The Bonnie and Clyde of Bitcoin

In 2016, Ilya Lichtenstein and Heather Morgan began their journey as the Bonnie and Clyde of blockchain after stealing 95,000 Bitcoin. At times, the proceeds of their theft were valued higher than $4.5 billion as the price of BTC soared in the years that followed. 

But it all came to an end in February 2022 when the American Department of Justice (DOJ) used the forensic power of blockchain to make its largest-ever single seizure of funds and arrest the couple.

How a magician and an amateur rapper became Bitcoin bandits

Prior to becoming crypto’s most bizarre and infamous couple, Ilya Lichtenstein and Heather Morgan began their lives on either side of the Iron Curtain. Born in Russia, Lichtenstein moved to the US as a boy where he grew up in affluent Chicagoan suburbia. Early on in his life, Lichtenstein showed the makings of the tech entrepreneur he’d soon become; he was a mathlete and also captained the Academic Bowl – a quiz-based competition. 

“Nice kid. Smart. Would be like if McLovin from Superbad ended up pulling off the heist,” says Steven Galanis, a former high-school classmate and the founder of Cameo, a platform for personalised shoutouts. 

In 2011, Lichtenstein co-founded the customer discovery platform MixRank, before becoming an advisor at SalesFolk, a company founded by his future partner, Heather Morgan. This is also most likely where the couple met. Aside from his professional history, very little is known of Lichtenstein’s personal life; he describes himself on Medium as a “tech entrepreneur, explorer, and occasional magician,” going by the moniker “Dutch.”

By contrast, his wife Heather Morgan frequently broadcasts her pastimes on social media, with an amateur rap career taking centre stage. Born and raised in Tehama, an American town of 400 people on the Oregon-Idaho border, she busts rhymes under the name of “Razzlekhan” with hits like Versace Bedouin and Turkish Martha Stewart. When she isn’t spitting bars, Morgan describes herself as “an economist, a journalist, a writer, and CEO,” among some expletives. To back her professional career, though, she holds an economics degree from the University of California, Davis and previously travelled to Cairo for graduate work in economics. She also keeps an interest in social engineering — the art of getting people to give you what you want, even when they don’t want to give it to you.

Then, in 2016, Lichtenstein went dark. He discreetly left the company he’d co-founded and his LinkedIn profile became increasingly vague. Two years later, Morgan also quit her job, explaining to her friends, and later in an article she wrote for Forbes, that burnout was to blame for her departure.

Morgan said, “It’s really strange to suddenly have free time after beasting nonstop for years. It was about this time that I discovered rapping.” But it was also during this time that the couple acquired the proceeds of the 2016 hack of Hong Kong-based crypto exchange Bitfinex.

Virtually nothing is known about the hack itself, and the DOJ hasn’t been able to pin it on anyone. But, it was confirmed in a 14 February hearing that Lichtenstein and Morgan received at least 95,000 of the 120,000 bitcoins looted from Bitfinex. 

How they did it

Bitfinex was one of the world’s largest cryptocurrency exchanges at the time it suffered the security breach. Some 2,000 transactions were approved from users’ accounts and sent to one Bitcoin wallet where the coins were left in plain sight on the blockchain to appreciate over time. As New York Times writers Ali Watkins and Benjamin Weiser explained, “It was as if a robber’s getaway car was permanently parked outside the bank, locked tight, money still inside.”

Then, in early 2017, small amounts of bitcoin began to leave the wallet through AlphaBay, a currency exchange and coin mixer on the dark web. Coin mixers (also referred to as coin tumblers) are often used by money launderers to obscure their transaction history.

As well as coin mixers, Morgan and Lichtenstein assumed fake identities that helped them send stolen bitcoin from their digital wallet into various exchanges. Their fictitious identities were also used to create online accounts and initiate automated financial transactions while continuing to make deposits in accounts on virtual platforms and darknet markets. 

The duo then allegedly converted some of their stolen bitcoin into millions worth of fiat currency, and used the cash to buy 70 pieces of gold, NFTs, a $500 Walmart gift card, as well as to make Uber and PlayStation purchases. 

After three years of laundering, the crypto winter began to subside and the price of Bitcoin soared. At this point, Lichtenstein and Morgan started making transactions through Wasabi Wallet, a privacy wallet designed to conceal the tracks left behind on the blockchain. 

Despite hundreds of millions of dollars in Bitcoin being converted into traditional currency, some 80% of the stolen crypto remained in the wallet. Laundering cryptocurrency is an extremely difficult and time-consuming process. That was until 31 January 2022, when the couple’s house of cards began to tremble.

Why they failed

Blockchain is a forensic tool to be reckoned with

Criminals often believe that using cryptocurrency to launder money is a little like using an invisibility cloak. But invisibility cloaks have one inherent problem: you still leave footprints behind. 

To cover their tracks as best they could, Lichtenstein and Morgan made use of AlphaBay before making thousands of complex outbound transactions into other exchanges. What the couple didn’t count on was AlphaBay being seized by an international law enforcement effort led by the FBI.

Tom Robinson, a co-founder of blockchain analytics company Elliptic, believes “The fact that law enforcement took down AlphaBay probably led to [Lichtenstein and Morgan’s] downfall,” as investigators gained access to a series of internal transaction logs. From there, all law enforcement needed to do was join the dots between the wallet linked to the 2016 hack, and the smaller shell businesses and bank accounts that were also involved.

A peer of Robinson’s is Ari Redbord, the head of legal and government affairs at cryptocurrency regulatory startup TRM Labs, and he agrees that blockchain’s transparent nature aided investigations.

“Law enforcement investigators have never had a more open way to follow the money,” Redbord says. “This shows cybercriminals that just because it’s years after a hack, don’t think you’ve gotten away with it: We’re going to trace those funds until we can seize them.” 

Bitcoin is totally transparent

It’s clear that Lichtenstein and Morgan understood the challenge they were facing, given their coin-mixing solutions and complex web of transactions. Despite their efforts, though, the couple never achieved complete anonymity. Chris Depow, a senior advisor at blockchain analytics firm Elliptic, says criminals often underestimate the difficulty of laundering cryptocurrency.

“The idea of crypto being entirely anonymous is a bit of a misnomer. What it really is, is pseudonymous,” says Depow. “Although you don’t have know-your-customer (KYC) records, you can still publicly see all of the wallet addresses associated with these transactions and the transaction addresses as well. 

“If you can continue following the funds, you’re going to be able to identify that individual. That’s what makes Bitcoin analytics unique.”

Regulation helps prevent illicit behaviour

For most crypto criminals, the endgame is to convert illicit funds into conventional currency, and the two needed exchanges to give them dollars for their crypto. Yet regulations and anti-money laundering acts meant that dumping billions of dollars’ worth of Bitcoin would have raised questions and possibly led to their accounts being frozen. There was also a chance that Lichtenstein and Morgan could have encountered roadblocks should they have become entangled in their own web of fake identities.

The smoking gun

In January 2022, officials were able to obtain a search warrant for a cloud storage account belonging to Lichtenstein. Here, investigators found a list of wallet addresses linked to the hack with their passwords. One of these wallets contained the majority of the leftover 94,000 Bitcoin. By using these passwords, Lichtenstein’s funds were finally seized. 

Adding to the suspicion, investigators also searched the couple’s luxury New York apartment and compiled a list of findings that included a bin containing various bags holding multiple cell phones, and SIM cards under their bed. There were at least 50 electronic devices, multiple digital wallets used to store cryptocurrency, and approximately $40,000 in cash, along with other foreign currency. “Lichtenstein’s office contained two hollowed-out books, whose pages appeared to be roughly cut out by hand,” prosecutors wrote about the apartment search.

With these findings, it’s safe to assume these weren’t the tools of a magician, nor the props for an amateur rapper’s music video…
