Two individuals were arrested last week in Manhattan, NYC, for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange, presently valued at approximately $4.5 billion. Thus far, law enforcement has seized over $3.6 billion in cryptocurrency linked to that hack.
The proceeds—worth $72 million then, but $4.5 billion now—were siphoned from users’ accounts into a single crypto wallet.
For years, most of the money sat in that wallet untouched. But, once the currency slowly began to move out of the wallet and into the traditional banking system, investigators were able to start tracing the transactions to people in the real world.
On Tuesday, a married couple in New York, Ilya Lichtenstein and Heather Morgan, aged 34 and 31, were arrested and charged with conspiracy to commit money laundering and conspiracy to defraud the United States.
How was Bitfinex hacked?
In 2016, Bitfinex—one of the largest cryptocurrency exchanges at the time—suffered a security breach. Some 2,000 transactions were approved from users’ accounts, sending the Bitcoin to one wallet.
The hack upended the entire crypto ecosystem, with the value of Bitcoin plunging about 20% within hours.
However, it is worth noting that neither Lichtenstein nor Morgan is accused of perpetrating the actual hack. “It’s potentially more difficult to prove the hack,” Ari Redbord, the head of legal and government affairs at TRM Labs, a cryptocurrency regulatory startup, says.
How did the Bitfinex crypto gang launder the BTC?
After the hack, the wallet in question held tens of millions of dollars worth of Bitcoin in a single account. But extracting it in large withdrawals would have aroused plenty of suspicion, so most of the cryptocurrency was simply left in the account to appreciate in value.
In a futile effort to maintain digital anonymity, the defendants laundered stolen funds through a labyrinth of cryptocurrency transactions.
In early 2017, small amounts of money began to exit the wallet through Alphabay, a currency exchange on the dark web that was often used to transact deals for drugs, weapons, and other illicit goods, according to investigators.
By routing crypto through Alphabay, the trail of money on the blockchain itself would run cold. The launderers could then simply deposit the money in another Bitcoin wallet with its provenance obscured.
When Alphabay was shut down by law enforcement in 2017, the perpetrators switched to routing the money through the Russian-language marketplace Hydra, according to Tom Robinson, a co-founder of the blockchain analytics company Elliptic, who has been tracking the flow of money from the hack using tracing techniques and other software.
Three years later, as Bitcoin prices spiked, the launderers employed a type of transaction known as a “coinjoin,” using Wasabi Wallet, a privacy wallet designed to prevent blockchain tracing. These methods amounted to the most “state-of-the-art laundering techniques” at the time, Tom Robinson says.
How the hackers were chased down
As the launderers tried technique after technique to move the money, efforts to combat scammers were escalating, particularly in the U.S., where regulatory agencies were taking notice and investigating large scams. U.S.-based cryptocurrency exchanges were falling in line under the purview of the Department of the Treasury, which required them to establish anti-money laundering (AML) programs and know-your-customer (KYC) protocols to make it harder for anonymous users to transfer money.
Meanwhile, crypto researchers and coders were building out more sophisticated tracking tools, hoping to bring some order and accountability to a space rife with scamming and bad actors.
But while experts like Robinson knew which cryptocurrency accounts stored the stolen Bitcoin, linking blockchain addresses to actual people was another matter entirely. Robinson says that the Justice Department’s efforts were aided tremendously by the fact that AlphaBay had been shut down in 2017 by an international law enforcement effort led by the FBI. This shutdown, Robinson believes, gave law enforcement access to the service’s internal transaction logs, which helped officials concretely connect the dots between the wallet linked to the 2016 Bitfinex hack and the laundered accounts.
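The two mechanics described above, on-chain tracing running cold at a custodial service and internal transaction logs reconnecting the trail, can be shown with a small taint-tracing script. This is an added illustration, not code from the article or from Elliptic or TRM Labs; the addresses, transfer amounts and the custodian's "internal ledger" are constructed placeholders, and the custodian stand-in is a generic exchange, not Alphabay or any real service.

```python
from collections import defaultdict, deque

# Constructed sample transfers (not real blockchain data):
# (from_address, to_address, amount_btc). All addresses are placeholders.
ON_CHAIN_TRANSFERS = [
    ("hack_wallet", "hop1", 10.0),
    ("hop1", "EXCHANGE_HOT", 10.0),          # deposit into a custodial service
    ("unrelated_user", "EXCHANGE_HOT", 5.0), # an innocent deposit mixes in
    ("EXCHANGE_HOT", "cashout_A", 9.5),      # withdrawals: on-chain, neither
    ("EXCHANGE_HOT", "cashout_B", 4.8),      # can be tied to a specific deposit
    ("cashout_A", "bank_deposit_addr", 9.5),
]

# Addresses known to belong to a custodian (exchange, marketplace hot wallet).
CUSTODIAL_ADDRESSES = {"EXCHANGE_HOT"}

# Constructed stand-in for the custodian's internal logs: which account
# received which deposits and which withdrawal addresses it paid out to.
INTERNAL_LEDGER = {
    "acct_42": {"deposits": ["hop1"], "withdrawals": ["cashout_A"]},
    "acct_77": {"deposits": ["unrelated_user"], "withdrawals": ["cashout_B"]},
}


def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, amount)."""
    graph = defaultdict(list)
    for src, dst, amount in transfers:
        graph[src].append((dst, amount))
    return graph


def trace_on_chain(transfers, origin, custodial):
    """Follow funds forward from `origin` using only on-chain data.

    Tracing stops at custodial addresses: once funds are pooled in a
    custodian's hot wallet, its outgoing transactions cannot be attributed
    to a particular depositor from the blockchain alone.
    Returns (tainted_addresses, addresses_where_tracing_stopped).
    """
    graph = build_graph(transfers)
    tainted, stopped_at = set(), set()
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if addr in tainted:
            continue
        tainted.add(addr)
        if addr in custodial:
            stopped_at.add(addr)
            continue  # do not follow the custodian's outputs blindly
        for dst, _ in graph[addr]:
            queue.append(dst)
    return tainted, stopped_at


def reconnect_via_ledger(tainted, ledger):
    """Use the custodian's records to find withdrawals funded by tainted deposits."""
    frontier = set()
    for record in ledger.values():
        if any(dep in tainted for dep in record["deposits"]):
            frontier.update(record["withdrawals"])
    return frontier


def trace_with_ledger(transfers, origin, custodial, ledger):
    """On-chain trace, then resume from the withdrawals the ledger links back."""
    tainted, _ = trace_on_chain(transfers, origin, custodial)
    for addr in reconnect_via_ledger(tainted, ledger):
        more, _ = trace_on_chain(transfers, addr, custodial)
        tainted |= more
    return tainted


if __name__ == "__main__":
    on_chain, stopped = trace_on_chain(ON_CHAIN_TRANSFERS, "hack_wallet", CUSTODIAL_ADDRESSES)
    print("on-chain only:", sorted(on_chain), "stopped at:", sorted(stopped))
    full = trace_with_ledger(ON_CHAIN_TRANSFERS, "hack_wallet", CUSTODIAL_ADDRESSES, INTERNAL_LEDGER)
    print("with custodian ledger:", sorted(full))
```

With only the chain, the trace reaches the custodian's hot wallet and stops; cashout_A and cashout_B are indistinguishable. With the ledger, only cashout_A (and the bank deposit address it feeds) is tied to the hack, while the innocent user's withdrawal stays untainted, which is the distinction investigators need before linking an address to a person.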
“The fact that law enforcement took down AlphaBay probably led to [Lichtenstein and Morgan’s] downfall,” Robinson says.
With the biggest piece of the puzzle found, officials began finding links between the smaller shell accounts and bank accounts that belonged to Lichtenstein and Morgan, according to the charging papers.
In January, they obtained a search warrant for a cloud storage account belonging to Lichtenstein, where they found a list of wallet addresses linked to the hack with their passwords. One of those wallets stored the majority of the remaining money: 94,000 Bitcoin, documents alleged. Using Lichtenstein’s passwords in the cloud, they entered the account and seized the funds, investigators said.
Who gets the $3.6BN in Bitcoin seized in Bitfinex hack?
After the attack in August 2016, when a hacker made off with more than 119,000 Bitcoin, Bitfinex allocated losses of more than 30% to all customer accounts. It then created and credited BFX tokens to customers at a ratio of one for every $1 lost. Within eight months, all holders had redeemed those tokens or exchanged them for iFinex capital stock.
Bitfinex also created another coin named Recovery Right Token, or RRT, for holders that had converted their BFX tokens into iFinex shares. In case the stolen Bitcoins were ever recouped, recovered funds would be distributed to RRT holders, at up to $1 per RRT. There are currently 30 million RRT tokens outstanding, according to Bitfinex. That could lead to a reimbursement of up to $30 million.
Bitfinex plans to use at least 80% of the recovered net funds to buy back and destroy another token, called Leo, which it issued in 2019 to shore up its finances.
Are we going to see similar seizures to the Bitfinex hack?
This may only be the beginning of the DOJ’s efforts to crack down on crypto scams. The feds have been highly active, launching a National Cryptocurrency Enforcement Team last year to expand investigations of money laundering and other financial crimes.
Last June, the DOJ recovered millions of dollars from the Colonial Pipeline ransomware attack. Meanwhile, other regulatory bodies, including the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), are positioning themselves to get a piece of the regulatory action.