On Tuesday, Ilya Lichtenstein and Heather Morgan were arrested in New York and charged with laundering a record $4.5 billion worth of stolen cryptocurrency. In the 24 hours since, the cybersecurity world has mercilessly mocked the security flaws of their operations: Lichtenstein allegedly stored multiple private keys controlling those funds in a hosted wallet. clouds make it easy for them to take over, and Morgan brags that she “made up” her wealth in one series cringe rap videos on YouTube and Forbes column.
But those scrutiny obscured the substantial amount of multi-layered technical measures that prosecutors allege the couple did used to try to get into a dead end for anyone tracking their money. More remarkable, perhaps, is that federal agents, led by the IRS Criminal Investigation Agency, have managed to thwart efforts to allegedly anonymize financials on the 3.6-mile road to recovery. billion dollars in crypto stolen. In doing so, they demonstrated how advanced crypto tracing has become — potentially even for coins that were once thought to be practically untraceable.
“The surprising thing about this case is the laundry list of tampering techniques [Lichtenstein and Morgan allegedly] Ari Redman, head of legal and government affairs for TRM Labs, a crypto forensics and tracing firm. Redman points to the pair’s alleged use of “chain jumps” — transferring funds from one cryptocurrency to another to make them harder to track — including exchanging bitcoin for a “privacy coin.” ” like monero and dash, both of which are designed for blockchain analysis. Court documents say the couple also allegedly transferred their money through Alphabay’s Dark Web Market– the largest of its kind at the time – in an attempt to fool detectives.
However, investigators seem to have found a way through all of those obstacles. “It just goes to show that law enforcement isn’t going to give up on these cases and they’re going to investigate the fund for four or five years until they can track them down to a destination they have,” Redman said. information can be obtained.
In one 20 pages “statement of truth” published alongside the Justice Department’s criminal complaint against Lichtenstein and Morgan on Tuesday, the IRS-CI detailed the tortuous and tangled routes the pair allegedly took to launder part of the nearly 120,000 bitcoins stolen from crypto exchange Bitfinex in 2016. Most of those coins were moved from Bitfinex addresses on the Bitcoin blockchain to an IRS wallet labeled 1CGa4s, believed to be controlled by Lichtenstein. Federal investigators eventually found the keys for that wallet in one of Lichtenstein’s cloud storage accounts, along with login information for multiple cryptocurrency exchanges he used.
But to get to the point of identifying Lichstenstein — along with his wife, Morgan — and locating that cloud account, the IRS-CI followed two fork paths made possible by 25,000 bitcoins moving from the 1CGa4s wallet on Bitcoin’s blockchain. One of those affiliates went into AlphaBay’s collection of dark web-hosted wallets, designed to be inaccessible to law enforcement investigators. The other seems to have been converted to monero, a cryptocurrency designed to obfuscate cash flows in its blockchain by mix payments of multiple users monero—Real transactions and artificially created transactions — and conceal their value. Somehow, however, the IRS said it identified Lichtenstein and Morgan by tracing both of those fund affiliates to a set of crypto exchange accounts bearing their names, as well as the names of the three companies. companies they own, called Demandpath, Endpass and Salesfolk.
The IRS hasn’t quite shown how its investigators beat those two distinct perturbation techniques. But clues in the court document — and analysis of the case by other blockchain analysts — suggest several possible theories.
Lichtenstein and Morgan appear to have intended to use Alphabay as a “mixer” or “tumbler,” a cryptocurrency service that takes user funds and returns different coins to prevent blockchain tracking. AlphaBay advertised in April 2016 that they make that feature available to users by default. “AlphaBay can now be safely used as a flipper!” read a post from one of its admins. “Depositing and then withdrawing is now a way to reduce your money and break the link with your source of funds.”
