New York crypto scenesters Ilya “Dutch” Lichtenstein and his wife Heather Morgan have been arrested for money laundering. They’re alleged to have tried to cash out the proceeds of the 2016 hack of the Bitfinex crypto exchange. [Department of Justice]
This hack hit crypto like a bombshell. 120,000 BTC was stolen from customer addresses. Bitfinex gave all its customers — hacked or not — a 36% “haircut.” The exchange eventually made up the “haircut” with Bitfinex’s stablecoin Tether in mid-2017.
This is also when the issuance of Tether started going through the roof — even as they had no banking. This launched the 2017 crypto bubble. I detail the process in Attack of the 50 Foot Blockchain, chapter 8.
Lichtenstein and Morgan were charged with money laundering — but not with doing the hack itself.
(I’m not sure the US would even have jurisdiction for the hack itself. But the US most certainly has jurisdiction for the money laundering.)
Lichtenstein and Morgan are absolutely standard crypto bros who think they’re startup geniuses. They’re loud, brash and nowhere near as smart as they think they are.
But the Bitfinex hack reeks of social engineering for insider information, not sophisticated computer science brilliance. This is cryptocurrency — standards are low.
Could Morgan have been that social engineer? I’m not ruling it out.
How the hack was done
In 2016, Bitfinex kept customers’ bitcoins segregated — each customer’s holding was in its own separate multi-signature blockchain address.
You needed two of the three keys to the address to move bitcoins out of it. One key was held by Bitfinex, one by BitGo, and one by the customer.
BitGo had built an API for Bitfinex to use. This was not a public interface — only the two companies knew about it.
Bitfinex would pass transactions to BitGo via the private API. BitGo checked the transaction against their policy for that address, and signed if it was OK.
The API allowed policy changes — but a bug in the API meant you could set global limits that applied to all customer addresses, without the change being flagged for human review.
The hacker somehow got into Bitfinex’s systems, got access to an account that could change global limits, set the limit very high … and drained 2000 customer addresses into a single address.
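To make the failure concrete, here is a constructed toy model of a co-signing policy check, added for this post and not BitGo's or Bitfinex's actual code. It reproduces the described flaw (a global limit change that reaches every address with no human in the loop) beside a hardened mode that queues such changes for review and also flags many distinct customer addresses draining into one destination; the account names, limits and thresholds are all made up.

```python
from dataclasses import dataclass, field


@dataclass
class CosignPolicy:
    """Constructed toy model of a co-signing policy check (not BitGo's API).

    Transfers above an address's spend limit are held for human review. The
    bug described in the post: a 'global' limit change rewrote every address's
    limit without review. The hardened mode queues such changes for review and
    also flags many distinct addresses draining into one destination.
    """
    default_limit: float = 1.0          # BTC per transaction, all addresses
    hardened: bool = False              # False reproduces the described bug
    fanin_threshold: int = 50           # distinct sources paying one destination
    review_queue: list = field(default_factory=list)
    sources_by_dest: dict = field(default_factory=dict)

    def set_global_limit(self, actor: str, new_limit: float) -> str:
        # A change touching every customer address should always reach a human.
        if self.hardened:
            self.review_queue.append(("global_limit", actor, new_limit))
            return "queued_for_review"
        self.default_limit = new_limit  # the bug: silently applied everywhere
        return "applied"

    def cosign(self, src: str, dest: str, amount: float) -> str:
        fanin = self.sources_by_dest.setdefault(dest, set())
        fanin.add(src)
        too_big = amount > self.default_limit
        suspicious_fanin = self.hardened and len(fanin) > self.fanin_threshold
        if too_big or suspicious_fanin:
            self.review_queue.append(("tx", src, dest, amount))
            return "held_for_review"
        return "signed"


def simulate_drain(hardened: bool, amount: float, n_addresses: int = 2000) -> dict:
    """A limit-changing account (hypothetical) tries to sweep every address."""
    svc = CosignPolicy(hardened=hardened)
    change = svc.set_global_limit("compromised-account", 1e9)
    signed = sum(
        svc.cosign(f"cust-{i}", "attacker-dest", amount) == "signed"
        for i in range(n_addresses)
    )
    return {"limit_change": change, "signed": signed,
            "held": n_addresses - signed, "review_items": len(svc.review_queue)}
```

In the buggy mode every one of the 2000 sweeps is co-signed with nothing in the review queue; in the hardened mode the limit change itself is queued, over-limit transfers are held, and even under-limit transfers stop being signed once more than 50 addresses have paid the same destination.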
This was how the hack was described to me by Phil Potter of Bitfinex/Tether, when I spoke to him for Attack. Tether principals have been caught in many, many lies — see the New York and CFTC settlements — so you may or may not want to take this with a grain of salt. However, Potter’s description largely matches the version I’d heard from others before this. [Reddit]
The hacker had information you’d need to be a Bitfinex or BitGo insider to know:
- that the API existed;
- code for the API, to see the bug in it;
- access to Bitfinex systems to send valid requests to BitGo.
Could you get that information and access — or get to somewhere you could get that information — by talking your way past someone? Possibly.
But then, Morgan and Lichtenstein
Morgan and Lichtenstein are alleged to have tried to launder the BTC directly from the Bitcoin address the stolen coins were sent to — they weren’t sent to another address first. In fact, a lot of the stolen BTC is still in that address.
If the government’s allegations are true, Morgan and Lichtenstein were clearly goddamn dumbasses: [Statement of Facts, PDF; Government’s reply in support of review of Detention Order, PDF]
- IRS investigators first spotted the couple trying to launder bitcoins out via darknet market AlphaBay — when AlphaBay had just been taken over by international authorities. This was the key to cracking the case and busting Morgan and Lichtenstein.
- A Walmart gift card was bought with some of the stolen coins — and used for purchases in Morgan’s name, sent to her address.
- A text file on cloud storage, listing all of the Bitcoin addresses and keys, was registered in Lichtenstein’s name.
- A plastic bag was found in their apartment labeled “BURNER PHONE.”
“Being smart in no way stops you from being stupid,” as I said to the Financial Times. [FT, paywalled]
And then there’s Morgan’s Bitcoin rap career as “Razzlekhan.” [Vice]
But look around you. Crypto finance systems are made of cardboard and gaffer tape. Coinbase, the most popular consumer crypto exchange, can barely stay online. Hacks and dumb errors happen all the time. “Bozo” is standard in this space.
Morgan has bragged at length about her social engineering skills. [YouTube] How good she is, that’s questionable. But you don’t need to be very good at all to be better than crypto average.
Slight cleverness and persistence at doorknob rattling is how a huge amount of actual hacking is done. Per the Statement of Facts, the two had allegedly been rattling doorknobs at a whole pile of exchanges already.
But did they do it?
Of course, the other reason I won’t say “they did it” is that if you were looking for patsies, Morgan and Lichtenstein fit that bill perfectly. Or the hacker was looking for a Reggie Fowler to turn the bitcoins into money in bank accounts.
If the Department of Justice won’t say Morgan and Lichtenstein are the hackers, I’m not going to declare they are. But I will say that they have the minimal skills needed to even try this. And definitely the bull-headed persistence.
And really — how much social engineering skill do you need to fox crypto people? I mean, they already bought cryptos.
thinking of just dming every account I see with a laser eyes profile or a bitcoin symbol and explaining that I'm the bitcoin wallet inspector. https://t.co/Nw131y68Ww
— James Palmer (@BeijingPalmer) February 9, 2022