The DOJ’s $3.6B Bitcoin Seizure Shows How Hard It Is to Launder Crypto

A cou­ple alleged­ly used a “laun­dry list” of tech­ni­cal mea­sures to cov­er their tracks. They didn’t work.

The IRS detailed the wind­ing and tan­gled routes the cou­ple alleged­ly took to laun­der a por­tion of the near­ly 120,000 bit­coins stolen from the cryp­tocur­ren­cy exchange Bitfinex in 2016.

ON TUESDAY, ILYA Lichtenstein and Heather Morgan were arrest­ed in New York and accused of laun­der­ing a record $4.5 bil­lion worth of stolen cryp­tocur­ren­cy. In the 24 hours since, the cyber­se­cu­ri­ty world has ruth­less­ly mocked their oper­a­tional secu­ri­ty screwups: Lichtenstein alleged­ly stored many of the pri­vate keys con­trol­ling those funds in a cloud-stor­age wal­let that made them easy to seize, and Morgan flaunt­ed her “self-made” wealth in a series of cringe-induc­ing rap videos on YouTube and Forbes columns.

But those gaffes have obscured the remark­able num­ber of mul­ti-lay­ered tech­ni­cal mea­sures that pros­e­cu­tors say the cou­ple did use to try to dead-end the trail for any­one fol­low­ing their mon­ey. Even more remark­able, per­haps, is that fed­er­al agents, led by IRS Criminal Investigations, man­aged to defeat those alleged attempts at finan­cial anonymi­ty on the way to recoup­ing $3.6 bil­lion of stolen cryp­tocur­ren­cy. In doing so, they demon­strat­ed just how advanced cryp­tocur­ren­cy trac­ing has become—potentially even for coins once believed to be prac­ti­cal­ly untraceable. 

What was amaz­ing about this case is the laun­dry list of obfus­ca­tion tech­niques [Lichtenstein and Morgan alleged­ly] used,” says Ari Redbord, the head of legal and gov­ern­ment affairs for TRM Labs, a cryp­tocur­ren­cy trac­ing and foren­sics firm. Redbord points to the cou­ple’s alleged use of “chain-hop­ping”— trans­fer­ring funds from one cryp­tocur­ren­cy to anoth­er to make them more dif­fi­cult to follow—including exchang­ing bit­coins for “pri­va­cy coins” like mon­ero and dash, both designed to foil blockchain analy­sis. Court doc­u­ments say the cou­ple also alleged­ly moved their mon­ey through the Alphabay dark web mar­ket—the biggest of its kind at the time—in an attempt to stymie detectives.

Yet inves­ti­ga­tors seem to have found paths through all of those obsta­cles. “It just shows that law enforce­ment is not going to give up on these cas­es, and they’ll inves­ti­gate funds for four or five years until they can fol­low them to a des­ti­na­tion they can get infor­ma­tion on,” Redbord says.

In a 20-page “state­ment of facts” pub­lished along­side the Justice Department’s crim­i­nal com­plaint against Lichtenstein and Morgan on Tuesday, IRS-CI detailed the wind­ing and tan­gled routes the cou­ple alleged­ly took to laun­der a por­tion of the near­ly 120,000 bit­coins stolen from the cryp­tocur­ren­cy exchange Bitfinex in 2016. Most of those coins were moved from Bitfinex’s address­es on the Bitcoin blockchain to a wal­let the IRS labelled 1CGa4s, alleged­ly con­trolled by Lichtenstein. Federal inves­ti­ga­tors even­tu­al­ly found keys for that wal­let in one of Lichtenstein’s cloud stor­age accounts, along with logins for numer­ous cryp­tocur­ren­cy exchanges he had used.

What was amaz­ing about this case is the laun­dry list of obfus­ca­tion tech­niques.”
ARI REDBORD, TRM LABS

But to get to the point of iden­ti­fy­ing Lichstenstein—along with his wife, Morgan—and locat­ing that cloud account, IRS-CI fol­lowed two branch­ing paths tak­en by 25,000 bit­coins that moved from the 1CGa4s wal­let across Bitcoin’s blockchain. One of those branch­es went into a col­lec­tion of wal­lets host­ed on AlphaBay’s dark web mar­ket, designed to be impen­e­tra­ble to law enforce­ment inves­ti­ga­tors. The oth­er appears to have been con­vert­ed into mon­ero, a cryp­tocur­ren­cy designed to obfus­cate the trails of funds with­in its blockchain by mix­ing up the pay­ments of mul­ti­ple mon­ero users—both real trans­ac­tions and arti­fi­cial­ly gen­er­at­ed ones—and con­ceal­ing their val­ue. Yet some­how, the IRS says it iden­ti­fied Lichtenstein and Morgan by trac­ing both those branch­es of funds to a col­lec­tion of cryp­tocur­ren­cy exchange accounts in their names, as well as in the names of three com­pa­nies they owned, known as Demandpath, Endpass, and Salesfolk.

The IRS has­n’t entire­ly spelled out how its inves­ti­ga­tors defeat­ed those two dis­tinct obfus­ca­tion tech­niques. But clues in the court document—and analy­sis of the case by oth­er blockchain analy­sis experts—suggest some like­ly theories.

Lichtenstein and Morgan appear to have intend­ed to use Alphabay as a “mix­er” or “tum­bler,” a cryp­tocur­ren­cy ser­vice that takes in a user’s coins and returns dif­fer­ent ones to pre­vent blockchain trac­ing. AlphaBay adver­tised in April 2016 that it offered that fea­ture to its users by default. “AlphaBay can now safe­ly be used as a coin tum­bler!” read a post from one of its admin­is­tra­tors. “Making a deposit and then with­draw­ing after is now a way to tum­ble your coins and break the link to the source of your funds.”

In July 2017, however—six months after the IRS says Lichtenstein moved a por­tion of the Bitfinex coins into AlphaBay wallets—the FBI, DEA, and Thai police arrest­ed AlphaBay’s admin­is­tra­tor and seized its serv­er in a data cen­ter in Lithuania. That serv­er seizure isn’t men­tioned in the IRS’s state­ment of facts. But the data on that serv­er like­ly would have allowed inves­ti­ga­tors to recon­struct the move­ment of funds through AlphaBay’s wal­lets and iden­ti­fy Lichtenstein’s with­drawals to pick up their trail again, says Tom Robinson, a cofounder of the cryp­tocur­ren­cy trac­ing firm Elliptic. “The data that inves­ti­ga­tors appear to have got from AlphaBay is the key to all of this,” says Robinson. According to the IRS, those AlphaBay with­drawals were ulti­mate­ly traced through numer­ous move­ments around the blockchain to a col­lec­tion of cryp­tocur­ren­cy exchange accounts, some of which Lichtenstein and Morgan controlled.

IRS inves­ti­ga­tors say that the oth­er branch of funds from Lichtenstein’s 1CGa4s wal­let was laun­dered through “chain-hopping”—but they only par­tial­ly describe how that obfus­ca­tion worked, not to men­tion how the IRS defeat­ed it. One chart in the IRS’s state­ment of facts shows a col­lec­tion of bit­coins mov­ing from the 1CGa4s wal­let into two accounts on an unnamed cryp­tocur­ren­cy exchange. Yet those two accounts, reg­is­tered with Russian names and email address­es, were fund­ed entire­ly with mon­ero rather than bit­coin, the IRS says. (Both accounts were even­tu­al­ly frozen after the exchange demand­ed more iden­ti­fy­ing infor­ma­tion from the account hold­ers and they failed to pro­vide it. But by that time much of the mon­ero had been con­vert­ed into bit­coin and withdrawn.)

The IRS’s expla­na­tion does­n’t men­tion at what point the mon­ey in Lichtenstein’s bit­coin wal­let was con­vert­ed into the mon­ero that lat­er appeared in those two exchange accounts. Nor, more impor­tant­ly, does it say how inves­ti­ga­tors con­tin­ued to fol­low the cryp­tocur­ren­cy despite Monero’s fea­tures designed to thwart that tracing—a feat of cryp­to-trac­ing that has nev­er before been doc­u­ment­ed in a crim­i­nal case.

A chart from the IRSs statement of facts about cryptocurrency tracing
A chart from the IRS’s inves­ti­ga­tion includes a con­nec­tion (indi­cat­ed by a red arrow added by WIRED) between a bit­coin wal­let that alleged­ly belonged to Lichtenstein and two accounts fund­ed with the pri­va­cy-focused cryp­tocur­ren­cy mon­ero at a vir­tu­al cur­ren­cy exchange, labelled VCE 4. This link seems to show that the IRS might have traced mon­ero, an unprece­dent­ed capa­bil­i­ty. COURTESY OF DEPARTMENT OF JUSTICE

It’s pos­si­ble that the IRS inves­ti­ga­tors did­n’t actu­al­ly trace mon­ero to draw that link, points out Matt Green, a cryp­tog­ra­ph­er at Johns Hopkins University and one of the cocre­ators of the pri­va­cy-focused cryp­tocur­ren­cy zcash. They may have found oth­er evi­dence of the con­nec­tion in one of the defen­dan­t’s records, just as they found oth­er incrim­i­nat­ing files in Lichtenstein’s cloud stor­age account, though no such evi­dence is men­tioned in the IRS’s state­ment of facts. Or they could sim­ply be mak­ing an assump­tion unsup­port­ed by evidence—though that’s not a com­mon prac­tice for fed­er­al agen­cies pros­e­cut­ing a high-pro­file crim­i­nal case years in the mak­ing. “The third pos­si­bil­i­ty, which I would def­i­nite­ly not rule out, is that they have some trac­ing capa­bil­i­ties that they’re not dis­clos­ing in this com­plaint,” says Green.

Tracing mon­ero has long been sug­gest­ed to be the­o­ret­i­cal­ly pos­si­ble. A 2017 study by one group of researchers found that in many cas­es, they could use clues like the age of coins in a mon­ero trans­ac­tion to deduce who moved which coins, though Monero sub­se­quent­ly upgrad­ed its pri­va­cy fea­tures to make that far hard­er to do.

The cryp­tocur­ren­cy trac­ing firm Chainalysis, which counts the IRS as a cus­tomer, has pri­vate­ly tout­ed its own secret meth­ods to trace mon­ero. Last year hack­ers leaked a pre­sen­ta­tion to Italian police in which Chainalysis claimed it could pro­vide a “usable lead” in 65 per­cent of mon­ero trac­ing cas­es. In anoth­er 20 per­cent of cas­es, it could deter­mine a trans­ac­tion’s sender but not its recip­i­ent. “In many cas­es, the results can be proven far beyond rea­son­able doubt,” the leaked pre­sen­ta­tion read in Italian, though it cau­tioned that “the analy­sis is of a sta­tis­ti­cal nature and as such any result has a con­fi­dence lev­el asso­ci­at­ed with it.”

IRS Criminal Investigations declined to com­ment on the Bitfinex case beyond the pub­lic doc­u­ments it’s released, and Chainalysis declined to say whether it had been part of the investigation—much less whether it had helped the IRS to trace monero.

If these analy­sis firms aren’t work­ing on anonymi­ty-enhanced coins, then they’re not doing their jobs,” Green says. “And I think we should assume that they are look­ing at these sys­tems, and they’re prob­a­bly hav­ing some success.”

The unspo­ken mes­sage to the Lichtensteins and Morgans of the world: Even if your rap videos and slop­py cloud stor­age accounts don’t get you caught, your clever laun­der­ing tricks may still not save you from the ever-evolv­ing sophis­ti­ca­tion of law enforce­men­t’s crypto-tracers.

Original source of arti­cle: WIRED.COM