How Law Enforcement Tracked Down 94,000 Bitcoins Stolen From Bitfinex?

白泽研究院
Guest columnist
2022-03-13 06:39
According to the lawsuit filed by Special Agent Janczewski, law enforcement was able to gain access to Lichtenstein's cloud storage, where he kept most of the sensitive information related to his operations while attempting to clean up the stolen funds.

Original Author: NAMCIOS-Bitcoin Magazine

The U.S. Department of Justice announced in a February 2022 statement that it had successfully seized most of the bitcoin lost in the 2016 hack of crypto exchange Bitfinex, after taking control of the wallets holding the stolen funds.

Recovering funds after such a long interval is clearly unusual, but the complex yet conclusive trail allowed law enforcement to catch Ilya Lichtenstein and Heather Morgan, a couple who sought to obscure their ill-gotten bitcoins by laundering them.

But what appeared to be a well-thought-out move was actually very fragile and fraught with missteps, which facilitated the work of Special Agent Christopher Janczewski, assigned to the IRS's Criminal Investigations Division. That work eventually led to Janczewski charging Lichtenstein and Morgan with money laundering and conspiracy to defraud.

This article delves into the nuances of law enforcement efforts to uncover the identity of the alleged Bitfinex hacker, and the steps taken by the accused couple, based on accounts provided by the Justice Department and Special Agent Janczewski. However, since the official documents do not disclose the key steps of the investigation, the authors will provide plausible scenarios and possible explanations to address unanswered questions.

How can law enforcement seize stolen bitcoins?

Bitcoin's monetary autonomy and resistance to censorship mean that Bitcoin transactions cannot be blocked and bitcoin holdings cannot simply be confiscated. So how was law enforcement able to seize the money launderers' bitcoins in this case?

According to the lawsuit filed by Special Agent Janczewski, law enforcement was able to gain access to Lichtenstein's cloud storage, where, while trying to clean up the stolen funds, he kept most of the sensitive information related to his operations, including the private keys to the bitcoin wallet that held most of the stolen assets.

The censorship resistance of bitcoin transactions and the sovereignty of bitcoins depend on the proper handling of private keys, since they are the only way to transfer bitcoins from one wallet to another.

Although Lichtenstein's private keys were kept in cloud storage, according to the Justice Department the files were protected by symmetric encryption so strong that even a skilled technician might not be able to crack it in a lifetime. However, the Justice Department did not respond to questions about how the files were decrypted and the private keys accessed.

There are some plausible guesses as to how law enforcement might have cracked Lichtenstein's encrypted cloud storage.

The first possibility has to do with the security of password storage: law enforcement may have had a way to obtain the password without brute-forcing the files in the cloud.

Another possibility is that law enforcement had more personal information about the couple, and more computing power, than any other technologist in the world, so decrypting the targeted files was actually feasible and does not contradict the DOJ's statement.

The most likely scenario is that law enforcement didn't need to decrypt the files in the first place, which makes sense given the DOJ's comments. Agent Janczewski and his team could have obtained the password some other way without brute-forcing the cloud-stored files. This could have been facilitated by a third party that Lichtenstein commissioned to create or store the encryption passwords, or by chasing down some blunder by the couple.

Why save private keys on cloud storage?

It is unclear why Lichtenstein kept such sensitive documents in an online database. However, some have hypothesized that this could be related to the hack itself, which would have required him to keep the wallet's private keys in the cloud. Ergo from OXT Research said on social media: "Because this allows remote access to third parties". However, the couple has not been charged with the "hacking" itself by law enforcement.

The hypothesis of cooperation with others also fits the circumstances of this case. While asymmetric cryptography is well suited to sending and receiving sensitive data (because the data is encrypted with the recipient's public key and can only be decrypted with the recipient's private key), symmetric cryptography is well suited to sharing access to fixed files, because the password can be shared by both parties.

Another hypothesis is negligence. The hackers may simply have believed their passwords were strong enough and put the keys on a cloud service for the convenience of accessing them from anywhere in the world over the internet. But this still doesn't answer the question of how the couple obtained the private keys associated with the hack.

Bitfinex did not comment on any known details about the hackers or whether they are still being pursued.

"We are unable to comment on the details of any cases under investigation," said Paolo Ardoino, Bitfinex's chief technology officer, adding that "a security breach of this magnitude inevitably involves multiple parties."

How did Lichtenstein and Morgan get caught?

The DOJ statement said the couple used a variety of techniques in an attempt to launder bitcoin, including cross-chaining and using false identities on several crypto exchanges. So how was their behavior discovered?

Lichtenstein often opened accounts under fictitious identities on bitcoin exchanges. For example, he opened eight accounts on one exchange (Poloniex, according to Ergo), which at first appeared to be unrelated, or at most weakly connected. However, according to the information in the lawsuit, all of these accounts shared several characteristics that gave away the couple's identities.

First, all of the Poloniex accounts used the same email provider based in India and had "similar style" email addresses. Second, they were accessed from the same IP address, a major red flag suggesting that these fake accounts were all controlled by the same entity. Third, the accounts were created around the same time as the Bitfinex hack. Furthermore, none of these accounts were used after the exchange started requiring KYC.

The suit also alleges that Lichtenstein consolidated multiple bitcoin withdrawals from different Poloniex accounts into a single bitcoin wallet cluster, which he then deposited into an account on another bitcoin exchange (Coinbase, according to Ergo) that he had held previously; that account had passed KYC.

The exact words in the lawsuit read: "The account was verified with a photo of Lichtenstein's California driver's license and a selfie-style photo; the account was registered to an email address containing Lichtenstein's name."

Information in the suit also shows that Lichtenstein kept a spreadsheet in his cloud storage containing details for all eight Poloniex accounts.
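The account-linking signals listed above (shared email provider, similar-style addresses, shared IP, creation near the breach, dormancy after KYC) can be turned into a simple scoring and clustering routine of the kind an exchange's compliance team might run. This is an added example, not code from the article or from the investigation; the account records, weights and the reference date are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import date
from itertools import combinations
# Constructed sample records for three exchange accounts (not data from the lawsuit).
REFERENCE_DATE = date(2016, 8, 1)  # placeholder for the breach date; the article gives only the year
ACCOUNTS = [
    {"id": "A1", "email": "bitcoin.trader91@mail-in.example", "ip": "203.0.113.7",
     "created": date(2016, 8, 20), "active_after_kyc": False},
    {"id": "A2", "email": "bitcoin.trader92@mail-in.example", "ip": "203.0.113.7",
     "created": date(2016, 8, 24), "active_after_kyc": False},
    {"id": "A3", "email": "alice.w@corp.example", "ip": "198.51.100.4",
     "created": date(2015, 1, 10), "active_after_kyc": True},
]

def email_style(address):
    # Normalise the local part so 'trader91' and 'trader92' map to one style key.
    return re.sub(r"\d+", "#", address.split("@")[0].lower())

def link_score(a, b, reference=REFERENCE_DATE, window_days=60):
    """Score how strongly two accounts look like one controller; returns (score, reasons)."""
    score, reasons = 0, []
    if a["email"].split("@")[1] == b["email"].split("@")[1]:
        score += 1; reasons.append("same email provider")
    if email_style(a["email"]) == email_style(b["email"]):
        score += 1; reasons.append("similar-style email addresses")
    if a["ip"] == b["ip"]:
        score += 2; reasons.append("same IP address")  # strongest single signal
    days_after = lambda acct: (acct["created"] - reference).days
    if all(0 <= days_after(x) <= window_days for x in (a, b)):
        score += 1; reasons.append("both created shortly after the reference date")
    if not a["active_after_kyc"] and not b["active_after_kyc"]:
        score += 1; reasons.append("both dormant after KYC")
    return score, reasons

def cluster_accounts(accounts, threshold=3):
    """Union-find over account pairs whose link score reaches the threshold."""
    parent = {acct["id"]: acct["id"] for acct in accounts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(accounts, 2):
        if link_score(a, b)[0] >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for acct in accounts:
        groups[find(acct["id"])].append(acct["id"])
    return sorted(sorted(g) for g in groups.values())
```

With the constructed records, A1 and A2 score 6 together and land in one group while A3 stays alone; the reasons list is what a reviewer would attach to the case.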

[Figure: flow of funds after the Bitfinex hack]

The lawsuit details the flow of funds following the Bitfinex hack, but the AlphaBay transaction information cannot be audited outside law enforcement, so passive investigators cannot trace those funds themselves. Image credit: U.S. Department of Justice

According to Ergo, "Investigation is very straightforward, but requires internal knowledge across regulatory entities. For example, the [U.S. government] shared AlphaBay transaction history with data surveillance companies, but we don't have access to that information. That's where the analysis has to stop for me as a passive investigator."

[Figure: Monero deposits and BTC withdrawals across custodial services]

The couple deposited Monero and withdrew BTC in an attempt to launder the funds. However, law enforcement used KYC trails to de-anonymize their fictitious identities across different custodial services. Image credit: U.S. Department of Justice

Ergo said the OXT team was unable to verify any claims about the 36B6mu wallet cluster.

"We searched for the 36B6mu address corresponding to the wallet cluster and found an address, but it is not part of the legacy wallet cluster. Also, the timing and amount do not seem to match what was mentioned in the complaint. Perhaps a clerical error? Therefore, we cannot really verify anything to do with the 36B6mu cluster."

Lessons for Bitcoin privacy

Setting aside the portions that passive investigators could not independently verify, analysis of the lawsuit makes clear that Lichtenstein and Morgan placed varying degrees of "trust" in several of the services they used.

First, Lichtenstein and Morgan kept sensitive documents online in a cloud storage service that was vulnerable to censorship. To stay secure, Bitcoin users should keep important files and private keys offline in a safe place, preferably stored in a decentralized manner rather than concentrated with a single custodian.

Another service they trusted was AlphaBay, a dark web marketplace. Although we don't know exactly how law enforcement obtained their AlphaBay transaction records, dark web markets routinely attract law-enforcement scrutiny and remain a main focus of investigative efforts.

Second, blind assumptions are dangerous because they make you let your guard down, which often leaves gaps that a savvy investigator or hacker can exploit. In this case, Lichtenstein and Morgan at one point assumed they had used so many techniques to obfuscate the source of the funds that it was safe to deposit bitcoin into an account tied to their personally identifiable information, an act with the cascading effect of de-anonymizing most of the preceding transactions.

Another red flag in the couple's handling of bitcoin was pooling funds from different sources, which lets blockchain analysis firms and law enforcement reasonably assume that the same person controls all of them: another opportunity for de-anonymization.
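The two preceding points, pooling inputs from different sources and then depositing to a KYC'd account, are exactly what the common-input-ownership heuristic exploits: every input spent together in one transaction is assumed to share a controller, and one identified address then labels its whole cluster. The block below is an added illustration of that heuristic, not code from the article, OXT or any analysis firm; the transactions and the KYC label are constructed.

```python
from collections import defaultdict

# Constructed sample transactions: txid -> addresses spent as inputs (not from the lawsuit).
TXS = {
    "tx1": ["addrA", "addrB"],   # two sources pooled into one spend
    "tx2": ["addrB", "addrC"],   # addrB reused, chaining addrC into the same group
    "tx3": ["addrD"],            # single-input spend, links nothing
    "tx4": ["addrE", "addrF"],
}

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of one tx are assumed to share a controller."""
    uf = UnionFind()
    for inputs in txs.values():
        uf.find(inputs[0])                      # register single-input addresses too
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())

def attribute_clusters(clusters, known):
    """Cascade a KYC attribution from one known address to every address in its cluster."""
    owner = {}
    for cluster in clusters:
        labels = {known[a] for a in cluster if a in known}
        if len(labels) == 1:                    # skip clusters with no or conflicting labels
            label = labels.pop()
            owner.update({a: label for a in cluster})
    return owner
```

Labelling only addrC (the constructed deposit to a KYC'd account) attributes addrA and addrB as well, which is the cascade the article describes.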

Lichtenstein and Morgan did try cross-chaining as an alternative way to gain privacy; however, they carried it out through custodial services (primarily crypto exchanges), which undermined the viability of such a scheme and introduced a trusted third party that can be subpoenaed.

Lichtenstein and Morgan also tried opening accounts on crypto exchanges under aliases or fictitious identities to hide their real names. But the pattern of doing so gives investigators more insight into such accounts, and shared IP addresses let law enforcement assume the same entity controls all of them.

Because Bitcoin is a transparent network, funds can be traced easily. Bitcoin can be used anonymously, but that anonymity has its limits: using it safely requires privacy and care.

What happens to recovered bitcoins?

Although the couple have been charged with two crimes by U.S. law enforcement, there will still be a trial process in court to determine whether they are found guilty. Paolo Ardoino, Bitfinex’s chief technology officer, said the exchange would have a plan of action if the couple were found guilty and the funds were returned to Bitfinex.

"Following the 2016 hack, Bitfinex created BFX tokens and offered them to affected customers for $1. Within eight months of the security breach, Bitfinex had redeemed 54.4 million BFX tokens in U.S. dollars or cryptocurrency, or converted customers' BFX tokens into shares of the parent company iFinex Inc."

According to Ardoino, the monthly redemption of BFX tokens began in September 2016, with the last BFX token redeemed in early April of the following year. The token started trading at around $0.20 but gradually increased in value to almost $1.

“Bitfinex has also created tradable RRT tokens for certain customers who convert BFX tokens into iFinex shares,” explained Ardoino. “When we successfully withdraw funds, we will distribute up to $1 per RRT to RRT holders. There are approximately 30 million RRT outstanding.”

Risk warning:

According to the "Notice on Further Preventing and Dealing with the Risk of Hype in Virtual Currency Transactions" issued by the central bank and other departments, the content of this article is only for information sharing, and does not promote or endorse any operation and investment behavior. Participate in any illegal financial practice
