In August, 2016, a hacker stole 119,754 bitcoin from a cryptocurrency exchange called Bitfinex. On Tuesday, in Manhattan, a young married couple, Ilya Lichtenstein and Heather Morgan, appeared in federal court, charged with attempting to launder the proceeds of that crime. When the exchange was hacked, the stolen bitcoin was worth about seventy-one million dollars. Today, its value is more than five billion dollars. Shortly before their arrest, one could argue that—on paper, at least—Lichtenstein and Morgan were richer than Peter Thiel, who founded PayPal.
Lichtenstein is a thirty-four-year-old with dual Russian-American citizenship, who describes himself on Medium as a “tech entrepreneur, explorer, and occasional magician.” He goes by “Dutch.” His Twitter feed (@unrealdutch) is a stream of aloof commentary on cryptocurrency, Web 3.0, and non-fungible tokens. On New Year’s Eve, he retweeted Edward Snowden’s picture of fireworks over the Kremlin. Morgan, who is thirty-one, married Lichtenstein last year. Among other pursuits, she is a journalist. In her biography for Forbes, which she wrote for until last year, Morgan describes herself as “an international economist, serial entrepreneur, and investor” and “an expert in persuasion, social engineering, and game theory.” “When she’s not reverse-engineering black markets to think of better ways to combat fraud and cybercrime,” her bio reads, “she enjoys rapping and designing streetwear fashion.”
Morgan really does seem to enjoy rapping. She spits bars as Razzlekhan, and styles herself the “Crocodile of Wall Street.” The keystone of Razzlekhan’s œuvre is a track called “Versace Bedouin,” a paean to grind culture and financial speculation, in which Morgan nods to her multi-hyphenate career. (“I’m many things: a rapper, an economist, a journalist, a writer, a C.E.O., and a dirty, dirty, dirty, dirty ho.”) In the video for “Versace Bedouin,” Morgan wears a gold lamé jacket and a baseball cap bearing the slogan “ØFCKS.” It was filmed on Wall Street itself, which is also where the couple lives, in a rented two-bed condominium.
Morgan and Lichtenstein were charged last week with conspiring to launder money and conspiring to defraud the United States. Most subsequent media coverage of the case has naturally focussed on their colorful online personae. (I am not immune. In my house, “Versace Bedouin” has been on repeat.) But the details of the case are equally intriguing, because they gesture at the potential and pitfalls of digital currency for criminal activity.
The case against Morgan and Lichtenstein, as detailed in the affidavit, describes a big crime followed by a series of frustrations. After the hack of Bitfinex, in 2016, the stolen bitcoin was transferred to an outside wallet. The government has not said that Lichtenstein and Morgan hacked the exchange; they are charged only with laundering the proceeds of the hack. But it appears that the couple never even tried to launder most of the stolen coins—94,636 bitcoin, or about eighty per cent of the total loot, never left the first wallet. The reason? Laundering digital currency is hard. And the level of difficulty rises as the sums grow larger.
As I discovered last year, while reporting on state-sponsored North Korean hackers, thefts from digital-currency exchanges happen with alarming regularity. North Korean operatives particularly enjoy hacking digital bourses in South Korea. As of last April, one exchange, Bithumb, had been raided four times. Exchanges are vulnerable because they often maintain escrow accounts holding coins in so-called hot wallets, which are connected to the Internet. (The more secure, but laborious, way to store coins is in a “cold wallet,” which is not connected to the Internet; the keys to the wallet are written down or memorized elsewhere.) Through some often-ingenious tricks, such as impersonating a trusted business partner in order to plant malware on an exchange employee’s computer, criminals find ways to commandeer the keys to hot wallets, and steal coins.
Last year, Tom Robinson, who is the chief scientist at the blockchain-analytics firm Elliptic, explained to me the appeal of this kind of crime. “Once the funds have moved out of the exchange, you can’t reverse those transactions, like you can maybe with a traditional bank payment,” Robinson said. “Once they’re gone, they’re gone. And there’s no intermediary, there’s no controller of bitcoin, who you can go to and say, ‘Those funds are stolen. Give them back to me.’ It’s completely decentralized. It can also be fairly anonymous—you don’t need to enact the scheme through accounts linked to your identity.”
But if digital currency creates opportunities for thieves it also presents giant obstacles. The desired end point of most exchange hacks is to convert stolen digital currency into fiat currency—pounds, euros, dollars. That’s hard to do if exchanges have adequate know-your-customer (K.Y.C.) or anti-money-laundering (A.M.L.) structures in place. If you dump a billion dollars’ worth of bitcoin at a reputable exchange’s feet and ask for dollars in response, its A.M.L. team should ask some tough questions.
Launderers must also contend with the fact that coins are traceable. The ledger on which trades occur is immutable. It should always be possible to track stolen loot through its digital footprint. The problem of handling stolen bitcoin is not unlike that of smuggling a Picasso in the trunk of your car. Everybody knows it’s a Picasso because it looks like a Picasso and it’s got Picasso’s signature on it. Stealing the painting is one thing; realizing any monetary gain for it is another.
Morgan and Lichtenstein seem to have understood some of the dangerous terrain of the crypto laundry. The affidavit claims that, among other techniques, the couple moved some of the bitcoin out of the holding wallet using “a series of small, complex transactions across multiple accounts and platforms,” adding that “this shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds.” This atomized transfer is sometimes known as a peel chain. Last year, Robinson, the Elliptic scientist, showed me a visualization of a peel chain. The diagram looked like an airline-magazine route map, in which several lines sprout from one dot and then converge on another.
The affidavit also details how the couple understood other, more sophisticated laundering techniques. One is known as chain hopping. This is when one type of coin is swapped for another—Bitcoin to Ethereum, for instance—to disguise its provenance. The blockchain-forensics firm Chainalysis recently published a report that detailed the growing use of chain hopping, particularly by North Korean criminal groups. The preferred method is to use what is known as a DeFi (decentralized finance) platform, which swaps currencies without ever taking custody of the funds. DeFis are not required to have any know-your-customer procedures. According to Chainalysis, in 2020, North Korean hackers used a DeFi called Uniswap to launder the proceeds of a two-hundred-and-seventy-five-million-dollar theft from the KuCoin exchange—one of the largest hacks of any exchange ever.
Morgan and Lichtenstein also allegedly moved coins to AlphaBay, a dark-Web marketplace that was shuttered by police in 2017. You can buy pretty much anything you want using digital currency on the dark Web, and nobody cares where you got your funds. But it seems that the sums Morgan and Lichtenstein were looking to launder were too unwieldy to cash out by buying products. AlphaBay was simply a conduit for the stolen coins. The couple is alleged to have moved their funds through the dark-Web marketplace and back into other coin exchanges, which landed them in the same predicament as when they started: with a bunch of digital currency that they couldn’t spend. When they attempted to open seven new accounts on one exchange using fake identities, the exchange could not verify the accounts, and froze their funds.
The couple ran into locked door after locked door. They spent some of the coins on N.F.T.s, and some on a five-hundred-dollar Walmart gift card. They cashed out small amounts using gold trades and other techniques. Gurvais Grigg, a former F.B.I. agent who is now the public sector chief technical officer for Chainalysis, told me that Morgan and Lichtenstein’s attempts to launder their bitcoin had shown them to be “pretty sophisticated.” But they never found a way to make good on the billions of dollars’ worth of loot burning a hole in their digital pocket. “Eventually,” Grigg said, “you’ve got to move it to a place, or an exchange, or an O.T.C. [over-the-counter trader] that can help you.”
Reading the affidavit, I found myself asking: How would the North Koreans have washed so many coins? They would have done it slowly. Criminal groups associated with North Korea leave large volumes of cryptocurrency untouched in digital wallets for years. They also would have used some of the same techniques that Morgan and Lichtenstein did: peel chains and chain hopping. But they would have kept their real identities far away from any accounts handling the stolen coins. (They would never have used a real driver’s license to verify their identity, or have used their own home address for a gold trade, as Lichtenstein did.) Certainly, they would have found a way to cash out large sums, probably using an exchange in a lax jurisdiction.
In 2018, a digital-currency exchange in Hong Kong was hacked by a North Korean group. About 10,800 bitcoin was stolen. Today, the bitcoins would be worth nearly half a billion dollars. According to an indictment in 2020, these coins were then diverted, via peel chains, to two Chinese citizens, Tian Yinyin and Li Jiadong, who had successfully opened accounts on other exchanges using fake pictures and fake names. Tian and Li then cashed out using a Chinese bank. According to the U.S. Treasury, several financial institutions in China offer accounts to North Koreans, or to front companies that have relationships with Pyongyang. In 2020, Tian and Li were accused in the United States of having laundered “stolen cryptocurrency to obscure transactions for the benefit of actors in North Korea.” (The men have been charged in absentia, and are still at large.)
The North Koreans prefer to cash out in China, but, according to the forensics firms that track cryptocurrency, there are also plenty of exchanges in Russia and Eastern Europe that will not ask awkward questions. Several exchanges in Moscow—including the over-the-counter brokerage Suex, which the Treasury sanctioned last fall—were named in a recent report by Chainalysis as “making a concerted effort to serve a cybercriminal clientele.” More than half of these Russian exchanges share a Moscow skyscraper: Federation Tower. The Chainalysis report noted that “nothing is more emblematic of the growth of Russia’s crypto crime ecosystem, and of cybercriminals’ ability to operate with apparent impunity, than the presence of so many cryptocurrency businesses linked to money laundering in one of the capital city’s most notable landmarks.”
It’s somewhat to Morgan and Lichtenstein’s credit that they appear not to have known where to cash out. They don’t seem like hardened criminals, although the courts may treat them as such. In a filing, the couple’s lawyer wrote, “Ms. Morgan and Mr. Lichtenstein have no reason to flee to avoid the government’s allegations, as the government’s complaint reveals significant holes in the government’s case against them.” He went on to write that “the money-laundering accusations in the government’s complaint are predicated on a series of circ*mstantial inferences and assumptions drawn from a complex web of convoluted blockchain-and cryptocurrency-tracing assertions.” There also remains the intriguing question of the bitcoin that the government has not yet found: some three hundred and thirty million dollars’ worth that is believed to be in wallets controlled by the couple. One wonders what will happen to that stash. Like most of the stolen loot from the Bitfinex raid, the answer is: probably nothing.
