Could Morgan and Lichtenstein have done the 2016 Bitfinex hack? I’m not ruling it out

New York crypto scenesters Ilya “Dutch” Lichtenstein and his wife Heather Morgan have been arrested for money laundering. They’re alleged to have tried to cash out the proceeds of the 2016 hack of the Bitfinex crypto exchange. [Department of Justice]

This hack hit crypto like a bombshell. 120,000 BTC was stolen from customer addresses. Bitfinex gave all its customers — hacked or not — a 36% “haircut.” The exchange eventually made up the “haircut” with Bitfinex’s stablecoin Tether in mid-2017.

This is also when the issuance of Tether started going through the roof — even as they had no banking. This launched the 2017 crypto bubble. I detail the process in Attack of the 50 Foot Blockchain, chapter 8.

Lichtenstein and Morgan were charged with money laundering — but not with doing the hack itself.

(I’m not sure the US would even have jurisdiction for the hack itself. But the US most certainly has jurisdiction for the money laundering.)

Lichtenstein and Morgan are absolutely standard crypto bros who think they’re startup geniuses. They’re loud, brash and nowhere near as smart as they think they are.

But the Bitfinex hack reeks of social engineering for insider information, not sophisticated computer science brilliance. This is cryptocurrency — standards are low.

Could Morgan have been that social engineer? I’m not ruling it out.

How the hack was done

In 2016, Bitfinex kept customers’ bitcoins segregated — each customer’s holding was in its own separate multi-signature blockchain address.

You needed two of the three keys to the address to move bitcoins out of it. One key was held by Bitfinex, one by BitGo, and one by the customer.

BitGo had built an API for Bitfinex to use. This was not a public interface — only the two companies knew about it.

Bitfinex would pass transactions to BitGo via the private API. BitGo checked the transaction against their policy for that address, and signed if it was OK.

The API also allowed policy changes — and a bug in it meant you could set a global limit that applied to every customer address at once, without the change being flagged for human review. Per-address policy was the thing BitGo actually checked; a global override quietly replaced it.

The hacker somehow got into Bitfinex’s systems, got access to an account that could change global limits, set the limit very high … and drained 2000 customer addresses into a single address.

This was how the hack was described to me by Phil Potter of Bitfinex/Tether, when I spoke to him for Attack. Tether principals have been caught in many, many lies — see the New York and CFTC settlements — so you may or may not want to take this with a grain of salt. However, Potter’s description largely matches the version I’d heard from others before this. [Reddit]
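To make the failure mode concrete, here is a toy model of the co-signing policy check described above. It is an added example, not BitGo's or Bitfinex's code, and the class names, limits, addresses and the "review queue" are assumptions of mine: the only thing it takes from the description is that the second signer enforces a per-address spend limit, and that a global limit change could bypass the human review that a per-address change would get.

```python
# Added example: a simplified model of a 2-of-3 co-signer's policy check.
# Not BitGo or Bitfinex code. Names, limits and the review queue are assumptions.
from dataclasses import dataclass


@dataclass
class Withdrawal:
    src: str            # customer multisig address being spent from
    dst: str            # destination address
    amount_btc: float


class CoSigner:
    """Second-of-three signer that enforces a per-address spend policy.

    A withdrawal gets this signer's signature only if it is within the limit
    that applies to its source address. Per-address limit changes always go
    to a human review queue; whether a *global* limit change does too is the
    knob that models the bug.
    """

    def __init__(self, address_limits, review_global_changes):
        self.address_limits = dict(address_limits)   # address -> max BTC per withdrawal
        self.global_limit = None                     # overrides every address when set
        self.review_global_changes = review_global_changes
        self.pending_review = []                     # policy changes awaiting a human
        self.signed = []                             # withdrawals this signer approved

    # Policy changes, as made through the (hypothetical) private API.
    def set_address_limit(self, address, limit):
        # Per-address change: queued for review, never applied immediately.
        self.pending_review.append(("address", address, limit))

    def set_global_limit(self, limit):
        if self.review_global_changes:
            self.pending_review.append(("global", None, limit))   # hardened path
        else:
            self.global_limit = limit                             # the bug: applied silently

    def effective_limit(self, address):
        if self.global_limit is not None:
            return self.global_limit
        return self.address_limits.get(address, 0.0)

    def cosign(self, tx):
        """Return True (and record the signature) if tx is within policy."""
        ok = tx.amount_btc <= self.effective_limit(tx.src)
        if ok:
            self.signed.append(tx)
        return ok


def drain(cosigner, balances, attacker_addr):
    """Try to sweep every customer's full balance into one address; return BTC moved."""
    moved = 0.0
    for address, balance in balances.items():
        if cosigner.cosign(Withdrawal(address, attacker_addr, balance)):
            moved += balance
    return moved


# Constructed sample data: three customer addresses with small per-withdrawal limits.
BALANCES = {"cust_a": 50.0, "cust_b": 120.0, "cust_c": 8.0}
LIMITS = {"cust_a": 1.0, "cust_b": 2.0, "cust_c": 0.5}
ATTACKER = "attacker_sweep_addr"


def run(review_global_changes):
    """Attacker raises the global limit, then sweeps. Returns (BTC moved, changes held for review)."""
    signer = CoSigner(LIMITS, review_global_changes)
    signer.set_global_limit(1_000_000.0)
    return drain(signer, BALANCES, ATTACKER), len(signer.pending_review)


if __name__ == "__main__":
    print("vulnerable:", run(review_global_changes=False))  # (178.0, 0)
    print("hardened:  ", run(review_global_changes=True))   # (0.0, 1)
```

The point of the two runs: with the silent global override, a single API call turns every per-address limit into no limit at all and the sweep succeeds in one pass; with global changes held for review, the same sweep is refused at every address while a normal small withdrawal still signs. Any control that can widen policy for all accounts at once deserves at least the scrutiny of a control that widens it for one.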

The hacker had information you’d need to be a Bitfinex or BitGo insider to know:

  • that the API existed;
  • code for the API, to see the bug in it;
  • access to Bitfinex systems to send valid requests to BitGo.

Could you get that information and access — or get to somewhere you could get that information — by talking your way past someone? Possibly.


But then, Morgan and Lichtenstein

Morgan and Lichtenstein are alleged to have tried to launder the BTC directly from the Bitcoin address the stolen coins were sent to — they weren’t sent to another address first. In fact, a lot of the stolen BTC is still in that address.

If the government’s allegations are true, Morgan and Lichtenstein were clearly goddamn dumbasses: [Statement of Facts, PDF; Government’s reply in support of review of Detention Order, PDF]

  • IRS investigators first spotted the couple trying to launder bitcoins out via darknet market AlphaBay — when AlphaBay had just been taken over by international authorities. This was the key to cracking the case and busting Morgan and Lichtenstein.
  • A Walmart gift card was bought with some of the stolen coins — and used for purchases in Morgan’s name, shipped to her address.
  • A text file on cloud storage, listing all of the Bitcoin addresses and keys, was registered in Lichtenstein’s name.
  • A plastic bag was found in their apartment labeled “BURNER PHONE.”

“Being smart in no way stops you from being stupid,” as I said to the Financial Times. [FT, paywalled]

And then there’s Morgan’s Bitcoin rap career as “Razzlekhan.” [Vice]

But look around you. Crypto finance systems are made of cardboard and gaffer tape. Coinbase, the most popular consumer crypto exchange, can barely stay online. Hacks and dumb errors happen all the time. “Bozo” is standard in this space.

Morgan has bragged at length about her social engineering skills. [YouTube] How good she is, that’s questionable. But you don’t need to be very good at all to be better than crypto average.

Slight cleverness and persistence at doorknob rattling is how a huge amount of actual hacking is done. Per the Statement of Facts, the two had allegedly been rattling doorknobs at a whole pile of exchanges already.

But did they do it?

Of course, the other reason I won’t say “they did it” is that if you were looking for patsies, Morgan and Lichtenstein fit that bill perfectly. Or the hacker was looking for a Reggie Fowler to turn the bitcoins into money in bank accounts.

If the Department of Justice won’t say Morgan and Lichtenstein are the hackers, I’m not going to declare they are. But I will say that they have the minimal skills needed to even try this. And definitely the bull-headed persistence.

And really — how much social engineering skill do you need to fox crypto people? I mean, they already bought cryptos.


8 Comments on “Could Morgan and Lichtenstein have done the 2016 Bitfinex hack? I’m not ruling it out”

    1. A wonderful story and a very old story. Utopian communities always involve a new form of currency, which always turns out to be a direct pipeline into the founder’s wallet.

      Since Vanuatu is already nothing but a money laundry, at least the utopians won’t have to fight the local government. They’ll just need to keep paying the extortion rent.

  1. My belated discovery of your blog and your books has been a great joy, not only for the information (I don’t know anything about coding, have never made an ‘investment’ in my life etc) but for your excellent and hilarious prose style. I’m particularly excited by your dedication to dropping in lyrics and song titles from The Fall into the text as subheds and titles — ‘ Wireless enthusiast intercepts government secret radio band and uncovers secrets and scandals of deceitful-type proportions!’ had me falling on the floor laughing with irrationally exuberant excitement. Less spectacularly, the subhed ‘Craigness’ was not only perfectly judged for the person under discussion, it re-started a train of philosophical thought in my head from decades ago about that song title word and the possible philosophical gold to be mined from turning Christian names into pseudo-meaningful substantives. Anyhow great writing — and knowing that a distributed ledger is basically an environmentally-catastrophic giant excel spread sheet is of great value to me in dealing with the sudden shifting of political valences, as one-time personal friends, philosophers, and ‘thinkers’ that were reliably skeptical leftists have turned overnight into Mencius Moldbug-quoting anti-vaxxers too busy Doing Their Own Research to bother me directly but absolutely a huge danger to themselves and others. And you are undoubtedly already aware of this great resource, but if not it’s a treasure trove: http://annotatedfall.doomby.com/pages/the-annotated-lyrics/new-face-in-hell.html

    1. It was “Craigness” that started me on this good and correct path. You’ll be unsurprised to hear that I routinely hit Annotated Fall for the news of the day.

    1. I looked at that – and probably should have mentioned it – couldn’t find any more detail on these two or what the claim actually was. There was also some guy in India, again no more detail.
