Did Razzlekhan and Dutch Pull Off History’s Biggest Crypto Heist? @BW [continued]
Then I realized she’d given entire presentations about how to get people to respond to emails. Her first rule was to “e-stalk” your audience to understand them.
Having subjected myself to hours of her songs and videos, I figured I had that one covered. Then it said to think about what the competition is doing.
I’d read that Netflix Inc. had already commissioned a documentary about her from one of the makers of Tiger King.
“Heather,” I wrote, “the documentary people are out to make you the next Tiger King. Your input could help reshape the narrative.” She didn’t reply.
It seems unlikely that someone who tried to rhyme “Razzlekhan’s the name” with “that hot grandma you really wanna bang” could in fact be a master thief.
Then again, this is the crypto world, where a lack of experience or competence hasn’t always been a barrier to fame and fortune and where large-scale hacks are a regular occurrence.
Bitcoin exchanges basically have one job—to keep the cash and crypto sent by users safe—and since the beginning of the industry, they’ve failed at it.
The first big exchange, Mt. Gox, repurposed a website created as a place to trade virtual Magic: The Gathering cards.
It had security and record keeping that was so poor, hackers would steal Bitcoins as soon as users deposited them.
Mt. Gox filed for bankruptcy in 2014, saying it had lost 7% of all Bitcoins in existence. The hacks of exchanges kept coming.
Among the biggest: Coincheck was taken for $530 million in 2018 and KuCoin for $280 million in 2020.
Last year, according to crypto-security firm Chainalysis, a total of $3.2 billion in cryptocurrency was stolen from exchanges and decentralized finance (or DeFi) apps, in which crypto traders make deals directly with one another.
That’s 100 times more than the total stolen in all bank robberies in an average year in the US, Federal Bureau of Investigation statistics show.
Much of the money was taken by North Korea’s Lazarus hacker group, Chainalysis says.
At the time it was hacked, Bitfinex was seen as one of the most reputable exchanges, but it wasn’t exactly Fort Knox, either.
It was originally based on code copied by a young Frenchman from an exchange called Bitcoinica that had been widely seen as insecure, and it was run by a plastic-surgeon-turned-low-end-electronics-importer, Giancarlo Devasini.
Based in Milan, Devasini invested in Bitfinex in 2012 and became the de facto head of the exchange, though on paper he’s the chief financial officer.
He’s also the boss of Tether, the issuer of a so-called stablecoin that’s supposed to be backed 1-to-1 with dollars but has been fined by US regulators for lying about its $67 billion in assets.
Bitfinex set up a new security system after it lost about $400,000 of cryptocurrencies in a 2015 hack.
Other exchanges generally mixed users’ coins together and stored the private keys on computers that weren’t connected to the internet, a practice known as “cold storage.”
The new system kept each user’s balance in a separate address on the blockchain, allowing customers to see for themselves where their money was.
It used software from San Francisco-based crypto-security company BitGo.
“This new level of transparency and security makes breaches such as those of Mt. Gox impossible,” Mike Belshe, BitGo’s chief executive officer, said in a press release announcing the deal.
The BitGo software was programmed to automatically approve transfers under a certain limit, so small withdrawals wouldn’t be delayed, but it required a Bitfinex executive to manually sign off on large ones.
This was supposed to mean that even if Bitfinex got hacked, only a small number of Bitcoins would be stolen at most.
But the system configuration was flawed. The limit could be changed with a computer command sent by someone with a Bitfinex executive’s electronic credentials.
That’s what the hackers did after first using a “remote-access Trojan” to infiltrate the exchange, according to court documents.
Such malware lets attackers gain full control of a target’s computer, as if they were sitting at the keyboard.
The hackers were only stopped when someone at Bitfinex happened to check account balances and noticed something was off.
Bitfinex executives have said they considered filing for bankruptcy after the attack.
Instead, to give themselves a chance to make up the losses and stay in business, they simply reduced the balances of all customers by 36% and issued IOUs to cover the losses.
Within eight months the exchange had earned enough to pay them back, either in cash or in Bitfinex stock.
Bitfinex reported the hack to authorities, but there were no leads. The hackers erased the servers’ memory on their way out, wiping any pointers to their location.
Ledger Labs, which investigated the breach on behalf of Bitfinex, was unable to determine how exactly the hackers got into the exchange’s servers.
BitGo has maintained that its software functioned properly, though it changed its rules so that withdrawal limits could only be raised after a video call with a BitGo employee.
BitGo and Bitfinex declined to comment, as did Ledger Labs’ lead investigator.
Michael Shaulov, a former coder for the Israeli Intelligence Corps and the co-founder of crypto-security firm Fireblocks Inc., says hacks like these generally don’t require a high level of technical expertise.
Often, he says, the hardest part is crafting an email that tricks an insider into opening a malicious attachment. “The social-engineering vector is key,” he says.
That seemed like a clue. Morgan had given a talk titled “How to Social Engineer Your Way Into Anything” in 2019 at an event called NYC Salon.
In a promotional flyer for the speech, she posed in a tight, snakeskin-print metallic dress while holding a large pipe wrench.
“I hate the term ‘manipulating,’ ” she said in the talk, after attempting to warm up the bemused crowd by rapping a few lines from Versace Bedouin.
Social engineering, she said, involves “getting someone to share information or take an action that they otherwise would not.”
And in what was either an unfortunate coincidence or another stunning act of hubris, on the day before the hack Morgan posted a photo on Instagram of her and Lichtenstein sitting on a blue plush couch, with the caption “I will always love getting into trouble with this crazy guy.”
On the day of the hack, a Bitfinex employee logged in to the main Bitcoin forum on Reddit and posted all the addresses where the hackers had sent stolen Bitcoins. It didn’t look like much—it was just a list of thousands of 34-character codes.
But it was like setting off a dye pack to mark the money in a bank robber’s bag of loot.
All transactions on the Bitcoin blockchain are public, so anyone can look up an address and see all the other addresses it sent coins to or received coins from.
Few people would accept Bitcoins from the addresses Bitfinex had disclosed on Reddit.
Even if they had no qualms with stolen money, they’d be concerned about whether they could spend it themselves—or if they’d become suspects.
For five months the stolen Bitcoins didn’t move. It seemed the hackers had forgotten a crucial part of their plan: To actually use the Bitcoins they’d stolen, they’d have to find a way to erase the connection to the hack.
One place where stolen Bitcoins were welcome was AlphaBay. It was a marketplace on the dark web, a hidden part of the internet only accessible through an anonymous browser, where users posted classified ads offering opioids, guns, and stolen credit cards in exchange for crypto.
On its website, AlphaBay said it wanted to be “the largest eBay-style underworld marketplace.”
In case anyone missed the point, its FAQ had the question “Is AlphaBay Market legal?” Answer: “Of course not.”
In January 2017, about $22,000 worth of the hacked Bitcoins were moved to AlphaBay in a series of small transactions.
All Bitcoins sent to AlphaBay were mixed together, making them harder to connect to wherever they’d come from on the blockchain.
Once a user withdrew their funds to a new address, their Bitcoins could be traced back only as far as AlphaBay.
Although all the major exchanges were unwilling to accept Bitcoins that had come from addresses associated with the hack, some smaller exchanges were willing to take coins that came from a dark web drug bazaar.
From AlphaBay, those hacked Bitcoins were sent to one crypto exchange, then another. The second exchange account was opened by Lichtenstein, using his real name.
He’d even sent in a selfie to verify his identity. The only person who’d know the connection between Lichtenstein and the hacked funds would be the person running AlphaBay, who went only by Alpha02.
Unfortunately for the thieves, AlphaBay was already the target of a separate investigation.
Police from several countries thought they’d figured out that Alpha02 was a 25-year-old Canadian named Alexandre Cazes, who’d moved to Thailand and bought three properties, a Lamborghini, and a Porsche with his profits.
Among his mistakes: On some early messages he used an address, Pimp_Alex_91@hotmail.com, that he’d also used under his real name.
On July 5, 2017, the investigators put in motion what they called Operation Bayonet. Royal Thai Police rammed a car into the front gate of a compound in Bangkok where they and US authorities suspected Cazes was living.
The commotion lured him out, and, while police detained him, other agents rushed inside.
Cazes was arrested and died in prison a week later in an apparent suicide, according to the Bangkok Post.
But he left behind lots of evidence. Inside his compound, police found his laptop, open and logged in to AlphaBay.
Among the US federal agents who’d traveled to Bangkok for the AlphaBay bust was Chris Janczewski, then 33, a special agent with the IRS.
Strange as it sounds, Janczewski had wanted to work for the IRS ever since a special agent had visited his accounting fraternity at Central Michigan University.
The speaker had regaled Janczewski and his fellow aspiring accountants with stories of high-speed chases and kicking in doors.
But at his first job there were no chases and no doors to kick in—just audits of a bunch of plumbers and car dealers in and around Charlotte.
“As you can imagine, people aren’t super excited that you’re there,” says Janczewski.
In 2015 he was recruited to a new cybercrime unit in Washington. The team of about a dozen agents first focused on hacked data used to commit tax fraud. Then they shifted to cryptocurrency cases.
The agents realized that while the blockchain was anonymous and criminals often shuffled their coins from wallet to wallet, the trail of transactions almost always led to an exchange, which would ask for identification before allowing someone to sell their Bitcoins for cash.
Even if the crooks used an intermediary or a fake ID, they would leave clues. All the agents had to do was follow the transactions long enough.
“Eventually everybody screws up,” says Tigran Gambaryan, another member of the IRS cybercrime unit, who now runs investigations for crypto exchange Binance.
Crypto tracing led Janczewski and his colleagues to drug dealers, money-laundering services, and even a site that had been selling child abuse videos.
With each bust, they gathered data that allowed them to link more crimes to more Bitcoin addresses and more Bitcoin addresses to more people.
Janczewski declines to say when he and his colleagues made the connection between the stolen Bitcoins and Lichtenstein and Morgan or to discuss other details of the hack investigation.
But by 2020, legal filings show, they had started the painstaking process of turning leads into evidence usable in court.
They sent legal requests to exchanges that touched the stolen funds and to internet service providers the couple used.
It took more than a year to gather enough evidence to justify a search warrant.
On Jan. 5, 2022, Janczewski and other federal agents entered the apartment at 75 Wall St. Morgan’s parents were visiting and had brought a batch of her favorite persimmon cookies, baked by her grandmother.
As the agents started looking for phones and computers, she and Lichtenstein said they wanted to leave the apartment and take Clarissa with them, according to court filings. Then, Morgan clumsily attempted to create a diversion.
She said the cat was hiding under their bed and crouched down next to a nightstand.
While calling the cat, she grabbed a phone off the nightstand and started frantically hitting the lock button. Janczewski pulled it from her hands.
Under the bed, the agents found a bin full of electronics, including a zip-top bag labeled “Burner Phone” and a red-and-white-striped toiletries bag holding nine more phones.
They seized at least four hardware wallets—thumb drives that hold the cryptographic passwords to a user’s Bitcoins—and a pocketbook stuffed with $40,000 in cash.
In Lichtenstein’s office, they found two books that had been hollowed out to create hidden cavities.
The couple had a brief conversation in Russian, which Morgan had been studying. None of the agents understood it.
After an initial search of their electronic devices, the agents hadn’t found the private keys to the stolen Bitcoins. They didn’t have enough evidence to arrest the couple.
Five days after the search, Morgan released a new song, Moon n Stars. Over a spooky-sounding drum-and-organ beat, Razzlekhan raps for five and a half minutes about her connection with Lichtenstein—their shared weirdness, his green eyes and “nice bottom,” and their inside jokes, such as how he always keeps snacks in his pockets or how they both can’t drive.
She says she doesn’t want a regular job and takes risks to feel alive, and at one point she even says, “Don’t forget an exit plan.”
She and Lichtenstein had married a few months earlier. In the song she says she wants to be with him “until the goddamn end.”
Her delivery in the song is as awkward as ever, but knowing she posted it while she must have already been contemplating a long prison sentence, the lyrics take on a poignant tone.
“We’re too weird for average Joes / Everyone knows,” Razzlekhan raps in the last verse.
“You’re the best for me / This is how our story goes. / This is the Razzlekhan and Dutchie shows. / Ready to party down and let’s get weird!”
As the song ends, Razzlekhan says, in Russian with a thick American accent, “I love you.”
The agents had also gotten warrants to search Lichtenstein’s cloud-storage accounts.
In one of them they found a list of fake IDs, both male and female, and notes suggesting the couple had gone to Kyiv in 2019 to buy debit cards under pseudonyms.
It looked to the agents as if Lichtenstein and Morgan had been preparing to flee the country.
On Jan. 31 they cracked the encryption on one of Lichtenstein’s files and found something even more explosive: the private keys to nearly 2,000 Bitcoin addresses tied to the Bitfinex hack. The government now had control of $3.6 billion.
A week later the agents returned to the couple’s apartment and arrested them. Lichtenstein and Morgan were charged with conspiracy to commit money laundering.
Prosecutors said they’d lied to exchanges to move the funds that had been stolen from Bitfinex.
The question of who did the actual social engineering and hacking wasn’t addressed, and, since the data were deleted, it may never be.
The arrest was national news. It was the largest seizure of stolen funds ever. “Today, the Department of Justice has dealt a major blow to cybercriminals looking to exploit cryptocurrency,” Deputy Attorney General Lisa Monaco said at a press conference.
The TikTok commentariat tore through Morgan’s music videos, and within hours Razzlekhan was already a social media legend, having air-humped her fanny pack into the ranks of famous grifters.
“The Bitcoin crimes are nothing compared to calling this shit rap,” Trevor Noah said on The Daily Show.
True-crime producers saw parallels to fake heiress Anna Delvey or Theranos founder Elizabeth Holmes.
In addition to the Netflix documentary, which was ordered just three days after the arrest, there’s a podcast, a fictionalized series from the producer of the heist movie Den of Thieves, and a competing documentary from Forbes, the publisher of Morgan’s columns.
They both pleaded not guilty. Lichtenstein was held without bail, and Morgan was released on $3 million bond.
She argued that she wasn’t a flight risk because she was storing frozen embryos in New York and planned to have a child with Lichtenstein via in vitro fertilization.
Morgan returned to her apartment, but in May she put many of her belongings up for sale on the building’s message board, including three electronic deadbolts and a fake Banksy print.
According to copies of the posts provided by a neighbor, she’s moving and needs to downsize.
Prosecutors said in a May 30 court filing that they were talking with the couple’s lawyers about a plea bargain. The next hearing is scheduled for August.
In March, Janczewski left the IRS to become head of global investigations for blockchain intelligence firm TRM Labs.
The government is still holding the seized Bitcoins—the US Marshals Service keeps crypto on encrypted thumb drives in a locked safe in an undisclosed federal building.
With the cryptocurrency market crashing, their value has fallen to about $2 billion.
Bitfinex’s owners say the exchange already paid most users back and owes only about $30 million more.
That would mean when the Bitcoins are returned, most of the money will go to Bitfinex’s investors, including its executives.
But some traders who lost Bitcoins will no doubt argue that the coins should be returned to them.
A fifth of the missing Bitcoins are still unaccounted for. Roughly $70 million worth was sent to Hydra Market, a Russian dark web site, according to crypto-analysis firm Elliptic Enterprises Ltd.
No one knows where the money went from there, but on Hydra, vendors called treasure men offer to exchange crypto for shrink-wrapped packets of rubles that they bury in secret locations.
It’s possible there are underground bundles somewhere in Russia, waiting for Morgan and Lichtenstein to dig them up.
Back in New York, on a traffic pole just across from the entrance through which criminal suspects are led into Manhattan federal court, someone has placed a sticker with a cartoon that depicts a topless Razzlekhan riding a crocodile, her tongue sticking out, her fingers split into her trademark “V.” It looks new.