Those linked to Bitfinex-stolen assets traced after AlphaBay closure

The 2017 closure of the dark market AlphaBay gave law enforcement access to records of transfers of assets stolen in 2016 from the Bitfinex bitcoin exchange to accounts on other services. This enabled the connection to the arrested Ilya Lichtenstein and Heather Morgan.

On February 8, the arrest of the individuals was announced. US authorities charged them with conspiring to launder proceeds of 119,754 BTC. The seizure of 94,636 BTC (~$3.6 billion) could be the largest in history.

According to the filing, the married couple employed several methods to launder the proceeds:

• using accounts based on fake identity documents;
• moving the stolen funds in a series of small amounts across thousands of transactions;
• using computer programs to automate the transfers;
• dispersing the funds by depositing them into accounts at various bitcoin exchanges and dark-net markets followed by withdrawals;
• converting bitcoin into other cryptocurrencies, including those with enhanced anonymity;
• using U.S. business accounts to launder the activity.

According to Elliptic, over the last five years the perpetrators managed to move and launder around 21% of the stolen BTC — the AlphaBay funds flowed to exchange accounts, as well as to the services Wassabi, JoinMarket and the Hydra darknet market.

To launder the stolen assets, gold, NFTs, crypto ATMs and gift cards for Uber, Hotels, PlayStation and Walmart were also used.

Earlier attempts to move funds to exchanges were blocked, requiring KYC procedures, after which the couple simply declined to proceed.

Telegram channel Goldfoundinshit explained how the couple was tracked:

• one of the accounts was opened on January 13, 2015 in Lichtenstein’s name, using his home address in San Francisco and verified with a personal photo and a screenshot of his driver\’s license;
• Lichtenstein provided his real home address for receiving gold and precious metals;
• the accounts through which XRM was cashed out were registered in the name of a Russian citizen and to a Russian email address;
• Lichtenstein and Morgan used their accounts from the same IP addresses;
• when Morgan sought to increase the daily withdrawal from $500 to $8,000 on one of the accounts, the exchange asked for the source of funds, and Heather Morgan said: “My boyfriend (now husband) gave me cryptocurrency over several years (2014–2015), which I stored in a cold wallet”;
• Morgan and Lichtenstein claimed that the bitcoin deposited into their accounts came from their own investments before 2015. However, a detailed blockchain analysis showed that the accounts opened in 2017 after the hack played a key role;
• all wallet data and keys the couple stored in a cloud service along with screenshots of all documents. On January 31, 2022, law enforcement managed to decrypt several key files in their accounts. The record contained a file listing all addresses and private keys.

Ilya Lichtenstein and Heather Morgan themselves are of interest.

According to a LinkedIn profile, Morgan is CEO of the copywriting agency SalesFolk and a columnist for Inc. and Forbes. Specifically, she authored the article “Experts share tips for protecting your business from cybercriminals.” It includes comments from BitGo representatives, which provided Bitfinex with security tools during the hack.

Lichtenstein is a partner in the investment fund Demandpath (Morgan invested in it) and an adviser to SalesFolk.

The couple led an active life on social media. Morgan adopted the alias Razzlekhan and positioned herself as a rapper, as well as an artist specializing in collages, sculpture, painting and clothing design.

Earlier, on February 1, the movement of 94,643 BTC, stolen in 2016 from Bitfinex, took place. Whale Alert logged more than 20 transactions.

Subscribe to ForkLog news on Telegram: ForkLog Feed — the full feed, ForkLog — the most important news, infographics and opinions