On Tuesday, Ilya Lichtenstein and Heather Morgan were arrested in New York and accused of laundering a record $4.5 billion worth of stolen cryptocurrency. In the 24 hours since, the cybersecurity world has ruthlessly mocked their operational security screwups: Lichtenstein allegedly stored many of the private keys controlling those funds in a cloud-storage wallet that made them easy to seize, and Morgan flaunted her “self-made” wealth in a series of cringe-inducing rap videos on YouTube and Forbes columns.
But those gaffes have obscured the remarkable number of multi-layered technical measures that prosecutors say the couple did use to try to dead-end the trail for anyone following their money. Even more remarkable, perhaps, is that federal agents, led by IRS Criminal Investigations, managed to defeat those alleged attempts at financial anonymity on the way to recouping $3.6 billion of stolen cryptocurrency. In doing so, they demonstrated just how advanced cryptocurrency tracing has become—potentially even for coins once believed to be practically untraceable.
“What was amazing about this case is the laundry list of obfuscation techniques [Lichtenstein and Morgan allegedly] used,” says Ari Redman, the head of legal and government affairs for TRM Labs, a cryptocurrency tracing and forensics firm. Redman points to the couple’s alleged use of “chain-hopping”—transferring funds from one cryptocurrency to another to make them more difficult to follow—including exchanging bitcoins for “privacy coins” like monero and dash, both designed to foil blockchain analysis. Court documents say the couple also allegedly moved their money through the AlphaBay dark web market—the biggest of its kind at the time—in an attempt to stymie detectives.
Yet investigators seem to have found paths through all of those obstacles. “It just shows that law enforcement is not going to give up on these cases, and they’ll investigate funds for four or five years until they can follow them to a destination they can get information on,” Redman says.
In a 20-page “statement of facts” published alongside the Justice Department’s criminal complaint against Lichtenstein and Morgan on Tuesday, IRS-CI detailed the winding and tangled routes the couple allegedly took to launder a portion of the nearly 120,000 bitcoins stolen from the cryptocurrency exchange Bitfinex in 2016. Most of those coins were moved from Bitfinex’s addresses on the Bitcoin blockchain to a wallet the IRS labelled 1CGa4s, allegedly controlled by Lichtenstein. Federal investigators eventually found keys for that wallet in one of Lichtenstein’s cloud storage accounts, along with logins for numerous cryptocurrency exchanges he had used.
But to get to the point of identifying Lichtenstein—along with his wife, Morgan—and locating that cloud account, IRS-CI followed two branching paths taken by 25,000 bitcoins that moved from the 1CGa4s wallet across Bitcoin’s blockchain. One of those branches went into a collection of wallets hosted on AlphaBay’s dark web market, designed to be impenetrable to law enforcement investigators. The other appears to have been converted into monero, a cryptocurrency designed to obfuscate the trails of funds within its blockchain by mixing up the payments of multiple monero users—both real transactions and artificially generated ones—and concealing their value. Yet somehow, the IRS says it identified Lichtenstein and Morgan by tracing both those branches of funds to a collection of cryptocurrency exchange accounts in their names, as well as in the names of three companies they owned, known as Demandpath, Endpass, and Salesfolk.
The IRS hasn’t entirely spelled out how its investigators defeated those two distinct obfuscation techniques. But clues in the court document—and analysis of the case by other blockchain analysis experts—suggest some likely theories.
Lichtenstein and Morgan appear to have intended to use AlphaBay as a “mixer” or “tumbler,” a cryptocurrency service that takes in a user’s coins and returns different ones to prevent blockchain tracing. AlphaBay advertised in April 2016 that it offered that feature to its users by default. “AlphaBay can now safely be used as a coin tumbler!” read a post from one of its administrators. “Making a deposit and then withdrawing after is now a way to tumble your coins and break the link to the source of your funds.”