Bitfinex money launderers plead guilty in the “Razzlekhan” case

TRM InsightsInsights
Bitfinex money launderers plead guilty in the “Razzlekhan” case

Today, Ilya Lichtenstein and Heather “Razzlekhan” Morgan pled guilty to money laundering charges related to their roles in laundering over 120,000 Bitcoin stolen from the cryptocurrency exchange Bitfinex in 2016. In addition to admitting to the laundering today, Lichtenstein also admitted to executing the hack on the exchange. This is the first time Lichtenstein has been publicly identified as the hacker. No sentencing date was set at the plea hearing due to the ongoing cooperation of the couple.

In addition to revealing Lichtenstein's role as the hacker, Lichtenstein's plea colloquy, for the first time, highlighted additional ways in which the couple attempted to launder stolen funds. For example, Lichtenstein admitted that he had converted some assets to gold coins, and that Morgan had buried those gold coins at a location now known to law enforcement officials. It also was revealed that Lichtenstein traveled to Ukraine and Kazakhstan in order to exchange stolen crypto for cash through Russian and Ukrainian middlemen. The cash was then shipped to addresses in Russia and Ukraine where Lichtenstein then took that physical cash and deposited it into U.S. accounts so he could finally recover it in New York.

TRM Insights wrote about the case when the couple was arrested in February 2022 and we held a special TRM Talks with former United States Attorney Jessie Liu and former IRS-Criminal Investigations Special Agents Tigran Gambaryan and Matthew Price.

Lichtenstein and Morgan went to great lengths to conceal their connections to the stolen assets, laundering the stolen Bitcoin in multiple waves in the years after the hack. Initially cautious, withdrawals in the months immediately after the theft could be measured in tens and hundreds of thousands of dollars. During a long hiatus of nearly two years between April 2017 and April 2019, no funds at all were withdrawn. Then, beginning in April 2019 tens of millions were withdrawn and laundered. These periodic withdrawals culminated in April 2021 when nearly $800 million of the stolen funds awakened and dispersed to thousands of intermediary addresses en-route to a mixing service. The alleged launderers used mixing services and darknet markets to move funds over the years. 

Today's guilty pleas mark a dramatic milestone in an investigation that spanned seven years and involved billions of dollars in assets. At the time of the breach, 119,754 BTC was valued at approximately $71 million. Due to the increase in the value of BTC since the breach, the stolen funds were valued at over $4.5 billion as of the time of the February 2022 arrests and unprecedented seizure of $3.6 billion.

So, how did IRS-Criminal Investigations, Homeland Security Investigations, and the FBI investigate the Bitfinex hack? According to reporting in the Wall Street Journal, "Investigators linked the stolen bitcoin to the defendants with the help of software that can track the movement of digital currency, even after it has been laundered through obfuscation techniques, said Ari Redbord of TRM Labs, a blockchain-intelligence company involved in the probe."

Here is a timeline based on the Statement of Facts in support of the Complaint. That document was sworn out by former IRS-CI Special Agent Chris Janczewski, TRM’s Head of Global Investigations.

  • In August 2016 a hacker breached the Bitfinex exchange's systems and initiated more than 2,000 unauthorized transactions stealing 119,754 bitcoin valued, at that time, at around USD 71 million. Those unauthorized transactions sent the stolen bitcoin to a digital wallet - 1CGA4s - that authorities have associated with defendant Ilya Lichtenstein.
  • In January 2017 a portion of the stolen bitcoin - about 25,000 - moved out of the wallet in a series of small, complex transactions across multiple accounts and platforms.
  • From January 2017-January 31, 2022, the defendants, according to the Statement of Facts in support of the Complaint in the case, moved the 25,000 bitcoin through a web of complex transactions including:
  • The use of fictitious identifies to set up accounts;
  • Utilizing computer programs to automate transactions;
  • Depositing stolen funds into accounts at multiple exchanges;
  • Using darknet market AlphaBey as a mixer to launder funds;
  • Converting bitcoin to other forms of crypto, including anonymity-enhanced coins;
  • Using U.S.-based business accounts to legitimize their banking activity.

TRM Graph: Excerpt of thousands of deposits to the Wasabi mixing service conducted by the Bitfinex hackers in April 2021

  • However, from August 2016-January 31, 2022 the majority of the stolen funds remained in Wallet 1CGA4s.
  • On January 31, 2022, law enforcement gained access to Wallet 1CGA4s pursuant to a search warrant.
  • On February 4, 2022, a court issued a seizure warrant authorizing the seizure of the Wallet 1CGA4’s remaining balance of approximately 94,636 BTC, worth $3.629 billion - amounting to the largest seizure in US history.
  • On February 8, 2022, Lichtenstein and Morgan were arrested and charged with conspiring to launder the $3.6 billion in stolen cryptocurrency.
  • On February 12, 2022, Lichtenstein was ordered held pending trial while Morgan was released in a detention hearing.
  • From February 12, 2022-July 21, 2023, the government and the defendants continued a series of hearings in order to try to reach a plea agreement. It is likely that the defendants have been cooperating with the government in order to seek a downward departure from their very high federal sentencing guideline range.
  • On July 21, 2023, the court docket reflected a plea hearing set for August 3, 2023 indicating that the parties have reached an agreement.
  • On August 3, 2023, Lichtenstein and Morgan pled guilty to money laundering conspiracy after admitting to a statement of offense which laid out their conduct. In addition to admitting to the money laundering charges today, Lichtenstein also admitted to executing the hack on the exchange.Until the admission in court by Lichtenstein, it was not publicly known who had hacked the bitcoin from the cryptocurrency exchange Bitfinex. No sentencing date was set at the plea hearing due to ongoing cooperation by the couple.

The arrests, historic seizure, and today, guilty pleas are the result of the dedication of law enforcement to fight cryptocurrency related financial crime no matter how long it takes. The case also highlights the native properties of blockchains - traceable, transparent, permanent. Every transaction is permanently recorded on the blockchain, which allowed investigators to “follow the money” even if the transactions were several years old.

The story of Bitfinex is one of agents and blockchain intelligence becoming increasingly sophisticated over the years in order to investigate money laundering that began in 2016 and resulted in an arrest seven years later. Investigators in this case were able to trace stolen funds as they were laundered over the years, through mixers, across blockchains and other obfuscation techniques. The convictions in this case were the result of a combination of great police work and cutting edge technology.

For more on the Bitfinex case check out TRM Insights and TRM Talks.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.