Analysis of the $3.6 Billion Recovered by the U.S Government from the 2016 Bitifnex hack

SlowMist
5 min readFeb 9, 2022

--

The U.S. Department of Justice (DOJ) announced on Tuesday (February 8) that it has seized $3.6 billion worth of bitcoins linked to the 2016 hack of cryptocurrency exchange Bitfinex. Ilya Lichtenstein, 34, and his wife Heather Morgan, 31, were arrested in New York and charged with conspiracy to commit money laundering and defraud.

The U.S. Department of Justice announcement said that this is the largest financial seizure in the history of the Department of Justice (HSI) New York office, and the German Ansbach Police Department assisted during this investigation.

Some background information

According to the analysis of intelligence data held by SlowMist AML, Bitfinex suffered a cyber attack in August 2016. 2,072 Bitcoin transactions were transferred out of Bitfinex’s without authorization. The funds were scattered and stored in 2,072 wallet addresses. Statistics show that Bitfinex lost a total of 119,754.8121 BTC. It was worth about $60 million at the time of the incident, but about $4.5 billion in today’s prices.

SlowMist MistTrack detected a large number of funds stolen from Bitfinex on February 1, and it was later confirmed that the funds were the 94,643.2984 BTC seized by the Department of Justice, accounting for about 79% of the total stolen funds. These funds are currently under the custody Of the US government in the address bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt.

Events leading to the recovery

We will be sharing the key points according to the statement_of_facts.pdf document published by the US Department of Justice. These are the details of the case.

1.By gaining access to Lichtenstein’s cloud storage account, U.S. law enforcement obtained a document with more than 2,000 wallet addresses and corresponding private keys. The addresses in this document are the wallet addresses the hackers used in the 2016 incident mentioned above. The US Department of Justice then had the ability to seize and transfer the bitcoins to bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt.

2.Only in January 2017, did some of the stolen funds begin to transfer out. Using the peel chain method, causes some of the funds to be continuously split and broken up. It was then deposited into 7 different AlphaBay accounts. These accounts were used mainly for deposits and withdrawals so that BTC could not be easily traced. The accounts were seized and closed by law enforcement agencies around July of 2017. Using blockchain analysis, the amount of Bitcoin mixed with AlphaBay is about 25,000 BTC.

3.After the funds were mixed, most of the funds were transferred to 8 separate accounts registered in Exchange-1 (VCE 1), and the email for these accounts were all used by the same Indian email service provider. In addition, these 8 accounts used the same login IP and were all registered around August 2016. What’s even crazier is that there is an excel sheet in Lichtenstein’s cloud storage, which records various information of these 8 accounts, and 6 of them are also marked as FROZEN (frozen) by him. Analysis from the U.S. Department of Justice found that eight accounts in Exchange-1 (VCE 1) had a total of $186,000 worth of assets frozen.

4.Some of the funds were transferred to Exchange-2 (VCE 2) and an American exchange (VCE 4). Some of the accounts registered on these two exchanges also used the same emails mentioned above. The login info was also found in the above-mentioned Excel spreadsheet in Lichtenstein’s cloud storage. Through VCE 2 and VCE 4, Lichtensteins successfully exchanged the stolen BTC from Bitfinex for fiat currency and transferred it into bank accounts. They also had 2 accounts registered using Russian e-mails services on VCE 4. Due to the frequent deposit of XMR (Monero) and the inability to explain the source of these funds, the accounts were frozen by the exchange. The US Department of Justice that the frozen assets were worth around $155,000.

5.Before the accounts from Exchange-1 were frozen, most of the funds were withdrawn and sent to another American exchange (VCE 5). This account was created on January 13, 2015, before the Bitfinex incident. Lichtenstein registered the account with his real identity and private email address on the VCE 5 exchange and performed KYC authentication (real-name authentication). On the VCE 5 exchange, Lichtenstein bought gold with BTC from merchants on the platform and had it delivered to his home address.

6.In addition to the aforementioned exchanges of VCE 1, VCE 2, VCE 4, and VCE 5, which were used by them for money laundering, the Lichtensteins also registered with exchanges VCE 7, VCE 8, VCE 9, and VCE 10. These were also used to launder BTC. These exchanges got their funds mainly through withdrawals from VCE 1. Some accounts registered on exchanges such as VCE 7–10 use the real identities of the couples and their companies (Endpass, Inc and SalesFolk LLC) for KYC verifications. Analysis from the U.S. Department of Justice found that from March 2017 to October 2021, the couple had three accounts on VCE 7 that received a total of around $2.9 million in bitcoin. On these exchanges, Lichtenstein further laundered the funds by buying and selling altcoins (non-mainstream coins), NFTs, etc., and also realized cash through Bitcoin ATM machines.

Money Laundering link

Some afterthoughts

About 6 years have passed since the Bitfinex incident in August of 2016. U.S agencies were able to conduct in-depth investigations during this period. From the content of the published statement_of_facts.pdf file, it was discovered that most of the information in regards to money laundering accounts and details of transactions are stored in Lichtenstein’s cloud storage. Thus leading to the arrest of the couple.

Some questions to consider:

How did law enforcement agencies pinpoint Lichtenstein as a suspect?

Why did the US Department of Justice only indict the couple for money laundering and defraud but not for hacking Bitfinex and stealing funds?

Did the couple actually commit the hacks or was there always another mastermind behind the incident?

What happened in the 5 months between the funds being stolen in August 2016 and the transfer of the stolen funds in January 2017?

References:

https://www.justice.gov/opa/press-release/file/1470186/download

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.