Every piece of the story of married couple Ilya Lichtenstein and Heather Morgan, who were charged this week with laundering roughly $4.5 billion worth of stolen cryptocurrency, feels kind of unbelievable—more like it belongs in a slightly far-fetched movie plot than a real-life financial crime story. Some of those elements are simply entertaining: For instance, much has been made of their online rap videos and penchant for handing out public advice on the cryptocurrency market. Other details are more startling: how much money the couple was handling, and how long they were able to move those funds around and spend them after the initial theft of 119,754 Bitcoin from cryptocurrency exchange Bitfinex in 2016.
According to the Justice Department’s announcement of the arrests, law enforcement officials have now seized more than $3.6 billion in cryptocurrency linked to that breach. Undoubtedly, that’s a big victory for the government. But do their arrests mark a new era of law enforcement being able to trace stolen cryptocurrency? Or were Lichtenstein and Morgan just unlucky?
There’s no doubt which of those messages the Justice Department is hoping to send with these arrests. The department’s press release includes two lengthy quotes right at the beginning about how this should be a clear signal to criminals everywhere that they cannot hide their ill-gotten gains in cryptocurrency wallets.
One quote is from deputy attorney general Lisa Monaco: “Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals.”
And then, just to drive the point home, immediately following her statement is a nearly identical one from assistant attorney general Kenneth Polite Jr.: “Today, federal law enforcement demonstrates once again that we can follow money through the blockchain, and that we will not allow cryptocurrency to be a safe haven for money laundering or a zone of lawlessness within our financial system.”
When two law enforcement officials tell you in the span of two paragraphs that using cryptocurrency is not a “safe haven” for criminals anymore, you have to wonder whether they’re not perhaps protesting a bit too much.
It’s no secret or surprise that criminals worldwide use cryptocurrencies to transfer ill-gotten gains, whether to hide the proceeds of breaches like the one at Bitfinex, to process ransomware payments, or to purchase illegal goods. The Justice Department, along with law enforcement entities around the world, has put a lot of effort into ramping up its abilities to trace these transactions and link them back to individuals, most recently with the creation of a National Cryptocurrency Enforcement Team in October 2021.
But while the U.S. government has clearly made progress in its ability to police illegal cryptocurrency dealings, as shown by the painstaking analysis required to link the funds back to Lichtenstein and Morgan, the complaint against the couple also makes clear just how many opportunities there still are for criminals to shield their funds via cryptocurrency wallets, and just how many things had to go right for the Justice Department to be able to track down these two particular people.
The 20-page statement of the facts given by IRS special agent Christopher Janczewski for the case lays out the details of all the different transactions and accounts that law enforcement officers traced the stolen funds through to link them back to Morgan and Lichtenstein. What it describes is impressive and skillful policing work—but also policing that relied on a confluence of fortunate events that began with the couple living in New York, well within the jurisdiction of U.S. law enforcement, and relying on the services of companies that were also within that jurisdiction.
For instance, to gain access to one of the couple’s cryptocurrency wallets, where the majority of the stolen funds were stored (94,636 Bitcoin in total, worth more than $4.2 billion as of Thursday morning), law enforcement officers obtained a search warrant in January to access Lichtenstein’s cloud storage account and decrypted a file stored in that account which turned out to contain “a list of 2,000 virtual currency addresses, along with corresponding private keys.” Those were the funds that the government was then able to seize, in early February.
If you were a cybercriminal reading this narrative, you might think: That’s it, the game’s over, the government knows everything about cryptocurrencies now. But you might also think: I probably shouldn’t keep a list of my cryptocurrency wallet private keys on iCloud (or any other cloud storage service that does business in the United States).
Another crucial element of the investigation was the couple’s use of the darknet market AlphaBay to move cryptocurrency to different wallets and accounts. According to Janczewski, some of the stolen funds were “deposited gradually” into AlphaBay accounts, which were then “used as a pass-through” for the stolen cryptocurrency “to break up the stolen BTC trail on the blockchain. After being moved into accounts at AlphaBay, the stolen BTC was withdrawn, layered, and ultimately deposited into [virtual currency exchanges] around the world.”
In 2017, the FBI together with other law enforcement agencies seized AlphaBay servers around the world and shut down the website, offering them a possible opportunity to “access AlphaBay’s internal transaction logs and connect them to a cryptocurrency account in Lichtenstein’s name,” Reuters reported.
None of this detracts from the Justice Department’s triumph in catching Lichtenstein and Morgan—in fact the takedown of AlphaBay is to its credit, at least partially, as well. But it does serve as a reminder that arresting cybercriminals who deal primarily in cryptocurrency remains the exception, not the rule—that there are lots of ways that those criminals can make themselves harder to catch by not operating in certain countries or relying on services that answer to the law enforcement orders issued by those countries. And there’s a vast criminal infrastructure out there for criminals to use instead—sometimes takedowns of that infrastructure mean it’s possible to trace some of those people, as in the case of AlphaBay, but there are always more online forums ready to take the place of those that have been removed.
So it’s misleading to say that cryptocurrency is no longer a safe haven for criminals when we still haven’t come close to addressing any of the fundamental factors that make it so useful for online crime, including the inconsistency of cryptocurrency-related regulations and their enforcement around the world. But perhaps it is fair to say after the most recent arrests that that safe haven is getting smaller—that there are fewer online service providers and darknet marketplaces beyond the reach of law enforcement coalitions than there once were, that the criminals have to be more and more careful about who they rely on and where they are, and that even one or two small slip-ups can quickly unravel a years-long operation like Lichtenstein and Morgan’s. And that’s a victory in itself, and an important one. Even if cryptocurrency is still a safe haven for criminals.