What gave away the couple accused of laundering the ₿119,754 ($5.2 billion) stolen from Bitfinex

Cryptocurrencies are often credited with near-total anonymity, and criminals around the world rely on that belief. In fact most networks, Bitcoin included, keep the complete transaction history on a public ledger. That lets investigators unwind even convoluted trails spanning thousands of transactions and dozens of accounts.

News broke the other day of the arrest of a married couple in the United States, Ilya Lichtenstein and Heather Morgan, who are charged with conspiracy to launder the proceeds of the Bitfinex hack and conspiracy to defraud the United States. The Department of Justice has already carried out the largest financial seizure in its history, recovering the roughly 94,000 bitcoin remaining from the hack, worth about $4.1 billion at current prices.

The Bitfinex hack took place in 2016: through roughly 2,000 unauthorized transactions to an external wallet, 1CGA4s5…, the attackers moved ₿119,754 off the exchange, worth about $71 million at the time. To cover their tracks and cash out, over the following years the launderers opened accounts on the AlphaBay darknet market and at about a dozen cryptocurrency exchanges, under fictitious names or through straw men.

To obscure the trail, Lichtenstein and Morgan moved funds from account to account and repeatedly swapped into privacy coins, Monero in particular.

But, as usual, breadcrumbs were left everywhere.

For instance, when opening accounts at one cryptocurrency exchange (designated VCE1), they registered with similar-looking e-mail addresses from the same India-based provider. When the exchange asked for additional verification documents, Lichtenstein and Morgan stopped responding, and 18 accounts holding a total of about $186,000 were frozen.

Because the accounts were so alike, investigators traced the transaction chains of each one and established that they were related. Several of the chains led to accounts at a US cryptocurrency exchange (VCE5) opened in Lichtenstein's own name back in 2015.

Since Lichtenstein had used his driver's license to open that account, investigators identified the suspect and then his other exchange and bank accounts in the United States. It turned out that Lichtenstein had set up a company, SalesFolk, which purportedly accepted cryptocurrency as payment for services. Further transaction analysis confirmed a direct link to the funds stolen from Bitfinex, which flowed through numerous intermediate hops into bank accounts belonging to Lichtenstein and Morgan.
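As an added illustration (not part of the original article and not code from the investigation or any chain-analysis vendor), the Python sketch below shows the two generic ledger-analysis steps the paragraphs above describe: following funds forward hop by hop across the public transaction history, and grouping addresses that were spent together as belonging to one controller, so that a chain can be matched to a KYC'd exchange deposit. Every transaction, address, amount and exchange label in it is constructed for the example; none of the real identifiers from the case are used.

```python
"""Toy chain-analysis: forward tracing plus common-input clustering.

Added example for this article, not code from the investigation or from
any chain-analysis vendor. Every transaction, address and amount below is
constructed; nothing here reproduces real Bitfinex-related identifiers.
"""
from collections import defaultdict, deque

# Constructed UTXO-style ledger. Each tx lists the addresses its inputs were
# spent from and its (address, amount) outputs. A real ledger references
# previous outputs by txid:vout; plain addresses are enough to show the idea.
TXS = [
    {"txid": "t1", "inputs": ["hack1"], "outputs": [("mixA", 50), ("mixB", 50)]},
    {"txid": "t2", "inputs": ["mixA"], "outputs": [("hop1", 30), ("chg1", 20)]},
    {"txid": "t3", "inputs": ["mixB"], "outputs": [("hop2", 50)]},
    {"txid": "t4", "inputs": ["hop1", "chg1"], "outputs": [("hop3", 49)]},
    {"txid": "t5", "inputs": ["hop3", "hop2"], "outputs": [("dep_vce1", 98)]},
    {"txid": "t6", "inputs": ["clean1"], "outputs": [("unrelated", 10)]},
]

# Constructed label set: deposit addresses an exchange attributed to a
# customer, i.e. the point where a chain becomes a records request.
EXCHANGE_DEPOSITS = {"dep_vce1": "VCE1 customer A"}


def spends_by_address(txs):
    """Index address -> transactions that spend from it."""
    idx = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            idx[addr].append(tx)
    return idx


def trace_forward(seed, txs):
    """Breadth-first walk from ``seed`` following every later spend.

    Returns {address: (hops, [txids on the shortest path])}. This is the
    simplest 'poison' taint model: every output of a tx that consumes a
    tainted input is marked regardless of amount. Real tooling weights by
    value; the over-inclusive version is fine for finding candidates.
    """
    idx = spends_by_address(txs)
    reached = {seed: (0, [])}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        for tx in idx.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in reached:
                    reached[out_addr] = (hops + 1, path + [tx["txid"]])
                    queue.append(out_addr)
    return reached


def cluster_common_input(txs):
    """Common-input-ownership heuristic via union-find.

    Addresses spent together as inputs of one tx are presumed to share a
    controller. Returns {address: frozenset(cluster)} for every address
    that was ever spent from. Caveat: CoinJoin-style collaborative spends
    break the assumption and must be filtered out before applying it.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for tx in txs:
        ins = tx["inputs"]
        if not ins:
            continue
        root = find(ins[0])
        for addr in ins[1:]:
            other = find(addr)
            if other != root:
                parent[other] = root
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return {addr: frozenset(groups[find(addr)]) for addr in parent}


def exchange_exposure(seed, txs, deposits=EXCHANGE_DEPOSITS):
    """Labelled exchange deposit addresses that received tainted funds,
    with the txid path that got them there."""
    reached = trace_forward(seed, txs)
    return {a: (deposits[a], reached[a][1]) for a in reached if a in deposits}


if __name__ == "__main__":
    for addr, (hops, path) in sorted(trace_forward("hack1", TXS).items()):
        print(f"{addr:10s} hops={hops} via {'->'.join(path) or '(seed)'}")
    clusters = cluster_common_input(TXS)
    print("cluster of hop1:", sorted(clusters["hop1"]))
    print("exchange exposure:", exchange_exposure("hack1", TXS))
```

Note the two heuristics answer different questions: tracing links `hack1` to `dep_vce1` by flow of funds even though no single key controlled the whole path, while clustering only merges `hop1` with `chg1` and `hop2` with `hop3`, the pairs that were actually co-spent. Investigators combine both, then take the exchange-attributed endpoint to the exchange's KYC records, which is how a trail ends at a driver's license rather than at a string of addresses.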

At some point the pair apparently felt untouchable and began spending directly from the "3686mu" cluster of addresses on everyday purchases, which shortened the chain considerably. On May 3, 2020, for example, a $500 Walmart (NYSE:WMT) gift card was paid for from that cluster. The purchase came from the IP address of a rented cloud server rather than a home connection, but at law enforcement's request the cloud provider disclosed the tenant's name and e-mail address, which pointed straight to Lichtenstein. A new iPhone was paid for the same way and shipped to the couple's home address.

Once enough evidence had been gathered, investigators served the cloud provider with a search warrant for copies of all the couple's files stored there. After decrypting the encrypted files, they found the full list of the crypto addresses used along the chain together with their private keys. That let the government sweep the remaining funds into Department of Justice-controlled wallets without the suspects' knowledge.

The evidence gathered so far is not enough to charge the couple with the Bitfinex hack itself, but investigators are counting on a confession, since the existing money-laundering charges alone carry up to 20 years in prison.