Euro Security Watch with Mathew J. Schwartz

Cryptocurrency Fraud , Cybercrime , Cybercrime as-a-service

Bust of Cryptocurrency Couple Shows Money Laundering Risks

Thanks to Blockchain, Cashing Out Pseudoanonymized Bitcoins Often Leaves a Trail
Bust of Cryptocurrency Couple Shows Money Laundering Risks
Heather Morgan, aka @realrazzlekhan, and her husband have been charged with laundering stolen bitcoins. (Photo: TikTok)

"Menace to Society." That's how Heather Morgan, who styled herself as a technology entrepreneur, angel investor and "The Crocodile of Wall Street," described herself in her sideline gig as a surreal rapper known as "Razzlekhan."

See Also: 5 Requirements for Modern DLP

Unfortunately for Morgan, she's now gotten money laundering conspiracy and conspiracy to defraud the United States added to her rap sheet.

Federal prosecutors unsealed an indictment Tuesday against 31-year-old Morgan, who's a U.S. citizen, and her husband Ilya "Dutch" Lichtenstein, 34, who holds dual U.S. and Russian citizenship.

The pair, who reside in New York, have been accused of laundering bitcoins now worth $3.6 billion that were stolen from the Bitfinex virtual currency exchange in 2016. At least so far, the couple have not been charged with stealing the approximately 120,000 bitcoins that went missing, which were worth $71 million at the time of the theft.

But six years after the hack, with the missing bitcoins now worth more than $4.5 billion, the FBI says it successfully seized $3.6 billion of those funds from the New Yorkers.

The Perfect Crime?

This case highlights the challenges facing anyone who wants to launder large amounts of cryptocurrency and stay out of prison long enough to help bolster their alleged rap career.

Of course, many cryptocurrency exchanges remain notoriously bad at keeping their virtual currency secure, as criminal and nation-state hackers - especially North Korea - continue to demonstrate.

Add to that the fact that bitcoins have a reputation for allowing users to remain anonymous, and stealing cryptocurrency might appear to be the perfect crime.

But in reality, bitcoins are pseudonymous. Because thanks to the blockchain, there's an immutable ledger of all transactions. The identity of the individual who controls a wallet from which bitcoins leave, or into which they flow, isn't included on the ledger. Investigators, however, have other tools they can use, bolstered by patience, to potentially unmask wallet owners.

To AlphaBay, and Beyond

In this case, the FBI traced the funds despite the suspects employing a variety of sophisticated tactics to try and disguise that they'd come from the Bitfinex hack, says Deputy Attorney General Lisa O. Monaco.

"Thanks to good, old-fashioned police work, we traced the stolen funds from the exchange, which led us to a wallet containing over 2,000 bitcoin addresses," she says. "From there, investigators followed the money to an account at the notorious dark market AlphaBay, an online forum dismantled by law enforcement in 2017."

Deputy Attorney General Lisa O. Monaco details the arrest of two suspects charged with laundering bitcoins stolen from Bitfinex in 2016.

From AlphaBay, investigators "followed the stolen money on its complex journey through a labyrinth of virtual currency exchanges and wallets based here and abroad," via which the defendants attempted to launder the funds, she says.

Source: FBI

Unpeeling 'Peel Chains'

The FBI says the suspects used numerous tactics to try and obscure the origin of the bitcoins, aka BTC, including "peel chains," in which "a large amount of BTC sitting at one address is sent through a series of transactions in which a slightly smaller amount of BTC is transferred to a new address each time," according to the FBI's criminal complaint against the suspects.

"In each transaction, some quantity of BTC 'peel off' the chain to another address - frequently, to be deposited into a virtual currency exchange - and the remaining balance is transferred to the next address in the chain," the FBI said.

Last May, Tom Robinson, chief scientist at blockchain analysis firm Elliptic, reported that "the 119,756 bitcoins stolen from Bitfinex were initially sent to a single wallet, and 79% of them remain there."

Where did the other 21% go? In part, Robinson said they were laundered in 2017 using AlphaBay - then the world's largest darknet marketplace - and in 2020 via Russian-language marketplace Hydra, which is now the world's largest darknet market.

Number of bitcoins from the Bitfinex hack received each month by the largest destinations (Source: Elliptic)

Darknet markets such as Hydra don't just sell malware, stolen payment card data and firearms, but also cash-out services. "These allow Bitcoin to be converted into gift vouchers, prepaid debit cards or hard cash - rubles in the case of Hydra," Robinson said. "If you're a cybercriminal in that part of the world and you want to cash out your crypto without having to go through an exchange that might well be using blockchain analytics to identify proceeds of crime, then Hydra is an attractive option."

Intelligence Bolstered by Takedowns

But U.S. investigators were nevertheless able to trace the flow of funds, likely thanks in part to wallet address information they obtained by seizing AlphaBay's infrastructure in 2017.

Monaco says multiple cryptocurrency exchanges also raised red flags over transactions that investigators later tied to the suspects. "Many asked questions about where the money came from, or even froze funds based on their suspicions," she says. "Several exchanges enforced anti-money laundering policies and 'know your customer' requirements. That proved key to this investigation, showing how cryptocurrency can become safer and more reliable when we work together to root out its abuse."

Source: FBI

Most cryptocurrency exchanges are legally required to comply with those AML and KYC policies. For ones that fail to do so, the U.S. government has been targeting them with sanctions and other measures, Ari Redbord, head of legal and government affairs at blockchain intelligence company TRM Labs, recently told me.

But it's important to remember that for criminals and nation-states, bitcoins are just a means to an end. "People talk about cryptocurrency crime; there's no cryptocurrency crime," said Redbord, who's also an Information Security Media Group contributor.

"Cryptocurrency is a form of payment that is used in the commission of many crimes," he said. "When you talk about the crimes that are committed using cryptocurrency, you could be talking about human trafficking or child exploitation. You could be talking about terrorist financing or ransomware."

Correlating Crime With Blockchain Activity

Law enforcement and intelligence agencies, aided by the private sector, continue to devote extensive resources to building better tools to track this activity, as well as correlate what happens on the blockchain with external events, such as when cryptocurrency gets converted to fiat money and deposited into a bank account.

Because of authorities' ability to track bitcoins, some criminals - including ransomware attackers - prefer more privacy-preserving cryptocurrency such as monero, although it can be more difficult to obtain. The Alphv/BlackCat ransomware operation, for example, which is a rebranding of the DarkSide and then BlackMatter group, charges victims a 15% premium if they choose to pay with bitcoins instead of monero.

One potential gotcha for criminals who use cryptocurrency is that time is often on investigators' side. As darknet markets such as AlphaBay and Hansa get infiltrated, and suspects detained, investigators gain access to extensive intelligence that can allow them to unmask buyers and sellers as well as tie them to specific cryptocurrency addresses.

The same goes for when law enforcement officials infiltrate crypto-phone services, such as EncroChat in June 2020 and Sky ECC in March 2021, or via the Anom honeypot operation revealed last June.

On Tuesday, for example, a jury at the Central Criminal Court of England and Wales, aka the Old Bailey, heard that a firearm procured via EncroChat was used to commit a murder in London in 2020, and was intended to be used as part of another such plan that didn't take place, the Guardian reported.

In the case of the Bitfinex funds stolen in the 2016 hack attack, the FBI says in court documents that on Jan. 31 it executed a search warrant on a cloud storage account used by Lichtenstein and was able to decrypt a file that revealed "wallet 1CGA4s," which "contained a list of 2,000 virtual currency addresses, along with corresponding private keys."

The FBI's criminal complaint says: "Blockchain analysis confirmed that almost all of those addresses were directly linked to the hack."

Redbord of TRM Labs says the blockchain was key to cracking this case and seizing the bitcoins. "If the laundering had occurred through an opaque web of shell companies, hawalas and bulk cash smuggling, they would not have been recovered," he says. Live by the sword, die by the sword?

Laundering Crypto Is Getting Tougher

Something else notable about this case is that the vast majority of the stolen funds, now worth $3.6 billion, remained unlaundered.

Monthly outflows from the wallet that received the bitcoin stolen from Bitfinex, using the bitcoin (BTC) and U.S. dollar exchange rate at the time of the outflow (Source: Elliptic)

Indeed, they were allegedly just sitting in the wallet controlled by Lichtenstein, seemingly because the suspects had no way to try and safely cash it out.

According to Elliptic's Robinson, "The slow movement of the stolen funds, and the various ways in which they have been laundered or converted into other assets tells a story about the maturation of the crypto industry and how law enforcement capabilities, regulation and blockchain analytics have together made it very challenging to make crime pay in crypto."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.