their heads, and a confused club-goer asks an important question about the name plastered across every wall and sign in the club that night: “Who the fuck is Malone, y’all?!”
Who was this Malone, who had, purportedly, spent up to $500,000 that night on an exorbitant bar tab?
She wasn’t the only one asking that question. Over the course of the preceding month, the FBI had quietly launched an investigation in pursuit of an answer. The government’s answer came in the form of an arrest and an indictment, unsealed the week prior on September 19, 2024.
The U.S. Attorney’s Office of DC charged Malone Lam (aka “$$$,” “Anne Hathaway”), a 20-year-old LA and Miami based Singaporean national, and Jeandiel Serrano (aka “VersaceGod,” “@SkidStar”), a 21-year-old based in LA, with conspiracy to commit wire fraud and launder a monetary instrument (18 USC §1349, §1956(h)), alleging that the pair conspired to steal and launder 4,100 Bitcoin, or over $230 Million, from one victim in August of 2024.
Andy Greenberg, a senior cybersecurity writer at WIRED, described the incident as “perhaps the biggest known crypto heist ever to target an individual.”
Malone, in particular, received substantial media attention in the following days and he became a meme overnight. Numerous videos of the (at the time) unknown (and underage) fraudster spending hundreds of thousands of dollars across clubs in Miami and LA gained media traction. Although Malone (and various club promoters) had posted actively at the time of their outings, what remains online is of dubious veracity (at best).
A year earlier (circa 2023), it is unlikely that Malone Lam would have ever been spotted in a nightclub. He would have been found at a computer all day. He was still playing Minecraft, where he met his co-conspirators. Yet, only one year later, he had graduated from Minecraft to a whole new world: operating a complex cybercriminal enterprise.
A quick aside on what Minecraft is (for those who may not know):
Launched in 2011, Minecraft is the best selling video-game in the world, with over 300 million copies sold as of 2023. If you don’t know the game, you probably know of the movie. (Or this algorithmic abomination). Beneath the low-tech surface, however, is a complex game. It is simultaneously a sandbox game (think: high degree of freedom) and a MMORPG (Massively Multiplayer Role-Playing Game). Independent users can host servers and modify them in various ways. Because of the games outsized cultural impact (behind “music” it was the second most searched term on YouTube in 2014), each of the core elements of the Minecraft community—the creator economy, server hosting companies, servers, modification and plug-in creators—are massive industries with their own deep subcultures.
In fact, Malone Lam and his co-conspirators were all known entities within a once popular Minecraft subculture, the “factions” community, as longtime players of a flagship server CosmicPVP.
Okay, and here is where (for me) a strange story becomes stranger.
In 2021, in the thralls of quarantine, across a period of nearly six months of virtual school, I did very little besides play an obscene amount of “competitive” Minecraft, largely on CosmicPVP. What competitive means here, to be clear, are communities with a high degree of self-organization (usually on Discord) that play a deeply modified, highly technical version of Minecraft with custom coded items, perks, and environments. Although I never played with, or (to my knowledge) ever communicated with the co-conspirators, I was aware of both Lam (aka “Greavys”) and Serrano (aka “Boxhaha,” “Box”) as top players within the Cosmic community.
Now that most of the dust from the initial indictment has settled, and most of the charging documents are unsealed, I hope that I can add from my firsthand knowledge of this digital subculture to the discourse on this scheme… before it inevitability fades fully out of public consciousness as a piece of internet ephemera.
Therein, I hope to provide a better profile of the co-conspirators in the build-up to the investigation into their malfeasance by exploring the underbelly of competitive Minecraft, where low scale criminal and highly unethical behavior is communally normalized. Although Minecraft generally earns favorable media coverage, and the relationship between the game and criminal activity is indirect, I hope to provide a more nuanced look at how even video game communities oriented towards children can serve as a key pathway from cyber deviance (norm violating behavior) to outright criminality.
Now that all that is out of the way… buckle up.
First, I will cover how a series of apparent coincidences put the criminal conspiracy on the radar of government investigators before explaining the anatomy of the theft. Next, I will reflect on the broader criminal scheme, as documented by a more recentsuperseding indictment. I will conclude by turning to the documented activities of the co-conspirators as players in Minecraft, to document their journey from “Craft to Con.”
Coincidence Doesn’t Happen a Third Time
(or) 偶然は三度は起こらない — Osamu Tezuka
To add to the absurdity of it all, the conspiracy was uprooted so quickly because of what (initially) appeared to be a series of highly unusual coincidences involving (in reverse chronological order) free Birkin Bags in LA, an attempted kidnapping in Danbury, CT, and an anonymous, Bitcoin Investigating Influencer.
Let’s start at the beginning with ZachXBT, (said influencer) an independent blockchain investigator who is generously profiled by WIRED.
On August 19, 2024, while in an international airport, ZachXBT received a notification from a tool used to monitor unusual transactions on global cryptocurrency exchanges. The first ping notified him of a transaction >$500,000, highly unusual for any exchange, before “another ping alerted him to a second transaction on the same exchange worth more than $1 million. Then one for $2 million.”
Racing the clock to the runway, and the ensuing Wi-Fi blackout, ZachXBT traced the transactions to a relatively illiquid wallet based in Washington DC that had been active since 2012. Just hours earlier, the wallet had held $238 million in Bitcoin. Then it had $0. He posted his findings in hopes of notifying the victim.
According to the New York Times, over the following days, “ZachXBT noticed that the victim had received bankruptcy payouts from Genesis, a lending platform, which filed for bankruptcy in 2023, related to the collapse of Sam Bankman-Fried’s FTX.” Alongside his collaborators, ZachXBT got in contact with the victim and was subsequently hired to continue his investigation. The victim also filed a report with the FBI’s Internet Crime Complaint Center.
Around this time, on August 25, 2024, a second highly unusual, and at the time unrelated, incident occurred in Danbury, CT. While house-hunting in a matte gray Lamborghini Urus, Sushil—a VP at Morgan Stanley—and Radhika Chetal were carjacked and kidnapped.
While awaiting an open house in a gated community, a Honda Civic slammed into the bumper of the Chetal’s Urus, and a van pulled in front of the car. The couple were bound and put in the back of the van.
The Danbury local paper, NewsTimes, first reported the unusual incident the following day. Namely, that the would-be kidnappers, six Floridian men aged 18-26, were quickly apprehended thanks to off-duty officers. The police, however, struggled to find a clear motive: kidnapping is already a highly unusual occurrence in Danbury, but these kidnappers had all but abandoned the Chetal family’s Lamborghini, and left the couple tied up to flee police. The attack appeared targeted, but why? Who was the target?
And then, the key to unlocking the whole conspiracy, more or less, fell into ZachXBT’s lap.
The same week as the kidnapping, ZachXBT persuaded a source to share a 90-minute screen-capture that had come into their possession, a video that depicted the entire theft (henceforth called the “Genesis Wallet Theft”), and the voices of the hackers as they celebrated their unprecedented heist. The video was obtained by the source when one of the co-conspirators (unbeknownst to the others) shared the screen-capture with another group via Discord call.
Beyond the ninety-second clip released by ZachXBT, the video was a treasure trove. It depicted the co-conspirators referring to each other by their first names, and one even doxxed himself, revealing his name by flashing the start menu on his Windows computer.
This co-conspirator was Veer Chetal (aka “Swag,” “Wiz”), a 19-year-old incoming freshman at Rutgers University, and the son of Sushil and Radhika, from CT.
Chetal had known Lam for many years, and had first known him as “Greavys” from CosmicPVP. He had participated willingly in the theft…and then his parents were kidnapped.
And suddenly, the blocks began to fall into place, loosely tying a kidnapping in CT carried out by Floridians to a massive crypto theft in Washington DC.
Now that ZachXBT had tracked the theft to Chetal, he used open source investigative techniques to track Chetal, and then Lam, and then Serrano, from their public social media accounts, which detailed their lavish lifestyles in Miami and LA.
ZachXBT was then able to attribute Malone Lam and company to the third unusual coincidence.
On September 8, 2024, Olivia Allen posted on TikTok about receiving a lime green Hermès bag in an LA nightclub. Two days later, Influencer and OnlyFans model SkyBri posted a story time on TikTok. She too had received a Birkin bag, from a “random kid” at the Keys Nightclub.
It was, in fact, Lam who had gifted the “purses worth between $30,000 and $50,000 each” to numerous influencers and ordered the bottle service signs that read “WHO WANTS A BIRK.” Lam’s spending spree continued uninterrupted for four weeks, as recently unsealed court documents allege that between Aug. 19 - Sept. 10, Lam and his co-conspirators “spent over $4,000,000 in stolen virtual currency at Los Angeles nightclubs” (p. 21).
After Lam was arrested in Miami, ZachXBT released the full details of his investigation to his followers. This information, more or less, forms the core of the DOJ indictment.
Nonetheless, there was one major discrepancy between ZachXBT’s manual reconstruction of the Genesis Wallet theft, the indictment, and the ensuing press coverage of the alleged hackers: the absence of Chetal.1
For Zach, Chetal was the key to unlocking the whole crime. Why, then, was Chetal not charged alongside his co-conspirators?
The Anatomy of the Theft
Thanks to the All Powerful Passage of Time, (and the unsealing of sensitive legal documents) we now know with certainty: Chetal took a plea deal.
Even to federal investigators, Chetal’s story was the key to understanding the Genesis Wallet Theft as connected to a far larger criminal conspiracy to steal and launder crypto currency.
The FBI had raided Chetal’s New Jersey apartment earlier in the month, on about September 9, 2024. He was appointed counsel that week, and began providing information on his co-conspirators.
Only one day earlier, on September 8, Lam appeared at the top of the world, untouchable, giving out Birkin Bags to club-goers in LA. For Chetal, the next morning was probably the worst of his life: waking up to a strongly-worded coffee chat with the FBI folks in windbreakers. And only a week (or so) later, Lam’s fortunes would change too. With police on their way to arrest him, Lam walked out to the dock of his rental home in Miami and dropped his phone into Biscayne Bay.
Lam was done for. The enterprise, on the other hand, was not done.
This section will cover the anatomy of the Genesis Wallet Theft, as alleged by the government across a “Statement of Offense” in support of Chetal’s plea in November, 2024. Although Chetal’s plea deal was initially sealed, these documents were released (and his deal was revoked) after he was caught a second time, for stealing $2 million in cryptocurrency on October 21, 2024, “through a nearly identical scheme as the [Genesis Wallet] theft detailed in the defendant’s plea agreement.”
It is in this document, which further illustrates Chetal’s malfeasance, that the government clearly lays out its understanding of the enterprise responsible for the theft.
Scope: November 2023 — (at least) September 2024
Although Lam, Chetal, and Serrano had secured an unprecedented payday with the Genesis Wallet Theft in August, the government alleged that the three young men had conspired with others to operate a criminal Social Engineering (SE) Enterprise between November of 2023 and at least September of 2024.
As defined on p. 4 of the Statement of Offense:
“Social engineering is a term used to describe a fraud scheme where criminal actors impersonate employees from trusted companies, send spoofed emails and websites, or employ related techniques designed to convince a victim to disclose valuable personal information that can be exploited for profit”
In the world of cybersecurity, SE is a low-level technical scheme, requiring only minimal coding skills or background with hacking.
Chetal and Serrano participated as “callers” or “se/ers,” pretending to represent technical support or security teams at tech companies including Google. They used case-correct area codes, phone numbers, and faked emails to spoof, or legitimate their identity as representatives of the company. Lam, on the other hand, provided breached databases with target information to the callers, and would send fake account and security alerts to these targets, legitimizing the call from Chetal or Serrano. Later, Lam would pursue “remote access” of a would-be victim’s device, allowing him to search its contents for passwords and photos.
Once they convinced their victim to give them (1) remote access or (2) their account password, they could search for the wallet addresses and seed phrases (essentially back up/recovery phrases) on the victim’s computer to access their crypto holdings.
When it comes to the alleged Genesis Wallet Theft, the Government documents how the wallet holder fell victim to the social engineering scheme, and alleges that the trio then laundered the $238 Million using common crypto-laundering techniques such “as changing Bitcoin in the XMR Monero [Exchange], using peel chains, pass through wallets, and cryptocurrency exchange platforms that do not require detailed know your customer (“KYC”) information” (p. 7).
And on September 9, 2024, when the FBI raided Chetal’s New Jersey Apartment they would find—sitting there—a crypto wallet with $37 Million in laundered cryptocurrency
Prior to the Genesis Wallet Theft, the government alleges that Chetal had participated in defrauding “approximately 50 victims,” and was compensated for his participation to the tune of $3 million dollars (p. 9).
Although federal investigators had reconstructed the SE Enterprise that it took to orchestrate the Genesis Wallet Theft, they would further charge Lam and 12 others for a much larger criminal crypto-conspiracy, henceforth called the Lam Enterprise, in a sweeping 42-page superseding indictment.
An Enterprising Lot
Although I have, thus far, covered what initially entered the public record as the “Genesis Wallet Theft,” the superseding indictment, which became public in April, 2025, dramatically expanded the case against Lam to include 12 new co-conspirators, 7 defrauded victims, and charges for residential burglary and obstruction of justice — reflecting the far broader scope of criminal activity than initially charged.
Rather than recounting every new incident, in its entirety, in a case that is still being litigated, here is what you need to know about the indictment.
First and foremost, the indictment alleges that the Lam Enterprise carried out as many as six other frauds prior to the Genesis Wallet Theft. Although the conspiracy began around October of 2023, the Government’s first alleged fraud occurred in March, 2024. Between March and June, the Enterprise defrauded three victims for a total just shy of $4.4 million USD in crypto-holdings. In July, 2024, the Enterprise successfully targeted three further victims, from whom they stole over $15.75 million USD.
Federal investigators allege that the Lam Enterprise was highly organized and stratified, with each co-conspirator serving in up to two roles within the organization. In addition to the original (here unnamed) co-conspirators besides Lam, the superseding indictment alleges a wider criminal enterprise involving additional “Callers” and six new “Launderers,” who helped clean fraudulent gains into usable fiat currency.
Second, in the superseding indictment the interest of the investigators shifts from wire fraud (the SE fraud itself) to documenting the complex crypto-to-wire laundering scheme established by the Lam Enterprise.
This new information describes how Lam and his initial unnamed co-conspirators (likely Chetal and Serrano) began to develop relationships with money exchangers in Texas and LA as early as the end of 2023, to launder $10-50,000 in stolen currency.
From then onwards, the laundering network engaged by Lam expanded dramatically, to facilitate the laundering associated with the thefts from Victims 1-6, allowing the SE Enterprise to clean millions of dollars, up to increments of $500,000 per exchange. The Lam Enterprise’s goal was to obfuscate any tie between the fraudulent gains and find suitable, or “clean” crypto (and physical currency) to “re-enter” the economy.
In turn, over time, the Enterprise came to include a “sophisticated virtual currency money laundering ring” capable of crypto-to-wire and crypto-to-cash payments (p. 16). Exchanges on behalf of the enterprise happened in Florida, California, and the Maldives, for a fee paid to the launderers anywhere between 7-20%.
Given the string of (oh so) obscene, (oh so) public expenditures tied to Lam in the weeks following the Genesis Wallet Theft, it is particularly interesting to learn that the conspirators went to great lengths to clean their currency and hide their ill-gotten property.
For example, Lam used intermediaries and “straw signers,” third-parties who sign for and hold legal titles, to secure rental properties. In March, 2024, Lam used fake identities and documents to rent a 7,000 Sq. ft. house in Encino, California and, in August, the Enterprise laundered $3 million for the purpose of securing a secondary rental home in LA. The indictment alleged (p. 15) that between Jan. and Sept. of 2024, another conspirator was responsible for placing “various rental homes in false names, listed fictitious tenants, and paid deposits in large cash sums, in excess of hundreds of thousands of dollars, in order to disguise and conceal the true ownership of the rental homes.”
Lam also used a fictitious holding company, Crypto Administration LLC, to purchase thirty supercars from a dealership using illegally laundered cryptocurrency. He used the company to hold the titles for thirty cars, ranging in price from $100,000 - $3.8 million, to hide the true ownership of his collection from investigators.
When the conspirators needed to send fiat currency, duffels of cash, they sent Squishmallow® plushies stuffed with cash in increments of $25,000. When the Lam Enterprise sacrificed adorable anthropomorphic plushies to hide their financial transactions (or to please the Labubu Gods®), they did so in furtherance of a criminal conspiracy.
All told, even after Lam was arrested, the Enterprise was able to use his hidden assets to fund his defense. Some members, namely Tucker Desmond (who was only charged with obstruction of justice), also coordinated with Lam after he was arrested in September, 2024, to profit off of his notoriety, working on a Malone Lam “meme coin” and a documentary to distance Lam from the fraud.
Racketeering in a Bitcoin Operation
Ultimately, from a legal perspective, perhaps the most interesting part of the indictment is not the sheer absurdity of the Lam Enterprise, but rather how it was charged: the superseding indictment charges the defendants under 18 USC §1962(d) aka RICO (Racketeer Influenced and Corrupt Organizations) Conspiracy.
While not a total anomaly, it is a significant deviation from the precedent to see a law historically used against organized crime used to prosecute a group of teenage crypto fraudsters.
Going forward, however, TRM Labs—a cryptocurrency intelligence firm—argues that the use of RICO law against the Lam Enterprise may signal a meaningful shift in approach by law enforcement, towards considering “what may look at first like a string of isolated hacks, wallet thefts, and laundering schemes” as “part of a coherent, ongoing criminal enterprise—complete with assigned roles, coordination across jurisdictions, [and] shared proceeds.”
The legal basis for using RICO against Bitcoin enterprises is best enumerated in an article by Andrew R. Klimek in the Washington & Lee Law Review, entitled “Reinvesting in RICO with Cryptocurrencies: Using Cryptocurrency Networks to Prove RICO’s Enterprise Requirement” (2019).
Klimek argues that RICO law allows prosecutors to circumvent some of the complexity of proving cyber fraud by framing these activities as the racketeering activities of an enterprise, two broadly interpreted legal terms which cover fraud carried out by legitimate and illegitimate organizations. As applied to the Lam Enterprise, RICO conspiracy allows prosecutors to better capture the full scope of underlying criminal conduct tied to carrying out the charges of money laundering and wire fraud.
According to the TRM Labs Blog, this will allow the government to focus on the increasing convergence of “on-chain financial crime converges with real-world” threats and violence:
What begins with the compromise of digital credentials can escalate into physical surveillance, intimidation, and home invasion. Sophisticated laundering strategies—including the use of mixers, VPNs, and shell entities—are increasingly paired with coercive offline tactics to access and monetize digital assets.
The Lam Enterprise was not, wholly, without its coercive offline tactics. Marlon Ferro, for example, allegedly participated in the frauds as both a money launderer and a burglar. In July, 2024, after the Enterprise singled out Victim 4 as a viable target of their fraud, Ferro traveled to New Mexico and recorded himself breaking into the victim’s house in search of a virtual currency hardware wallet, a physical device akin in appearance to a USB drive.
TRM describes this activity as a type of wrench attack, “a situation where physical force or intimidation is used to compel a victim to surrender access to their cryptocurrency holdings.” This was likely the case as well when Chetal’s parents were kidnapped in Danbury.
The use of a wrench attack by (and against) the conspirators likely, further, factored into the government’s description of the conspiracy as an enterprise.
If the RICO case against the Lam Enterprise succeeds, it is likely that we will continue to see the law deployed as a tool by federal investigators and prosecutors.
The Kingpin on Minecraft
Now that we’ve covered the Genesis Wallet Theft and the Lam SE Enterprise in full, let’s return to Minecraft.
You might reasonably be thinking: Why Minecraft again???
Well, because, according to Chetal’s plea deal he initially met his co-conspirators, Lam and Serrano, playing Minecraft.
In this section, I hope to dive into the poorly documented, but substantive digital footprints of the three initial conspirators on CosmicPVP, to give you a better impression of how an otherwise innocuous subculture of Minecraft, an otherwise innocuous game, might serve as a gateway into a world of cyber criminality As a longtime Minecraft player, and a one-time patron of CosmicPVP, I hope to demonstrate how exploitative server features, a flourishing “grey market,” and a competitive culture contributed to a community where low-scale criminal conduct was well-documented and frequent.
Although little can be said (with absolute certainty) about the activities of the co-conspirators on CosmicPVP and beyond, here is what we do know.
Chetal, who used the screen name “Wiz,” was a popular CosmicPVP YouTuber active between 2021-2022. There is, perhaps, no better introduction to the immersive experience and competitive community on CosmicPVP, than from one of the conspirators himself:
Not only do these videos depict him as a top player over the course of a year, with many expensive items and weapons to his name across various maps, but they substantiate that Chetal met, and interacted with, Lam on CosmicPVP. Indeed, the very first name featured in Wiz’s above video, “Greavys123,” is none other than his future co-conspirator: three years before the two would conspire to steal a quarter billion dollars of crypto, they would meet as players in enemy factions.
According to SeanYT, a longtime CosmicPVP player and YouTuber, Serrano (“box”) was the least well known player of the three, preferring to play on alternate accounts, but was a “Whale,” or a top financial contributor to the server who made his money through dishonest means:
“Box is a big Sim swapper in the community. This is not like Insider information, this isn't brand new, every fucking server owner knows this, okay, and I'm sorry but a lot of the servers don't give a shit and they just they just take the money anyway.
Although there is no evidence supporting the veracity of this claim, it is worth noting, in light of the scarcity of public information about Serrano’s digital life prior to the conspiracy. Today, Sim Swapping fraud is an increasingly popular fraud for the Minecraft-borne hacking community, allowing fraudsters with limited technical knowledge to hijack a victim’s phone number and access more sensitive information (such as a bank log in).
Then, of course, there was Lam, who was infamous within the Minecraft factions community as one of the top factions players, and a noted scumbag.
For Lam, in particular—who dropped out of school in the eighth grade—there is very little documented about his life besides Minecraft. In fact, he had only stopped playing the game sometime in 2023, only months before he began his life as a cyber criminal.
As early as 2017, when Lam was only 12 or 13, Greavys was first named in a YouTube video simply called “Greavys Cheating.” He appears again, in 2020, on record breaking the server rules by trapping and killing one of his faction-mates in a video simply called “greavys scumming imagine.” Then again, in 2022, Lam appears in a video accusing him of scamming another player of cryptocurrency for $400 million in-game currency. And finally, the very last video featuring Greavys on CosmicPVP, depicts Lam being notified by one of his faction-mates via Discord that the server admins are accusing his faction of being associated with fraud.
According to the New York Times, Lam was also responsible for doxxing the staff of Minecadia, a comparable factions server, in the Spring of 2023:
“When he got into a minor disagreement with the managers of the server Minecadia that resulted in him losing in-game items, he doxxed the staff, releasing their addresses and Social Security numbers online and, in at least one case, sending emergency services to their house, according to several users and Discord chats from the time.”
Although the above references are (admittedly) of dubious veracity, it is Lam’s digital footprint—of the three conspirators—lingering in the public record, that best paints the picture of a young man journeying from cyberdeviance, or norm violating behavior like breaking community rules, to outright criminal activity.
Yet, I hope to take my analysis a step further, adding necessary context—from my firsthand knowledge—about the community and environment in which Lam journeyed from the Craft to the Con.
Going forth, my approach will be heavily influenced by Melissa Martineau, Elena Spiridon, and Mary Aiken’s “Pathways to Criminal Hacking” (2024). In broad strokes, the authors conceptualize a framework to describe the progression from an early interest in technology to hacking:
“This interest leads to online game playing, the development of cheats and game modification, a virtual connection to like-minded others and self-directed development of technical skills and abilities. Intrinsic and extrinsic rewards cause a continuation of hacking behavior, which only ceases due to criminal justice intervention or a choice to redirect one’s interest.” (p. 661).
Across the literature on criminal hacking, the presence of immersive gaming and competitive communal environments is a ubiquitous gateway to cyber criminality. Therefore, it is critical to map Lam’s trajectory alongside the server’s development.
Lam’s Path From Cyberdeviant to Fraudster
Perhaps the most succinct account of CosmicPVP’s development, prior to Lam’s first captured use of the server in 2017, comes in the form of a YouTube video posted by investigative Minecraft Youtuber TheMisterEpic.
The CosmicPVP server was started by two popular children’s YouTubers, PrestonPlayz and Woofles in 2014, the heyday of what the New York Times called the Minecraft Generation — a period of (near) unparalleled popularity of Minecraft with Gen Z. On the server, players in groups of 30-40—sometimes as large as double that—formed guilds called factions, claimed land and built bases, while forming alliances and attacking other factions. PVP (player versus player) combat was paired with highly technical raid mechanics, where factions could cannon into the bases of opposing factions, and a competitive “grindset,” where players had to pour time into preparing for each of these aspects. Due to the initial appeal of custom mechanics, events, graphics, and enchantments, as well as the wild popularity of their initial videos with their pre-teen viewers, thousands of players flooded to CosmicPVP. When CosmicPVP shut down in 2023, its owners had netted ~$25 million dollars.
Assuming Greavys joined the server in 2017, which was when he was accused of hacking, this would have been around the time he dropped out of school.
Mirroring the massive change in Lam’s life, were developments on CosmicPVP that had dramatically reshaped the environment. Seeking to pay to develop new projects, CosmicPVP introduced 200 custom enchants, skins, and new kits. They financed these developments through a robust digital store selling ranks, loot boxes, kits and implemented a novel, custom casino-like gambling mechanic called Cosmo Slotbots.The slots had addictive visual animation, offered the chance of advancement, and were the main way of acquiring the server’s top rank—which otherwise cost over $400. Moreover, because the various worlds (or “maps”) of CosmicPVP reset cyclically (every 90-180 days) to keep the competitions fresh, Slots offered an immediate advantage for P2W players who could pay to get a head start.Frequent sales, weekly updates—which offered top players fleeting advantages—and a pay-to-get-ahead culture culminated in a game environment where the player base was constantly encouraged to spend: time or money.
According to TheMisterEpic, the gambling mechanics pioneered on Cosmic violated the EULA (End-User License Agreement) between Mojang and the server. Despite a history of lax and arbitrary enforcement on the part of Mojang, CosmicPVP was blacklisted in 2021—players could no longer access the server directly through Minecraft. Nonetheless, the server controversially circumvented the blacklist by creating its own “custom client,” an interface to access CosmicPVP and a suite of modifications tailor-made for the server, that was downloaded over >500,000 times.
The never-ending grind for in-game wealth, reputation, and gear, coupled with addictive gambling mechanics (that could be accessed with a large amount of in-game money or a much more trivial amount of real money, as few as $5-10), created a highly competitive and toxic subculture, a community with a long reputation for in-game scamming, trapping and “ganking” (gang killing/theft).While, on many servers, these unethical activities are frowned upon, the factions culture on CosmicPVP favored “Griefers,” encouraging activities where players intentionally disrupt one another’s game experience, particularly their enemies.
According to “Griefers versus the Griefed,” an academic analysis of player motivations in MMORPGs, players that perform griefing overwhelmingly identify themselves as motivated by “competition” and “advancement.”
It should, perhaps, then be unsurprising for you to learn that on a server as competitive as CosmicPVP, griefing extended far beyond the activities explicitly proscribed by the server, such as raiding and PVP events, to include norm-violating and illegal behavior. Doxxing-threats, where players threatened to reveal information (such as the location or social security number) of a fellow player or server staff, were relatively common, as were Distributed denial of service (DDoS) attacks. Using free YouTube tutorials and cheaply acquired software, Cosmic players targeted one another with DDoS attacks, slowing down an opposing player’s game, or knocking them entirely offline. As evidenced by a YouTube search combining the key words “CosmicPVP” & “DDoS,” these attacks (or threat of attack) were a near daily occurrence on the server.
Over time, the exploitative and addictive gaming experience of CosmicPVP further converged with the community’s countercultural “pro-Griefing” tide, resulting in the creation of a grey market economy run on Discord to facilitate IRL (“Real Life”)-Trading between players, where in-game currency and items were exchanged for PayPal or cryptocurrency. In-game gambling mechanics, such as the coin flip, further facilitated the growth of IRL-trading networks, as players could cash out by trading currency (quickly accrued through gambling) for the real thing. At its peak, desirable and rare items could be sold for comparable (or greater) prices than store value, with “god sets” (armor and weapons) taken from notable players selling for a premium. I suspect that, at its highest price, the armor sets worn by “Wiz” and “Greavys123” could have been worth hundreds of dollars.
Although it is unclear if the CosmicPVP administration officially sanctioned the activities of IRL Traders, it is apparent that (at best) the server’s leadership failed to effectively detect and combat IRL trading networks, resulting in a grey market that was ubiquitous among paying players.
Taken together, there were now a combination of individual motivations, such as vengeance against an enemy faction, and financial incentives, like “ganking” an enemy’s rare gear to sell on Discord, for players to engage in cyber deviant or illegal behavior.
Okay, time to return to Lam:
It is in this environment, that Lam continued to develop technical skills and experiment with game modification within the confines of Minecraft, such as using hacked clients, Schematica (a blue print tool), and CosmicClient. After several years of grinding, to join the upper echelon of players in the elite, top factions, Lam learned about the true value of the items he now had; what his faction mates were willing to pay in the flourishing grey market; or what they were willing to do. He joined a culture where there were extrinsic pressures to participate in the P2W economy, to spend money to get ahead. But also, seeing how easy it was to scam, that he could break server rules, and buy his way out of being banned, there was motivation to participate in the illegal economy.
Within this community , Lam was likely exposed to and learned how to do what the authors call “cyber-dependent” crime, which includes “distributed denial of service [DDoS] and unauthorized access to computer systems” (648). Yet, increasingly, DDoS attacks—which were already difficult to attribute on Minecraft servers—were carried out by players who used simple techniques, such as VPNs and alternate (alt) accounts, to cover their tracks or circumvent retribution. In these cases, even when an alt account was caught and held responsible for a threat or attack, the perpetrator could continue to act from different accounts or masked IP addresses.
By this time, the Cosmic community was deeply hardened: the P2W economy and insular culture of elite factions had weeded out the middle of the population pyramid: people who were uncomfortable with the toxicity of the community either left, or became accustomed to the griefing lifestyle of factions. It would not take long for me to get burnt out and leave the server for good. Those who remained were, at best, accepting of the toxicity and potential criminality within the community, and, at worst, responsible for perpetuating it.
It is likely that around this time, Lam further learned about hacking and cybersecurity through YouTube and internet forums, joining Discords and Telegram channels about Minecraft hacking.
Only months later, with a declining player base and economic pressures the server shuttered.
From there, it was a matter of months before Malone Lam started the SE Enterprise which would land him in federal prison. Maybe conditions had changed, maybe his appetite had changed. It is then, in the death of CosmicPVP, an institution pivotal in the upbringing of Malone Lam, that we see the emergence of a criminal hacker.
Food for Thought
If you’ve made it to the very tail end of this winding story about an $260-million-fraudulent-Bitcoin-enterprise and the Minecraft community that bore it, I hope to leave you with one and only one brief food for thought:
Doesn’t this all seem, in retrospect, so very preventable?
if fate was different—if Malone Lam did not spend exorbitantly on cars and clubs, if ZachXBT was not on the case, if Chetal’s parents were not kidnapped—and if luck favored the Lam Enterprise, is it possible that the hackers may have lived lives of quiet crypto-fueled luxury absent of suspicious federal investigators?
But that’s not really what I mean. Although the Lam Enterprise ended like the above theoretical framework, with criminal justice intervention, I believe there were many steps where meaningful intervention could have happened. By accepting that even innocuous children’s games like Minecraft or Roblox can serve as a gateway to a world of exploitation and cybercrime, intervention and norm-shaping must occur much earlier than legal or criminal intervention.
In the above case, CosmicPVP slowly evolved into an exploitative game environment which hosted a highly organized and unethical community, child gambling mechanics, and a grey market. By all appearances, despite significant anti-cheat efforts (resulting in tens-of-thousands of bans), CosmicPVP staff appeared ill-equipped to successfully influence or uproot the off-server activities of its players.
At various points, CosmicPVP’s failure to successfully police malicious actors or act responsibly for its younger players contributed to an unsafe environment. Moreover, at various points, despite appearing to seriously violate the internal EULA between private servers and Mojang, the company failed to investigate or publicly intervene, beyond unsuccessfully blacklisting the server.
With little serious attention paid to these digital subcultures outside of their own creator economy on YouTube and forums like Reddit, malfeasance can go wholly unreported or unremembered, with few official mechanisms for accountability. When considering the roots of something like the Lam enterprise, perhaps we should also turn our attention to the soil in which it grew.
On this front, the press does not generally cover the names of alleged suspects of a criminal investigation, absent the public record of an arrest or formal charges. In the case of Chetal, he was not publicly arrested nor were his formal charges unsealed until a later date.