How a Young Couple Failed to Launder Billions of Dollars in Stolen Bitcoin


In August, 2016, a hacker stole 119,754 bitcoin from a cryptocurrency exchange called Bitfinex. On Tuesday, in Manhattan, a young married couple, Ilya Lichtenstein and Heather Morgan, appeared in federal court, charged with attempting to launder the proceeds of that crime. When the exchange was hacked, the stolen bitcoin was worth about seventy-one million dollars. Today, its value is more than five billion dollars. Shortly before their arrest, one could argue that—on paper, at least—Lichtenstein and Morgan were richer than Peter Thiel, who founded PayPal.

Lichtenstein is a thirty-four-year-old with dual Russian-American citizenship, who describes himself on Medium as a “tech entrepreneur, explorer, and occasional magician.” He goes by “Dutch.” His Twitter feed (@unrealdutch) is a stream of aloof commentary on cryptocurrency, Web 3.0, and non-fungible tokens. On New Year’s Eve, he retweeted Edward Snowden’s picture of fireworks over the Kremlin. Morgan, who is thirty-one, married Lichtenstein last year. Among other pursuits, she is a journalist. In her biography for Forbes, which she wrote for until last year, Morgan describes herself as “an international economist, serial entrepreneur, and investor” and “an expert in persuasion, social engineering, and game theory.” “When she’s not reverse-engineering black markets to think of better ways to combat fraud and cybercrime,” her bio reads, “she enjoys rapping and designing streetwear fashion.”

Morgan really does seem to enjoy rapping. She spits bars as Razzlekhan, and styles herself the “Crocodile of Wall Street.” The keystone of Razzlekhan’s œuvre is a track called “Versace Bedouin,” a paean to grind culture and financial speculation, in which Morgan nods to her multi-hyphenate career. (“I’m many things: a rapper, an economist, a journalist, a writer, a C.E.O., and a dirty, dirty, dirty, dirty ho.”) In the video for “Versace Bedouin,” Morgan wears a gold lamé jacket and a baseball cap bearing the slogan “ØFCKS.” It was filmed on Wall Street itself, which is also where the couple lives, in a rented two-bed condominium.

Morgan and Lichtenstein were charged last week with conspiring to launder money and conspiring to defraud the United States. Most subsequent media coverage of the case has naturally focussed on their colorful online personae. (I am not immune. In my house, “Versace Bedouin” has been on repeat.) But the details of the case are equally intriguing, because they gesture at the potential and pitfalls of digital currency for criminal activity.

The case against Morgan and Lichtenstein, as detailed in the affidavit, describes a big crime followed by a series of frustrations. After the hack of Bitfinex, in 2016, the stolen bitcoin was transferred to an outside wallet. The government has not said that Lichtenstein and Morgan hacked the exchange; they are charged only with laundering the proceeds of the hack. But it appears that the couple never even tried to launder most of the stolen coins—94,636 bitcoin, or about eighty per cent of the total loot, never left the first wallet. The reason? Laundering digital currency is hard. And the level of difficulty rises as the sums grow larger.

As I discovered last year, while reporting on state-sponsored North Korean hackers, thefts from digital-currency exchanges happen with alarming regularity. North Korean operatives particularly enjoy hacking digital bourses in South Korea. As of last April, one exchange, Bithumb, had been raided four times. Exchanges are vulnerable because they often maintain escrow accounts holding coins in so-called hot wallets, which are connected to the Internet. (The more secure, but laborious, way to store coins is in a “cold wallet,” which is not connected to the Internet; the keys to the wallet are written down or memorized elsewhere.) Through some often-ingenious tricks, such as impersonating a trusted business partner in order to plant malware on an exchange employee’s computer, criminals find ways to commandeer the keys to hot wallets, and steal coins.

Last year, Tom Robinson, who is the chief scientist at the blockchain-analytics firm Elliptic, explained to me the appeal of this kind of crime. “Once the funds have moved out of the exchange, you can’t reverse those transactions, like you can maybe with a traditional bank payment,” Robinson said. “Once they’re gone, they’re gone. And there’s no intermediary, there’s no controller of bitcoin, who you can go to and say, ‘Those funds are stolen. Give them back to me.’ It’s completely decentralized. It can also be fairly anonymous—you don’t need to enact the scheme through accounts linked to your identity.”

But if digital currency creates opportunities for thieves it also presents giant obstacles. The desired end point of most exchange hacks is to convert stolen digital currency into fiat currency—pounds, euros, dollars. That’s hard to do if exchanges have adequate know-your-customer (K.Y.C.) or anti-money-laundering (A.M.L.) structures in place. If you dump a billion dollars’ worth of bitcoin at a reputable exchange’s feet and ask for dollars in response, its A.M.L. team should ask some tough questions.

Launderers must also contend with the fact that coins are traceable. The ledger on which trades occur is immutable. It should always be possible to track stolen loot through its digital footprint. The problem of handling stolen bitcoin is not unlike that of smuggling a Picasso in the trunk of your car. Everybody knows it’s a Picasso because it looks like a Picasso and it’s got Picasso’s signature on it. Stealing the painting is one thing; realizing any monetary gain for it is another.

Morgan and Lichtenstein seem to have understood some of the dangerous terrain of the crypto laundry. The affidavit claims that, among other techniques, the couple moved some of the bitcoin out of the holding wallet using “a series of small, complex transactions across multiple accounts and platforms,” adding that “this shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds.” This atomized transfer is sometimes known as a peel chain. Last year, Robinson, the Elliptic scientist, showed me a visualization of a peel chain. The diagram looked like an airline-magazine route map, in which several lines sprout from one dot and then converge on another.

The affidavit also details how the couple understood other, more sophisticated laundering techniques. One is known as chain hopping. This is when one type of coin is swapped for another—Bitcoin to Ethereum, for instance—to disguise its provenance. The blockchain-forensics firm Chainalysis recently published a report that detailed the growing use of chain hopping, particularly by North Korean criminal groups. The preferred method is to use what is known as a DeFi (decentralized finance) platform, which swaps currencies without ever taking custody of the funds. DeFis are not required to have any know-your-customer procedures. According to Chainalysis, in 2020, North Korean hackers used a DeFi called Uniswap to launder the proceeds of a two-hundred-and-seventy-five-million-dollar theft from the KuCoin exchange—one of the largest hacks of any exchange ever.

Morgan and Lichtenstein also allegedly moved coins to AlphaBay, a dark-Web marketplace that was shuttered by police in 2017. You can buy pretty much anything you want using digital currency on the dark Web, and nobody cares where you got your funds. But it seems that the sums Morgan and Lichtenstein were looking to launder were too unwieldy to cash out by buying products. AlphaBay was simply a conduit for the stolen coins. The couple is alleged to have moved their funds through the dark-Web marketplace and back into other coin exchanges, which landed them in the same predicament as when they started: with a bunch of digital currency that they couldn’t spend. When they attempted to open seven new accounts on one exchange using fake identities, the exchange could not verify the accounts, and froze their funds.

The couple ran into locked door after locked door. They spent some of the coins on N.F.T.s, and some on a five-hundred-dollar Walmart gift card. They cashed out small amounts using gold trades and other techniques. Gurvais Grigg, a former F.B.I. agent who is now the public sector chief technical officer for Chainalysis, told me that Morgan and Lichtenstein’s attempts to launder their bitcoin had shown them to be “pretty sophisticated.” But they never found a way to make good on the billions of dollars’ worth of loot burning a hole in their digital pocket. “Eventually,” Grigg said, “you’ve got to move it to a place, or an exchange, or an O.T.C. [over-the-counter trader] that can help you.”

Reading the affidavit, I found myself asking: How would the North Koreans have washed so many coins? They would have done it slowly. Criminal groups associated with North Korea leave large volumes of cryptocurrency untouched in digital wallets for years. They also would have used some of the same techniques that Morgan and Lichtenstein did: peel chains and chain hopping. But they would have kept their real identities far away from any accounts handling the stolen coins. (They would never have used a real driver’s license to verify their identity, or have used their own home address for a gold trade, as Lichtenstein did.) Certainly, they would have found a way to cash out large sums, probably using an exchange in a lax jurisdiction.

In 2018, a digital-currency exchange in Hong Kong was hacked by a North Korean group. About…

Read More: How a Young Couple Failed to Launder Billions of Dollars in Stolen Bitcoin

Notify of
Inline Feedbacks
View all comments