Naked Security

“Crocodile of Wall Street” and her husband plead guilty to giant-sized cryptocrimes

Sentences still to be decided, but she could get up to 10 years and he could get as many as 20.

Back in August 2016, Heather Morgan, a.k.a. Razzlekhan, a.k.a. the Crocodile of Wall Street (actually, there’s a double-barrelled expletive in front of the word ‘crocodile’, but this is a family-friendly website so we’ll leave you to extrapolate for yourself), and her husband Ilya Lichtenstein got their hands on 120,000 of your finest bitcoins.

At the time, BTC was trading at about $600, so their stash was worth a cool $72,000,000.

For a couple in their mid-to-late 20s at the time, you’d imagine that sort of capital would fund a long life of idle luxury, especially if you stop to think that Bitcoin hasn’t traded below $10,000 for the past three years.

Even if they’d burned through half of their original fortune by now, they’d still have close to $2 billion left at today’s rate, about 25 times as much as they started out with.

But things didn’t work out that way.

The problem was that Morgan and Lichtenstein hadn’t acquired those bitcoins legally, weren’t able to cash them out as quickly as they probably thought they could, and ultimately discovered that bitcoin anonymity only goes so far, especially if you’re stuck with the problem of trying to launder a large quantity of the world’s best-known cryptocurrency.

In early 2022, US law enforcement experts had pieced together enough of the couple’s BTC story to arrest them for trying to spend the proceeds of a crime:

https://nakedsecurity.sophos.com/2022/02/09/self-styled-crocodile-of-wall-street-arrested-with-husband-over-bitcoin-megaheist/

Simply put, the couple weren’t directly charged with stealing the bitcoinage in the first place, but with trying to cash it out despite knowing it was stolen.

In the court document submitted to apply for their arrest warrants, the victim is referred to simply as VCE, short for virtual currency exchange, but that VCE is now publicly known to be Bitfinex, so we have used that real name here:

In or around August 2016, a hacker breached [Bitfinex’s] security systems and infiltrated its infrastructure. While inside [Bitfinex’s] network, the hacker was able to initiate over 2,000 unauthorized BTC transactions, in which approximately BTC 119,754 was transferred […] to an [outside wallet].

[…] US authorities traced the stolen funds on the BTC blockchain. As detailed [in the affidavit], beginning in or around January 2017, a portion of the stolen BTC moved out of [that wallet] in a series of small, complex transactions across multiple accounts and platforms. This shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds. Despite these efforts, […] US authorities traced the stolen BTC to multiple accounts controlled by ILYA “DUTCH” LICHTENSTEIN, a Russian-US national residing in New York, and his wife HEATHER MORGAN.

Fast forward just over a year-and-a-half, and both of the suspects have now pleaded guilty to money laundering charges.

This time, the US Department of Justice (DOJ) unambiguously states that Lichtenstein was the hacker referred to above, and offers some intriguing new details about how the couple tried to turn the stolen cryptocoins into ready money, including using some of the tainted bitcoins to buy gold, which they hid in the traditional way of robbers and pirates throughout the ages:

According to court documents, Lichtenstein used a number of advanced hacking tools and techniques to gain access to Bitfinex’s network. Once inside their systems, Lichtenstein fraudulently authorized more than 2,000 transactions in which BTC 119,754 was transferred from Bitfinex to a cryptocurrency wallet in Lichtenstein’s control. Lichtenstein then took steps to cover his tracks by going back into Bitfinex’s network and deleting access credentials and other log files that may have given him away to law enforcement. Following the hack, Lichtenstein enlisted the help of his wife, Morgan, in laundering the stolen funds.

Lichtenstein, at times with Morgan’s assistance, employed numerous sophisticated laundering techniques, including using fictitious identities to set up online accounts; utilizing computer programs to automate transactions; depositing the stolen funds into accounts at a variety of darknet markets and cryptocurrency exchanges and then withdrawing the funds, which obfuscates the trail of the transaction history by breaking up the fund flow; converting bitcoin to other forms of cryptocurrency, including anonymity-enhanced cryptocurrency (AEC), in a practice known as “chain hopping”; depositing a portion of the criminal proceeds into cryptocurrency mixing services, such as Bitcoin Fog, Helix, and ChipMixer; using US-based business accounts to legitimize their banking activity; and exchanging a portion of the stolen funds into gold coins, which Morgan then concealed by burying them.

Lichtenstein now faces up to 20 years in prison when he’s sentenced, while the Crocodile Lady faces up to 10 years behind bars.

As the law requires, and as the DOJ reminds everyone, “there will be a formal process at the conclusion of the case […] for third-party claimants to submit claims for any seized and forfeited property”.

Fascinatingly, that restitution process could produce some peculiar results for different claimants, depending on which stolen bitcoins got traded out and recovered in the form of gold, which ones were still in BTC form when seized, and how the assets are divided up amongst the claimants.

For example, if your bitcoins were stolen in 2016, cashed out for gold by the Crocodile Lady in early 2017, and were returned to you right now in the form of gold bullion, you’d end up with a reasonably healthy return of somewhere between 250% and 300%.

That’s because BTC went from about $600 in mid 2016 to roughly double that by early 2017 (x2), and gold has gone up from $1500 an ounce to $2000 an ounce since then (x1.3), for an overall gain of approximately 2×1.3 = 260%.

If your specific bunch of bitcoins ended up untouched by the guilty pair, however, and you were to get them back directly, they’d now be worth about 50 times what they were at the time of the heist, for a 5000% return.

But if your coins were swapped out for gold in late 2021, just before the Crocodile Lady was taken into custody, they’d have been worth more than 100 times their 2016 value at the time of the trade, and although the value of BTC is now less than half what it was then, gold has declined only very slightly, so you’d still be looking at a return of better than 10,000%.

In practice, we’re assuming that the total amount recovered will be divided proportionally between all claimants, including those whose specific cryptocoins were cashed out along the way and spent on high living…

…but it’s an intriguing reminder of how complex and confusing the cryptocoin ecosystem can be.


HOW CRYPTOCOINS CAN BE TRACKED

If you’re wondering how stolen and laundered transactions can be traced in a pseudoanonymous trading system such as Bitcoin…

…you’ll enjoy this special episode of the Naked Security podcast in which we talk to best-selling US author Andy Greenberg about his awesome book on this very subject, Tracers in the Dark – The Global Hunt for the Crime Lords of Cryptocurrency.



4 Comments

RazzleKhan was the answer to a question during a cybersecurity class I took. Because I knew that, I won a $100 hacker gift card. No one knew who she was so after the question, the instructor played her rap song, and the entire class was horrified. HAHA.

Reply

While reading the article title I had a cringe moment at the word ‘cryptocrimes’.

– Which weapon was used for the crimes?
– Was it a RIPEMD-160 or a full-size RSA-4096 model?

The cybersecurity & by extension you (Sophos, security company) is doing itself a massive disservice by using the slander word ‘cryptocrimes’.

There’s no such thing as a cryptocrime.
The crime was theft, not cryptography.

There’s no ‘computer crime’ either, computers don’t beat people up.

Now one point that might appear sketchy is if justice might try to resize the asset forfeitures of the victims at USD level.

If you had 5 BTC stolen (example) that were worth USD ~5000 at the time, I would think that the sensible thing to do is to return exactly 5 BTC, not USD ~5000.

Returning USD 5000 would be akin to having lost a racing car and being compensated with tons of bicycles instead.

Will justice have to actually analyze the blockchain to determine the exact BTC addresses to return BTC currency to?

In such a case, then why even ask the theft victims to apply for compensation?

The BTC blockchain already has the list of all the ‘victim BTC addresses’ in its history.

Just do a big batch of automatic BTC transfers to all thieved BTC addresses for what they lost.

If not perfectly possible because of payment/miner fees, then approximately the amount in BTC minus a little fee.

Last point about whether to return assets in BTC instead of USD might be worth asking those who will decide about it.

Reply

You may not like it, but languages play by their own rules, and evolve in their own ways. Thus “egregious” now means exactly the opposite of what it used to (it went from meaning superextra good to extrasuper bad). “Cleave” now means both to stick together inseparably and to chop in half. “Hackers” can be good or evil (and sometimes both) these days. And “crypto” means any of -graphy, -analysis and -currency. (Likewise, “computer crime” is pretty well understood to imply that computers weren’t merely used in the crime or stolen in the crime, but fundamental to it.)

The issue about how to return the recovered “stuff” is not trivial. If crooks steal 10 cars and 8 get recovered then you can’t give everyone 8/10ths of a car (and cars aren’t fungible anyway). It’s bad luck for the 2 people whose property wasn’t recovered.

But if they steal $1,000,000 in cash from 1000 people and $800,000 is recovered, you could reasonably give everyone $800.

Here, though, it’s as though $1,000,000 was stolen, $800,000 was recovered together with a record of whose actual stolen cash had been spent, but when they came to count it up one last time there was suddenly $80,000,000 in the kitty…

I assume there are existing legal procedures for handling this, but the wild change in value of any recovered stuff still in BTC form makes this an interesting situation.

Reply
