Thoughts on the Bitfinex Hack Story

The arrests of Heather Morgan and Ilya Lichtenstein, the husband and wife duo who were allegedly involved in the Bitfinex hack and attempt at laundering the proceeds, is all over the news.

[Technically, they are not being charged for hacking Bitfinex, only for money laundering and defrauding the U.S. government, which leads to the question of who actually did it or were they some sort of intermediary or money mule.]

119,754 BTC were stolen in the hack, in 2016, and 94,636 BTC were recovered, so that leaves 25,000 of BTC unaccounted for, which when the duo attempted to launder, in spite of an intricate web of transactions to conceal their identities, led to their eventual identification and arrest.

A few things stand out:

1. It’s funny or odd how defrauding the U.S. government punishable by a maximum of 5 years (for not paying taxes on $4 billion in stolen crypto), but the money laundering charge is punishable by up to 20 years. Same for wire fraud, also punishable by 20. Lesson: defrauding the all-mighty federal government is ‘only’ 1/4 as severe/bad as defrauding a person/company or obfuscating a money trail. I am not sure why it is this way…you would think it would be reversed.

2. The duo are damn fortunate to not be charged with multiple counts of wire fraud. That could put them away for life easily, like what happened with Madoff or Allen Stanford. Luckily, they are only getting a max of 20 years for being involved in such a massive fraud and profiting so much from it.

This could actually work out well for them in the end: usually judges do not give the maximum possible sentence, so they may only get 10 years, to be served at a minimum security prison camp, which they will only do 8, and then upon release Mr. Lichtenstein, who is a Russian national, and his wife can return to Russia (why they stayed in the U.S. after having committed or being involved in arguably the biggest heist ever, is a mystery), where some fraction of 25,000 BTC await their return. Assuming BTC is above $40,000 or so, just 1,000 BTC is worth tens of millions of dollars.

[The official .gov report shows that some of the 25,000 BTC was cashed out for at least $3 million in 2017-2019, so there is still at least $100-300 million of the 25,000 BTC unspent. Even if they refused to disclose this, they would still only get 20 years.]

3. Bitcoin and even possibly Monero are useless for anonymity if an adversary is sufficiently determined and well-funded to go down a rabbit hole of transactions. A major point of failure is when off-ramping and on-ramping crypto into fiat or fiat to crypto. When the coins are converted into actual spendable dollars, requires that the coins be linked to some sort of identity.

4. If I had to guess, the duo did not work alone and some other entity or individual carried out the actual hack. However, the duo demonstrated strong proficiency at mixing crypto and seemed fairly knowledgeable (save for storing the wallet address on a poorly-encrypted file on a cloud service), so it’s definitely possible they did the hack too (at least Lichtenstein did), so that again leaves the question of who did it.