Bitfinex
Raphael Nicollet had only three years of experience as a systems administrator when he created and launched the Bitfinex exchange in 2012 under the alias Uncle Scrooge. The exchange quickly gained popularity because it was built from the ground up with the needs of ordinary users in mind. It offered peer-to-peer margin lending and other advanced trading features that attracted Wall Street bettors. Raphael now had a huge Bitcoin exchange on his hands, trading huge volumes of digital assets every day. The dude was making more money than he could have ever dreamed of.

But there was a problem: he was too inexperienced to run an exchange of that size, and the number of users was constantly growing. The rapid growth in popularity, in turn, attracted a large number of hackers. In August 2016, Bitfinex was hacked. Someone broke into their computer system and gained access to the keys, the cryptographic passwords to the bitcoins they held for their customers. It was a perfect target for an attack. It's a kind of real bug bounty program: hack the system, steal cryptocurrency, carefully cover your tracks, make no mistakes and enjoy life.

To enhance security, Bitfinex entered into a strategic partnership with BitGo, a leading provider of insured digital wallets based in Palo Alto, California. This solution ensured that customer funds were protected. As part of this partnership, customer funds were stored in multi-signature wallets that required approval from both BitGo and Bitfinex to access. After years of this, Raphael was finally able to find peace of mind knowing that his customers’ funds were secure. A Bitfinex spokesperson said, “The days of mixing customer bitcoins and all the security risks that came with it are over.”

Hacking
And here’s where it gets interesting. Less than a year later, the second-largest hack in cryptocurrency history, second only to the Mt. Gox hack, occurred. Over the course of three hours, 2,000 separate Bitcoin transactions were approved from different user accounts and sent to an unknown hacker’s wallet. Before anyone could stop the hackers, they had stolen 119,755 BTC, which was worth $71 million at the time and accounted for almost 1% of all coins in existence in 2016. The theft couldn’t have come at a worse time. After all, just a year later, Bitcoin’s value had reached a staggering $2.4 billion, which is already a lot.

In the morning, exchange users, looking forward to another day of high-risk margin trading, were stunned: their accounts were empty. This was not due to their mistakes. Panic gripped not only traders, but the entire cryptocurrency market, which was shaken to the core. That day, the price of Bitcoin dropped by more than 20% as soon as the news hit the headlines. Bitfinex had no choice: trading on the platform was suspended while the company’s employees tried to figure out what had happened.
Bitfinex commissioned Canadian company Ledger Labs to investigate the incident and compile a detailed report on the events leading up to the hack. Ledger Labs discovered a fatal flaw in the security measures used by Bitfinex. Coins were stored in a unique account for each user, and the security system required two of the three security keys to make a Bitcoin transfer. In theory, one key should be held by BitGo, one by Bitfinex, and the third by the user.
The problem was that BitGo’s signature was triggered by Bitfinex itself, via a special API key that instructed BitGo to provide a signature. This rendered the entire system meaningless: hacking Bitfinex would give hackers complete control over customer funds, which is exactly what the scheme was supposed to prevent. BitGo was pissed about this, tweeting that they hadn’t been hacked – Uncle Scrooge. But why hadn’t they audited the system?

And here’s another thing. Only an admin was supposed to do that, so the API key was tied to an admin. And Ledger Labs was able to figure out who exactly it belonged to – Bitfinex CFO and former Italian plastic surgeon Giancarlo Devasini. Things were getting weird. There was a lot of controversy surrounding this guy, but we’ll get to that.
Someone, whether deliberately or not, had taken advantage of his access. Very interesting, but identifying someone specific would require a lot of work. Bitfinex had a difficult job of tracking down the missing funds to compensate customers for their losses, and they couldn’t waste time. However, the deeper they dug into the investigation, the more investigators realized how clever and meticulously planned the hack had been. Whoever the hacker was, they had covered their tracks with a data-wiping tool. They couldn’t figure out how the hackers had gotten into the system.
The only lead Ledger Labs had was that the hacker was from Poland, based on IP address analysis. However, Bitfinex quickly denied this information, calling it incomplete and incorrect, and claimed that there was evidence of negligence on the part of other counterparties that led to the hack. Yes, that’s just a statement – they were trying to cover their ass from a lawsuit. But in reality, no one had any idea who took all the money.

So Bitfinex now had to notify the affected users, some of whom lost their entire savings. You’d have to be crazy to put all your savings into crypto, but people did. And so Bitfinex posted a blog post: “After much consideration, we have concluded that the losses should be distributed across all accounts and assets.” Remember, we previously reported that about 2,000 accounts were emptied. The stolen coins represented 36% of the total amount stored on Bitfinex.
Rather than risk the wrath of wealthy customers who might take legal action, Bitfinex management made a drastic decision: to distribute the losses equally among all users of the platform. Regardless of whether you had $10 or a million in your account, you lost 36% of your assets stored on the exchange. Users who initially believed their money was safe were at a disadvantage. This, of course, caused a storm of indignation and outrage.
As compensation, customers were given a Bitfinex token at a rate of one Bitfinex for every dollar they lost. This was the cheapest way out. Bitcoin is so volatile that they were essentially converting their Bitcoin debt into dollar debt to hedge against a bull market that could potentially turn that debt into billions, as it later did. Except they didn’t actually convert it into dollar debt — they just created a new coin and promised to buy back the tokens for a dollar apiece once they could raise $70 million. People were unsure about the idea and not too happy. “What about our fucking bitcoins?” they asked.

What’s amazing is that Bitfinex not only managed to stay in business, but also made a solid profit. After only eight months, they bought back all the Bitfinex tokens that had been issued or offered users the option to exchange them for shares in iFinex, the company that owned Bitfinex. Bitfinex kept their promise, but those who chose to participate were given a new token, the Recovery Rights Token. This meant that if the stolen coins were ever recovered, they would be distributed among these people. Despite the complexity of the system, Bitfinex managed to regain the trust of its users and strengthen its position in the market.

We’ll get to this later, but for now, remember this. All attempts by Bitfinex and the authorities to find the missing bitcoins were futile. At the same time, they could see on the blockchain the wallet where all these stolen funds were stored. After all, bitcoin is the most transparent financial system ever created. The only way to get them back is to patiently monitor the blockchain, waiting for the hackers to get bold enough to spend them, and then track where they were spent so they can be returned or, better yet, the perpetrator can be identified.
By the end of 2017, when BTC experienced a historic run, pushing the value of the stolen coin into the billions, it would have become too tempting a prize to pass up.

Heather Morgan and Ilya Lichtenstein
For 6 years, no one knew who carried out this hack. For 6 months, the bitcoin lay as dead weight. Eventually, investigators managed to find threads that led to a couple: Heather Morgan and Ilya Lichtenstein. And this is where we need to dive deeper into Heather's story. While we're on the subject of Heather, let me show you something interesting.
As you'll soon find out, Heather took the easy way out, but it didn't go without consequences. The more of her past was revealed, the more it was confirmed that she was ruthlessly motivated to get rich by any means necessary.

"I actually grew up in a small town. I didn't have a lot of friends growing up. No one was trying to do what I wanted to do professionally," Heather said.
Those who were close to Heather in her youth admit that she was quite peculiar. After graduating from the University of California, Davis with a bachelor’s degree in economics, she began working a low-level job at the World Bank in Cairo. However, she was not satisfied with a conventional career and dreamed of becoming a thought leader in Silicon Valley. During this time, Heather signed her blogs as “economist and writer,” even though, aside from her bachelor’s degree, she had not worked as an economist. That didn’t stop her from stating on LinkedIn that she had a master’s degree from the American University in Cairo. At the same time, an AU spokesperson told Forbes that she had dropped out after one semester.

This trait would become increasingly apparent: She had no qualms about lying if it gave her an advantage. She realized that money could be made with the right connections. She said she gave numerous talks on the topic. She used social engineering to successfully climb the social ladder.
“Social engineering is manipulation at its core… I hate the term manipulation, but it’s getting someone to share information or do something they otherwise wouldn’t do,” Heather said in a 2019 talk.

Funny, at the end of her talk, someone asked if she thought these things were moral. “I don’t think my end goals are bad or evil. Like, I’m not trying to get money out of someone.”
She wasn’t getting what she wanted, so she moved back to the US in search of opportunities. According to a Forbes article, she was attracted to guys who were above her level and who she could rely on to help her career. Honestly, there’s nothing wrong with networking. And that’s when she meets a young entrepreneur who had just been accepted into the 500 Startups accelerator program to launch a gaming company.
Since the startup didn’t have enough budget to pay her, Heather decided to compensate by meeting investors and other entrepreneurs in the program. It was the opportunity she’d been waiting for, and shortly after joining the accelerator, she appeared in a promotional video they’d made called “The Frugal Startup,” a parody of Macklemore’s hit “Thrift Shop.” In the video, some of the accelerator’s entrepreneurs rapped about their plans to raise funds and make millions. According to the crew, Heather suddenly stripped down to her bra and panties for no apparent reason.

“Everyone didn’t know how to react,” one person on the set told Forbes. “It was a culture shock for me,” added another. She tried her best to be the center of the video.

As silly as she was, it worked to her advantage because she definitely didn’t go unnoticed. It helped her make friends in high places. After all this, during a short visit to New York, she began a turbulent relationship with a Brazilian entrepreneur who was working on a pet-tracking startup. She married him to get a visa and stay with him in Brazil. But it didn’t work out, they quickly broke up, and she ended up back in the U.S., this time in San Francisco.
Before their divorce was final, Heather’s friend came over for dinner and was surprised to find that she had a new man. He stood awkwardly next to Heather when she introduced him. “This is Ilya,” Heather said. “He’s a hacker in a black hat.” Ilya was born in Russia and grew up near Chicago, in Glenview, Illinois.
Ilya was, according to one of Heather’s friends, “the first guy I’d ever met who was as weird as Heather.” After graduating from USC with a degree in psychology, he headed west to California, where he got into tech, launching several online ventures, including a dating site and an online store selling brain supplements. On the Y Combinator forums, Ilya described himself as a huge nerd. Check out this post he made during a heated debate: “I’m out of the black hat space a long time ago, but I’m still interested in it from a security research perspective.” His most successful company to date is MixRank, a data-driven marketing startup that helped generate leads by uncovering competitors’ ad campaigns and showing what was working for them. MixRank took off after he pitched to Y Combinator in 2011 and received funding from Mark Cuban. The guy was living the startup dream, and given his success, organizations like 500 Startups invited him to mentor and share his expertise with newcomers. It was during one of his pitches that he met Heather, a girl who listened, admired, and interacted with him. She was arguably the first girl who ever paid attention to him.

Fast forward a few months. Right after Heather’s breakup with the Brazilian entrepreneur, they move in together, and now, with Ilya as an advisor, Heather launches her own startup, SalesFolk, which offers companies cold email campaigns. Before long, they were traveling the world together, visiting exotic places like Hong Kong, Panama, Mexico, you name it. For a year, it seemed like Ilya and Heather had finally found the secret to their business’s success. But suddenly, in 2015, Heather started firing her SalesFolk employees left and right, many of whom were her close friends. It seemed like something very bad was going on behind the scenes. At the same time, Ilya was gradually retreating from his professional duties, and by May 2016, just a few months before the Bitfinex hack, he had left his startup entirely, despite its revenues growing at a record pace. According to one MixRank employee, “We were all trying to figure out why he left now? We were doing really well, revenues were growing rapidly.” Heather soon returned to the network, more publicly visible than ever.

AlphaBay
In January 2017, with the scent of New Year’s tangerines still in the air, investigators finally got what they’d been waiting for: movement on the blockchain. Someone had started cashing out from a secret Bitfinex account. Now they had the difficult task of following the money’s movements on the blockchain in the hopes that they would lead to the identity of the criminal. Investigators saw that someone had started sending small amounts of bitcoin in a zig-zagging fashion through several accounts until they landed on AlphaBay, a dark web marketplace used to trade drugs, weapons, and other illegal goods.
Bitcoin mixing services made it nearly impossible for authorities to track the money. Whoever was cashing out was smart enough to know that they had to carefully manage the trail they left on the blockchain to avoid getting caught. AlphaBay became a massive underworld information black hole, where thousands of cybercriminals laundered money. That is, until July 2017, when AlphaBay was shut down by law enforcement in a darknet crackdown. Suddenly, with the marketplace offline, the money laundering hype died down. A law enforcement review of AlphaBay’s files was long overdue, but they had to deal with the thousands of drug dealers and gun smugglers first.

Around this time, Heather started writing for Forbes. In fact, in her talk about social engineering, she says she got into the Forbes column. But what’s interesting is that she describes herself as an “international economist, entrepreneur, investor, and expert in persuasion, social engineering, and game theory.” Many cybercriminals get caught because they feel like their crimes are real accomplishments, and they want the attention and admiration that comes with accomplishments. But they can’t talk about what they did because it’s illegal.
So they do things like this: they create a seemingly fake but somewhat truthful identity to satisfy their need for self-validation. During the SalesFolk presentation, she even claimed that her company had $64.7 million in revenue in 2016 — a figure oddly comparable to the value of Bitcoin at the time of the hack.
In AlphaBay, investigators discovered a new technology used to hide where cryptocurrency was being cashed out. At the time, the cutting-edge laundering scheme was CoinJoins. Think of it this way: the blockchain is a public record of every transaction, viewable by anyone. So by combining multiple people’s coins into one address and then redistributing them, it’s hard to identify the original sender, since it’s unclear which address the coins were returned to. If there are multiple people involved, tracking the movement of the money becomes extremely difficult.

The hackers, apparently feeling safe using this method, then cashed out their loot into more conventional financial accounts. The problem is that, especially when it comes to large sums, even with CoinJoins, tracking the movement of the money is easy. Just look at who sent the biggest pile and where it’s being sent.
And so investigators discovered the use of a new technique called chain hopping. This technique involves exchanging bitcoins for other cryptocurrencies, often at high speeds, to break the trail and make it difficult to track. Meanwhile, analysts have begun developing more advanced blockchain analysis tools to combat the effectiveness of such methods. One such company is Chainalysis, which specializes in blockchain tracking. For reference, it is valued at $8.6 billion. This is a significant amount, reflecting the importance of providing services to track illicit funds on the blockchain. The problem is that blockchains are eternal. So, sooner or later, investigators will be able to catch up with the criminals and unravel the complex web of transactions.
At this point, the stakes have never been higher. In December 2017, bitcoin peaked at $20,000, bringing the stolen amount to more than $4 billion. However, attempts by Bitfinex and the authorities to recover the bitcoins, even after they were laundered, have been unsuccessful. And so it went on for a few years until dramatic news broke in June 2019 that two brothers had been arrested for their alleged involvement in the hack, as well as other phishing schemes. Police allegedly seized two luxury cars along with a wallet, but upon investigation it turned out that it did not contain the funds stolen from Bitfinex. The boys had been using a scheme to lure Reddit and Telegram users to a fake website created to look like a real cryptocurrency exchange in order to steal their coins. However, at the hearing, one of the brothers admitted to his involvement in the Bitfinex hack.

The situation was starting to turn into an absurdity. Why would these brothers plead guilty if they had no assets related to the hack? If that wasn’t weird enough, just two months after the brothers’ arrest, Heather posted her location on social media. She was in Kiev, Ukraine, and they were literally on a trip abroad to launder their stolen bitcoins. And yet, the two brothers took the blame. No one understood what was going on.
For Heather and Ilya, the trip was a success. Almost 25,000 coins were sold, worth tens of millions of dollars. They were rich beyond their wildest dreams, and most of the coins were still sitting in her wallet, untouched. And the Bitfinex victims, who thought the story would end with the brothers being caught, sadly realized that while the two brothers stole millions by creating fake crypto exchanges and tricking people into using them, they had nothing to do with the Bitfinex hack. Once again, the case reached a dead end.

It is unknown whether the billions got to Heather’s head, or she had nothing better to do, but this is when she creates her rapper persona, Razzlekhan, releasing the most terrible music imaginable. “What’s up, Razzlekhan is here, like Genghis Khan with too much pizza.” By this time, they had moved into a luxury apartment on Wall Street. And then she began calling herself “The Crocodile of Wall Street.” “I’m the fucking Crocodile of Wall Street, Wall Street.” Basically, she wanted to present herself as a hacker, an economist, and a failed entrepreneur all at once.

And so life went on, and Ilya and Heather were preparing to officially become husband and wife. In June 2019, he proposed by renting billboards all over New York City to promote her rap. And now, in 2021, it was time for the wedding, and no expense was spared. However, on the eve of the big day, investigators again discovered the movement of bitcoins from the marked wallets. Over the next two months, more than 3,500 stolen coins, worth about $39 million, were moved in a series of transactions. The news quickly made headlines.

A Twitter bot was created to track these transfers. The world knew that the hackers were still at large, trying to slowly withdraw their billions, tens of millions of dollars at a time. And more than 80% of the stolen funds were still in the main wallet. With this discovery, Bitfinex decided to up the ante. They announced a reward for information about the hackers and even made the controversial statement that the hackers themselves would receive a reward if they returned the stolen funds. More precisely, they stated that according to the program, a hacker could receive up to $400 million if he returned all the coins.
Heather and Ilya wanted to make a small transfer from the wallet address associated with the hack to an address controlled by Bitfinex to initiate the transaction. But as you might have guessed, that didn't happen.

Exposure
Investigators, meanwhile, had finally gotten their hands on the AlphaBay files. During the AlphaBay shutdown, investigators had gotten their hands on the darknet market’s internal transaction logs. The mixing protocols that had previously seemed like a black hole suddenly became brighter. Now they could track where the funds were going after being mixed through the site. Tying Bitcoin addresses to real people was no easy task, but after cross-referencing a lot of data, they found links to shell companies and bank accounts where the funds were being transferred. And they belonged to none other than Heather and Ilya.
At that point, agents began following the couple, gathering evidence to build a case against them. After all, they were business owners. All that money could be explained somehow. Ilya had founded a new company, NASS, which was creating a privacy-focused crypto wallet.
It’s probably easy to mix billions of dollars in Bitcoin when you have thousands of users to hide behind and complete control over the wallet mixing protocol. I think that was his master plan.
At the same time, the guy had millions, but he wasn’t about to spend it. He applied for an $11,000 grant through the Paycheck Protection Program, designed to save jobs in the early days of the pandemic. Weeks later, investigators monitoring the couple discovered that the Bitcoin associated with the hack had been used to, among other things, buy a $500 Walmart gift card, with purchases made in Heather’s name.
In 2022, they probably should have known something was up, because their ISP notified them of a subpoena for their internet traffic as part of a lawsuit. For some reason, the ISP hadn’t gotten a gag order. Things like that could jeopardize the entire operation. They could start destroying evidence or planning an escape. The authorities were inches away from capturing them. All that was left was to raid the apartment in the hopes of catching them red-handed.
Sometime after the wedding, agents from the FBI and the IRS burst into the apartment. The agents’ best hope was to recover the coins. As a last ditch effort, Heather told the agents she wanted to take the cat and ran into another room. Quickly pursuing her, an agent noticed her trying to lock her phone. She was stopped in her tracks. It was over. They found fake passports, phones, $40,000 in cash, and evidence that the couple was planning to flee, most likely to Russia, one of the only countries impenetrable to Western law enforcement. After all, Ilya had dual citizenship.
By the end of the month, the feds had obtained a search warrant for Ilya’s cloud storage account, where they found a list of wallets linked to the hack and their passwords. One of those wallets held the bulk of the remaining money: 94,000 bitcoins. Using Ilya’s password, they logged into the account and seized the funds, making it the largest seizure in Justice Department history — $3.6 billion, thanks to bitcoin’s astronomical rise.

The department charged Ilya Lichtenstein and Heather Morgan for their alleged roles in a conspiracy to launder stolen cryptocurrency obtained in a 2016 hack of a virtual currency exchange. Ilya, who now sits in jail, was deemed a possible fugitive, with a judge noting that he has the skills necessary to launder the stolen funds and take steps to flee the country, and Heather was released on $3 million bail, posting her parents’ home as collateral.
What’s more interesting is that investigators told the judge that they never found any evidence that the couple actually committed the hack. All they had was a vast network of accounts through which the couple laundered money. They were also charged with conspiracy to commit money laundering, as well as defrauding the United States because taxes must be paid even on illegally acquired funds. They faced a maximum sentence of 25 years behind bars. However, on July 21, 2023, they both agreed to a plea deal. Ilya pleaded guilty to conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison. Heather was present when he pleaded guilty. He smiled at her and kissed her as they made eye contact; it was the first time they had seen each other in over a year. She pleaded guilty to one count of money laundering and one count of conspiracy to defraud the United States, each carrying a maximum sentence of five years in prison.

A sentencing hearing has not yet been scheduled. Before her arrest, Heather wrote on her Facebook page, “With words and software, you can write your own destiny.” As for the stolen funds, there is currently a fight over who gets them. Bitfinex claims ownership, of course, but many users who have since been compensated claim ownership of their share of the coins. It is likely that they will be distributed to users if they can prove they owned them before the hack, such as receipts and the like. But we may be old before the government has a system in place to distribute the seized coins, or even how that system works.
Source
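
The custody flaw from the Ledger Labs findings above, worked through as a small threat model. This is an added example, not part of the original post or any Bitfinex/BitGo code; the domain labels, key names and function names are assumptions, and the key layout follows the post's description (one key each for Bitfinex, BitGo and the user, two of three required).

```python
from itertools import combinations

# For each key: the alternative sets of trust domains whose compromise is
# enough to make that key sign. Labels are illustrative, not real identifiers.
INTENDED = {
    "bitfinex_key": [{"bitfinex"}],
    "bitgo_key": [{"bitgo"}],
    "user_key": [{"user"}],
}

# As the post describes the deployment: BitGo co-signs whenever a request
# arrives with the API key, and that API key lives inside Bitfinex. So the
# BitGo key can also be made to sign from the Bitfinex domain alone.
DEPLOYED = {**INTENDED, "bitgo_key": [{"bitgo"}, {"bitfinex"}]}


def signatures_available(compromised, wallet):
    """Number of keys that will sign once `compromised` domains are breached."""
    return sum(
        1
        for alternatives in wallet.values()
        if any(alt <= compromised for alt in alternatives)
    )


def minimal_compromise_sets(wallet, threshold=2):
    """Smallest sets of domains whose breach reaches the signing threshold."""
    domains = sorted(set().union(*(a for alts in wallet.values() for a in alts)))
    found = []
    for size in range(1, len(domains) + 1):
        for combo in combinations(domains, size):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # already covered by a smaller set
            if signatures_available(candidate, wallet) >= threshold:
                found.append(candidate)
    return found


def effective_threshold(wallet, threshold=2):
    """How many independent parties must fail before funds can move."""
    return min(len(s) for s in minimal_compromise_sets(wallet, threshold))


if __name__ == "__main__":
    for name, wallet in (("intended", INTENDED), ("deployed", DEPLOYED)):
        sets = [sorted(s) for s in minimal_compromise_sets(wallet)]
        print(f"{name}: needs {effective_threshold(wallet)} domain(s): {sets}")
```

A design review can run the same check on any co-signing arrangement: if the effective threshold is lower than the nominal one, a signer is not independent.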
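
The CoinJoin paragraphs above note that large sums stay traceable because of their size. The sketch below shows that amount-based reasoning from the analyst's side on a constructed transaction; it is an added example, not from the original post or any investigator's tooling. It assumes each participant contributes one input, each output belongs to one participant, and fees are ignored; all names and amounts are made up.

```python
# Constructed CoinJoin-style transaction, amounts in arbitrary integer units.
SAMPLE_INPUTS = {"in_large": 5000, "in_mid": 300, "in_small": 100}
SAMPLE_OUTPUTS = {
    "out_change_a": 4900,  # odd-sized change output
    "out_change_b": 200,   # odd-sized change output
    "out_mix_1": 100,      # equal-denomination mixed outputs
    "out_mix_2": 100,
    "out_mix_3": 100,
}


def link_outputs(inputs, outputs):
    """Link outputs to inputs where only one input could have funded them.

    Returns (linked, ambiguous): `linked` maps an output to its single
    possible input; `ambiguous` maps each remaining output to all inputs
    that still have enough unassigned value to cover it.
    """
    remaining = dict(inputs)   # value per input not yet attributed
    unlinked = dict(outputs)
    linked = {}

    progress = True
    while progress:
        progress = False
        # Largest outputs first: they have the fewest possible funders.
        for out, amount in sorted(unlinked.items(), key=lambda kv: -kv[1]):
            candidates = [i for i, left in remaining.items() if left >= amount]
            if len(candidates) == 1:
                source = candidates[0]
                linked[out] = source
                remaining[source] -= amount  # that value is now accounted for
                del unlinked[out]
                progress = True
                break  # budgets changed, so re-evaluate from the top

    ambiguous = {
        out: sorted(i for i, left in remaining.items() if left >= amount)
        for out, amount in unlinked.items()
    }
    return linked, ambiguous


def anonymity_set_sizes(inputs, outputs):
    """Number of possible funders per output (1 means fully traceable)."""
    linked, ambiguous = link_outputs(inputs, outputs)
    sizes = {out: 1 for out in linked}
    sizes.update({out: len(c) for out, c in ambiguous.items()})
    return sizes


if __name__ == "__main__":
    linked, ambiguous = link_outputs(SAMPLE_INPUTS, SAMPLE_OUTPUTS)
    print("traceable:", linked)
    print("ambiguous:", ambiguous)
```

Only the equal-denomination outputs keep an anonymity set larger than one; the odd-sized change outputs point straight back to the inputs that funded them.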