The story as we know it now sounds simple, but the investigation wasn’t.
It all started, according to court papers, with a security breach reported in August 2016 by the Bitcoin exchange Bitfinex.
(The court application for an arrest warrant refers to the company only as “VCE”, short for Virtual Currency Exchange, but the US Department of Justice explicitly identifies VCE as Bitfinex.)
The company’s original breach notification didn’t record how much cryptocurrency had vanished from its coffers, but it quickly emerged that the virtual bank robbers had made off with close to 120,000 bitcoins: BTC 119,756, to be precise, worth a whopping $72 million at the time.
Colossal Cave Adventure
After an investigation that sounds like the 1970s computer game Colossal Cave Adventure (“you are in a maze of twisty little passages, all alike”), law enforcement says that the stolen funds were spread around in various ways:
- Split between thousands of bitcoin addresses in cold wallets, some stored in the cloud.
- Moved into darkweb accounts on now-defunct underground site Alpha Bay.
- Spread amongst numerous cryptocoin accounts hosted on 10 other cryptocoin exchanges.
Ultimately, claims the investigation, many of the accounts created and used for shuffling the stolen funds around were traced back to a New York couple who have now been arrested on fraud and money laundering charges: Heather Morgan, 31, and her husband Ilya Lichtenstein, 34.
Technology website Engadget identifies Morgan as self-styled rapper/artist/activist/entrepreneur RazzleKhan, whose still-active website leads with:
The infamous Crocodile of Wall Street strikes again! More fearless and more shameless than ever before, she’s taking on everyone from big software companies to healthcare to finance bros.
Engadget even links to a video of one of Morgan’s YouTube rap songs in which she riffs: “Spearfish your password/All your funds transferred”, but that video is now marked private, so you can no longer watch for yourself.
Who hacked Bitfinex?
Whether Morgan and Lichtenstein pulled off the original hack against Bitfinex isn’t addressed in the arrest warrant affidavit.
In orotund legalese, the allegations deal not with the hack itself but with what happened thereafter:
[This criminal investigator] submits that there is probable cause to believe that ILYA “DUTCH” LICHTENSTEIN and HEATHER MORGAN violated 18 U.S.C. § 1956(h), which makes it a crime in relevant part to conspire to conduct or attempt to conduct a financial transaction involving the proceeds of specified unlawful activity, knowing that the property involved in the financial transaction represents the proceeds of some form of unlawful activity, and knowing that the transaction is designed in whole or in part to conceal or disguise the nature, location, source, ownership, or control of the proceeds of specified unlawful activity. […]
[The investigator also] submits there is also probable cause to believe that ILYA “DUTCH” LICHTENSTEIN and HEATHER MORGAN violated 18 U.S.C. § 371, which makes it a crime in relevant part for two or more persons to conspire to defraud the United States, or any agency thereof, in any manner or for any purpose, and to do any act to effect the object of the conspiracy.
Simply put, the arrested couple are accused of trying to shift around cryptocurrency that they knew to be stolen, and of telling a bunch of lies along the way to make it sound as though they had legitimately acquired the cryptocoins they wanted to trade.
The maximum penalty for the former offence is 20 years in prison; for the latter, 5 years. (Note, however, that maximum sentences are unusual.)
Cracked at last!
One fascinating part of this obviously lengthy investigation (and, presumably, one reason why the arrest warrant was only issued on 2022-02-07) is that investigators managed to trace data relevant to the case to a cloud storage service account belonging to Lichtenstein.
A search warrant meant that law enforcement already had copies of those files – the affidavit doesn’t say when they were acquired – but couldn’t do much with them…
…until the last day of January 2022, when the investigation came up trumps:
The majority of the stolen funds remained in [this wallet] from August 2016 until January 31, 2022. On January 31, 2022, law enforcement gained access to [the wallet] by decrypting a file saved to LICHTENSTEIN’s cloud storage account, which had been obtained pursuant to a search warrant. The file contained a list of 2000 virtual currency addresses, along with corresponding private keys. Blockchain analysis confirmed that almost all of those addresses were directly linked to the hack.
Bingo!
Law enforcement then got a “probable cause” warrant to seize the funds in those 2000 addresses, which came to a total of BTC 94,636, just under 80% of the amount originally plundered from Bitfinex.
Once the coins were safe, the arrest warrant application went ahead.
As you can imagine, law enforcement isn’t saying how long it took to crack the encrypted data to recover the bitcoin private keys, or what sort of encryption was used, or how the cracking was done.
But the astonishing fact is that those recovered bitcoins, worth about $57 million when the heist took place, are today valued at just over $4 billion.
John
I think the criminals were working with a dim bulb. Why didn’t they just move the bitcoins around and leave the original value in an account which they would disclose and make restitution. If they were sentenced it would be a slap on the wrist of a few months and then you come out and live on the $3 billion. [SECTION REDACTED]. Theft is theft throughout most of the world’s societies and should be dealt with. Sometimes the obfuscatory and orotund legalese language of laws works to a criminal’s advantage.
John Eifenstein
Either sha256 can be broken or I’m guessing the suspect’s computer was compromised and the private keys recovered.
Paul Ducklin
Cracking SHA-256 isn’t relevant here. The affidavit explicitly says that they “decrypted a file saved to Lichtenstein’s cloud storage”, and inside that file was the relevant data.
The master key could have been found in numerous ways – dictionary attack, guesswork, key saved in plaintext elsewhere, poor encryption algorithm, password re-use and so on. Or, as you say, via compromise of the suspect’s computer via “government keylogger”, but that feels unlikely – I suspect that the affidavit would have mentioned that aspect for clarification if it were true. (Tying the key to the suspect’s own typing would surely enhance the case, assuming the keylogger were correctly warranted.)
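The distinction drawn in the reply above (the file was decrypted; SHA-256 was not broken) can be shown with a small added example that is not part of the article or of the comments. It builds a constructed wallet-style export of placeholder address/private-key pairs, encrypts it under a key derived with PBKDF2-HMAC-SHA256, using an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (a demonstration construction chosen so the script needs only the Python standard library; it is an assumption for illustration and says nothing about the format of the file in the case), and then shows where the weakness actually sits: the hash function is only a building block, the correct passphrase opens the file directly, a weak passphrase falls to trial decryption from a short constructed candidate list, and the KDF iteration count is what sets the price of each guess.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample export: "address,private-key" lines with placeholder values
# (not real Bitcoin keys), standing in for the kind of list the affidavit describes.
SAMPLE_EXPORT = (
    b"1PLACEHOLDERADDRESSxxxxxxxxxxxxxx1,PLACEHOLDER_WIF_PRIVATE_KEY_1\n"
    b"1PLACEHOLDERADDRESSxxxxxxxxxxxxxx2,PLACEHOLDER_WIF_PRIVATE_KEY_2\n"
)

HEADER_LEN = 16 + 16 + 4  # salt || nonce || big-endian PBKDF2 iteration count
TAG_LEN = 32              # HMAC-SHA256 tag


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 64 bytes: 32 for encryption, 32 for the MAC.

    SHA-256 is only a building block here; its one-way property is never attacked.
    What a guesser pays per candidate passphrase is `iterations` HMAC computations.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (demo construction, not AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_export(plaintext: bytes, passphrase: str, iterations: int = 200_000) -> bytes:
    """Return salt || nonce || iterations || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(passphrase, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    header = salt + nonce + iterations.to_bytes(4, "big")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_export(blob: bytes, passphrase: str):
    """Return the plaintext, or None when the passphrase is wrong or the file was altered."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce = header[:16], header[16:32]
    iterations = int.from_bytes(header[32:36], "big")
    key = derive_key(passphrase, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # MAC mismatch: wrong key, so wrong passphrase (or tampering)
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def trial_decrypt(blob: bytes, candidates):
    """Try candidate passphrases in order; return (passphrase, attempts) or (None, attempts).

    This is the "dictionary attack" named in the comment, run against the constructed
    file: nothing about SHA-256 is broken, the protection is only as strong as the
    passphrase and the work factor behind it.
    """
    attempts = 0
    for cand in candidates:
        attempts += 1
        if decrypt_export(blob, cand) is not None:
            return cand, attempts
    return None, attempts


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Cost of a single passphrase guess at a given KDF work factor (the defender's lever)."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("benchmark-only", b"\x00" * 16, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = encrypt_export(SAMPLE_EXPORT, "letmein", iterations=10_000)
    print(trial_decrypt(weak, ["password", "123456", "qwerty", "letmein"]))  # ('letmein', 4)
    for iters in (1_000, 100_000):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per guess")
```

Two things to take from running it: a wrong passphrase is rejected by the tag check before any plaintext is produced, so an examiner with the file but without the passphrase is limited to guessing, and the only two quantities that matter for how long that guessing takes are the passphrase's entropy and the iteration count stored in the header. Neither involves weakening the hash function.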