Uncover the story behind the 'Biggest Heist Ever' — a gripping new Netflix documentary! Watch the trailer.

Ilya Lichtenstein and Heather "Razzlekhan" Morgan Sentenced In The Bitfinex Case As Government Recovers $10 Billion in Stolen Funds

TRM InsightsInsights
Ilya Lichtenstein and Heather "Razzlekhan" Morgan Sentenced In The Bitfinex Case As Government Recovers $10 Billion in Stolen Funds

Editor's note: This post was updated on November 18, 2024 with the addition of Heather "Razzlekhan" Morgan's sentencing. Ilya Lichtenstein was sentenced on November 14, 2024.

{{horizontal-line}}

Today, Heather "Razzlekhan" Morgan was sentenced to 18 months in prison for her role in laundering over 120,000 Bitcoin, stolen from the crypto exchange Bitfinex in 2016. Her husband, Ilya Lichtenstein was sentenced, last week, to 60 months — the sentence recommended by DOJ Trial Attorney Jessica Peck.

The Bitfinex investigation, which resulted in the largest seizure in US history, was led by former IRS-CI Special Agent Chris Janczewski — now TRM’s Head of Global Investigations. Mr. Janczewski investigated the case with the FBI, HSI, and prosecutors at the US Department of Justice.

{{infocard-bitfinexsentencing-1}}

Lichtenstein and Morgan pled guilty to money laundering conspiracy charges in August 2023, and Lichtenstein admitted to being the original hacker responsible for the Bitfinex breach. Their arrest and subsequent investigation captivated the public due to the couple’s unconventional online personas and the staggering amount of stolen cryptocurrency involved. 

In August 2016, as set forth in the detailed criminal complaint, Lichtenstein stole 119,754 BTC (then worth approximately USD 71 million). In 2022, just before Lichtenstein and Morgan were arrested for laundering the proceeds of the 2016 theft, law enforcement was able to seize approximately 94,000 BTC (then worth USD 3.6 billion) —which is the largest seizure in the history of the United States.

After the arrests, law enforcement continued to investigate; and with the help of the defendants, additional seizures of US currency, gold coins, BTC, ETH, USDC, USDT, and other assets — all connected to the original theft — were made.  Due to the additional seized assets and increased price of cryptocurrencies, the government has recovered approximately USD 10 billion in assets, according to forfeiture documents filed in court.

TRM Labs covered the story following the arrest in February 2022, later hosting a special TRM Talks session — with former US Attorney Jessie Liu and former IRS-Criminal Investigations Special Agents Tigran Gambaryan and Matthew Price — to explore the investigation and the far-reaching impact of this case.

The heist

Lichtenstein exploited a vulnerability in Bitfinex’s security protocols in August 2016, enabling him to execute one of the largest cryptocurrency thefts in history. Lichtenstein also admitted that, while inside of Bitfinex, he was able to capture usernames and passwords for users. He then used this information to attempt to log into other exchanges. If a Bitfinex user reused their credentials on another exchange, Lichtenstein was able to gain access and steal that user’s funds. 

Bitfinex, at the time, was using a security model involving multi-signature wallets provided by BitGo, which added an extra layer of authorization for withdrawals to prevent unauthorized transfers. However, Lichtenstein discovered and exploited a flaw in this multi-signature setup. Here’s a step-by-step breakdown of the attack.

Exploiting the multi-signature flaw

Bitfinex’s setup required two out of three possible signatures to approve a withdrawal. Normally, one signature would come from Bitfinex, and the other from BitGo, providing additional security by involving a third-party service in the withdrawal process. However, Lichtenstein found a way to bypass BitGo’s approval process, effectively allowing him to initiate and authorize withdrawals from Bitfinex without triggering the required BitGo approval.

Creating unauthorized withdrawals

With access to Bitfinex’s wallet system, Lichtenstein programmatically initiated over 2,000 unauthorized transactions, transferring funds from Bitfinex’s hot wallet (a wallet connected to the internet) to his personal wallet. These unauthorized transactions moved a total of 119,754 BTC to wallet addresses he controlled, valued at around USD 71 million at the time.

Covering tracks

After the hack, Lichtenstein took steps to cover his tracks by waiting nearly five months before moving any amount of the stolen Bitcoin. The initial transfers were cautious, with small transactions spread across various accounts to avoid detection. 

Over time, Lichtenstein developed a complex network of wallets, exchanges, false personas, front companies, and darknet marketplaces to launder the stolen funds, gradually converting Bitcoin into other assets and spreading the funds across multiple platforms.

The laundering

As set out in the detailed criminal complaint, following the 2016 hack, Lichtenstein and Morgan embarked on a sophisticated and complex money-laundering operation.

In the initial months after the breach, the couple moved relatively small amounts, transferring funds in the tens to hundreds of thousands to avoid detection. For nearly two years — from April 2017 to April 2019 — there was a complete pause in fund movement, suggesting extreme caution as they considered how to access the larger sum. 

However, beginning in 2019, they grew bolder, transferring tens of millions of dollars at a time. This culminated in April 2021, when the couple executed numerous transactions. The withdrawals, followed by rapid dispersal to tens of thousands of intermediary addresses and subsequent use of mixing services, marked a significant escalation in their efforts to obscure the trail of stolen funds.

The pair used a variety of laundering methods, including darknet markets, chain-hopping, peel chains, coinjoins, and privacy-focused coins like Monero — highlighting the evolution of money-laundering techniques within the crypto space.

Lichtenstein and Morgan first sent the hacked funds through several unhosted addresses, and then to now-defunct darknet marketplace AlphaBay.
Lichtenstein and Morgan then moved the funds from AlphaBay via dozens of transactions to additional unhosted addresses, then to multiple accounts at VCE 1 (Virtual Currency Exchange).
From there, Lichtenstein and Morgan moved funds through US-based VASPs, peer-to-peer marketplaces like LocalBitcoins, and started to cash out value to buy gold, US dollars, and other items of value.

In a surprising revelation at their plea hearing, Lichtenstein disclosed that some of the stolen assets were converted to physical gold coins — which Morgan later buried in a hidden location, and law enforcement excavated from "a premises in California," per the forfeiture complaint. 

The couple’s money-laundering tactics went beyond the digital realm, as Lichtenstein reportedly traveled to Ukraine and Kazakhstan, exchanging cryptocurrency for cash through Russian and Ukrainian middlemen. The cash was subsequently shipped to addresses in Russia and Ukraine, ultimately finding its way into US-based accounts so Lichtenstein could recover the funds within New York. Mr. Lichtenstein was born in Russia and speaks Russian, according to investigators. 

The case

On January 5, 2022, IRS-CI, FBI, and HSI agents — including Mr. Janczewski — executed a search warrant at Lichtenstein and Morgan’s residence on Wall Street in New York. Notably, Lichtenstein and Morgan were not under arrest and free to leave as law enforcement conducted their search. 

During subsequent court hearings, we learned that law enforcement located a hollowed-out book that could be used to conceal items, a bag of cell phones labeled as “burners” stored under a bed, along with other items. Forfeiture documents filed with the court reveal that electronic devices seized from the residence contained crypto assets related to the hack. Prior to departing, Morgan, while trying to gather her cat, grabbed her cell phone from a nightstand and appeared to attempt to lock it so that law enforcement would be unable to search it.

Arrest and court proceedings

On February 8, 2022, just a month after the search warrant was executed on their residence in New York City, Lichtenstein and Morgan were arrested and charged with money laundering related to the stolen Bitcoin. Over a series of hearings and negotiations, it became evident that the defendants were likely cooperating with the government to mitigate their sentences. This period was characterized by legal maneuvers, as both parties worked toward a plea agreement.

One interesting, and relatively unreported, legal development in the case was the issuance of a memorandum opinion by DC Federal Magistrate Judge Zia Faruqui. In January 2021, Judge Faruqui granted a search warrant for multiple email accounts linked to the investigation. The opinion outlines several key areas, including the nature of blockchain technology, the concept of Bitcoin transactions, and the use of blockchain intelligence software to analyze transactions on the blockchain.

The court found that blockchain intelligence software is highly reliable and can serve as a basis for establishing probable cause. The opinion draws parallels to the credibility checks used for human confidential sources, noting the software’s previous successes in other investigations. The clustering technology identified specific wallet addresses and linked transactions, which provided detailed insights into the flow of funds.

{{infocard-bitfinexsentencing-2}}

Guilty plea and cooperation

On August 2, 2023, Lichtenstein and Morgan pled guilty to money laundering conspiracy. Lichtenstein admitted not only to laundering the funds, but to executing the Bitfinex hack itself — a revelation that clarified lingering questions about the theft’s origins. A sentencing date was not immediately set, as the couple continued cooperating with authorities.

Part of that cooperation entailed Lichtenstein testifying in the case of Roman Sterlingov. Sterlingov, who was convicted by a jury and sentenced to 12.5 years, was the administrator of mixing service Bitcoin Fog. At trial, the jury found that Bitcoin Fog processed more than USD 400 million in transactions, including some from illicit markets like Silk Road, Agora, and AlphaBay. 

Lichtenstein testified about how he used Bitcoin Fog as many as ten times to launder some of the stolen Bitfinex funds. He said he eventually stopped using Bitcoin Fog because he found other mixers that “suited his purposes better.” One of them was Helix, which was operated by Larry Harmon, who pleaded guilty in 2021.

Lichtenstein and Morgan’s sentencings this week mark the conclusion of a seven-year investigation that utilized cutting-edge blockchain analytics and law enforcement collaboration to bring the defendants to justice.

A timeline of the Bitfinex investigation and key events

{{infocard-bitfinexsentencing-3}}

The monumental scale of the case highlights the power of blockchain intelligence in criminal investigations. Every transaction tied to the stolen funds was permanently recorded on the blockchain, enabling investigators to painstakingly trace the laundered Bitcoin, even years after the initial theft. 

As Ari Redbord of TRM Labs noted in the Wall Street Journal, blockchain intelligence software played a pivotal role in identifying and tracking the laundered funds, with agencies like IRS-CI, Homeland Security Investigations, and the FBI leveraging the technology to connect Lichtenstein and Morgan to the stolen assets.

The significance of public and private sector collaboration

The Bitfinex case exemplifies the essential role of collaboration between public and private entities. 

TRM Labs and other blockchain analytics firms worked alongside law enforcement to analyze transactions, identify patterns, and provide key insights that ultimately led to the arrest and seizure. The ability to track complex laundering techniques, such as the use of mixers, peel chains, and privacy coins, speaks to the growing sophistication of blockchain forensics and the continued evolution of cyber-crime-fighting strategies.

Lessons learned and the future of crypto investigations

This case showcases how far cryptocurrency investigations have come, particularly as blockchain technology becomes more integral to financial crime enforcement. The convictions of Lichtenstein and Morgan demonstrate both the possibilities and the challenges of blockchain intelligence, as investigators unraveled years of obfuscation tactics through continuous innovation in investigative techniques. As crypto crime continues to evolve, so too must the tools and techniques used by law enforcement — and cases like Bitfinex highlight the need for ongoing advancements in crypto tracking.

{{horizontal-line}}

For more on the Bitfinex case and the evolution of blockchain intelligence in crypto investigations, tune into TRM Insights and TRM Talks, where industry experts — including those involved in the Bitfinex case — offer deeper insights into the intersection of law enforcement, technology, and crypto-related crime.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Mr. Janczewski joined the author of Tracers in the Dark on TRM Talks, where they discussed the Bitfinex hack and other large crypto investigations.

Listen to the episode here

The decision sets a precedent for using blockchain analysis in investigations, recognizing it as both a valuable tool for transparency and a legal basis for establishing probable cause in digital financial crimes.

August 2016

The Bitfinex exchange suffered a massive security breach. In one of the most significant crypto hacks to date, over 119,754 Bitcoin — valued at approximately USD 71 million — was siphoned from the exchange’s wallets in a series of unauthorized transactions. All stolen Bitcoin was directed to a single wallet, designated as 1CGA4s, which authorities later linked to Ilya Lichtenstein.

January 2017

The first major movement of the stolen Bitcoin occurred, with 25,000 BTC transferred through a series of small, complex transactions designed to mask the trail. These initial movements suggested a cautious approach, with small amounts moving across multiple accounts and platforms.

2017–2022

Over the years, Lichtenstein and Morgan laundered funds through a sophisticated array of methods, including:

  • Use of fictitious identities: They created multiple accounts under fake names and used falsified documents to establish a web of accounts
  • Automated transactions: Employing computer programs, they managed and concealed transfers across multiple platforms
  • Layered deposits: They deposited stolen funds into accounts at numerous exchanges, creating multiple entry and exit points
  • Darknet markets and mixers: They leveraged AlphaBay, a notorious darknet marketplace, as a mixer to obscure transactions
  • Conversion to anonymity-enhanced coins: They diversified their holdings by converting Bitcoin into Monero and other privacy-focused cryptocurrencies
  • US-based business accounts: By funneling funds through legitimate business accounts, they disguised the transactions as normal business activity, lending an air of legitimacy to the transfers

April 2021

In a high-stakes attempt to further hide the funds, nearly USD 800 million worth of Bitcoin was moved to intermediary wallets before being funneled through a Wasabi mixing service. TRM Labs traced this series of deposits, revealing thousands of micro-transactions that fed into Wasabi’s privacy mixer, further complicating the trail.

January 5, 2022

IRS-CI, FBI, and HSI agents executed a search warrant at Lichtenstein and Morgan’s residence on Wall Street in New York. Agents located a hollowed-out book that could be used to conceal items, and a bag of cell phones labeled as “burners” stored under a bed, in addition to other items. Electronic devices seized from the residence contained crypto assets related to the hack.

January 31, 2022

US law enforcement gained access to Wallet 1CGA4s, with a search warrant allowing authorities to access the wallet and the funds within.

February 4, 2022

A court issued a seizure warrant authorizing the confiscation of 94,636 BTC from Wallet 1CGA4s, worth approximately USD 3.6 billion. This seizure, the largest in US history, represented a landmark achievement in the field of crypto forensics.

February 8, 2022

Lichtenstein and Morgan were arrested and charged with money laundering related to the stolen Bitcoin. News of the arrest spread quickly, and the couple became known as “Bitcoin’s Bonnie and Clyde” due to their colorful personalities and the high-profile nature of their crimes.

February 12, 2022 – July 2023

Over a series of hearings and negotiations, it became evident that the defendants were likely cooperating with the government to mitigate their sentences. This period was characterized by legal maneuvers, as both parties worked toward a plea agreement.

August 3, 2023

Lichtenstein and Morgan pled guilty to money laundering conspiracy. Lichtenstein admitted not only to laundering the funds, but to executing the Bitfinex hack itself — a revelation that clarified lingering questions about the theft’s origins. A sentencing date was not immediately set, as the couple continued cooperating with authorities.

November 15, 2024

Lichtenstein and Morgan’s sentencings mark the conclusion of a seven-year investigation that utilized cutting-edge blockchain analytics and law enforcement collaboration to bring the defendants to justice.