On Tuesday, Ilya Lichtenstein and Heather Morgan were arrested in New York and charged with laundering a record $4.5 billion worth of stolen cryptocurrency. In the 24 hours since then, the cybersecurity world has mercilessly mocked their operational security lapses: Lichtenstein claimed to have stored many of the private keys controlling these funds in a cloud storage wallet, making them easy to seize, and Morgan flaunted her “self-made” wealth in a series of cringe-inducing rap videos on YouTube and in Forbes columns.
But those blunders obscured the remarkable number of layered technical measures that prosecutors say the couple used to try to throw off anyone following their money. Perhaps even more remarkably, federal agents led by IRS Criminal Investigation were able to defeat these alleged attempts at financial anonymity en route to recovering $3.6 billion in stolen cryptocurrency. In doing so, they demonstrated how sophisticated cryptocurrency tracing has become – potentially even for coins that were once thought to be virtually untraceable.
“What was amazing about this case is the full list of obfuscation techniques [Lichtenstein and Morgan allegedly] used,” says Ari Redbord, head of legal and government affairs for TRM Labs, a cryptocurrency tracing and forensics firm. Redbord points to the pair’s alleged use of “chain hopping” — transferring funds from one cryptocurrency to another to make them harder to trace — including exchanging bitcoins for “privacy coins” like monero and dash, both intended to thwart blockchain analysis. Court documents say the pair also moved their money through the AlphaBay dark web marketplace – the largest of its kind at the time – in an attempt to thwart investigators.
Yet researchers seem to have found ways around all these obstacles. “It just shows that law enforcement is not going to give up on these cases, and they’re going to investigate funds for four or five years until they can trace them to a destination that they can get information about,” Redbord said.
In a 20-page “statement of facts” released with the Justice Department’s criminal complaint against Lichtenstein and Morgan on Tuesday, the IRS-CI detailed the tortuous and convoluted routes the pair allegedly took to launder some of the nearly 120,000 bitcoins stolen from cryptocurrency exchange Bitfinex in 2016. Most of these coins were moved from Bitfinex addresses on the Bitcoin blockchain to a wallet designated by the IRS as 1CGa4s, allegedly controlled by Lichtenstein. Federal investigators eventually found keys to that wallet in one of Lichtenstein’s cloud storage accounts, along with logins for multiple cryptocurrency exchanges he had used.
But to get to the point of identifying Lichtenstein — along with his wife, Morgan — and locating that cloud account, IRS-CI followed two forked paths taken by the 25,000 bitcoins that moved from the 1CGa4s wallet through the Bitcoin blockchain. One of those branches flowed into a collection of wallets hosted on the AlphaBay dark web marketplace, designed to be impervious to law enforcement investigators. The other appears to have been converted to monero, a cryptocurrency designed to obscure the trail of funds on its blockchain by mixing the payments of multiple monero users – both real and artificially generated transactions – and hiding their value. Yet somehow the IRS says it identified Lichtenstein and Morgan by tracing both branches of funds to a collection of cryptocurrency exchange accounts in their names, as well as in the names of three companies they own, known as Demandpath, Endpass and Salesfolk.
The IRS has not fully explained how its investigators defeated these two different obfuscation techniques. But clues in the court document — and analysis of the case by other blockchain analytics experts — suggest some likely theories.
Lichtenstein and Morgan appear to have intended to use AlphaBay as a “mixer” or “tumbler,” a cryptocurrency service that accepts a user’s coins and returns different ones to prevent blockchain tracing. AlphaBay advertised in April 2016 that it offered this feature to its users by default. “AlphaBay can now be safely used as a coin mixer!” read a post from one of its admins. “Making a deposit and then withdrawing afterwards is already a way to tumble your coins and disconnect from the source of your funds.”
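The kind of forward trace investigators run to follow value from a seed wallet through intermediate hops until it lands on an address attributed to an exchange or a market, as an added example that is not from the article or the IRS filing. It uses the “haircut” heuristic (each output inherits taint pro rata to the tainted share of the transaction’s inputs) over a constructed UTXO-style ledger; addresses, amounts and attribution labels are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data). Each transaction spends the
# listed input addresses in full and creates the listed outputs, UTXO-style.
# Transactions are listed in confirmation order so taint flows forward.
LEDGER = [
    ("tx1", [("seed_1CGa4s", 100.0)], [("hop_a", 60.0), ("hop_b", 40.0)]),
    ("tx2", [("hop_a", 60.0), ("clean_x", 20.0)], [("exch_dep_1", 50.0), ("hop_c", 30.0)]),
    ("tx3", [("hop_b", 40.0)], [("market_dep", 40.0)]),
    ("tx4", [("hop_c", 30.0), ("clean_y", 10.0)], [("exch_dep_2", 40.0)]),
]

# Constructed attribution data: the address clusters an analyst would already
# have labelled (exchange deposit addresses, a darknet market's wallets).
LABELS = {
    "exch_dep_1": "Exchange A deposit",
    "exch_dep_2": "Exchange B deposit",
    "market_dep": "darknet market wallet",
}


def haircut_trace(ledger, seed, labels):
    """Follow value from `seed` forward through `ledger`.

    Returns (reached, held): `reached` maps each attribution label to the
    tainted value that arrived there; `held` maps unspent addresses to the
    tainted value they still hold at the end of the ledger.
    """
    taint = defaultdict(float)   # tainted value currently held per address
    reached = defaultdict(float)
    for _txid, inputs, outputs in ledger:
        total_in = sum(amt for _, amt in inputs)
        tainted_in = 0.0
        for addr, amt in inputs:
            # The seed is tainted in full; any other input carries whatever
            # taint it received earlier. Spending an address consumes it.
            tainted_in += amt if addr == seed else min(taint.pop(addr, 0.0), amt)
        if tainted_in == 0.0:
            continue                     # unrelated transaction, nothing to propagate
        share = tainted_in / total_in    # haircut: mixing with clean inputs dilutes taint
        for addr, amt in outputs:
            tainted_out = amt * share    # any fee burns its share of the taint
            taint[addr] += tainted_out
            if addr in labels:
                reached[labels[addr]] += tainted_out
    return dict(reached), dict(taint)


if __name__ == "__main__":
    reached, held = haircut_trace(LEDGER, "seed_1CGa4s", LABELS)
    for label, value in reached.items():
        print(f"{value:6.1f} of tainted value reached {label}")
```

The exchange deposits are where a subpoena can attach a name to the flow, which is the point Redbord makes about investigators following funds until they reach a destination they can get information about.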