Hacking the Unhackable and Tracing the Untraceable



A New York couple, Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, were recently arrested in connection with the theft of approximately 120,000 Bitcoin from the Bitfinex exchange in 2016. The couple was charged, however, not with computer hacking and theft but with violating 18 U.S.C. § 1956(h) (Money Laundering Conspiracy) and 18 U.S.C. § 371 (Conspiracy to Defraud the United States).


Famously, in 2016 someone hacked into the Bitfinex platform and engaged in roughly 2000 unauthorized transactions by which they transferred the Bitcoin out of Bitfinex to a digital wallet. Maybe it was Lichtenstein and Morgan, maybe not. This is another example showing that, although the blockchain itself is designed to be secure against fraud and theft, any exchange where you can trade Bitcoin can be a weak link. The 2016 heist was the largest, but there has been a string of cryptocurrency thefts from trading platforms, and they are increasing in number each year.

See https://techcrunch.com/2021/06/02/what-10m-in-daily-thefts-tells-us-about-crypto-security/


A Department of Justice press release regarding the arrest and seizure quoted Deputy Attorney General Lisa O. Monaco, who stated, “[t]oday’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals.” Also quoted was Assistant Attorney General Kenneth A. Polite Jr., who said, “[t]oday, federal law enforcement demonstrates once again that we can follow money through the blockchain, and that we will not allow cryptocurrency to be a safe haven for money laundering or a zone of lawlessness within our financial system.”


This is not the first time that the government has been able to track Bitcoin transactions back to criminals. Perhaps most famously, the government was able to track the Colonial Pipeline hackers/blackmailers, known as DarkSide, who disabled the pipeline and then sought to be paid their ransom in Bitcoin. In that case, the FBI announced the seizure of the Bitcoin less than a month after the payment was made.


This most recent seizure is the largest in Bitcoin history, but why did it take six years to catch Lichtenstein and Morgan? Also, if the couple stole $4.6 billion worth of Bitcoin and the government seized $3.5 billion, what happened to the other $1.1 billion? Is it waiting somewhere for the relatively young couple when they get out of jail?


The answer to the first question is likely that the delay was caused by the sheer amount of data that the government needs to sift through to track these transactions.  On the one hand, every single transaction in the history of Bitcoin’s operations is on an open ledger that can be tracked.  However, the ledger contains thousands upon thousands of transactions and the identity of the person behind each transaction is not part of the ledger.  A reading of the government’s statement of facts shows the very complicated web that Lichtenstein and Morgan wove to try and launder their stash.  To combat these schemes, the government has hired private contractors who have built analytics programs to track these transactions.  It can be assumed that this capability has increased dramatically since 2016.


The answer to the second question is not apparent from the Department of Justice’s filings. There is no indication that the couple was able to launder and spend $1.1 billion. In fact, they resorted to converting some of the Bitcoin into a $500 Walmart gift card. That is not an easy way to spend over a billion dollars. So the question remains: where is the rest of it?


Also unclear at this stage is whether the Bitfinex customers from whom the Bitcoin was stolen are going to receive restitution.   Restitution in federal criminal cases is a matter of statute.  Federal crimes of violence, fraud, or property loss will usually require a sentencing court to order restitution.  In the present case, the crimes of money laundering and fraud against the United States may not require a court to order restitution to the account holders at sentencing.  Of course, the court can always order restitution at its discretion.


Several commentators have noted that the couple was not charged with the actual hacking of Bitfinex and have pondered whether the hacker is still out there. A possible explanation, however, is that for criminal prosecutions, the Computer Fraud and Abuse Act (which the hacking would likely fall under) does not contain a specific statute of limitations. In the absence of a specific statute of limitations, the default federal limitations period of five years applies. See 18 U.S.C. § 3282. The six-year delay in bringing the couple to justice may have made it impossible for the government to charge them for hacking Bitfinex.


An interesting side note in the government’s filing is that one of the shell companies set up to launder the Bitcoin also received approximately $11,000 from a U.S. Small Business Administration Paycheck Protection Program (PPP) loan advance provided in response to the COVID-19 crisis. Perhaps this is the basis for the charge under 18 U.S.C. § 371 (Conspiracy to Defraud the United States).


The ultimate takeaway perhaps is that Lichtenstein and Morgan went to extraordinary lengths to try to launder their Bitcoin and they still got caught. Maybe hackers will decide that getting their hands on illicit Bitcoin simply isn’t worth the trouble if you can’t spend it. Then again, there is still $1.1 billion out there somewhere . . . .
