The private key is stored in the cloud! US agents recover $3.6 billion in Bitcoin from Bitfinex hack

This week the U.S. Department of Justice announced the seizure of 94,000 stolen bitcoins and has arrested two suspects in New York. At current bitcoin prices, those 94,000 bitcoins are worth about $3.6 billion. This case became the largest cryptocurrency theft ever seized by the U.S. government and the largest financial crime seized to date.

The press release states :

Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, were arrested in Manhattan, New York, on the morning of February 8 on suspicion of laundering money in cryptocurrencies.

The cryptocurrencies were stolen money they obtained by hacking the Bitfinex exchange in 2016. At current prices, the nearly 120,000 bitcoins stolen at the time were worth about $4.5 billion. Today, law enforcement seized 94,000 bitcoins (about $3.6 billion). The remaining 25,000 bitcoins have been cashed out by two suspects over the past five years through sophisticated money laundering techniques and deposited into their financial accounts. After obtaining a court search ticket, the agents found the wallet's private key from Lee Heddenstein's cloud file, and legally seized a total of 94,000 bitcoins on February 1.

This article restores how the Bitfinex exchange was hacked in 2016, what the hackers have been doing in the past 5 years, and why they were finally caught by the US government.

Bitfinex hacked

On the evening of August 2, 2016, Bitfinex, the cryptocurrency exchange with the largest trading volume in the world at that time, issued an emergency announcement :

Today we discovered a security breach, so all asset trading and deposit and withdrawal services on Bitfinex must be stopped immediately. The incident is still under investigation, but we know of some users whose bitcoins were hacked. Although we have suspended all website operations, we can confirm that the scope of the impact is limited to Bitcoin accounts, and other cryptocurrencies on Bitfinex have not been affected.

As soon as the news came out, the price of Bitcoin fell by 23%.

A follow-up investigation found that hackers stole a total of about 120,000 bitcoins from the Bitfinex exchange, worth about $71 million at the time. This was already the second-highest cryptocurrency theft at the time, after the 740,000 bitcoins hacked on the Mt.Gox exchange at the end of 2011. The average Bitfinex user lost 36% of their assets.

However, the Bitfinex exchange was not knocked down by this incident. The exchange resumed operations after being suspended for less than a week, and proposed a compensation plan- the issuance of BFX tokens . Each BFX token is worth $1, like a "bond token" issued by the Bitfinex exchange.

Each Bitfinex user will receive varying amounts of BFX tokens according to the amount of loss, representing the money Bitfinex owes the user. In the future, users can exchange BFX tokens for stocks issued by iFinex (the parent company of Bitfinex) or exchange them for cash. Although it has been considered very sincere, back in 2016, no one was willing to pay.

At that time, few people had heard of Bitcoin, not to mention that the world's largest exchange Mt.Gox was hacked and closed down a few years ago, and everyone was not optimistic that Bitfinex could continue to operate. Therefore, the BFX token, which should be worth 1 US dollar, once fell to only 0.2 US dollars in the market price. It can be seen that almost no one believes that Bitfinex can compensate users for losses.

Unexpectedly, the end of 2016 ushered in a rise in the price of Bitcoin, rising from $600 to $20,000 at the end of 2017. In the end, it took only 8 months for the Bitfinex exchange to repurchase BFX tokens in full with the company's income, which is equivalent to fully compensating everyone for their economic losses. It also made many people fall out of the glasses.

In addition to compensating users for losses, Bitfinex also issued a sky-high bounty on the 4th anniversary of the hack. Bitfinex is willing to set aside 5% and 25% of the total recovered amount to inform the informants and hackers if they can provide clues and allow the hackers to return the stolen bitcoins voluntarily. At current prices, the bounty amounts to $1.6 billion.

But according to the U.S. Department of Justice's investigation report, the hackers probably did not intend to return the money at all. Hackers have been trying to cash out bitcoin since 2017 through the dark web, mixers and gift cards. At the same time, the hackers have started a new startup to fight cybercrime(!)

Hackers now

The investigation report stated:

According to the on-chain transaction data of Bitcoin, 120,000 bitcoins hacked on the Bitfinex exchange were transferred to personal wallets starting with 1CGA4s, and from January 2017, they were transferred to the dark via thousands of small transactions. Internet and exchange money laundering. Even some bitcoins are exchanged for virtual currencies with higher anonymity to avoid tracing.

These actions are obscuring the flow of bitcoin funds, making it difficult for law enforcement to trace the funds. But law enforcement still traced multiple accounts managed by Russian-American Ilya Lichtenstein and his wife Heather Morgan through on-chain transaction data and the exchange’s head account mailbox.

Lee Heidenstein was not only selected for the Y Combinator start-up accelerator, but also an entrepreneurial mentor for the start-up accelerator 500 Startups.

He and his wife, Morgan, later founded Endpass , a start-up that uses artificial intelligence to fight identity counterfeiting and cybercrime. Pretty ironic. Morgan is not only the co-founder of EndPass, but also a columnist for Forbes , Inc , and a rapper.

But no one thought that there was another identity behind the glamorous husband and wife team - a cryptocurrency hacker.

IRS special agent Christopher Janczewski, who was in charge of the case, drew the criminal cash flow as shown below. The VCE in the picture is the English abbreviation of virtual currency exchange, and AlphaBay Market is the darknet market.

As can be seen from the figure, 120,000 bitcoins were first transferred from the top Bitfinex exchange to the hacker's 1CGA4s personal wallet. Next, the cash flow is split into two parts. Part of it flows into the dark web, and the other part is transferred through multiple exchanges and wallets, and finally taken to Walmart, Uber, Hotels.com and Play Station for consumption.

It's just that the vast majority of bitcoins remain in personal wallets run by hackers. That's because it may be more difficult for hackers to cash out stolen bitcoins than to hack exchanges. According to an analysis by information security firm Elliptic in 2021:

Only 21% of the 120,000 bitcoins stolen from Bitfinex by hackers in the past five years have been transferred, and only 4% of them have been successfully monetized. Why?

In the early days of cryptocurrencies, many hacked funds may have been transferred directly to exchanges and exchanged for dollars and euros. That's because regulation was lax at the time, and law enforcement didn't have the tools to track the money. But things are very different today. Law enforcement and major exchanges use on-chain data analysis tools to identify “dark money,” making it increasingly difficult for criminals to cash in on their gains.

Early cryptocurrency exchanges not only did not have on-chain data analysis tools to identify illegal funds, they may not even have real-name authentication. Therefore, exchanges are easy to become a hotbed for hackers to launder money.

But most exchanges now know that not every deposit of cryptocurrency can be received, and it is necessary to confirm that the source of the funds is not "dark money" through analysis tools. This greatly reduces the channels for hackers to cash in, so that even if hackers can steal cryptocurrencies, they cannot exchange for money, so they have to keep cryptocurrencies in their wallets.

This time, the agents of the IRS followed the clues to find the real identities of the two, and then entered their cloud hard drives to search, only to find the wallet address and private key where they stored the stolen money.

The private key is stored in the cloud

According to the survey report:

One of Lee Heddenstein's e-mail addresses is provided by an American company. In addition to providing email services, the company also has a cloud drive function, but agents found that the vast majority of files are encrypted. It was not until January 31, 2022 that the agents decrypted the files one by one, and it was unexpectedly discovered that one of the files contained more than 2,000 wallet addresses and corresponding private keys. This allowed law enforcement to seize the remaining 94,636 bitcoins based on these private keys.

The report did not say how the agents learned where the hackers hid the private keys. But perhaps the agent deduced that if the hackers were to put the stolen money into more than 2,000 wallets, they would definitely need a list to uniformly manage the correspondence between each address and the private key. Lee Heddenstairs is not a stupid thief, he has encrypted and protected the files stored in the cloud drive, but the American agents are indeed slightly better.

The U.S. Department of Justice issued a press release on February 8 and formally arrested the two suspects, but the hackers likely had a hunch about being caught a week earlier.

On February 1, several currency media reported that the Bitcoins hacked on the Bitfinex exchange in 2016 were transferred in large quantities. These media are not prophets, but the data on the chain is public information. When a large amount of funds moves, monitoring robots such as Whale Alert will be triggered to immediately warn users to be careful of currency price fluctuations.

If Lee Heddenstair and Meghan were monitoring their wallets or following the news, they would have known that the money wasn't theirs. When assets are transferred from multiple wallets to the same wallet, hackers probably have a good idea, and it is either other hackers or special agents who crack the files.

Judging from the results, although the 94,000 bitcoins recovered by the US government this time only accounted for 80% of the total stolen at that time, the amount has broken many historical records. The Bitfinex exchange also announced that it will use 80% of the recovered funds to repurchase and destroy its own platform currency LEO. This caused the LEO price to rise by 50%.

Cryptocurrencies have always been said to be a money laundering haven for criminals, but that may be a thing of the past. With more and more analytical tools for on-chain data, not only law enforcement agencies have the ability to track illicit financial flows, but exchanges can also join the ranks of containment. Even individuals can see the real-time flow of funds by tracking the bot's push notifications.

Cryptocurrencies are safer "money" than cash, which is difficult to trace.

If you liked this article, maybe you will also be interested in the past content of the block potential. In addition, please recommend the block potential to your relatives and friends 🙏