Florida and Massachusetts recovered $5.4 million from a romance scam combined with cryptocurrency investment, returning $2 million to victims — while Bitcoin Depot lost an additional $3.6 million due to a cyberattack.
Authorities in Florida and Massachusetts have just completed the recovery of $5.4 million in cryptocurrency assets from scams combining emotional manipulation and digital asset investment, a model increasingly targeting seniors. This is the largest recovery to date by the Florida Cyber Fraud Enforcement Unit (CFEU), conducted in coordination with the Marion County Sheriff's Office.
In the first quarter of 2026 alone, CFEU recovered $3.3 million, equivalent to 45% of the total assets the unit had accumulated over 2.5 years of operation, which amounted to $7.2 million. Another $12.6 million in crypto assets remain frozen pending a judicial ruling.
Of the total recovered funds, $700,000 was returned to victims in Florida, including one victim in Marion County who lost over $450,000, and $1.3 million was returned to victims in Massachusetts. The remainder will be reinvested in CFEU's operations. Massachusetts Attorney General Andrea Joy Campbell said her office receives hundreds of cryptocurrency-related complaints each year, has shut down more than 60 fraudulent websites, filed more than 30 lawsuits, and recovered a total of over $6 million for victims to date.
Bitcoin Depot: From plaintiff to victim in the same week
The most ironic development of the week was the situation of Bitcoin Depot, the cryptocurrency kiosk operator that was singled out by the Massachusetts Attorney General for allegedly knowing about millions of dollars in fraudulent transactions passing through its machines without adequate protection, and at the same time had to file an 8-K report with the SEC announcing the loss of 50.9 Bitcoin, worth approximately $3.6 million, due to a cyberattack.
The company stated that it detected the unauthorized access on March 23rd, but blockchain investigator ZachXBT determined that the suspicious flow of funds began on March 20th, three days earlier, involving 19 wallet addresses, and the actual amount of Bitcoin stolen could be as high as 54 BTC, equivalent to approximately $3.9 million, before being transferred to Kucoin's deposit addresses.
The three-day gap between the actual intrusion and Bitcoin Depot's detection raises serious questions about the company's internal security oversight capabilities, especially in light of allegations from regulators that it failed to adequately protect its users.
