Topic: [2022-2-8] WSJ: bitfinex hacker arrested, $2.8B in stolen BTC seized re 2016 hack

legendary
Activity: 3010
Merit: 1460
@PrimeNumber7. Have you seen their social media accounts, their videos or their pictures? I reckon those people do not appear like they can hack Bitfinex. They might only be the scapegoats. Also, I really speculate that the real hackers behind this might be within the American government and the scapegoat couple is being paid to play their part in a scheme to retrieve the coins.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
The Press are already calling them the "Bonnie and Clyde" of Crypto currencies. It seems that they were not the actual hackers, but rather the Money launderers of the money that was hacked. This might mean that they know who the hackers were.....
Do you have a source for this? They have not been charged with the actual hack, however it would be very strange for the hacker to entrust someone with billions of dollars to launder his stolen coin, especially when they are having difficulty moving hundreds of thousands of dollars.
legendary
Activity: 3542
Merit: 1965
The Press are already calling them the "Bonnie and Clyde" of Crypto currencies. It seems that they were not the actual hackers, but rather the Money launderers of the money that was hacked. This might mean that they know who the hackers were.....

So once again.... people get caught when they start to live like "Super Rich" people, but they are unemployed. They made up some stories to their family and friends .... but that only lasts for a while. The final nail in the coffin for them was when a Walmart gift card that was bought with stolen bitcoin.... was traced back to their luxurious rental. (delivery address for the goods purchased)
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
I know I have said it before, but if they (and other crooks in general) had been willing to pay the money in taxes and put in some time to make some fake businesses then they could have laundered it quite well.
They appeared to have tried that.

They appear to have created a company, SalesFolk, and Morgan told at least one exchange (coinbase?) that their company provided consulting services. The statement of facts doesn't say anything about this exchange flagging the SalesFolk account, so it is possible this at least temporarily worked. They still had the issue of the fact that deposits could be traced back to the bitfinex hack (via deposits/withdrawals from other exchanges).

They were also not charged with tax fraud, so it is very well possible they were paying taxes on the amounts they cashed out.

From what I saw, he sent the BTC straight to CoinBase.
1) Did not bounce it through exchanges
2) Did not use CoinBase Commerce, just a regular Coinbase account.

When you rob a bank and the dye packs explode all over the cash, you don't walk to the next bank down the street to deposit the cash.

There was actually a case around here about a bunch of very successful drug dealers. Most of the profits from the dealing were run through businesses that paid taxes and then they actually issued paychecks for the dealers along with tax withholding and insurance and everything else. Got busted for other reasons, but since the government got their cut they did not get hit with tax evasion too.....

-Dave
They moved some money from exchange to exchange:
Quote
37. As noted above, MORGAN had two accounts at VCE 7: a retail account and an
institutional account. MORGAN represented via email to VCE 7 that she would be using her
accounts at VCE 7 to receive funds from her business clients and also to transact with her own
virtual currency. MORGAN claimed that the source of digital assets that would be deposited in
her institutional account would be virtual currency that she had received in 2014 and 2015 from
LICHTENSTEIN. This claim is belied by the blockchain, which shows that her virtual currency
accounts received the bulk of deposits from the above-referenced accounts at VCE 4 and received
none from identifiable business clients.
So they deposited some coin to an exchange, withdrew the coin, then tried to deposit the coin to another exchange (I believe to be coinbase).

The problem with this strategy is that when they deposited to "exchange 4", law enforcement can ask "exchange 4" for the txid(s) for any withdrawals associated with that account. So it is likely that the FBI found the "exchange 7" account by asking "exchange 4" about withdrawal transactions.

It doesn't appear they were using coinbase's merchant services product, however I don't think it would have made a difference. It would still be clear they were receiving the stolen bitfinex coin.
legendary
Activity: 3500
Merit: 6320
I know I have said it before, but if they (and other crooks in general) had been willing to pay the money in taxes and put in some time to make some fake businesses then they could have laundered it quite well.
They appeared to have tried that.

They appear to have created a company, SalesFolk, and Morgan told at least one exchange (coinbase?) that their company provided consulting services. The statement of facts doesn't say anything about this exchange flagging the SalesFolk account, so it is possible this at least temporarily worked. They still had the issue of the fact that deposits could be traced back to the bitfinex hack (via deposits/withdrawals from other exchanges).

They were also not charged with tax fraud, so it is very well possible they were paying taxes on the amounts they cashed out.

From what I saw, he sent the BTC straight to CoinBase.
1) Did not bounce it through exchanges
2) Did not use CoinBase Commerce, just a regular Coinbase account.

When you rob a bank and the dye packs explode all over the cash, you don't walk to the next bank down the street to deposit the cash.

There was actually a case around here about a bunch of very successful drug dealers. Most of the profits from the dealing were run through businesses that paid taxes and then they actually issued paychecks for the dealers along with tax withholding and insurance and everything else. Got busted for other reasons, but since the government got their cut they did not get hit with tax evasion too.....

-Dave
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
I know I have said it before, but if they (and other crooks in general) had been willing to pay the money in taxes and put in some time to make some fake businesses then they could have laundered it quite well.
They appeared to have tried that.

They appear to have created a company, SalesFolk, and Morgan told at least one exchange (coinbase?) that their company provided consulting services. The statement of facts doesn't say anything about this exchange flagging the SalesFolk account, so it is possible this at least temporarily worked. They still had the issue of the fact that deposits could be traced back to the bitfinex hack (via deposits/withdrawals from other exchanges).

They were also not charged with tax fraud, so it is very well possible they were paying taxes on the amounts they cashed out.
legendary
Activity: 3500
Merit: 6320
I know I have said it before, but if they (and other crooks in general) had been willing to pay the money in taxes and put in some time to make some fake businesses then they could have laundered it quite well.

Coinbase Commerce and all the other payment processors will convert BTC to fiat.

So you set up a 'crypto consulting business' and take BTC payments.

There are a lot of exchanges that exist even today that have $10K+ withdrawal limits a day with no KYC.

BTC goes in to exchange -> other coin (preferably XMR or other privacy coin) comes out -> other exchange -> BTC to fiat gateway.
You burn some exchange fees and the % that the processor takes AND you get a W2 or 1099 for the amount so you have to pay income tax on it.
You will also need to pay an accountant / bookkeeper to keep the records unless you want to do it yourself.

Generate a bunch of fake emails from clients and poof you have a way to move the money.
With some work, and giving 30% to the government and so on.

But it's work and time and you have to give some away and, as I stated, most criminals don't want to do that.
So they get to go to jail.

-Dave

copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
That investigation is nuts
I love how they've covered every detail, they've traced everything, they have even linked them with ATM transfer and NFT purchases.
Once they had the list of private keys, and the notes in their cloud storage account, much of the guesswork would have been removed.

Yeah some of them, but they've only got that 7 days ago, I doubt they could have finished the investigation from scratch in that time.
That kind of investigation is going to be automated, and they likely already knew that xx address belongs to a BTM, and yy address belongs to an NFT exchange, etc. They probably had an educated guess where some of the money was going.

Quote
On or about January 31, 2022, law enforcement was able to decrypt several key files contained within the account. Most notably, the account contained a file listing all of the addresses within Wallet 1CGA4s and their corresponding private keys.

I'm pretty sure that by the time they asked for the warrant they were aware of all the money transfers those two have made and of all the accounts on exchanges they've made, besides, without certain proof nobody would have given them one in the first place.
Right. The probable cause to get the search warrants likely came from them trying to sell large amounts of coin on multiple exchanges and abandoning the accounts when asked for enhanced KYC/AML documentation with hundreds of thousands of dollars in the accounts. That and the likely fact that the deposits sent to these exchanges can be reasonably traced to the bitfinex hack.
I think their luck ended here:

Quote
As depicted in the chart above, a portion of funds laundered through AlphaBay were sent to six VCE 1 accounts (“VCE 1 Account 1” through “VCE 1 Account 6”). Records from VCE 1 showed that these six accounts were all registered using email addresses hosted by the same India-based email provider
~

Alphabay was seized, for sure they have all the data, linking a transaction from Alphabay to exchanges made this really simple for them.
AlphaBay was seized in 2017, and they have been trying to cash out the money in recent months. I think they tried to launder more of the coin via a "peeling" technique, in which a large (in value) input is split up into many outputs via a very long chain of transactions. The peeling technique makes it difficult to trace "manually", however the transactions can be traced via automation and will be accurate provided certain assumptions are correct.

If they were hired, I don't think the actual hacker would have given them billions of dollars worth of coin at the same time, but would rather give them small amounts that would be replenished as they give the actual hacker assets.

Unless the hacker is new to the job as well and he is a relative of them or a close friend that while excelling in the things he does he has no real-world connections that would help them. I'm saying this because I know a real case of credit card fraud that was discovered when the gang beat nearly to death the poor guy who was doing the tech work after they've had an argument in a disco, probably his first contact with alcohol, I don't remember his age but he was under 18 for sure.
If you're "a nerd" and you suddenly have millions in your pocket the moment you realize the consequences the first instinct would be to seek somebody close to you, usually a relative. At least that's my take on this.

My guess is the hacker was the husband, and he had his wife try to help him launder the money. Or perhaps, he stole her identity when trying to open exchange accounts without her knowledge.

If these people did just steal the coin from the hacker (which it appears would be the case if neither of them is the hacker), the hacker could have reported these people to the FBI as being the hacker, and they would have been caught red-handed with the private keys of the addresses associated with the hack. The money laundering charges are easier to prove, but if the government knew they had the private keys, and had nothing else to charge them with, they would likely have been charged with the hack, IMO.


It probably would have been smart for them to return the majority of the stolen coin to bitfinex less what bitfinex agreed to let them keep. Doing so would have resulted in bitfinex almost certainly stopping cooperation with law enforcement, and probably would have muddied the waters sufficiently that it would be unclear if there was even any stolen coin outstanding.
Yes the guy has Russian citizenship but he didn't even bother to fly away there while he could certainly more easily find ways to open companies and bank accounts with nominees or fake identity there. If he just wanted to quietly stay at home, the smarter thing to do was to return the funds and to take the reward. He really thought he would be able to launder billions of dollars during his lifetime?
Most people cannot even spend billions of dollars during their lifetime. I don't think just anyone can easily set up fake identities in Russia, you probably would need to be somewhat politically connected to do that.


Heather is apparently a rapper and has a TikTok presence -- https://www.tiktok.com/@realrazzlekhan?lang=en
I watched some of her videos.
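
The automated tracing of a "peeling" chain described in the post above, as an added example that is not part of the thread or any investigator's tooling. It assumes each hop has one input and two outputs and that the larger output is the change that continues the chain; all txids, addresses and service labels are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # ((prev_txid, prev_vout), ...)
    outputs: tuple   # ((address, value_in_satoshi), ...)


# Constructed sample data: placeholder txids and addresses, not real ones.
TXS = [
    Tx("t0", (("theft", 0),), (("addr_big0", 100_000_000),)),
    Tx("t1", (("t0", 0),), (("addr_svc_a", 2_000_000), ("addr_chg1", 97_990_000))),
    Tx("t2", (("t1", 1),), (("addr_chg2", 94_980_000), ("addr_svc_b", 3_000_000))),
    Tx("t3", (("t2", 0),), (("addr_x", 1_500_000), ("addr_chg3", 93_470_000))),
    # t4 merges two inputs, so the one-in/two-out peel pattern no longer holds.
    Tx("t4", (("t3", 1), ("other", 0)), (("addr_merge", 95_000_000),)),
]

# Constructed attribution list: addresses already known to belong to services.
LABELS = {"addr_svc_a": "exchange", "addr_svc_b": "gift-card seller"}


def follow_peel_chain(txs, start_txid, start_vout, labels=None, max_hops=10_000):
    """Walk a peel chain from one output; return (peels, reason_for_stopping)."""
    labels = labels or {}
    # Index: which transaction spends a given (txid, vout) outpoint.
    spender = {prev: tx for tx in txs for prev in tx.inputs}
    peels, outpoint = [], (start_txid, start_vout)
    for _ in range(max_hops):
        tx = spender.get(outpoint)
        if tx is None:
            return peels, ("unspent", outpoint)
        # Assumption 1: a peel hop has exactly one input and two outputs.
        if len(tx.inputs) != 1 or len(tx.outputs) != 2:
            return peels, ("pattern_break", tx.txid)
        (_, v0), (_, v1) = tx.outputs
        if v0 == v1:
            # Cannot tell change from payment; stop rather than guess.
            return peels, ("ambiguous", tx.txid)
        # Assumption 2: the larger output is change, the smaller is the peel.
        change_vout = 0 if v0 > v1 else 1
        addr, sats = tx.outputs[1 - change_vout]
        peels.append({"txid": tx.txid, "address": addr, "sats": sats,
                      "label": labels.get(addr, "unknown")})
        outpoint = (tx.txid, change_vout)
    return peels, ("max_hops", outpoint)


if __name__ == "__main__":
    found, stop = follow_peel_chain(TXS, "t0", 0, LABELS)
    for p in found:
        print(f'{p["txid"]}: {p["sats"]} sat -> {p["address"]} ({p["label"]})')
    print("stopped:", stop)
```

Where the trace stops is as informative as the peels: a pattern break or ambiguous split marks the point at which the heuristic's assumptions no longer hold and an analyst has to take over.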
legendary
Activity: 2912
Merit: 6403
That investigation is nuts
I love how they've covered every detail, they've traced everything, they have even linked them with ATM transfer and NFT purchases.
Once they had the list of private keys, and the notes in their cloud storage account, much of the guesswork would have been removed.

Yeah some of them, but they've only got that 7 days ago, I doubt they could have finished the investigation from scratch in that time.

If they were hired, I don't think the actual hacker would have given them billions of dollars worth of coin at the same time, but would rather give them small amounts that would be replenished as they give the actual hacker assets.

Unless the hacker is new to the job as well and he is a relative of them or a close friend that while excelling in the things he does he has no real-world connections that would help them. I'm saying this because I know a real case of credit card fraud that was discovered when the gang beat nearly to death the poor guy who was doing the tech work after they've had an argument in a disco, probably his first contact with alcohol, I don't remember his age but he was under 18 for sure.
If you're "a nerd" and you suddenly have millions in your pocket the moment you realize the consequences the first instinct would be to seek somebody close to you, usually a relative. At least that's my take on this.


legendary
Activity: 2604
Merit: 2353
It probably would have been smart for them to return the majority of the stolen coin to bitfinex less what bitfinex agreed to let them keep. Doing so would have resulted in bitfinex almost certainly stopping cooperation with law enforcement, and probably would have muddied the waters sufficiently that it would be unclear if there was even any stolen coin outstanding.
Yes the guy has Russian citizenship but he didn't even bother to fly away there while he could certainly more easily find ways to open companies and bank accounts with nominees or fake identity there. If he just wanted to quietly stay at home, the smarter thing to do was to return the funds and to take the reward. He really thought he would be able to launder billions of dollars during his lifetime?
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
That investigation is nuts
I love how they've covered every detail, they've traced everything, they have even linked them with ATM transfer and NFT purchases.
Once they had the list of private keys, and the notes in their cloud storage account, much of the guesswork would have been removed.

But going through all that info it seems that the major flaw in the plan was that they've almost always failed to provide a source for those coins when exchanges asked, and after their first try went wrong they've gone completely silent, not communicating on the issue anymore. In my opinion that was really a big mistake, nobody just leaves hundreds of thousands of dollars frozen like that, throwing them away that easily unless they are stolen money, I'm pretty sure all CEX reported those incidents and the police just have to slowly connect the dots.
They provided information about the source of funds that was not plausible nor verifiable. They stopped communication when asked to do enhanced KYC verification. When someone more or less abandons a financial account with six figures worth of coin in it, the exchange will likely file a SAR, and law enforcement will almost certainly be very interested.
But yeah, I doubt he is the hacker, probably somebody employed to clean the coins...and failing miserably at it.
I don't think they were hired to clean the coins. For example, they bought gold that was shipped to their residence and had money withdrawn to their bank accounts, and there was not anything mentioned about sending anything of value to any third parties. I think it is likely that one of them was responsible for the hack. The wife appears to be a writer for Forbes and Inc (according to what appears to be her LinkedIn profile), and the husband may or may not have actually founded some kind of what could have been a tech company.

If they were hired, I don't think the actual hacker would have given them billions of dollars worth of coin at the same time, but would rather give them small amounts that would be replenished as they give the actual hacker assets.

Quote
On or about May 3, 2020, Cluster 36B6mu sent approximately 0.057 BTC directly to VCE 10. VCE 10 is a business that sells prepaid gift cards in exchange for BTC. Records from VCE 10 showed that this specific transaction was for the purchase of a $500 gift card to Walmart from an account registered with an email address hosted by a provider in Russia and conducted via an IP address resolving to a New York City-based cloud service provider
Records showed that portions of the $500 gift card were then redeemed through three transactions for personal items via the Walmart iPhone application

When you have 100k BTC and you use them to buy a $500 gift card for Walmart...
I get that you might want to keep a low profile but this is just funny.

My impression was that they resorted to buying gift cards after other attempts to launder the money failed. It appears they were unable to actually sell very much of the stolen coin for anything of value. For example, their shell business apparently took out a PPP loan.

I think they were probably greedy, and probably aren't career criminals. At the time of the hack, bitfinex was using a third-party service, BitGo, for their wallet whose platform was open-source. My guess is that one of them either knew someone at BitGo who told them about a flaw in their software, or one of them was able to review the BitGo code on GitHub, and was able to exploit the flaw that allowed the hacker to bypass 2FA to allow for BitGo to authorize an unlimited amount of coin to be transferred.

It probably would have been smart for them to return the majority of the stolen coin to bitfinex less what bitfinex agreed to let them keep. Doing so would have resulted in bitfinex almost certainly stopping cooperation with law enforcement, and probably would have muddied the waters sufficiently that it would be unclear if there was even any stolen coin outstanding.
legendary
Activity: 2912
Merit: 6403
That investigation is nuts
I love how they've covered every detail, they've traced everything, they have even linked them with ATM transfer and NFT purchases.

But going through all that info it seems that the major flaw in the plan was that they've almost always failed to provide a source for those coins when exchanges asked, and after their first try went wrong they've gone completely silent, not communicating on the issue anymore. In my opinion that was really a big mistake, nobody just leaves hundreds of thousands of dollars frozen like that, throwing them away that easily unless they are stolen money, I'm pretty sure all CEX reported those incidents and the police just have to slowly connect the dots.

But yeah, I doubt he is the hacker, probably somebody employed to clean the coins...and failing miserably at it.

Quote
On or about May 3, 2020, Cluster 36B6mu sent approximately 0.057 BTC directly to VCE 10. VCE 10 is a business that sells prepaid gift cards in exchange for BTC. Records from VCE 10 showed that this specific transaction was for the purchase of a $500 gift card to Walmart from an account registered with an email address hosted by a provider in Russia and conducted via an IP address resolving to a New York City-based cloud service provider
Records showed that portions of the $500 gift card were then redeemed through three transactions for personal items via the Walmart iPhone application

When you have 100k BTC and you use them to buy a $500 gift card for Walmart...
I get that you might want to keep a low profile but this is just funny.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
The DOJ has announced they have arrested Ilya Lichtenstein and his wife Heather Morgan in connection with the 2016 hack of Bitfinex, in which 120,000 bitcoin was stolen. The DOJ also said that they seized most of the 120,000 BTC, now worth ~$3.6 billion (out of ~$4.5 billion) that was stolen in the 2016 hack last week.

According to the "statement of facts" attached to the criminal complaint, the FBI was able to seize files out of a cloud storage provider belonging to the defendants (Ilya Lichtenstein and Heather Morgan) that contained the private keys of addresses directly associated with the bitfinex hack, along with a spreadsheet of various login information to several exchange accounts belonging to the defendants that can be traced to the 2016 hack.

Interestingly, the defendants apparently represented to an exchange (it sounds somewhat like coinbase pro) that they were mining in 2011 and this is how they obtained so much bitcoin. I remember seeing posts on this forum asking for private keys from circa 2011 that received mining rewards.

It appears that the defendants were able to successfully cash out some of the stolen coin, so I think it is unlikely that more of the stolen coin is going to be recovered.

Article: https://www.wsj.com/articles/justice-department-says-it-seized-3-6-billion-in-stolen-cryptocurrency-exchange-hack-11644339381?mod=hp_lead_pos6

DOJ statement of facts: https://www.justice.gov/opa/press-release/file/1470211/download


Interestingly, it does not appear that it is alleged that the defendants actually hacked bitfinex. Although given they are in possession of billions of dollars of what can be traced to the hack, it is almost certain one of them was involved in the hack IMO. Based on the facts presented, it sounds like they used their real name when KYC verifying some of their exchange accounts, and when they tried cashing out large amounts, SARs were filed, which contained sufficient evidence for the FBI to get search warrants for their email and cloud accounts.