Federal authorities spent years looking for information on the 2016 breach of the Bitfinex cryptocurrency exchange, during which $4.5 billion worth of bitcoin was stolen by hackers. In the end, something far more commonplace—a $500 Walmart gift card—was what helped them find two suspects.
According to a criminal complaint, Ilya “Dutch” Lichtenstein and Heather R. Morgan, a young Manhattan couple, were connected to emails and cloud service providers using that card and more than a dozen others like it, including those for Uber, Hotels.com, and PlayStation. Following the greatest financial seizure in Justice Department history—$3.6 billion worth of bitcoin purportedly under the couple’s control—authorities detained the pair.
Since then, more information has come to light on the investigation, particularly how it benefited from both cutting-edge forensic techniques and the expanding industry-wide effort to combat cybercrime. When bitcoin was a far-flung outlier in the financial world at the time of the attack, it would have been less possible for the discovery to occur.
Due to its apparent anonymity and capability for seamless international transactions, cryptocurrency has long been a popular choice for criminals of all sizes, including ransomware operators, drug traffickers, and street gangs. Analysts claim that despite its bad image, it might often be more straightforward to track than physical currencies. Every transaction is open to the public and leaves a record. The secret is connecting that money with actual individuals.
Ms. Morgan, 31, and Mr. Lichtenstein, 34, were accused of planning to defraud the federal government and launder money. The maximum jail time for the most serious count is 20 years. The hack was not allegedly carried out by Mr. Lichtenstein or Ms. Morgan, according to federal authorities.
Inquiries for comment were not answered by their attorneys. Their attorneys wrote in a court document that “the Government’s complaint’s allegations of money laundering are based on a number of circumstantial inferences and assumptions taken from a complicated network of intricate blockchain and cryptocurrency tracking statements.”
In a hearing on Monday, the court ruled that Ms. Morgan may be released to home confinement on a $3 million bail package while Mr. Lichtenstein was ordered to remain in custody until trial.
The couple, who have been together for seven years, both worked in technology, according to their attorneys. According to the couple’s acquaintances, Mr. Lichtenstein was an introvert who favored coding and building computer circuit boards to socializing. When he was 6 years old, his family left Russia for the United States to escape religious persecution, according to his attorneys.
Ms. Morgan, a native of Northern California, was a lot friendlier. She published pieces for Forbes in which she identified herself as a specialist committed to battling fraud and online crime. According to her Forbes.com bio, “when she’s not reverse-engineering underground marketplaces to come up with new strategies to combat fraud and cybercrime, she likes rapping and creating streetwear clothes.” She raps, “spear phish your password/all your cash moved,” among other things.
The incident occurred in August 2016, when hackers broke into the Hong Kong-based Bitfinex exchange’s network using malware. They then transferred the stolen bitcoin, which was then valued at around $71 million, through more than 2,000 illicit transactions to an external account. The funds were inactive for several months. According to a criminal complaint brought against Mr. Lichtenstein and Ms. Morgan, sophisticated transactions involving tiny sums started happening in January 2017.
The accusation claims that the stolen bitcoin was initially sent through AlphaBay, a dark web marketplace accessible only through specialized software where users may communicate anonymously. Is AlphaBay Market legal? was a query posted in the website’s FAQ section? Of course not, was the response. In order to assist prevent tracking, AlphaBay also promoted itself as a cryptocurrency “tumbler,” or a business that could convert deposited bitcoin for other cryptocurrencies.
Federal officials seized and shut down AlphaBay in July 2017. These crackdowns have made it more difficult to launder stolen cryptocurrency funds and assisted authorities in locating illicit monies. Tom Robinson, the co-founder of the cryptocurrency analytics company Elliptic Enterprises Ltd., stated that there are still certain locations where you may withdraw money without any restrictions in place but that they are becoming vanishingly rare.
According to prosecutor documents, the two took some bitcoin from Bitfinex and transferred it through AlphaBay accounts before depositing the funds into freshly formed accounts at several exchanges linked to foreign email addresses generated around the time of the breach. Prosecutors claim that the deposits immediately triggered anti-money-laundering compliance measures at cryptocurrency exchanges.
Some exchanges demanded proof of the account holders’ identity. When they didn’t hear back, the exchanges locked the accounts, abandoning more than $300,000.
According to documents filed by the authorities, Mr. Lichtenstein and Ms. Morgan then transferred bitcoin linked to the theft into accounts they had set up connected to their real names and companies. They claimed that their first contributions were the result of prior investments, gifts, or customer payments. When moving money from cryptocurrency exchange accounts to conventional banking institutions, they gave similar assurances.
The defense attorney for Ms. Morgan said during bail hearings that his client’s accounts were put up to manage lawful earnings for her business and there is no proof that she was aware of any link between receiving monies and illicit behavior.
According to acquaintances, Mr. Lichtenstein and Ms. Morgan resided in the San Francisco Bay Area in 2016. Mr. Lichtenstein was the CEO of MixRank, an internet marketing technology firm. At the age of 23, Ms. Morgan founded SalesFolk LLC, a company that specialised in unsolicited marketing emails.
In 2017, the two departed for New York, where they started a few firms and cultivated a reputation as tech-savvy businesspeople. Ms. Morgan stated in one Forbes essay that by the following year, she had been burned out and had made the decision to explore another interest. Under the stage name Razzlekhan, she began to create rap songs. She referred to herself as the “Crocodile of Wall Street” in one song and dedicated it to hackers and businesspeople.
She stated in her column that she was “certainly not hoping to win a Grammy for my voice, but I am addicted to rap.”
Buying electronic billboards in Times Square allowed her to display her visage on the city’s streets.
According to prosecution documents, the pair took a month-long vacation to Ukraine in August 2019. According to the prosecution, Mr. Lichtenstein, who is a dual citizen of the United States and Russia, updated papers on a cloud storage account that contained information on money laundering and forged identification documents with Ukrainian ties.
The couple’s attorneys insisted that Ms. Morgan’s frozen eggs, which are required for in vitro fertilization, remain in New York and that they had no intention of leaving the country. One of the couple’s attorneys, Samson Enzer, stated at the court on Monday that if they left, “they would essentially be leaving their future behind.”
Huge amounts of data are generated as a result of the public ledger that contains records of every bitcoin transaction. Finding groups that appear to have a similar source or relationship can be done by analyzing their patterns. According to court records, federal agents utilized software tools to do cluster analysis of the data to look for links and patterns.