Last week the crypto space erupted and markets fluttered following the news that the US Department of Justice (DOJ) seized around $3.6 billion in Bitcoin that was stolen off the centralized cryptocurrency exchange Bitfinex during a 2016 hack. The action marks the largest-ever seizure of funds by the agency. It exposed the myth that hacked crypto funds cannot be traced.
The DOJ announced on February 8, 2022, that married couple Ilya “Dutch” Lichtenstein and Heather Morgan were arrested in connection with conspiring to commit money laundering and defrauding the US. However, they have not been accused of directly perpetrating the hack themselves, though it was strongly implied in the DOJ release.
The arrest went viral across social media for days due to Morgan, a female “TikTok rapper” whose viral videos created fodder for a crypto market currently struggling to break out of a bearish cycle. The case is so bizarre and the suspects so unusual that Netflix announced only days later that they would be making a series about the whole saga. Many in the crypto space expressed their skepticism that the couple were the real hackers because of the absolute rookie mistakes that, according to authorities, they made.
Incredibly, the duo was caught after authorities hacked an encrypted file stored on a cloud server and extracted their private key, despite the couple using several very advanced methods to obfuscate and move the stolen assets around by using privacy coins and coin mixers. A Wired article explains everything they did to move the funds.
In this article, we’ll look at what happened and at 5 lessons for crypto investors to glean from this case, and we’ll also play devil’s advocate and discuss whether a hardware wallet would’ve saved them from the long arm of the law.
Couple HODLs and Launders Nearly 120,000 Stolen Bitcoins
In the 2016 hack, 119,752 Bitcoin were siphoned off of Bitfinex. At that time, the stolen crypto was worth a “mere” $72 million, though the value is now closer to $4.5 billion. The coins were extracted from the wallets of many individual users and funneled towards a single wallet held by the alleged thieves, where they mostly idled. It was only when the pair gradually began to steer the funds into the traditional financial system that investigators were able to get the drop on them.
Both defendants were initially freed on bond by a judge in New York City, where they had been living, but that was overruled by a federal judge who declared Lichtenstein and Morgan to be “sophisticated defendants” and flight risks. Lichtenstein, a dual-citizen of the US and Russia, reportedly had a document on his computer labeled “passport ideas,” containing a wealth of stolen biographical data purchased from the dark web. Morgan was said to be learning Russian at the time of her arrest, and the couple had been setting up bank accounts in Russia and the Ukraine over the last few years.
When DOJ agents searched the couple’s apartment in early January, they recovered a plastic bag full of cell phones and SIM cards labeled “burner phones.” Other items found at Lichtenstein’s office included hollowed-out books, $40,000 in cash, as well as an additional sum of foreign currency. A total of 70 ounces in gold coins the couple were suspected to have purchased with the stolen crypto has not yet been found, and investigators believe they are still hiding another $330 million in Bitcoin as well as large volumes of other assets. During the raid, Morgan attempted to lock her cell phone while pretending to search for her cat Clarissa, but agents managed to restrain her and grab the device out of her hands.
“Crocodile of Wall Street” Goes Down
Morgan, who maintained an active presence on social media apps such as TikTok, has in the past posted videos of herself rapping in front of the New York Stock Exchange, bragging that she is the “Crocodile of Wall Street,” a reference to the popular Scorsese film of a similar title. The crocodile, who has been described by YouTuber and crypto scam investigator Coffeezilla as the “world’s worst rapper,” has shockingly contributed columns to Forbes on cybersecurity. In a contradictory twist unlikely to be resolved, she also describes herself as a “communist” in her rap verses.
The husband and wife both state on LinkedIn that they work at a company called SalesFolk, which is owned by Morgan. SalesFolk was the final destination of some of the stolen Bitfinex crypto.
The DOJ managed to gain entry to the wallet that first received the stolen coins after they were able to decrypt a file from Lichtenstein’s cloud storage account. From there, they found thousands of wallet addresses as well as the keys needed to access them. These wallets were then linked to the hack. Other methods used by the pair to launder the funds included using the cryptocurrency Monero and passing coins through various dark net exchanges, including AlphaBay.
Bitfinex and DOJ to Restore Funds
Bitfinex said it is working with the DOJ to recover the stolen crypto for its users, which will be distributed to them through its UNUS SED LEO coin, itself a creation stemming from a previous crisis experienced by the company. The value of the token surged by more than 50% after news of the DOJ actions broke.
The Bitfinex hack is one of many breaches of centralized exchanges that have occurred over the years, including Mt. Gox in 2011; Binance, Cryptopia, and Upbit in 2019; as well as KuCoin in 2020.
5 Crypto Security Lessons From The Bitfinex Hacker
The Bitfinex hack and subsequent arrest of the suspects have reinforced a few very important lessons for cryptocurrency owners, lest you all forget so quickly:
Lesson 1: Centralized crypto exchanges (CEX) are vulnerable to hacks like the Bitfinex one. Since 2016, billions have been lost from hacks targeting both small and big exchanges, and these hacks are not stopping. This doesn’t mean you shouldn’t use exchanges, but use them mainly for trading if possible, not long-term HODLing.
Lesson 2: CEXs are also vulnerable to interference from authorities, whether they’re in authoritarian countries like China or established democracies, as this week’s dramatic seizure of crypto in Canada proved. In order to operate their services, exchanges must meet very tough regulations and rules or they could be forced to shut down. Even the CEO of Kraken Jesse Powell weighed in and said your funds are not safe from the government. Not so CEXy anymore, eh?
Lesson 3: No matter how smart you are, if you do bad things in crypto, the authorities will very likely find you, even if it takes 5 years. Crypto does not equate to anonymity. There is always a pseudonymous trail left behind that can and will lead to you. This is a feature, not a bug, and intended to help us rid our industry of bad apples over time in order to reach mass adoption.
Lesson 4: NEVER leave your private key or recovery seed online or in any digital format, even if encrypted. Whether it’s hackers or authorities like the police and tax man, if you leave it online, you’re an easy target.
Lesson 5: Use cold storage where possible, and preferably a hardware wallet with a secure element (SE) that only you can control (remember to keep that recovery seed somewhere safe as well). Even hot wallets as sophisticated as MetaMask are vulnerable if you’re not careful online. A number of very dangerous browser extensions and phishing tricks are just waiting for you to drop your guard so that they can steal your keys.
Verdict – Would a Hardware Wallet Have Saved the Hackers?
In short: very likely, if they never moved the funds. However, just because you managed to steal something doesn’t mean you’re not going to get caught. Criminals are greedy by nature, and will eventually try to cash in on their loot. While the authorities wouldn’t be able to locate the private key and move the hackers’ funds, they simply needed to be patient. Eventually, the couple would’ve started offloading it on both centralized and decentralized marketplaces, and from there, eventually, they would need to cash out some of this laundered heist crypto for fiat currency. As the meme probably goes, one does not simply steal $4 billion in crypto and get away with it.
Hardware wallets don’t require KYC yet, although a paper trail exists when you buy them of course. That being said, your crypto addresses are generated completely offline and on the hardware wallet itself if you use a CoolWallet, and your public address is known only to you. Your private key is kept safely within a secure element chip, where nobody, not even you, can extract it. Your only vulnerability is your recovery seed, which you need to write down and store somewhere secret and secure.
Of course, once you share your public address with others and transact on the account, you leave behind a trail that will forever reside on a public blockchain. Investigators can take their time to comb through your actions in cooperation with incredibly smart blockchain analytics companies like Elliptic and Chainalysis and use increasingly smart Know-Your-Transaction (KYT) software to connect the dots.
Some hardware wallets can be glitched (made to behave erratically) in order to extract private information from them, like this white hat hacker did with a Trezor to reclaim $2 million for the owner. However, these require physical access to your device, incredible skill, and very specific conditions like outdated software. In general, cold storage devices are incredibly secure. However, if you’re going to do bad things with it, ultimately you’re going to attract the wrong attention and when it’s time to offload your crypto, you may very well make a mistake that will get you doxxed (identified) and land you in hot water.
The arrest of the Bitfinex hack crooks was overall great for crypto. It taught us the value of keeping your crypto offline and showed that bad actors can and will be held accountable, even if it takes 5 years. This means that hackers are less incentivized to steal from us (a number of hackers in 2021 actually returned the funds once it was clear they would be outed once they moved the funds) and also proves to the public that cryptocurrencies are not the money laundering conduits that the media tells them they are.
Now if they had stolen fiat currency or diamonds, where would the trail have led after 5 years? Most likely nowhere.
For the 99.9% of us that are good crypto folks, stay in school and if you can, get Cool.
To keep your crypto truly secure, it’s an absolute necessity to use a cold wallet to store your funds offline where they are safe from thieves. We recommend both the CoolWallet S as well as our flagship model, the CoolWallet Pro, which boasts a CC EAL6+ secure element. With these wallets, both your cold wallet and phone must be within 10 meters of each other in order to work, and all transactions must be confirmed with a physical button press.
Now, if the TikTok rapper and her husband had gotten a hard wallet, they’d be looking at it instead of hard time for 25 years…
This article and the opinions shared within do not constitute financial advice of any kind and are for educational and entertainment purposes only.