{"id":10798,"date":"2022-03-08T13:00:00","date_gmt":"2022-03-08T13:00:00","guid":{"rendered":"http:\/\/ci029b9202b0002436"},"modified":"2022-03-08T13:00:00","modified_gmt":"2022-03-08T13:00:00","slug":"how-authorities-found-bitfinex-bitcoin","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/how-authorities-found-bitfinex-bitcoin","title":{"rendered":"How Law Enforcement Seized 94,000 Bitcoin Stolen From Bitfinex"},"content":{"rendered":"<p>The U.S. Department of Justice (DOJ) announced in a February 2022 <a href=\"https:\/\/www.justice.gov\/opa\/pr\/two-arrested-alleged-conspiracy-launder-45-billion-stolen-cryptocurrency\" target=\"_blank\" rel=\"noopener\">statement<\/a> that it had successfully seized the majority of the bitcoin drained in a 2016 hack of the cryptocurrency exchange Bitfinex after gaining control of the wallet supposedly containing the stolen funds.<\/p>\n<p>Despite the apparent unlikelihood of retaking long-gone funds, a complex but deterministic trail of evidence allowed law enforcement to catch Ilya Lichtenstein and Heather Morgan, a couple that was allegedly trying to obfuscate the illegal origins of the bitcoin they had been leveraging to <a href=\"https:\/\/www.independent.co.uk\/news\/world\/americas\/crime\/bitcoin-hack-couple-cryptocurrency-bitfinex-b2011417.html\" target=\"_blank\" rel=\"noopener\">flex shiny lifestyles<\/a> through a complex money laundering scheme.<\/p>\n<p>But what seemed to be a carefully thought-out scheme actually turned out to be a quite fragile one filled with missteps, which facilitated the work of special agent Christopher Janczewski, assigned to the Internal Revenue Service\u2019s criminal investigation unit (IRS-CI). 
This work ultimately led to Janczewski filing a <a href=\"https:\/\/www.justice.gov\/opa\/press-release\/file\/1470211\/download\" target=\"_blank\" rel=\"noopener\">complaint<\/a> with judge Robin Meriweather to charge Lichtenstein and Morgan for money laundering conspiracy and conspiracy to defraud the United States.<\/p>\n<p>This article takes a deep dive into the nuances of the law enforcement work that uncovered the identities of the accused Bitfinex hackers, and into the steps of the charged couple, relying on the accounts provided by the DOJ and special agent Janczewski. However, since crucial aspects of the investigation have not been disclosed by official documents, the author will provide plausible scenarios and possible explanations to questions that remain unanswered.<\/p>\n<h2>How Did Law Enforcement Seize The Stolen Bitfinex Bitcoin?<\/h2>\n<p>Bitcoin proponents often boast about the monetary system\u2019s <a href=\"https:\/\/en.bitcoin.it\/wiki\/Principles_of_Bitcoin\" target=\"_blank\" rel=\"noopener\">set of principles<\/a> that enables a high degree of sovereignty and resistance to censorship, making Bitcoin transactions impossible to be stopped and bitcoin holdings impossible to be seized. 
But, if that is true, how then was law enforcement able to take hold of the launderers\u2019 bitcoin in this case?<\/p>\n<p>According to the complaint filed by special agent Janczewski, law enforcement was able to get inside Lichtenstein\u2019s cloud storage, where he kept much if not all of the sensitive information related to his operations as he attempted to clean the dirty funds \u2014 including the private keys of the Bitcoin wallet holding the largest portion of stolen BTC.<\/p>\n<p>The censorship resistance of Bitcoin transactions and the sovereignty of bitcoin funds depend on the proper handling of the associated <a href=\"https:\/\/en.bitcoin.it\/wiki\/Private_key\" target=\"_blank\" rel=\"noopener\">private keys<\/a>, as they are the only way to move bitcoin from one wallet to another.<\/p>\n<p>Even though Lichtenstein\u2019s private keys were kept in cloud storage, according to the DOJ they were encrypted with a password so long that even sophisticated attackers would probably not have been able to crack it in their lifetime. The DOJ did not respond to a request for comment on how it was able to decrypt the file and access the private keys.<\/p>\n<p>There are a few plausible scenarios for how law enforcement was able to crack Lichtenstein\u2019s encryption. Though not insecure in and of itself, symmetric encryption, which uses the same password for both encryption and decryption, is only as secure as its password and that password\u2019s storage.<\/p>\n<p>Therefore, the first possibility relates to the security of the password\u2019s storage; law enforcement could have obtained access to the password somehow and didn\u2019t need to brute force its way through the files in the cloud. 
An alternative method for law enforcement being able to decrypt Lichtenstein\u2019s files could involve it having so much more personal information about the couple and computing power than any other sophisticated attacker in the world that a tailored attack to decrypt targeted files could actually be viable while not contradicting the DOJ\u2019s statements. We also don\u2019t know the algorithm used in the encryption scheme \u2014 some are more robust than others and variations in the same algorithm also pose different security risks \u2014 so the specific algorithm used might have been more susceptible to cracking, although this would contradict the DOJ claims regarding crackability above.<\/p>\n<p>The most likely case of the three is arguably that law enforcement didn\u2019t need to decrypt the file in the first place, which makes sense, especially given the DOJ comments above. Special agent Janczewski and his team could have gained access to the password somehow and wouldn\u2019t need to brute force its way through the cloud storage\u2019s files. This could be facilitated by a third party that Lichtenstein entrusted with the creation or storage of the decryption password, or through some sort of misstep by the couple that led to the password being compromised.<\/p>\n<h2>Why Keep Private Keys On Cloud Storage?<\/h2>\n<p>The reason why Lichtenstein would keep such a sensitive file in an online database is unclear. 
However, some speculation relates to the underlying hack \u2014 an act for which the couple has <em>not<\/em> been charged by law enforcement \u2014 and the need for having the wallet\u2019s private keys kept on the cloud \u201cas this allows remote access to a third party,\u201d according to a <a href=\"https:\/\/twitter.com\/ErgoBTC\/status\/1492937524037275651?s=20&amp;t=fAFqGGIsWEEk9MZCJ2MuDA\" target=\"_blank\" rel=\"noopener\">Twitter thread<\/a> by Ergo from OXT Research.<\/p>\n<p>The cooperation assumption also supports the case for symmetric encryption. While asymmetric encryption is well designed for sending and receiving sensitive data \u2014 as the data is encrypted using the recipient\u2019s public key and can only be decrypted using the recipient\u2019s private key \u2014 symmetric encryption is perfect for sharing access to a stationary file as the decryption password can be shared between the two parties.<\/p>\n<p>An alternative reason for keeping the private keys online would be simple lack of care. The hacker could simply have thought their password was secure enough and fell for the convenience of having it on a cloud service that can be accessed anywhere with an internet connection. 
But this scenario still doesn\u2019t answer the question of how the couple got access to the private keys related to the hack.<\/p>\n<p>Keeping the private key online for convenience makes sense, provided the hackers lacked sufficient technical knowledge to ensure a strong enough symmetric encryption setup or simply assumed their arrangement couldn\u2019t be breached.<\/p>\n<p>Bitfinex declined to comment on any details known about the hacker or whether they are still being tracked down.<\/p>\n<p>\u201cWe cannot comment on the specifics of any case under investigation,\u201d Bitfinex CTO Paolo Ardoino told <em>Bitcoin Magazine<\/em>, adding that there are \u201cinevitably a variety of parties involved\u201d in \u201csuch a major security breach.\u201d<\/p>\n<h2>How Did Lichtenstein And Morgan Get Caught?<\/h2>\n<p>The complaint and DOJ\u2019s statement alleges that the couple employed several techniques to attempt to launder the bitcoin, including chain hopping and the use of pseudonymous and business accounts at several cryptocurrency exchanges. So, how did their movements get spotted? It mostly boils down to patterns and similarities paired with carelessness. Bitfinex also \u201cworked with global law enforcement agencies and blockchain analytics firms\u201d to help recover the stolen bitcoin, Ardoino said.<\/p>\n<p>Lichtenstein would often open up accounts on bitcoin exchanges with fictitious identities. In one specific case, he allegedly opened eight accounts on a single exchange (Poloniex, according to Ergo), which at first were seemingly unrelated and not trivially linkable. However, all of those accounts shared multiple characteristics that, according to the complaint, gave the couple\u2019s identity away.<\/p>\n<p>First, all of the Poloniex accounts used the same email provider based in India and had \u201csimilarly styled\u201d email addresses. 
Second, they were accessed by the same IP address \u2014 a major red flag that makes it trivial to assume the accounts were controlled by the same entity. Third, the accounts were created around the same time, close to the Bitfinex hack. Additionally, all accounts were abandoned following the exchange\u2019s requests for additional personal information.<\/p>\n<p>The complaint also alleges that Lichtenstein joined multiple bitcoin withdrawals together from different Poloniex accounts into a single Bitcoin wallet cluster, after which he deposited into an account at a bitcoin exchange (Coinbase, according to Ergo), for which he had previously provided know-your-customer (KYC) information.<\/p>\n<p>\u201cThe account was verified with photographs of Lichtenstein\u2019s California driver\u2019s license and a selfie-style photograph,\u201d per the complaint. \u201cThe account was registered to an email address containing Lichtenstein\u2019s first name.\u201d<\/p>\n<p>By assuming that he had already cleansed the bitcoin, and sending it to a KYC\u2019d account, Lichtenstein undid the pseudonymity the previous accounts had accomplished with India-based email accounts, as he hinted to law enforcement that he owned the funds from those initial withdrawals that were clustered together. 
And the complaint alleges that Lichtenstein also kept a spreadsheet in his cloud storage containing detailed information about all eight Poloniex accounts.<\/p>\n<p>When it comes to on-chain data, Ergo told <em>Bitcoin Magazine<\/em> that it is impossible for a passive observer to assess the validity of many of the complaint\u2019s claims since the darknet marketplace AlphaBay was used early on as a passthrough.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/flow-of-funds-from-bitfinex-hack.png\" title=\"\"><\/figure>\n<p>\u201cThe investigation is very straightforward, but it requires insider knowledge of cross-custodial entity flows,\u201d Ergo told <em>Bitcoin Magazine<\/em>. \u201cFor example, the [U.S. government] and chain surveillance firms have shared the AlphaBay transaction history which has no real on-chain fingerprint and we don\u2019t have access to that information. That\u2019s about where I have to stop any analysis as a passive observer.\u201d<\/p>\n<p>Another key piece of information is wallet cluster \u201c36B6mu,\u201d which, according to Ergo, was formed by bitcoin withdrawals from two accounts at Bittrex that had been entirely funded by Monero deposits. Wallet cluster 36B6mu was then used to fund different accounts at other bitcoin exchanges. Although those accounts did not contain KYC information on the couple, according to the complaint, five different accounts at the same exchange used the same IP address, hosted by a cloud provider in New York. 
When the provider handed its records to law enforcement, that IP address was found to have been leased by an account in Lichtenstein\u2019s name and tied to his personal email address.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/trail-of-kyc-information-led-authorities-to-bitfinex-bitcoin.png\" title=\"\"><\/figure>\n<p>Ergo said the OXT team wasn\u2019t able to validate any claims about the 36B6mu cluster.<\/p>\n<p>\u201cWe searched for the 36B6mu address that would correspond to the cluster and found a single address,\u201d Ergo said, sharing a <a href=\"https:\/\/oxt.me\/address\/36B6muhnraNhxjp2YtkjUrWBUoHqA5oBvv\" target=\"_blank\" rel=\"noopener\">link to the address found<\/a>. \u201cBut the address is not part of a traditional wallet cluster. Further, the timing and volumes don\u2019t seem to correspond with those noted in the complaint.\u201d<\/p>\n<p>\u201cMaybe it\u2019s a typo? So we weren\u2019t able to really validate anything to do with the 36B6mu cluster,\u201d Ergo added.<\/p>\n<h2>Bitcoin Privacy Requires Intention \u2014 And Attention<\/h2>\n<p>Aside from the sections that cannot be independently attested by external observers, after analyzing the complaint, it becomes clear that Lichtenstein and Morgan placed different levels of trust in their setup and in several services as they allegedly attempted to use the bitcoin from the hack.<\/p>\n<p>First and foremost, Lichtenstein and Morgan maintained sensitive documents online, in a cloud storage service susceptible to seizure and subpoenas. This practice increases the chances that the setup could be compromised, as it makes such files remotely accessible and places trust in a centralized company \u2014 which is never a good idea. 
For hardened security, important files and passwords should be kept offline in a secure location, and preferably spread out across different jurisdictions.<\/p>\n<p>Trust compromised most of the couple\u2019s efforts in moving the bitcoin funds. The first service they trusted was the huge darknet market AlphaBay. It is unclear how law enforcement was able to spot their AlphaBay activity, but even though the darknet market has suffered <a href=\"https:\/\/www.vice.com\/en\/article\/8q8x5a\/vulnerability-in-huge-dark-web-marketplace-exposes-private-messages-alphabay-reddit\" target=\"_blank\" rel=\"noopener\">more<\/a> <a href=\"http:\/\/www.ibtimes.co.uk\/alphabay-leak-over-200000-private-messages-dark-web-drugs-marketplace-hacked-1602824\" target=\"_blank\" rel=\"noopener\">than<\/a> one security breach since 2016, the couple seems to have assumed this could never happen. Perhaps most importantly, darknet markets often raise suspicion and are always a primary focus of law enforcement work.<\/p>\n<p>Assumptions are dangerous because they can lead you to drop your guard, which often triggers missteps that a savvy observer or attacker can leverage. In this case, Lichtenstein and Morgan assumed at one point that they had employed so many techniques to obfuscate the source of funds that they felt safe depositing that bitcoin into accounts holding their personally identifiable information \u2014 an action that can trigger a cascading, backward effect that deanonymizes most if not all of the previous transactions.<\/p>\n<p>Another red flag in the couple\u2019s handling of bitcoin relates to clustering together funds from different sources, which enables chain analysis companies and law enforcement to plausibly assume the same person controlled those funds \u2014 another backward deanonymization opportunity. 
There is also no record of the couple using mixing services, which cannot erase past activity but can provide good forward-looking privacy if done correctly. PayJoin is another tool that can be leveraged to increase privacy when spending bitcoin, though there is no record of the couple using it.<\/p>\n<p>Lichtenstein and Morgan did attempt chain hopping as an alternative for obtaining spending privacy, a technique that attempts to break on-chain fingerprints and thus heuristic links. However, they performed it through custodial services \u2014 mostly bitcoin exchanges \u2014 which undermine the practice and introduce an unnecessary trusted third party that can be subpoenaed. Chain hopping is properly conducted through peer-to-peer setups or atomic swaps.<\/p>\n<p>Lichtenstein and Morgan also tried using pseudonymous, or fictitious, identities to open accounts at bitcoin exchanges to conceal their real names. However, patterns in doing so led observers to become more aware of such accounts, while an IP address in common removed doubts and enabled law enforcement to assume the same entity controlled all of those accounts.<\/p>\n<p>Good operational security <a href=\"https:\/\/github.com\/BlockchainCommons\/Pseudonymity-Guide\" target=\"_blank\" rel=\"noopener\">generally requires<\/a> that each identity be completely isolated from others by using its own email provider and address, having its own unique name and, most importantly, using a separate device. Commonly, a robust setup will also require each different identity to use a different VPN provider and account that does not keep logs and does not have any ties to that user\u2019s real-world identity.<\/p>\n<p>Since Bitcoin is a transparent monetary network, funds can easily be traced across payments. 
Private use of Bitcoin, therefore, requires knowledge about the functioning of the network and utmost care and effort over the years to keep missteps to a minimum while abiding by clear operational guidelines. Bitcoin isn\u2019t anonymous, but it isn\u2019t flawed either; use of this sovereign money requires intention \u2014 and attention.<\/p>\n<h2>What Will Happen To The Recovered Bitcoin?<\/h2>\n<p>Although the couple have been charged with two offenses by U.S. law enforcement, there will still be a court process to determine whether they are found guilty or not. In the event that the couple is found guilty and the funds are sent back to Bitfinex, the exchange has an action plan, Ardoino told <em>Bitcoin Magazine<\/em>.<\/p>\n<p>\u201cAfter the 2016 hack, Bitfinex created BFX tokens, and gave them to affected customers at the rate of one coin for each $1 lost,\u201d Ardoino said. \u201cWithin eight months of the security breach, Bitfinex redeemed all the BFX tokens with dollars or by exchanging the digital tokens, convertible into one common share of the capital stock of iFinex Inc. Approximately 54.4 million BFX tokens were converted.\u201d<\/p>\n<p>Monthly redemptions of BFX tokens started in September 2016, Ardoino said, with the last BFX token being redeemed in early April of the following year. The token had begun trading at roughly $0.20 but gradually increased in value to almost $1.<\/p>\n<p>\u201cBitfinex also created a tradeable RRT token for certain BFX holders that converted BFX tokens into shares of iFinex,\u201d Ardoino explained. \u201cWhen we successfully recover the funds we will make a distribution to RRT holders of up to one dollar per RRT. 
There are approximately 30 million RRTs outstanding.\u201d<\/p>\n<p>RRT holders have a priority claim on any recovered property from the 2016 hack, according to Ardoino, and the exchange may redeem RRTs in digital tokens, cash or other property.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Federal authorities tracked down and seized more than 94,000 bitcoin allegedly stolen from Bitfinex. But how did they get their hands on the pseudonymous funds?<\/p>\n","protected":false},"author":2572,"featured_media":7417,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[211,1961,422,594,542,991,1127,2511],"class_list":{"0":"post-10798","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-bitcoin-exchange","9":"tag-bitfinex","10":"tag-feature","11":"tag-hack","12":"tag-kyc","13":"tag-on-chain-analysis","14":"tag-regulations","15":"tag-u-s-department-of-justice"},"author_data":{"id":2572,"name":"Namcios","nicename":"namcios","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/pfp-96x96.png"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/how-law-enforcement-seized-94000-bitcoin-stolen-from-bitfinex.png","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/10798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2572"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=10798"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/10798\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"h
ttps:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/7417"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=10798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=10798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=10798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}