Federal investigators spent years hunting for clues in the 2016 hacking of the Bitfinex cryptocurrency exchange, when thieves stole bitcoin now worth $4.5 billion. In the end, what helped lead them to two suspects was something much more quotidian: a $500 Walmart gift card.
That card and more than a dozen others like it, including for Uber, Hotels.com and PlayStation, were linked to emails and cloud service providers belonging to a young Manhattan couple, Ilya “Dutch” Lichtenstein and Heather R. Morgan, according to a criminal complaint. Authorities arrested the couple after seizing $3.6 billion worth of bitcoin allegedly in their control—the Justice Department’s largest financial seizure ever.
New details have since emerged about the investigation, in particular how it took advantage of not only advanced forensic tools but also the growing push to rein in crypto crime, including by the industry itself. The discoveries would have been less likely to happen around the time of the hack, when bitcoin was far outside the mainstream of the financial world.
Cryptocurrency has long been a preferred option for criminals big and small, including ransomware operators, drug traffickers and street gangs due to its perceived anonymity and capacity for frictionless international transfers. Despite its reputation as hard to trace, analysts say it is sometimes easier to track than hard currencies. Every transaction is public, leaving a permanent trail. The trick is tying that money to real people.
Mr. Lichtenstein, 34, and Ms. Morgan, 31, were charged with conspiring to launder money and defraud the federal government. The most serious count carries a maximum sentence of 20 years in prison. Federal prosecutors haven’t alleged that Mr. Lichtenstein and Ms. Morgan committed the hack.
Their lawyers didn’t respond to requests for comment. In a memo filed to court, their lawyers said, “The money laundering accusations in the Government’s complaint are predicated on a series of circumstantial inferences and assumptions drawn from a complex web of convoluted blockchain and cryptocurrency tracing assertions.”
At a hearing on Monday, a judge ordered Mr. Lichtenstein to be held in jail but allowed Ms. Morgan to be released to home incarceration on a $3 million bond package while they await trial.
The pair, who have been together for seven years, their lawyers said, both worked in technology. Mr. Lichtenstein was an introvert who preferred coding and making computer circuit boards over socializing, friends of the couple said. His family emigrated to the U.S. from Russia when he was 6 years old to avoid religious persecution, his lawyers said.
Ms. Morgan, from Northern California, was much more outgoing. She wrote columns for Forbes where she described herself as an expert dedicated to fighting fraud and cybercrime. “When she’s not reverse-engineering black markets to think of better ways to combat fraud and cybercrime, she enjoys rapping and designing streetwear fashion,” according to her Forbes.com bio. Her rap lyrics include: “spear phish your password/all your funds transferred.”
The theft came in August 2016, when hackers used malware to infiltrate the Hong Kong-based Bitfinex exchange’s network and moved the bitcoin—then worth about $71 million—through more than 2,000 unauthorized transfers to an outside account. The money lay dormant for several months. In January 2017, small amounts began moving in a series of complex transactions, according to a criminal complaint filed against Mr. Lichtenstein and Ms. Morgan.
Early on, according to the complaint, the stolen bitcoin was channeled through AlphaBay, an online marketplace operating on the dark web—a section of the internet only accessible by special software where people can interact anonymously. A question on the website’s FAQ section asked “Is AlphaBay Market legal?” The answer: “Of course not.” AlphaBay also advertised itself as a cryptocurrency “tumbler,” a service that could exchange deposited bitcoin for others to help prevent tracing.
In July 2017, federal authorities seized and shut down AlphaBay. Such crackdowns have made it harder to launder stolen crypto funds, and helped investigators track dirty money. “There are places where you can still cash out anonymously and without controls in place, but they’re vanishingly few now,” said Tom Robinson, co-founder of crypto analytics firm Elliptic Enterprises Ltd.
Prosecutor filings said that some of the stolen Bitfinex bitcoin that had been tumbled by the pair through AlphaBay accounts were then deposited into newly created accounts at several exchanges registered to foreign email addresses created around the time of the hack. The deposits quickly ran afoul of anti-money-laundering compliance efforts at crypto exchanges, prosecutors allege.
Some exchanges asked to verify the identities of some of the account holders. When they received no response, the exchanges froze the accounts, with more than $300,000 abandoned.
Authorities said in filings that cryptocurrency tied to the hack was then moved into accounts Mr. Lichtenstein and Ms. Morgan had created tied to their actual identities and businesses. They represented their opening deposits as having come from earlier investments, gifts or payments from clients. They made similar representations when wiring funds from crypto exchange accounts to traditional financial institutions.
In bail hearings, Ms. Morgan’s lawyer said his client’s accounts were set up to handle legitimate revenue for her business and there is no evidence that she knew of any connection from incoming funds to illegal activity.
In 2016 Mr. Lichtenstein and Ms. Morgan were living in the San Francisco Bay Area, according to friends. Mr. Lichtenstein was running an online marketing tech company called MixRank. Ms. Morgan at age 23 started SalesFolk LLC, which specialized in unsolicited marketing emails.
The two left for New York in 2017, where they founded a couple of startups and worked to bolster their image as tech-savvy entrepreneurs. By the following year Ms. Morgan was burned out and decided to pursue a different passion, she wrote in one Forbes column. She started making rap music under the name Razzlekhan. She dedicated one song to hackers and entrepreneurs, and described herself as the “Crocodile of Wall Street.”
“I’m definitely not trying to win a Grammy for my voice, but I am addicted to rap,” she wrote in her column.
In June 2019, Mr. Lichtenstein asked Ms. Morgan to marry him. As part of the proposal, he wrote in a Facebook post, he hired a marketing agency to put up Razzlekhan posters on New York City streets and purchased electronic billboards in Times Square showing pictures of her face.
In August 2019, the couple traveled to Ukraine for a monthlong trip, according to prosecutor filings. During that time, Mr. Lichtenstein, who holds dual U.S. and Russian citizenship, updated files on a cloud storage account that had information on money laundering and fake identity documents with Ukrainian connections, prosecutors said.
Lawyers for the couple said they had no intention of leaving the country, stressing that Ms. Morgan’s frozen eggs necessary for in vitro fertilization are in New York. “They would literally be leaving their future behind if they left,” said Samson Enzer, one of the couple’s lawyers, in the Monday hearing.
Every transaction of bitcoin is recorded in a public ledger for anyone to see—resulting in huge volumes of data. Analyzing their patterns can reveal groups that seem to share a common source or connection. Court documents show federal agents used software tools to sift through the data in search of connections and patterns, a process called cluster analysis.
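As an added illustration (not taken from the court filings or from the investigators' software), the sketch below applies one widely used clustering heuristic, common-input ownership: addresses spent together as inputs of a single transaction are assumed to share a controller. Which heuristics the agents' tools applied is not stated in the filings quoted here; the ledger, address names and service labels are constructed.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions): each entry lists the
# addresses spent as inputs and the (address, amount) outputs.
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": [("B1", 0.9)]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": [("C1", 0.4), ("A4", 0.1)]},
    {"txid": "t3", "inputs": ["A4", "A1"], "outputs": [("GIFTCARD_MERCHANT", 0.05)]},
    {"txid": "t4", "inputs": ["Z1"], "outputs": [("Z2", 2.0)]},
    {"txid": "t5", "inputs": ["Z2", "Z3"], "outputs": [("EXCHANGE_X", 1.5)]},
]
# Hypothetical labels an analyst would hold for known service addresses.
SERVICE_LABELS = {"GIFTCARD_MERCHANT": "gift-card seller", "EXCHANGE_X": "exchange"}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Group addresses that were ever co-spent as inputs of one transaction."""
    uf = UnionFind()
    for tx in txs:
        if not tx["inputs"]:          # e.g. coinbase transactions have no inputs
            continue
        first = tx["inputs"][0]
        uf.find(first)                # register single-input spenders too
        for other in tx["inputs"][1:]:
            uf.union(first, other)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return list(groups.values())


def service_payments(txs, cluster, labels):
    """Payments from any address in `cluster` to a labelled service address."""
    return [(tx["txid"], labels[dst], amt)
            for tx in txs if cluster & set(tx["inputs"])
            for dst, amt in tx["outputs"] if dst in labels]
```

In the sample, Z1 pays Z2 but the two are never co-spent, so they stay in separate clusters: the heuristic links spenders, not payer and payee.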
One cluster of bitcoin addresses, identified in court filings as 36B6mu, caught investigators’ attention.
On May 3, 2020, a fraction of a bitcoin went from the cluster to an exchange that sells prepaid gift cards. In return, a $500 gift card for Walmart was sent to a Russian-registered email. The transaction, however, was conducted via an IP address linked to a cloud service provider in New York that investigators linked to Mr. Lichtenstein, according to the agents.
Portions of the gift card, filings said, were then redeemed through Walmart’s phone app. Three purchases were conducted online using Ms. Morgan’s name, using one of her emails, and the couple’s apartment address was provided for delivery.
Between February 2019 and December 2020, bitcoin worth about $7.8 million today flowed through the cluster to and from accounts at various crypto exchanges that investigators said in court documents are tied to Mr. Lichtenstein and Ms. Morgan.
Investigating agents in January 2021 asked U.S. Magistrate Judge Zia Faruqui in Washington to issue a warrant to search email accounts connected to the couple. Judge Faruqui approved the warrant in August, noting the public nature of the blockchain ledger meant that those using it had no constitutional right to privacy. Relying on cluster analysis to guide searches, he wrote, was akin to relying on a confidential source providing tips to investigators.
The judge wrote that cryptocurrency and related software analytics tools are the “wave of the future, Dude. One hundred percent electronic,” referencing a line from the movie “The Big Lebowski.”
Mr. Lichtenstein and Ms. Morgan learned of the investigation in November, when an internet service provider told them that authorities had sought records pertaining to the couple in a subpoena a year earlier, their lawyers said in court filings.
That same month they held a wedding. They talked about starting a family through in vitro fertilization, according to their lawyers.
On Jan. 5, federal agents showed up at the couple’s Wall Street apartment with a search warrant.
At the apartment, investigators seized a plastic baggie marked “burner phone,” more than $40,000 in cash and more than 50 electronic devices, prosecutors said in court filings.
According to prosecutors’ filings, the couple chose to leave the premises while the agents searched. They asked to bring their cat, which was hiding under the bed.
As Ms. Morgan attempted to coax the cat out from hiding, she grabbed a phone from a nightstand, the filings said. She tried to repeatedly press the lock button, which prosecutors said appeared to be an attempt to keep investigators from being able to search it, and law-enforcement officials had to wrest the phone from her.
By then, investigators had access to Mr. Lichtenstein’s email and cloud account, according to court filings. On Jan. 31, the government was able to break the encryption for several of the files. Among them was a spreadsheet listing various accounts, including some of those that had been abandoned when exchanges asked for identity verification in 2017. There was a folder named “personas” that had identification documents, and another named “passport_ideas.”
Investigators also said they found a file listing all the addresses within the digital wallet where most of the bitcoin that had been stolen from Bitfinex were being kept. The currency, worth $3.6 billion, was seized. The seizure was visible on the blockchain ledger.