It's difficult to hide a $4.5 BILLION dollar BTC heist (current value)
Updated: Mar 21, 2022
Ilya Lichtenstein and Heather Morgan, husband and wife, stole 119,754 Bitcoin (BTC) from a Hong Kong Bitcoin exchange, Bitfinex, worth, at that time, roughly $65 million. It is now worth $4.5 billion.
The IRS finally caught up with them. Here is the statement of facts filed by Christopher Janczewski, a Special Agent assigned to the Internal Revenue Service, Criminal Investigation (IRS-CI). The IRS hid some of the details to hide their methodology and some of the parties involved. Even then, the methodology used by the couple to hide the BTCs is very straightforward:
Picture from the Statement of Facts
2016: Steal BTCs from wallets stored in Bitfinex's wallets and store them in an offline wallet, 1CGA4s
January 2017: Start moving a portion of the funds into a darknet market, AlphaBay in an attempt to obfuscate the flow of money
Much of the activity was conducted using computer programs to execute small value transactions
Move the BTCs from AlphaBay to accounts in four US-based virtual currency exchanges (VCEs).
Move the BTCs to offline BTC wallets
Move BTCs from offline wallets to 6 other VCEs owned by the couple.
Why the couple got caught
I'll list the reasons below and then dive in deeper.
Here are the general reasons why the authorities can catch criminals:
Anonymity: Bitcoin transactions are not anonymous; they are pseudo-anonymous
Public Ledger: All transactions are made online and visible to all
Cryptographically unsound: For crypto people, a billion combinations is a constant
Mining of transactions: digital crumbs left by transactions can be mined
Darknet markets are special targets for mining
KYC Requirements: VCEs are now demanding Know Your Customer (KYC) information
Law Enforcement: VCEs will share transaction data with Law Enforcement
The IRS is looking for it: US Internal Revenue Service has launched "Operation Hidden Treasure"
Better Tools: Now, the US and other governments have advanced tools available to them, both technical, and legal.
Here are the notable mistakes the couple committed:
$4.5 Billion is a lot of money
Master file decrypted: The couple uploaded a master file with most of their accounts & private keys
Uploaded IP Addresses: Many of the logins were slowly traced back to the couple
Email Addresses: Many of the email ids were slowly traced back to the couple
KYC Requirements: The VCEs where anonymous wallets were stored started demanding KYC
In general, anonymity results when the number of combinations start reaching 2**128 or so. That is the number of combinations 128 bits, for example, an AES-128 key gives you. To give you an idea of how that big that number is:
2**128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
If your PC can try 2**40 keys per day, it would take you about 847,904,136,496,835,804,725,427 (848 sextillion) years in the worst case. We expect the sun to run out of hydrogen and collapse into a white dwarf in only about 5 billion years.
The total number of BTC transaction to have taken place till now is around 708 million, around 600 million since the heist.
For people who deal with large data sets, 600 million is not a particularly big number.
The Math Behind the Couple's Anonymity
The couple had 2000 accounts in roughly 10 VCEs, some anonymous, some with KYC. Even with a large number of small value of transactions, the number crunchers at the IRS will have no difficulty finding patterns of movement.
There is a whole field of study of blockchain analysis and you can hire blockchain analysts.
Bitcoin Pseudo Anonymity
The Bitcoin ledger stores transaction details such as the amount, time, the wallet money were sent from, and the wallet that received the money.
So an offline wallet, in this case 1CGA4s, is opaque to others. The moment you want to do any transactions, you have to get on a VCE. So 1CGA4s was a marked wallet.
And that is where the trouble starts. You need email addresses. The couple used email addresses out of India and Russia. However, the couple created email addresses using a pattern.
All email can be intercepted.
Accessing the anonymous wallets in VCEs would leave a trail of IP addresses. Even a VPN service will end up giving up the privacy shield when faced with a warrant.
Many of the VCEs in the US started demanding KYC information from the couple for their anonymous wallets. The couple ended up abandoning those wallets as they were directly linked to AlphaBay, the darknet VCE.
The legitimate accounts already had KYC.
Uploading the Master File
For some reason, the couple uploaded their encrypted master file containing all the account numbers and private keys into the cloud. Moreover they had marked the abandoned wallets with the status, the number of BTC's in each account, etc.
The IRS was able to break the encryption and get BTCs that had not been spent.
What Don't We Know
There may be other mistakes that the couple committed which the IRS is not talking about.
The statement of facts just disclosed the bare minimum required to arrest the couple and take away their wallets.
The IRS, obviously, is keeping many of the entities involved private. They are not relevant to this discussion.
We don't know how they broke the encryption to the master file; without that they would have had a couple who could have used intermediaries to cash out the wallets.
We don't know how the IRS mines the ledgers. We can make educated guesses. But that is a topic for later.
Case 1:22-mj-00022 Statement of Facts, Complaint with Arrest Warrant. https://www.justice.gov/opa/press-release/file/1470186/download