Ilya Lichtenstein and Heather "Razzlekhan" Morgan Sentenced In The Bitfinex Case As Government Recovers $10 Billion in Stolen Funds
Editor's note: This post was updated on November 18, 2024 with the addition of Heather "Razzlekhan" Morgan's sentencing. Ilya Lichtenstein was sentenced on November 14, 2024.
{{horizontal-line}}
Today, Heather "Razzlekhan" Morgan was sentenced to 18 months in prison for her role in laundering over 120,000 Bitcoin, stolen from the crypto exchange Bitfinex in 2016. Her husband, Ilya Lichtenstein was sentenced, last week, to 60 months — the sentence recommended by DOJ Trial Attorney Jessica Peck.
The Bitfinex investigation, which resulted in the largest seizure in US history, was led by former IRS-CI Special Agent Chris Janczewski — now TRM’s Head of Global Investigations. Mr. Janczewski investigated the case with the FBI, HSI, and prosecutors at the US Department of Justice.
{{infocard-bitfinexsentencing-1}}
Lichtenstein and Morgan pled guilty to money laundering conspiracy charges in August 2023, and Lichtenstein admitted to being the original hacker responsible for the Bitfinex breach. Their arrest and subsequent investigation captivated the public due to the couple’s unconventional online personas and the staggering amount of stolen cryptocurrency involved.
In August 2016, as set forth in the detailed criminal complaint, Lichtenstein stole 119,754 BTC (then worth approximately USD 71 million). In 2022, just before Lichtenstein and Morgan were arrested for laundering the proceeds of the 2016 theft, law enforcement was able to seize approximately 94,000 BTC (then worth USD 3.6 billion) —which is the largest seizure in the history of the United States.
After the arrests, law enforcement continued to investigate; and with the help of the defendants, additional seizures of US currency, gold coins, BTC, ETH, USDC, USDT, and other assets — all connected to the original theft — were made. Due to the additional seized assets and increased price of cryptocurrencies, the government has recovered approximately USD 10 billion in assets, according to forfeiture documents filed in court.
TRM Labs covered the story following the arrest in February 2022, later hosting a special TRM Talks session — with former US Attorney Jessie Liu and former IRS-Criminal Investigations Special Agents Tigran Gambaryan and Matthew Price — to explore the investigation and the far-reaching impact of this case.
The heist
Lichtenstein exploited a vulnerability in Bitfinex’s security protocols in August 2016, enabling him to execute one of the largest cryptocurrency thefts in history. Lichtenstein also admitted that, while inside of Bitfinex, he was able to capture usernames and passwords for users. He then used this information to attempt to log into other exchanges. If a Bitfinex user reused their credentials on another exchange, Lichtenstein was able to gain access and steal that user’s funds.
Bitfinex, at the time, was using a security model involving multi-signature wallets provided by BitGo, which added an extra layer of authorization for withdrawals to prevent unauthorized transfers. However, Lichtenstein discovered and exploited a flaw in this multi-signature setup. Here’s a step-by-step breakdown of the attack.
Exploiting the multi-signature flaw
Bitfinex’s setup required two out of three possible signatures to approve a withdrawal. Normally, one signature would come from Bitfinex, and the other from BitGo, providing additional security by involving a third-party service in the withdrawal process. However, Lichtenstein found a way to bypass BitGo’s approval process, effectively allowing him to initiate and authorize withdrawals from Bitfinex without triggering the required BitGo approval.
Creating unauthorized withdrawals
With access to Bitfinex’s wallet system, Lichtenstein programmatically initiated over 2,000 unauthorized transactions, transferring funds from Bitfinex’s hot wallet (a wallet connected to the internet) to his personal wallet. These unauthorized transactions moved a total of 119,754 BTC to wallet addresses he controlled, valued at around USD 71 million at the time.
Covering tracks
After the hack, Lichtenstein took steps to cover his tracks by waiting nearly five months before moving any amount of the stolen Bitcoin. The initial transfers were cautious, with small transactions spread across various accounts to avoid detection.
Over time, Lichtenstein developed a complex network of wallets, exchanges, false personas, front companies, and darknet marketplaces to launder the stolen funds, gradually converting Bitcoin into other assets and spreading the funds across multiple platforms.
The laundering
As set out in the detailed criminal complaint, following the 2016 hack, Lichtenstein and Morgan embarked on a sophisticated and complex money-laundering operation.
In the initial months after the breach, the couple moved relatively small amounts, transferring funds in the tens to hundreds of thousands to avoid detection. For nearly two years — from April 2017 to April 2019 — there was a complete pause in fund movement, suggesting extreme caution as they considered how to access the larger sum.
However, beginning in 2019, they grew bolder, transferring tens of millions of dollars at a time. This culminated in April 2021, when the couple executed numerous transactions. The withdrawals, followed by rapid dispersal to tens of thousands of intermediary addresses and subsequent use of mixing services, marked a significant escalation in their efforts to obscure the trail of stolen funds.
The pair used a variety of laundering methods, including darknet markets, chain-hopping, peel chains, coinjoins, and privacy-focused coins like Monero — highlighting the evolution of money-laundering techniques within the crypto space.
In a surprising revelation at their plea hearing, Lichtenstein disclosed that some of the stolen assets were converted to physical gold coins — which Morgan later buried in a hidden location, and law enforcement excavated from "a premises in California," per the forfeiture complaint.
The couple’s money-laundering tactics went beyond the digital realm, as Lichtenstein reportedly traveled to Ukraine and Kazakhstan, exchanging cryptocurrency for cash through Russian and Ukrainian middlemen. The cash was subsequently shipped to addresses in Russia and Ukraine, ultimately finding its way into US-based accounts so Lichtenstein could recover the funds within New York. Mr. Lichtenstein was born in Russia and speaks Russian, according to investigators.
The case
On January 5, 2022, IRS-CI, FBI, and HSI agents — including Mr. Janczewski — executed a search warrant at Lichtenstein and Morgan’s residence on Wall Street in New York. Notably, Lichtenstein and Morgan were not under arrest and free to leave as law enforcement conducted their search.
During subsequent court hearings, we learned that law enforcement located a hollowed-out book that could be used to conceal items, a bag of cell phones labeled as “burners” stored under a bed, along with other items. Forfeiture documents filed with the court reveal that electronic devices seized from the residence contained crypto assets related to the hack. Prior to departing, Morgan, while trying to gather her cat, grabbed her cell phone from a nightstand and appeared to attempt to lock it so that law enforcement would be unable to search it.
Arrest and court proceedings
On February 8, 2022, just a month after the search warrant was executed on their residence in New York City, Lichtenstein and Morgan were arrested and charged with money laundering related to the stolen Bitcoin. Over a series of hearings and negotiations, it became evident that the defendants were likely cooperating with the government to mitigate their sentences. This period was characterized by legal maneuvers, as both parties worked toward a plea agreement.
One interesting, and relatively unreported, legal development in the case was the issuance of a memorandum opinion by DC Federal Magistrate Judge Zia Faruqui. In January 2021, Judge Faruqui granted a search warrant for multiple email accounts linked to the investigation. The opinion outlines several key areas, including the nature of blockchain technology, the concept of Bitcoin transactions, and the use of blockchain intelligence software to analyze transactions on the blockchain.
The court found that blockchain intelligence software is highly reliable and can serve as a basis for establishing probable cause. The opinion draws parallels to the credibility checks used for human confidential sources, noting the software’s previous successes in other investigations. The clustering technology identified specific wallet addresses and linked transactions, which provided detailed insights into the flow of funds.
{{infocard-bitfinexsentencing-2}}
Guilty plea and cooperation
On August 2, 2023, Lichtenstein and Morgan pled guilty to money laundering conspiracy. Lichtenstein admitted not only to laundering the funds, but to executing the Bitfinex hack itself — a revelation that clarified lingering questions about the theft’s origins. A sentencing date was not immediately set, as the couple continued cooperating with authorities.
Part of that cooperation entailed Lichtenstein testifying in the case of Roman Sterlingov. Sterlingov, who was convicted by a jury and sentenced to 12.5 years, was the administrator of mixing service Bitcoin Fog. At trial, the jury found that Bitcoin Fog processed more than USD 400 million in transactions, including some from illicit markets like Silk Road, Agora, and AlphaBay.
Lichtenstein testified about how he used Bitcoin Fog as many as ten times to launder some of the stolen Bitfinex funds. He said he eventually stopped using Bitcoin Fog because he found other mixers that “suited his purposes better.” One of them was Helix, which was operated by Larry Harmon, who pleaded guilty in 2021.
Lichtenstein and Morgan’s sentencings this week mark the conclusion of a seven-year investigation that utilized cutting-edge blockchain analytics and law enforcement collaboration to bring the defendants to justice.
A timeline of the Bitfinex investigation and key events
{{infocard-bitfinexsentencing-3}}
The monumental scale of the case highlights the power of blockchain intelligence in criminal investigations. Every transaction tied to the stolen funds was permanently recorded on the blockchain, enabling investigators to painstakingly trace the laundered Bitcoin, even years after the initial theft.
As Ari Redbord of TRM Labs noted in the Wall Street Journal, blockchain intelligence software played a pivotal role in identifying and tracking the laundered funds, with agencies like IRS-CI, Homeland Security Investigations, and the FBI leveraging the technology to connect Lichtenstein and Morgan to the stolen assets.
The significance of public and private sector collaboration
The Bitfinex case exemplifies the essential role of collaboration between public and private entities.
TRM Labs and other blockchain analytics firms worked alongside law enforcement to analyze transactions, identify patterns, and provide key insights that ultimately led to the arrest and seizure. The ability to track complex laundering techniques, such as the use of mixers, peel chains, and privacy coins, speaks to the growing sophistication of blockchain forensics and the continued evolution of cyber-crime-fighting strategies.
Lessons learned and the future of crypto investigations
This case showcases how far cryptocurrency investigations have come, particularly as blockchain technology becomes more integral to financial crime enforcement. The convictions of Lichtenstein and Morgan demonstrate both the possibilities and the challenges of blockchain intelligence, as investigators unraveled years of obfuscation tactics through continuous innovation in investigative techniques. As crypto crime continues to evolve, so too must the tools and techniques used by law enforcement — and cases like Bitfinex highlight the need for ongoing advancements in crypto tracking.
{{horizontal-line}}
For more on the Bitfinex case and the evolution of blockchain intelligence in crypto investigations, tune into TRM Insights and TRM Talks, where industry experts — including those involved in the Bitfinex case — offer deeper insights into the intersection of law enforcement, technology, and crypto-related crime.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.