Bitfinex hacker gets 5 years in prison for 120,000 bitcoin heist

by · BleepingComputer

A hacker responsible for stealing 119,754 Bitcoin in a 2016 hack on the Bitfinex cryptocurrency exchange was sentenced to five years in prison by U.S. authorities.

The man, Ilya Lichtenstein, was arrested in February 2022 in Manhattan following a lengthy investigation led by the IRS, HSI, and the FBI, which managed to recover roughly 80% of the stolen cryptocurrency (94,000 Bitcoin).

At the time of the theft, the 119,754 bitcoins were worth $78,000,000, but they were worth $3.6 billion at the time of the seizure.

Lichtenstein faced money laundering accusations, with evidence pointing to him using multiple schemes, including setting up multiple online accounts under fictitious identities, using software tools to automate transactions, spreading stolen funds across multiple darknet markets, and engaging in "chain hopping."

"According to court documents, Lichtenstein, 35, hacked into Bitfinex's network in 2016, using advanced hacking tools and techniques," reads yesterday's U.S. Department of Justice announcement.

"Once inside the network, Lichtenstein fraudulently authorized more than 2,000 transactions transferring 119,754 bitcoin from Bitfinex to a cryptocurrency wallet in Lichtenstein's control."

The hack was made possible through a vulnerability in Bitfinex's multi-signature withdrawals system, which allowed the cybercriminal to bypass the required approval from BitGo to withdraw the funds.

The hacker exploited the flaw to authorize direct withdrawals and also steal user credentials. If the same credentials were used on other exchanges, he emptied the victims' accounts there too.

Lichtenstein attempted to cover his tracks and hamper investigations by deleting log files that contained evidence of his activities from Bitfinex's network.

He also patiently waited several months before attempting to move the stolen money around, starting with small transfers spread across various accounts. Lichtenstein was also helped by his wife, Heather Morgan, to launder the stolen funds.

By 2019, Lichtenstein's money laundering operation had grown to full scale, involving tens of thousands of intermediary addresses, mixing services, and multiple obfuscation steps.

[Figure: Overview of the money laundering process. Source: TRM Labs]

On August 3, 2023, Lichtenstein pleaded guilty to the money laundering charges, which carry a maximum sentence of 20 years in prison.

Eventually, the man got one fourth of that, with the judge setting the punishment at five years, starting from November 18, 2024, plus three years of supervised release.

Moreover, as this case is governed by Rule 32.2 of the Federal Rules of Criminal Procedure, the authorities allow anyone who believes they have a right to the seized assets (Bitcoin, USDC, USDT, Ether, and gold coins) to submit a claim for restitution.

Lichtenstein's wife, Heather "Razzlekhan" Morgan, who is considered an accomplice in the money laundering process, is scheduled to be sentenced on November 18, 2024.