A review of the Bitfinex Hack

Breadcrumbs App
Published in Breadcrumbs
Mar 14, 2022

The Justice Department announced that it seized more than $3.6 billion in allegedly stolen cryptocurrency linked to the 2016 hack of Bitfinex. Bitfinex is a cryptocurrency exchange owned and operated by iFinex Inc, registered in the British Virgin Islands. At the time, the 2016 Bitfinex hack was the second largest bitcoin theft on record: 119,756 BTC, then worth around US$72 million, was stolen.

As part of the operation, authorities arrested a New York-based couple, Ilya Lichtenstein and Heather Morgan, on allegations that they conspired to launder the stolen funds. For years, most of the money sat untouched in a single wallet. But once the coins slowly began to move out of that wallet in 2017 and into the traditional banking system, investigators were able to trace the transactions and tie them to real-world identities.

https://www.breadcrumbs.app/reports/bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt/2/10/10

From Breadcrumbs’ perspective, there are several interesting points we are going to share about this blockchain investigation.

Money Laundering VS Hack

The public might assume that Lichtenstein and Morgan were arrested for the hack itself. In fact, the Justice Department did not allege that they were the hackers. Rather than charging them with the intrusion, it charged them with conspiracy to commit money laundering and conspiracy to defraud the US government. Whether they carried out the hack themselves is not known, and the case remains under investigation. The central evidence tying them to the laundering is that they kept the private keys for the wallets holding the stolen coins in an account with a cloud storage provider.

How law enforcement arrested them after 6 years

Law enforcement stated that it was able to seize the 94,636 BTC left in several wallets because Lichtenstein allegedly uploaded a list to third-party cloud storage and email providers. The list contained the addresses of the wallets into which Bitfinex’s funds had been dumped, together with the private keys needed to access them. The file was encrypted, but after obtaining it under a search warrant, law enforcement was able to decrypt it along with several other documents. This allowed the government to seize the crypto left in those wallets, and it also gave investigators access to other potentially incriminating documents, such as spreadsheets listing further accounts linked to the stolen funds and a list of darknet markets selling passports and ID cards.

Money laundering techniques

Peel chain and mixer

From January 2017, the stolen funds began to be transferred to various addresses. The launderers used the peel chain technique to repeatedly split the stolen funds into smaller pieces, which were then deposited at AlphaBay, a darknet marketplace seized by law enforcement in July 2017. Accounts on such a platform can also be used as a mixer: a custodial marketplace commingles customer deposits in its own wallets, so a withdrawal cannot be linked on-chain to the deposit that funded it, which makes the coins much harder to trace. Our results show about 25,000 BTC being mixed through AlphaBay.

Peel chain:

Definition from Hudson Intelligence:

“Peel chain is a technique to launder a large amount of cryptocurrency through a lengthy series of minor transactions. A small portion is ‘peeled’ from the subject’s address in a low-value transfer. These incremental outputs are often directed to exchanges where they can be converted to fiat currency (e.g., dollars) or other assets. The subject’s remaining UTXO passes to a new change address and the process repeats. Due to the small amounts of each individual transfer, outputs from the peel chain are less likely to raise red flags for AML compliance at virtual asset exchanges or trigger mandatory reporting to tax and regulatory authorities.”

An example of peel chain transaction using Breadcrumbs.app investigation tool:

https://www.breadcrumbs.app/reports/bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt/2/10/10
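To make the pattern in that definition concrete, here is an added example, written for this article and not code from Breadcrumbs or Hudson Intelligence, that follows a peel chain through a set of constructed transactions. It assumes a minimal transaction model of spent outpoints and (address, amount) outputs; the txids, addresses and amounts are made up, and fees are ignored so that outputs sum to inputs.

```python
"""Follow a peel chain through constructed transactions (added example)."""
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000


@dataclass(frozen=True)
class Tx:
    """Minimal transaction model: spent outpoints and (address, amount_sats) outputs."""
    txid: str
    inputs: tuple   # ((prev_txid, vout), ...)
    outputs: tuple  # ((address, amount_sats), ...)


def index_spenders(txs):
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    spenders = {}
    for tx in txs.values():
        for outpoint in tx.inputs:
            spenders[outpoint] = tx.txid
    return spenders


def follow_peel_chain(txs, start_txid, min_change_ratio=0.8):
    """Walk forward from start_txid along the change output, one peel per hop.

    A hop is peel-like when the tx has exactly two outputs and the larger one
    (the change) carries at least min_change_ratio of the total. The walk stops
    at the first tx that breaks the pattern, or when the change output is not
    spent in the data we hold. The ratio is an assumed tuning parameter.
    """
    spenders = index_spenders(txs)
    hops = []
    txid = start_txid
    while txid in txs:
        tx = txs[txid]
        if len(tx.outputs) != 2:
            break
        total = sum(amount for _, amount in tx.outputs)
        # Pick the change by value, not position: wallets shuffle output order.
        change_vout = max(range(2), key=lambda i: tx.outputs[i][1])
        change_addr, change_sats = tx.outputs[change_vout]
        peel_addr, peel_sats = tx.outputs[1 - change_vout]
        if change_sats / total < min_change_ratio:
            break
        hops.append({"txid": txid, "peel_to": peel_addr, "peel_sats": peel_sats,
                     "change_to": change_addr, "change_sats": change_sats})
        txid = spenders.get((txid, change_vout))   # None ends the walk
    return hops


def summarize_chain(hops):
    """Totals an investigator would take to the exchanges named in the peels."""
    return {
        "hops": len(hops),
        "peeled_sats": sum(h["peel_sats"] for h in hops),
        "peel_destinations": [h["peel_to"] for h in hops],
        "remaining_sats": hops[-1]["change_sats"] if hops else 0,
    }


# Constructed sample (fake txids/addresses): 100 BTC is peeled four times,
# then swept in one piece to a new wallet, which ends the chain.
SAMPLE_TXS = {tx.txid: tx for tx in (
    Tx("tx1", (("theft_out", 0),), (("exchange_A", 50_000_000), ("change_1", 9_950_000_000))),
    Tx("tx2", (("tx1", 1),), (("exchange_B", 70_000_000), ("change_2", 9_880_000_000))),
    Tx("tx3", (("tx2", 1),), (("change_3", 9_840_000_000), ("exchange_C", 40_000_000))),
    Tx("tx4", (("tx3", 0),), (("exchange_D", 60_000_000), ("change_4", 9_780_000_000))),
    Tx("tx5", (("tx4", 1),), (("cold_wallet", 9_780_000_000),)),
)}


if __name__ == "__main__":
    chain = follow_peel_chain(SAMPLE_TXS, "tx1")
    for hop in chain:
        print(hop)
    summary = summarize_chain(chain)
    print(summary)
    print(summary["peeled_sats"] / SATS_PER_BTC, "BTC peeled off over", summary["hops"], "hops")
```

Each hop records the peel output (the small transfer, typically to an exchange deposit address) and the change output the walk continues from. The peel destinations are what an investigator then takes to the exchanges for account records; the remaining change is the balance still under the launderer’s control. Note that tx3 places the change first, which is why the change is picked by value rather than by output index.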

Bitcoin Mixer:

Definition from The World Financial Review

“A cryptocurrency mixer or bitcoin mixer is an Internet platform that offers the service of mixing your coins with coins of other owners or previously cleaned coins that are in the platform’s reserve. Then, these mixed coins are returned to you in already cleaned condition (as a whole sum you deposited or in installments). After the coins have undergone the procedure described above, it becomes almost impossible to trace the source of their origin and the identity of their owner.”

Coinjoin transaction

In January 2021 there were some large movements of the stolen funds. The launderers used Wasabi Wallet to conduct CoinJoin transactions, a specific form of coin mixing. A CoinJoin combines the inputs of several participants into one transaction and pays each of them back in equal-sized outputs of relatively ‘clean’ coins, so that no output can be linked to a particular input and the assets become much harder to trace.

Below is an example of Coinjoin transactions visualized on Breadcrumbs.app

https://www.breadcrumbs.app/reports/bc1q0z0arzy7k3gakllefukt8mtwq94ss7avtwks0x/2/10/10
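As an added example (not code from this page, Breadcrumbs or Wasabi), here is the kind of heuristic an analytics tool applies to flag such a transaction: an equal-output CoinJoin shows many inputs and a run of identically valued outputs, and any one of those outputs could belong to any participant. The transactions are constructed, and the participant and share thresholds are assumptions chosen for illustration.

```python
"""Flag equal-output CoinJoin transactions (added example; constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """Minimal transaction model: spent outpoints and (address, amount_sats) outputs."""
    txid: str
    inputs: tuple
    outputs: tuple


def coinjoin_signals(tx, min_participants=5, min_equal_share=0.5):
    """Score one transaction against an equal-output CoinJoin fingerprint.

    Signals (thresholds are assumptions for this example):
      - at least min_participants inputs, i.e. coins from several parties,
      - one output amount (the mix denomination) repeated at least
        min_participants times,
      - those equal outputs forming at least min_equal_share of all outputs.
    Returns the signals plus the anonymity set an analyst should assume for
    any one of the equal outputs (1 when the tx does not look like a CoinJoin).
    """
    n_in, n_out = len(tx.inputs), len(tx.outputs)
    amounts = Counter(amount for _, amount in tx.outputs)
    denomination, equal_count = amounts.most_common(1)[0] if amounts else (0, 0)
    equal_share = equal_count / n_out if n_out else 0.0
    looks_like_coinjoin = (
        n_in >= min_participants
        and equal_count >= min_participants
        and equal_share >= min_equal_share
    )
    return {
        "txid": tx.txid,
        "inputs": n_in,
        "outputs": n_out,
        "denomination_sats": denomination,
        "equal_outputs": equal_count,
        "coinjoin_like": looks_like_coinjoin,
        # Each equal output could belong to any of the equal_count participants.
        "anonymity_set": equal_count if looks_like_coinjoin else 1,
    }


def mixed_outputs(tx):
    """Outpoints (txid, vout) of the equal-valued outputs of a CoinJoin-like tx:
    the ones a tracer cannot attribute to a single input without outside data."""
    sig = coinjoin_signals(tx)
    if not sig["coinjoin_like"]:
        return []
    return [(tx.txid, i) for i, (_, amount) in enumerate(tx.outputs)
            if amount == sig["denomination_sats"]]


# Constructed sample transactions (fake txids, addresses and amounts).
COINJOIN = Tx(
    "cj_1",
    tuple((f"in_{i}", 0) for i in range(8)),             # 8 participants' inputs
    tuple((f"mix_{i}", 10_000_000) for i in range(8))    # 8 x 0.1 BTC mixed outputs
    + (("chg_a", 1_234_567), ("chg_b", 3_000_000),       # plus 4 change outputs
       ("chg_c", 777_777), ("chg_d", 5_500_000)),
)
PAYOUT = Tx(  # exchange batch payout: one input, many distinct amounts
    "payout_1",
    (("hot_wallet", 3),),
    tuple((f"cust_{i}", 1_000_000 + i * 100_000) for i in range(20)),
)
FAUCET = Tx(  # equal outputs but only two inputs: not a multi-party mix
    "faucet_1",
    (("f_in", 0), ("f_in", 1)),
    tuple((f"drop_{i}", 10_000_000) for i in range(10)),
)
PLAIN = Tx("plain_1", (("p_in", 0),), (("shop", 2_500_000), ("change", 7_400_000)))

SAMPLE_TXS = {tx.txid: tx for tx in (COINJOIN, PAYOUT, FAUCET, PLAIN)}


if __name__ == "__main__":
    for tx in SAMPLE_TXS.values():
        print(coinjoin_signals(tx))
    print(mixed_outputs(COINJOIN))
```

The point of the anonymity-set field is practical: a peel-chain walk that lands on one of the mixed outputs should stop there rather than continue as if the link were certain, because the output is equally consistent with eight different participants. The payout and faucet cases show why both the input count and the equal-output share are required, since batch payouts and mass airdrops reproduce one signal but not the other.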

Create online accounts using a fictitious identity

The couple created as many accounts as possible on trading platforms that do not require KYC (Know Your Customer) or real-name verification, in order to avoid regulatory scrutiny. This shows how crucial KYC is to AML (Anti-Money Laundering): platforms without a KYC process present opportunities for money laundering.

Auto small amount transactions

The couple used computer programs to automate transactions, making many small transfers in a short period of time. Each individual amount was very small and therefore did not trigger the exchange’s transaction-monitoring controls, allowing the transfers to slip past regulatory reporting thresholds.
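An added example of the check an exchange’s monitoring would need in order to catch this pattern; it is not code from this page or from any exchange. It runs a sliding-window rule over a constructed deposit log: many sub-threshold deposits into one account within an hour that add up to a material amount raise an alert, while the same small deposits spread across a day, or a few large deposits that a per-transaction rule would already catch, do not. The window, count and amount thresholds are assumptions.

```python
"""Sliding-window structuring rule over a constructed deposit log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

SATS_PER_BTC = 100_000_000

# Constructed deposit log, not real exchange data: "<timestamp> <account> <btc>".
# acct_17 drips ten small deposits in 22 minutes; acct_99 makes six small
# deposits 70 minutes apart; acct_42 makes three large deposits.
SAMPLE_LOG = """\
2022-01-05T08:00:00Z acct_99 0.040
2022-01-05T09:10:00Z acct_99 0.040
2022-01-05T09:30:00Z acct_42 0.500
2022-01-05T10:00:00Z acct_17 0.040
2022-01-05T10:02:10Z acct_17 0.045
2022-01-05T10:04:45Z acct_17 0.038
2022-01-05T10:06:30Z acct_17 0.050
2022-01-05T10:09:05Z acct_17 0.042
2022-01-05T10:11:50Z acct_17 0.047
2022-01-05T10:14:20Z acct_17 0.039
2022-01-05T10:17:00Z acct_17 0.044
2022-01-05T10:19:35Z acct_17 0.041
2022-01-05T10:20:00Z acct_99 0.040
2022-01-05T10:22:10Z acct_17 0.046
2022-01-05T11:30:00Z acct_99 0.040
2022-01-05T12:40:00Z acct_99 0.040
2022-01-05T13:15:00Z acct_42 0.750
2022-01-05T13:50:00Z acct_99 0.040
2022-01-05T18:40:00Z acct_42 0.600
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, amount_sats) tuples.
    Amounts go through Decimal so that 0.040 BTC is exactly 4_000_000 sats."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, btc = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, int(Decimal(btc) * SATS_PER_BTC)))
    return events


def find_structuring(events, window=timedelta(hours=1), min_count=8,
                     per_tx_max_sats=5_000_000, window_total_min_sats=30_000_000):
    """Alert on accounts receiving >= min_count sub-threshold deposits within
    any `window` whose sum is >= window_total_min_sats.

    Only deposits at or below per_tx_max_sats (the amount a single-transaction
    rule would ignore) are counted: that is the population the structuring
    pattern hides in. Returns one alert per offending account, for the window
    with the most deposits."""
    by_account = defaultdict(list)
    for ts, account, sats in events:
        if sats <= per_tx_max_sats:
            by_account[account].append((ts, sats))

    alerts = []
    for account, deposits in by_account.items():
        deposits.sort()
        win, total, best = deque(), 0, None
        for ts, sats in deposits:
            win.append((ts, sats))
            total += sats
            while ts - win[0][0] > window:        # drop deposits older than the window
                _, old = win.popleft()
                total -= old
            if best is None or len(win) > best["count"]:
                best = {"account": account, "count": len(win), "total_sats": total,
                        "start": win[0][0], "end": ts}
        if best["count"] >= min_count and best["total_sats"] >= window_total_min_sats:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(parse_log(SAMPLE_LOG)):
        print(alert)
```

The rule deliberately keys on count and aggregate within a time window rather than on any single amount, because the launderer controls the single amount. The same aggregation can be run per destination address or per linked cluster of accounts, which is what defeats the ‘many accounts on one platform’ tactic described in the previous section.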

Convert Bitcoin to other assets

The couple converted Bitcoin into other forms of virtual currency, including anonymity-enhanced cryptocurrency (AEC), a practice known as “chain hopping”. They also used U.S. business accounts to make their banking activity appear legitimate.

Fund Seizure

On February 1, 2022, the stolen Bitfinex bitcoins were consolidated over 23 transactions into a single wallet holding approximately 94,643.29 BTC. The Global Financial Information Service (GFIS) team observed the 94,643 BTC being merged into the wallet address:

bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt

Using the blockchain investigation tool we can clearly see the detailed incoming funds of the destination wallet, and we can also use it to investigate further each of the addresses that transferred BTC to the wallet seized by the US Government. As of March 5, 2022, funds were still being moved into the seized-funds wallet.

https://monitor.breadcrumbs.app/dashboard/897/transactions

Thoughts on blockchain traceability and law enforcement around virtual assets

There is plenty of discussion about the advantages and disadvantages of mainstreaming cryptocurrencies. One long-standing argument against it is the use of cryptocurrencies for illicit activity, including money laundering. But research has shown time and again that the majority of crypto transactions remain low risk.

The news of the arrest of Lichtenstein and Morgan has highlighted not only the scale of illicit activity that can be facilitated by the blockchain, but also the traceability of these types of transactions. Blockchain analytics tools can track where funds go, identify where they came from, and trace the transactions in between.

In the case of Lichtenstein and Morgan, they failed to cover their tracks in the integration phase of the laundering process, in part because of the compliance mechanisms that are well entrenched in traditional finance. Because of the pseudonymity and distributed nature of the crypto world, crimes are at times non-linear. But once laundering involves centralized exchanges that require KYC, it becomes easier to tie transactions to actual, identifiable entities.

As cryptocurrencies come to be recognized by formal institutions, we need to understand the neutrality of the technology in order to tap its positive potential and address its negative use cases. The traceability and immutability of blockchain transactions are well suited to monitoring consumer patterns and behaviors, whether low or high risk. But what is perhaps crucial is setting up clear international guidelines for prosecuting illegal activities that take place on the internet.

In this case, since the couple lived in the US and used US IP addresses to conduct their laundering transactions, it is obvious that they fell under US jurisdiction. But the virtual nature of cyberspace breaks the physical limits of the real world. In practice, it may be difficult to identify where criminal acts are carried out, the proceeds of a crime may be scattered, and multiple countries or regions may claim jurisdiction. Where jurisdictions conflict, domestic authorities may face difficulties in coordination and cumbersome reporting procedures for the designated jurisdiction, while at the international level there are differing jurisdictional principles and a lack of protection by international conventions.

More programs and policies are needed, not to strictly regulate the crypto space, but to accommodate the nuances of decentralized finance so as to harness, and not temper, its significant potential.
