2022.02.14如何失败地洗掉数十亿美元的被盗比特币

shiyi18

How a Young Couple Failed to Launder Billions of Dollars in Stolen Bitcoin
The case against Ilya Lichtenstein and Heather Morgan describes a big crime followed by a series of frustrations.

By Ed Caesar

February 14, 2022
Attorney Sam Enzer sits between Heather Morgan left and her husband Ilya Dutch Lichtenstein in federal court.
The Morgan and Lichtenstein case gestures at the potential and pitfalls of digital currency for criminal activity.Photograph by Elizabeth Williams / AP
In August, 2016, a hacker stole 119,754 bitcoin from a cryptocurrency exchange called Bitfinex. On Tuesday, in Manhattan, a young married couple, Ilya Lichtenstein and Heather Morgan, appeared in federal court, charged with attempting to launder the proceeds of that crime. When the exchange was hacked, the stolen bitcoin was worth about seventy-one million dollars. Today, its value is more than five billion dollars. Shortly before their arrest, one could argue that—on paper, at least—Lichtenstein and Morgan were richer than Peter Thiel, who founded PayPal.

Lichtenstein is a thirty-four-year-old with dual Russian-American citizenship, who describes himself on Medium as a “tech entrepreneur, explorer, and occasional magician.” He goes by “Dutch.” His Twitter feed (@unrealdutch) is a stream of aloof commentary on cryptocurrency, Web 3.0, and non-fungible tokens. On New Year’s Eve, he retweeted Edward Snowden’s picture of fireworks over the Kremlin. Morgan, who is thirty-one, married Lichtenstein last year. Among other pursuits, she is a journalist. In her biography for Forbes, which she wrote for until last year, Morgan describes herself as “an international economist, serial entrepreneur, and investor” and “an expert in persuasion, social engineering, and game theory.” “When she’s not reverse-engineering black markets to think of better ways to combat fraud and cybercrime,” her bio reads, “she enjoys rapping and designing streetwear fashion.”

Sign up for The Daily.
Receive the best of The New Yorker, every day, in your in-box.
E-mail address
Your e-mail address

Sign up
By signing up, you agree to our User Agreement and Privacy Policy & Cookie Statement.

Morgan really does seem to enjoy rapping. She spits bars as Razzlekhan, and styles herself the “Crocodile of Wall Street.” The keystone of Razzlekhan’s œuvre is a track called “Versace Bedouin,” a paean to grind culture and financial speculation, in which Morgan nods to her multi-hyphenate career. (“I’m many things: a rapper, an economist, a journalist, a writer, a C.E.O., and a dirty, dirty, dirty, dirty ho.”) In the video for “Versace Bedouin,” Morgan wears a gold lamé jacket and a baseball cap bearing the slogan “ØFCKS.” It was filmed on Wall Street itself, which is also where the couple lives, in a rented two-bed condominium.

Morgan and Lichtenstein were charged last week with conspiring to launder money and conspiring to defraud the United States. Most subsequent media coverage of the case has naturally focussed on their colorful online personae. (I am not immune. In my house, “Versace Bedouin” has been on repeat.) But the details of the case are equally intriguing, because they gesture at the potential and pitfalls of digital currency for criminal activity.

The case against Morgan and Lichtenstein, as detailed in the affidavit, describes a big crime followed by a series of frustrations. After the hack of Bitfinex, in 2016, the stolen bitcoin was transferred to an outside wallet. The government has not said that Lichtenstein and Morgan hacked the exchange; they are charged only with laundering the proceeds of the hack. But it appears that the couple never even tried to launder most of the stolen coins—94,636 bitcoin, or about eighty per cent of the total loot, never left the first wallet. The reason? Laundering digital currency is hard. And the level of difficulty rises as the sums grow larger.

As I discovered last year, while reporting on state-sponsored North Korean hackers, thefts from digital-currency exchanges happen with alarming regularity. North Korean operatives particularly enjoy hacking digital bourses in South Korea. As of last April, one exchange, Bithumb, had been raided four times. Exchanges are vulnerable because they often maintain escrow accounts holding coins in so-called hot wallets, which are connected to the Internet. (The more secure, but laborious, way to store coins is in a “cold wallet,” which is not connected to the Internet; the keys to the wallet are written down or memorized elsewhere.) Through some often-ingenious tricks, such as impersonating a trusted business partner in order to plant malware on an exchange employee’s computer, criminals find ways to commandeer the keys to hot wallets, and steal coins.

Last year, Tom Robinson, who is the chief scientist at the blockchain-analytics firm Elliptic, explained to me the appeal of this kind of crime. “Once the funds have moved out of the exchange, you can’t reverse those transactions, like you can maybe with a traditional bank payment,” Robinson said. “Once they’re gone, they’re gone. And there’s no intermediary, there’s no controller of bitcoin, who you can go to and say, ‘Those funds are stolen. Give them back to me.’ It’s completely decentralized. It can also be fairly anonymous—you don’t need to enact the scheme through accounts linked to your identity.”

But if digital currency creates opportunities for thieves it also presents giant obstacles. The desired end point of most exchange hacks is to convert stolen digital currency into fiat currency—pounds, euros, dollars. That’s hard to do if exchanges have adequate know-your-customer (K.Y.C.) or anti-money-laundering (A.M.L.) structures in place. If you dump a billion dollars’ worth of bitcoin at a reputable exchange’s feet and ask for dollars in response, its A.M.L. team should ask some tough questions.

VIDEO FROM THE NEW YORKER

Grasshopper-Catching, a Ugandan Hustle


Launderers must also contend with the fact that coins are traceable. The ledger on which trades occur is immutable. It should always be possible to track stolen loot through its digital footprint. The problem of handling stolen bitcoin is not unlike that of smuggling a Picasso in the trunk of your car. Everybody knows it’s a Picasso because it looks like a Picasso and it’s got Picasso’s signature on it. Stealing the painting is one thing; realizing any monetary gain for it is another.

Morgan and Lichtenstein seem to have understood some of the dangerous terrain of the crypto laundry. The affidavit claims that, among other techniques, the couple moved some of the bitcoin out of the holding wallet using “a series of small, complex transactions across multiple accounts and platforms,” adding that “this shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds.” This atomized transfer is sometimes known as a peel chain. Last year, Robinson, the Elliptic scientist, showed me a visualization of a peel chain. The diagram looked like an airline-magazine route map, in which several lines sprout from one dot and then converge on another.

The affidavit also details how the couple understood other, more sophisticated laundering techniques. One is known as chain hopping. This is when one type of coin is swapped for another—Bitcoin to Ethereum, for instance—to disguise its provenance. The blockchain-forensics firm Chainalysis recently published a report that detailed the growing use of chain hopping, particularly by North Korean criminal groups. The preferred method is to use what is known as a DeFi (decentralized finance) platform, which swaps currencies without ever taking custody of the funds. DeFis are not required to have any know-your-customer procedures. According to Chainalysis, in 2020, North Korean hackers used a DeFi called Uniswap to launder the proceeds of a two-hundred-and-seventy-five-million-dollar theft from the KuCoin exchange—one of the largest hacks of any exchange ever.

Morgan and Lichtenstein also allegedly moved coins to AlphaBay, a dark-Web marketplace that was shuttered by police in 2017. You can buy pretty much anything you want using digital currency on the dark Web, and nobody cares where you got your funds. But it seems that the sums Morgan and Lichtenstein were looking to launder were too unwieldy to cash out by buying products. AlphaBay was simply a conduit for the stolen coins. The couple is alleged to have moved their funds through the dark-Web marketplace and back into other coin exchanges, which landed them in the same predicament as when they started: with a bunch of digital currency that they couldn’t spend. When they attempted to open seven new accounts on one exchange using fake identities, the exchange could not verify the accounts, and froze their funds.

The couple ran into locked door after locked door. They spent some of the coins on N.F.T.s, and some on a five-hundred-dollar Walmart gift card. They cashed out small amounts using gold trades and other techniques. Gurvais Grigg, a former F.B.I. agent who is now the public sector chief technical officer for Chainalysis, told me that Morgan and Lichtenstein’s attempts to launder their bitcoin had shown them to be “pretty sophisticated.” But they never found a way to make good on the billions of dollars’ worth of loot burning a hole in their digital pocket. “Eventually,” Grigg said, “you’ve got to move it to a place, or an exchange, or an O.T.C. [over-the-counter trader] that can help you.”

Reading the affidavit, I found myself asking: How would the North Koreans have washed so many coins? They would have done it slowly. Criminal groups associated with North Korea leave large volumes of cryptocurrency untouched in digital wallets for years. They also would have used some of the same techniques that Morgan and Lichtenstein did: peel chains and chain hopping. But they would have kept their real identities far away from any accounts handling the stolen coins. (They would never have used a real driver’s license to verify their identity, or have used their own home address for a gold trade, as Lichtenstein did.) Certainly, they would have found a way to cash out large sums, probably using an exchange in a lax jurisdiction.

In 2018, a digital-currency exchange in Hong Kong was hacked by a North Korean group. About 10,800 bitcoin was stolen. Today, the bitcoins would be worth nearly half a billion dollars. According to an indictment in 2020, these coins were then diverted, via peel chains, to two Chinese citizens, Tian Yinyin and Li Jiadong, who had successfully opened accounts on other exchanges using fake pictures and fake names. Tian and Li then cashed out using a Chinese bank. According to the U.S. Treasury, several financial institutions in China offer accounts to North Koreans, or to front companies that have relationships with Pyongyang. In 2020, Tian and Li were accused in the United States of having laundered “stolen cryptocurrency to obscure transactions for the benefit of actors in North Korea.” (The men have been charged in absentia, and are still at large.)

The North Koreans prefer to cash out in China, but, according to the forensics firms that track cryptocurrency, there are also plenty of exchanges in Russia and Eastern Europe that will not ask awkward questions. Several exchanges in Moscow—including the over-the-counter brokerage Suex, which the Treasury sanctioned last fall—were named in a recent report by Chainalysis as “making a concerted effort to serve a cybercriminal clientele.” More than half of these Russian exchanges share a Moscow skyscraper: Federation Tower. The Chainalysis report noted that “nothing is more emblematic of the growth of Russia’s crypto crime ecosystem, and of cybercriminals’ ability to operate with apparent impunity, than the presence of so many cryptocurrency businesses linked to money laundering in one of the capital city’s most notable landmarks.”

It’s somewhat to Morgan and Lichtenstein’s credit that they appear not to have known where to cash out. They don’t seem like hardened criminals, although the courts may treat them as such. In a filing, the couple’s lawyer wrote, “Ms. Morgan and Mr. Lichtenstein have no reason to flee to avoid the government’s allegations, as the government’s complaint reveals significant holes in the government’s case against them.” He went on to write that “the money-laundering accusations in the government’s complaint are predicated on a series of circumstantial inferences and assumptions drawn from a complex web of convoluted blockchain-and cryptocurrency-tracing assertions.” There also remains the intriguing question of the bitcoin that the government has not yet found: some three hundred and thirty million dollars’ worth that is believed to be in wallets controlled by the couple. One wonders what will happen to that stash. Like most of the stolen loot from the Bitfinex raid, the answer is: probably nothing.



一对年轻夫妇如何失败地洗掉数十亿美元的被盗比特币
针对Ilya Lichtenstein和Heather Morgan的案件描述了一次大的犯罪，随后是一系列的挫折。

作者：埃德-凯撒

2022年2月14日
律师山姆-恩泽在联邦法庭上坐在希瑟-摩根左手和她的丈夫伊利亚-荷兰-利希滕斯坦之间。
摩根和利希滕斯坦的案件表明了数字货币在犯罪活动中的潜力和隐患。摄影：Elizabeth Williams / AP
2016年8月，一名黑客从一家名为Bitfinex的加密货币交易所偷走了119,754枚比特币。周二，在曼哈顿，一对年轻的已婚夫妇Ilya Lichtenstein和Heather Morgan在联邦法院出庭，被指控试图对该罪行的收益进行洗钱。当交易所被黑时，被盗的比特币价值约为七千一百万美元。今天，其价值已超过50亿美元。在他们被捕前不久，人们可以说，至少在纸面上，利希滕斯坦和摩根比创立贝宝的彼得-蒂尔更富有。

利希滕斯坦是一个拥有俄美双重国籍的34岁的人，他在Medium上把自己描述为 "科技企业家、探险家和偶尔的魔术师"。他的名字是 "荷兰人"。他的推特（@unrealdutch）是一个关于加密货币、Web 3.0和不可伪造的代币的冷漠评论流。在新年前夕，他转发了爱德华-斯诺登在克里姆林宫上空放烟花的照片。摩根今年三十一岁，去年与利希滕斯坦结婚。在其他追求中，她是一名记者。在她为《福布斯》撰写的直到去年的传记中，摩根将自己描述为 "国际经济学家、连续创业者和投资者 "以及 "说服力、社会工程和博弈论方面的专家"。"她的简历写道："当她不对黑市进行逆向工程以思考更好的方法来打击欺诈和网络犯罪时，"她喜欢说唱和设计街头时尚服装。

注册订阅《日报》。
每天在您的收件箱中收到《纽约客》的最佳内容。
电子邮件地址
您的电子邮件地址

注册
通过注册，您同意我们的用户协议和隐私政策及Cookie声明。

摩根似乎真的很喜欢说唱。她以Razzlekhan的身份进行说唱，并将自己称为 "华尔街的鳄鱼"。Razzlekhan的作品的基石是一首名为 "Versace Bedouin "的歌曲，这是一首对研磨文化和金融投机的颂歌，摩根在其中点头表示她有多个奖项的职业生涯。("我有很多身份：说唱歌手、经济学家、记者、作家、首席执行官，以及一个肮脏、肮脏、肮脏的妓女")。在 "Versace Bedouin "的视频中，摩根穿着一件金色薄片夹克，戴着印有 "ØFCKS "口号的棒球帽。这段视频是在华尔街拍摄的，这也是这对夫妇居住的地方，在一个租用的两居室公寓里。

摩根和利希滕斯坦上周被指控共谋洗钱和共谋欺诈美国。随后媒体对此案的大部分报道自然都集中在他们丰富多彩的网络形象上。(我也不能幸免，在我家，"Versace Bedouin "一直在重复播放。）但该案的细节同样耐人寻味，因为它们揭示了数字货币在犯罪活动中的潜力和隐患。

正如宣誓书中所详述的那样，针对摩根和利希滕斯坦的案件描述了一次大的犯罪，随后是一系列的挫折。在2016年Bitfinex被黑之后，被盗的比特币被转移到一个外部钱包。政府没有说利希滕斯坦和摩根黑了交易所；他们只被指控对黑客的收益进行洗钱。但是，这对夫妇似乎甚至从来没有试图清洗大部分被盗的硬币--94,636个比特币，或全部赃物的大约80%，从未离开第一个钱包。原因是什么？对数字货币进行洗钱是很难的。而且，随着金额的增加，难度也会增加。

正如我去年在报道国家支持的朝鲜黑客时发现的那样，数字货币交易所的盗窃案以惊人的频率发生。朝鲜特工人员特别喜欢入侵韩国的数字交易所。截至去年4月，一家交易所Bithumb已经被突袭了四次。交易所很容易受到攻击，因为它们通常在所谓的热钱包中维持存放硬币的托管账户，而热钱包是与互联网连接的。(更安全但费力的存储硬币的方式是 "冷钱包"，它不连接到互联网；钱包的钥匙被写下来或记在其他地方）。通过一些通常很狡猾的伎俩，例如冒充受信任的商业伙伴，在交易所员工的电脑上植入恶意软件，犯罪分子找到了征用热钱包钥匙的方法，并偷走了钱币。

去年，作为区块链分析公司Elliptic的首席科学家，汤姆-罗宾逊向我解释了这种犯罪的吸引力。"罗宾逊说："一旦资金从交易所转移出去，你就无法逆转这些交易，就像你也许可以用传统的银行付款一样。"一旦他们离开，他们就离开了。没有中间人，没有比特币的控制者，你可以去找他说，'这些资金被盗了。把它们还给我'。它是完全去中心化的。它也可以是相当匿名的--你不需要通过与你身份相关的账户来制定计划"。

但是，如果数字货币为盗贼创造了机会，它也带来了巨大的障碍。大多数交易所黑客所期望的终点是将被盗的数字货币转换成法定货币--英镑、欧元、美元。如果交易所有足够的了解客户（K.Y.C.）或反洗钱（A.M.L.）结构，这就很难做到。如果你把价值10亿美元的比特币扔在一个有信誉的交易所的脚下，并要求以美元作为回应，其A.M.L.团队应该问一些棘手的问题。

来自《纽约客》的视频

捕捉蚱蜢是乌干达的一项重要工作


洗钱者还必须面对一个事实，即硬币是可以追踪的。发生交易的账本是不可改变的。通过其数字足迹，应该总是可以追踪到被盗的战利品。处理被盗比特币的问题和在汽车后备箱里偷运毕加索的问题没什么不同。每个人都知道这是一幅毕加索的作品，因为它看起来像毕加索，上面还有毕加索的签名。偷画是一回事，实现任何金钱上的收益是另一回事。

摩根和利希滕斯坦似乎已经了解了加密货币洗衣店的一些危险地形。该宣誓书声称，除其他技术外，这对夫妇使用 "一系列跨越多个账户和平台的小型复杂交易 "将一些比特币从持有的钱包中转移出来，并补充说，"这种洗牌产生了大量的交易，似乎是为了掩盖被盗BTC的路径，使执法部门难以追踪这些资金。" 这种原子化的转移有时被称为剥皮链。去年，Elliptic公司的科学家罗宾逊向我展示了一个剥皮链的可视化图。这张图看起来就像一张航空杂志的航线图，其中有几条线从一个点发芽，然后汇聚到另一个点。

该宣誓书还详细说明了这对夫妇如何理解其他更复杂的洗钱技术。其中一个被称为 "链式跳跃"。这是指一种类型的硬币被换成另一种--例如，比特币换成以太坊，以掩盖其来源。区块链取证公司Chainalysis最近发布了一份报告，详细说明了跳链的使用越来越多，尤其是朝鲜犯罪集团。首选的方法是使用所谓的DeFi（去中心化金融）平台，该平台交换货币而不需要保管资金。DeFis不需要有任何 "了解你的客户 "程序。据Chainalysis报道，2020年，朝鲜黑客利用名为Uniswap的DeFi来清洗KuCoin交易所的两百七十五万美元的盗窃所得--这是有史以来任何交易所最大的黑客攻击。

摩根和利希滕斯坦还被指控将硬币转移到AlphaBay，这是一个黑暗网络市场，在2017年被警方关闭。你可以在暗网中使用数字货币购买任何你想要的东西，没有人关心你的资金来源。但是，摩根和利希滕斯坦想要清洗的金额似乎太大，无法通过购买产品来兑现。AlphaBay只是一个被盗硬币的渠道。据称，这对夫妇将他们的资金通过暗网市场转移到其他硬币交易所，这使他们陷入了与开始时相同的困境：有一堆数字货币，但他们无法使用。当他们试图用假身份在一个交易所开设七个新账户时，交易所无法验证这些账户，并冻结了他们的资金。

这对夫妇遇到了一扇又一扇上锁的门。他们把一些硬币花在了N.F.T.s上，还有一些花在了一张500美元的沃尔玛礼品卡上。他们利用黄金交易和其他技术兑现了少量资金。Gurvais Grigg，一位前F.B.I.特工，现在是Chainalysis的公共部门首席技术官，告诉我摩根和Lichtenstein对他们的比特币进行洗钱的尝试表明他们 "相当复杂"。但他们从来没有找到一个方法来兑现他们的数字口袋里烧着的价值数十亿美元的战利品。"最终，"格里格说，"你必须把它转移到一个地方，或一个交易所，或一个可以帮助你的O.T.C.（场外交易商）。"

在阅读宣誓书时，我发现自己在问：朝鲜人是如何洗掉这么多硬币的？他们会慢慢地做。与朝鲜有关的犯罪集团将大量加密货币留在数字钱包中多年不动。他们也会使用一些与摩根和利希滕斯坦相同的技术：剥皮链和跳链。但他们会将自己的真实身份与处理被盗币的任何账户相隔甚远。(他们不会使用真正的驾驶执照来验证自己的身份，也不会像利希滕斯坦那样使用自己的家庭地址进行黄金交易）。当然，他们会找到一种方法来兑现大笔资金，可能是利用一个不严格的司法管辖区的交易所。

2018年，香港的一家数字货币交易所被一个朝鲜团体入侵。大约10,800个比特币被盗。今天，这些比特币将价值近5亿美元。根据2020年的一份起诉书，这些硬币随后通过果皮链被转移到两名中国公民田银银和李家栋手中，他们用假照片和假名字在其他交易所成功开设了账户。田和李随后使用一家中国银行兑现。据美国财政部称，中国的一些金融机构向朝鲜人提供账户，或向与平壤有关系的幌子公司提供账户。2020年，田某和李某在美国被指控清洗 "偷来的加密货币，以掩盖交易，使朝鲜的行为人受益"。(这些人被缺席指控，目前仍然在逃）。

朝鲜人更喜欢在中国套现，但根据追踪加密货币的取证公司，在俄罗斯和东欧也有很多交易所，不会问一些尴尬的问题。在Chainalysis最近的一份报告中，莫斯科的几家交易所--包括去年秋天被财政部制裁的场外经纪商Suex--被称为 "协同努力，为网络犯罪客户提供服务"。这些俄罗斯交易所中有一半以上共用一栋莫斯科摩天大楼。联邦大厦。Chainalysis的报告指出，"没有什么比在首都最著名的地标之一出现这么多与洗钱有关的加密货币企业，更能体现俄罗斯加密货币犯罪生态系统的增长，以及网络犯罪分子明显不受惩罚的能力了。"

摩根和利希滕斯坦的功劳是，他们似乎不知道在哪里兑现。他们似乎并不像顽固的罪犯，尽管法院可能会这样对待他们。在一份文件中，这对夫妇的律师写道："摩根女士和利希滕斯坦先生没有理由逃跑以逃避政府的指控，因为政府的投诉揭示了政府针对他们的案件的重大漏洞。" 他继续写道："政府申诉中的洗钱指控是以一系列间接推论和假设为基础的，这些推论和假设来自于错综复杂的区块链和加密货币追踪断言的网络。" 还有一个耐人寻味的问题是，政府尚未找到的比特币：据信价值约3.3亿美元的比特币在这对夫妇控制的钱包中。人们不禁要问，这些钱会发生什么？就像Bitfinex突袭案中的大部分赃物一样，答案是：可能什么都没有。