
DOJ recovery of $3.6 BILLION in crypto. Ilya “Dutch” Lichtenstein & Heather “RazzleKhan” Morgan, charged for the 2016 Bitfinex hack

The husband and wife were arrested in the early morning of February 8, 2022. Both are charged with Money Laundering Conspiracy and Conspiracy to Defraud the United States.

Again I thought I had previously set your expectations that this week is absolutely full on firehose busy for me. It’s literally do or die time (figuratively speaking) because the legislative session is (praise sweet baby Jesus) almost in the home stretch. And that my work obligations would severely limit my free time. And I actually do take pride in the amount of work, researching and fact checking I do before I publish an article. In my industry you are either all in or GTFOH because the “old college try” isn’t an option. It’s more take no prisoners or get out of my way or I’ll flatten you like a pancake. Also because I respect my readers, I don’t ever want to publish a half-researched article…if I did this correctly, then this article will publish while I’m making the 3 hour one way drive.

Hello virtual money exchange -oh how I’ve missed you

Before we dissect the recently unsealed charges by the Justice Department, I’d like to draw your attention to the following published articles:

And should you be inclined, this link will take you to previously published articles specifically concerning cryptocurrency. This link will take you to the previous articles concerning ransomware. And lastly, this search-link is a generalized search of the countless previously published articles concerning crypto writ large.

The 2016 Bitfinex Hack

In the late summer of 2016, Bitfinex was forced to announce/acknowledge that their platform had been infiltrated by unauthorized users. Over 112K bitcoins were stolen and Bitfinex was crippled for a significant period of time. Moreover, Bitfinex customers were unable to log into their accounts, and that created an infrastructure nightmare for Bitfinex. Below is an extremely condensed 2016 tick-tock of the hack:

  • On August 10, 2016, Bitfinex announced that it had added “additional platform and infrastructure security checks; regenerated all encrypted services, including wallets, security tokens, and passwords; moved funds to multisig cold storage; re-evaluated all third-party integrations; performed a comprehensive system audit in order to identify vulnerabilities; and, rebuild our entire platform on new infrastructure.”

  • On August 17, 2016, Bitfinex announced that a critical failure in its platform was a security breach of its third-party partner BitGo’s segregated multi-signature wallet solution.

The March 2015 Bitfinex Hack, target

Hot wallet versus cold storage. Here’s the thing: in May 2015 Bitfinex was hacked and made a series of security infrastructure improvements. See the archived 2015 Urgent Message to their customers. Also see the embedded 2015 tweet below. After the unauthorized intrusion, Bitfinex alerted its customers that its hot wallet, which allows their customers to transfer and store bitcoins short-term, may have been compromised. On March 5, 2015 Bitfinex announced that it had turned to BitGo Multisig Wallets. Thereafter Bitfinex made the decision to suspend the use of the “BitGo hot wallet solution” and reverted to using multi-signature cold storage.

Bitfinex @bitfinex
Urgent Action Required:… Don't deposit to old BTC addresses. New addresses are online and updates will follow soon.

Heather “RazzleKhan” Morgan Brief Bio:

If you are wondering why I reference Heather Morgan’s alias “RazzleKhan”, that is her stage name for her “rapping” music career. And let me tell you, her social media presence is, in a word, intriguing. And not that I’m a music industry expert, her “talent” is like listening to nails on a chalkboard. For example, the following music video she posted on Instagram on March 3, 2020:

A post shared by Razzlekhan (@razzlekhan)

As is my standard practice, I’ve taken the time to hunt down her social media and digital footprint.

Prosecutors allege that ILYA “DUTCH” LICHTENSTEIN, who has dual citizenship (USA & Russia), and his wife, HEATHER MORGAN, committed the following offenses:

  • Money Laundering Conspiracy, in violation of 18 U.S.C. § 1956(h); and

  • Conspiracy to Defraud the United States, in violation of 18 U.S.C. § 371.

As alleged in the complaint, Defendants Lichtenstein and Morgan conspired to launder the (illicit) proceeds of 119,754 bitcoins. These bitcoins were stolen when the hacker penetrated Bitfinex’s platform. The hacker then initiated more than 2,000 unauthorized transactions. Lichtenstein sent the 2,000 unauthorized transactions to a digital wallet that he controls.

In the years after the 2016 hack, over 25,000 stolen bitcoin were then transferred out of Lichtenstein’s wallet. The Defendants then used an extremely complex money laundering process. And ultimately the Defendants unjustly enriched themselves by depositing the stolen bitcoins into various financial accounts controlled by both Lichtenstein and Morgan. I’d now like to draw your attention to page 2, specifically paragraphs 5 and 6. As you’ll note, the Government proffered the following disclosures:

  • Jan 31, 2022 thru Feb 1, 2022, pursuant to a lawfully authorized search and seizure warrant, law enforcement was able to gain access to Wallet 1CGA4s. Investigators then decrypted a file saved to LICHTENSTEIN’s cloud storage account

    • importantly: after decryption of the file, investigators located an extensive list of 2,000 virtual currency addresses, along with corresponding private keys.

    • investigators used these private keys from LICHTENSTEIN’s file to seize Wallet 1CGA4’s remaining balance of approximately 94,636 BTC, worth $3.629 billion…

  • On Feb 4, 2022, investigators obtained another search and seizure warrant, which authorized the seizure of those funds.

  • Those funds remain secured in the U.S. Government’s possession.

Alphabay you say…the gift that keeps on giving

I’d now like to draw your attention to page 3, specifically Section A paragraphs 7a-7e -as further explained in the Affidavit, investigators then discovered Defendants Lichtenstein and Morgan had wallets at nine additional Virtual Currency Exchanges…but again once investigators decrypted the file, they discovered that Defendant Lichtenstein had over 2,000 digital wallets.

Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure.

The Government then disclosed that the Defendants used some of the tried and tested money laundering techniques. For example: creating accounts with fictitious names and breaking up transactions into many smaller transactions (think of the term “stacking” or a daisy chain, or more precisely “chain hopping”). Again, these types of tactics are meant to frustrate law enforcement’s investigation but also seek to mask the origins of said cryptocurrency…

…which obfuscates the trail of the transaction history by breaking up the fund flow..

Oh you now have my undivided attention because an Affidavit with charts is kind of my catnip. Keep in mind the transactions depicted in these charts are not all-inclusive, because accounting for each “micro-transaction” would be a jumbled mess, whereas these simplified charts provide you with a general overview. Another thing you might recall (particularly when I was on Twitter): I frequently highlighted how crypto exchanges and ICOs needed to do a better job of not only complying with but also enforcing the BSA (Bank Secrecy Act), AML (Anti-Money Laundering) and KYC (Know Your Customer).

I’d also argue that the private-public partnership is paramount when investigators are following the digital currency. Case in point: in June 2021 this article was largely overlooked and I think you should (re)read it because in my industry this was really a BFD. And it further solidifies the assertion that the government and private sector could and should seek symmetrical relationships if they truly want to curb the hacking of VCEs who may not take cybersecurity seriously, and they do so at their own peril.

And as much as this pains me to say this, the past administration was almost laissez faire about tackling the ever growing cyber threats, which are largely financed by cryptocurrency. Conversely the current administration is definitely leaning into the illicit funds and malicious activity but the biggest delineation, the scales tip in favor of the Biden Administration… on pages 6 & 7 the Government explains how investigators were convinced that these various accounts at least 10 VCE —Defendant Lichtenstein created a spreadsheet that included the information of the thousands of wallets, it also included passwords, the status of the wallet(s) …Defendant Lichtenstein’s spreadsheet delineated “frozen” accounts

Follow the cryptocurrency…

I mean I suppose we should thank Defendant Lichtenstein for his meticulous spreadsheets, which assisted investigators in their critical task, that is: to follow the cryptocurrency…

The connection among the VCE 1 accounts was further confirmed upon reviewing a spreadsheet saved to LICHTENSTEIN’s cloud storage account. The spreadsheet included the log-in information for accounts at various virtual currency exchanges and a notation regarding the status of the accounts. Six of the VCE 1 accounts referenced above were included in the spreadsheet, with a notation indicating “FROZEN.” In other words, LICHTENSTEIN possessed a document with the login information for the accounts at VCE 1 that received funds traceable to the hack of Victim VCE and that reflected his knowledge that the accounts had been frozen.

The funds were sent to various locations, including through multiple unhosted BTC addresses to an account at another U.S.-based VCE (“VCE 5”) in LICHTENSTEIN’s name (“Lichtenstein’s VCE 5 Account”). As illustrated below, the withdrawals from multiple VCE 1 accounts merge together as they flow through a peel chain and ultimately fund a deposit on or about February 13, 2017, to Lichtenstein’s VCE 5 account (as well as other deposits in January, June, and December 2017)…
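The merge pattern the affidavit describes, as an added example that is not from the affidavit or the original article: two withdrawals are each followed through a peel chain, and destinations funded from more than one starting account are flagged. The ledger, address names and the two-output model of a peel hop are assumptions made for illustration.

```python
# Constructed sample ledger (not data from the affidavit). Each key is an
# address; the value lists the outputs (destination, satoshis) of the one
# transaction that spends it. All addresses and amounts are made up.
SPENDS = {
    "vce1_acct_A": [("hopA1", 900_000_000), ("deposit_X", 100_000_000)],
    "hopA1":       [("hopA2", 820_000_000), ("deposit_Y", 80_000_000)],
    "hopA2":       [("hopA3", 700_000_000), ("deposit_Z", 120_000_000)],
    "vce1_acct_B": [("hopB1", 450_000_000), ("deposit_Y", 50_000_000)],
    "hopB1":       [("hopB2", 390_000_000), ("deposit_Y", 60_000_000)],
}


def follow_peel_chain(start, spends, max_hops=1000):
    """Walk a peel chain from `start`; return [(peeled_to, satoshis), ...].

    Assumed model: a peel hop is a spend with exactly two outputs. The larger
    one is change that carries the chain forward, the smaller is the peel.
    """
    peels, addr, seen = [], start, set()
    while addr in spends and addr not in seen and len(peels) < max_hops:
        seen.add(addr)                 # guard against cycles in bad data
        outputs = spends[addr]
        if len(outputs) != 2:          # not a peel-shaped spend: stop here
            break
        change, peel = sorted(outputs, key=lambda o: o[1], reverse=True)
        peels.append(peel)
        addr = change[0]               # keep following the change output
    return peels


def find_merges(starts, spends):
    """Return {destination: (set_of_sources, total_satoshis)} for every
    destination funded by peels from two or more starting accounts."""
    sources, totals = {}, {}
    for start in starts:
        for dest, amount in follow_peel_chain(start, spends):
            sources.setdefault(dest, set()).add(start)
            totals[dest] = totals.get(dest, 0) + amount
    return {d: (s, totals[d]) for d, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    merges = find_merges(["vce1_acct_A", "vce1_acct_B"], SPENDS)
    for dest, (srcs, total) in merges.items():
        print(f"{dest}: {total / 1e8:.2f} BTC from {sorted(srcs)}")
```
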

In short, the investigators did in fact follow the cryptocurrency, and in the end it was Lichtenstein and Morgan who brought this all on themselves, partly due to the comically sloppy nature of how Lichtenstein and Morgan set up the various accounts at 10 VCEs. More specifically, it was Lichtenstein’s repeated use of a specific email address and connectivity to those email accounts, which were used to open up accounts at all 10 of the VCEs. Again, you can read the February 8, 2022 DOJ-OPA Press Release and you can read the 20 page Affidavit/Statement of Facts sans my highlights and spicy snark.

Just to reiterate, my week is off the charts packed this week; it’s not like I can give certain lawmakers my death stare or evil eye via a Teams call or God-forbid via a Zoom video call. No, this requires me to be there in person and quietly screaming inside my head. Because invariably it’s always the home stretch of a legislative session that is filled with me questioning why lawmakers are trying to screw over our clients. I mean, just about 2 months ago I was sent in as the cleaning crew, after a certain lawmaker decided to recant on their commitment to not send XYZ bill to ABC Committee —where the new/proposed legislation is sent to die on the vine…. It’s my job to “gently” remind them about the previously agreed upon verbiage. And that Groundhog Day isn’t actually a thing but it’s starting to feel like it. After all the Crossover Deadline is quickly approaching… and then it’s onto the appropriations portion of my own personal hell.

At any rate, I hope this article helps color in the various contours in this landmark criminal case. To date, $3.6B (as in billion) is in fact a landmark seizure by the DOJ. The fact that the IRS-CI took the lead further fortifies that this is a whole of Government approach.

Rhetorical questions, 1) if you haven’t filed your business and/or personal Federal income taxes (let’s say hypothetically since 2015) is that criminal? 2) would that render your incessant public declarations of your patriotism moot, if not just embarrassingly fraudulent?, 3) also is it terrible to enjoy watching others unwittingly resetting the statute of limitations clock? <snort> apparently I’ve added a 6th level to the heads of individuals I’m currently living in rent free…

And lastly your daily dose of saltwater therapy…

A post shared by File411 (@file411_dc)

Again, apologies for the spottiness of publishing a daily article. I’m literally counting down the days to April 8th. Because this year’s legislative session is the first time in a while that I’ve wanted to just chuck-it in the bucket.


File411’s Newsletter