Thursday, February 17, 2022

Inadequate OpSec

The February 8th arrest of Ilya Lichtenstein and Heather Morgan, accused of laundering the proceeds of the August 2016 theft of nearly 120K BTC from the BitFinex exchange, has been all over the media since, fuelled largely by her double life as a Forbes writer and rapper, and her cringe-worthy social media presence. Inside the Bitcoin Laundering Case That Confounded the Internet by Ali Watkins and Benjamin Weiser for the New York Times is an example.

The technical aspects of how law enforcement identified them and seized much of the loot have gained less coverage. Below the fold I look into this aspect of the case, using what information is public.

By far the most interesting source is the 20-page Statement of Facts filed by Christopher Janczewski, a Special Agent assigned to the Internal Revenue Service, Criminal Investigation (IRS-CI). It provides a detailed timeline of the important transactions, which in summary is:
  1. In August 2016 someone compromised Bitfinex, and made over 2000 unauthorized transfers totalling 119,754 BTC from Bitfinex wallets to a wallet the IRS names 1CGA4s.
  2. Starting in January 2017 a series of transfers that attempted to evade tracking moved some coins to at least 7 accounts at the darkweb marketplace AlphaBay.
  3. From January to April 2017 a series of similarly evasive transfers moved coins from AlphaBay accounts to 6 of 8 accounts at an exchange identified as VCE1 registered with addresses at an Indian e-mail service. Some or all of these transfers used "chain-hopping" via Monero.
  4. VCE1 was unable to verify the owners of these accounts, which were frozen in February and March 2017. The remaining contents were later seized by law enforcement.
  5. Then came the first key break in the case. No later than May 2017 law enforcement compromised AlphaBay, which had been breached twice before in April 2016 and January 2017. In July 2017 Canadian police seized the servers, and Alexandre Cazes was arrested in Thailand. A few days later he was found dead in his cell. Presumably, law enforcement were able to connect the withdrawals from AlphaBay to the deposits from wallet 1CGA4s.
  6. Before they were frozen, these accounts transferred coins to an account at US-based VCE5 in Lichtenstein's name which had been created in January 2015, to a US-based VCE4 using an account with addresses at the Indian e-mail service, and to accounts at VCEs 6 through 10. Thus law enforcement were able to identify Lichtenstein as a probable launderer of Bitfinex loot by July 2017, and start tracking his activities.
  7. Between March 2017 and October 2021 Lichtenstein and Morgan converted about $2.1M worth of BTC from the VCE7 accounts and about $750K from the VCE8 accounts into USD at US banks.
  8. Between January 2019 and November 2020 transfers occurred between two VCE4 accounts using Russian e-mail IDs and accounts at VCEs 7 and 8 in the names of companies controlled by Lichtenstein and Morgan. The VCE4 accounts were funded only with Monero. Although the source for the Monero was unknown, the destination connected Lichtenstein to the two VCE4 accounts, and thus made it likely that the Monero was funded from 1CGA4s.
  9. VCE4 was unable to verify the owner of the two accounts and froze them, but not before the bulk of the funds had been converted to BTC and withdrawn.
  10. Between February 2019 and December 2020 about 117 BTC flowed through a cluster of wallets (Cluster 36B6mu) from the VCE4 accounts to accounts linked to Lichtenstein and Morgan. Some went to buy a $500 Walmart gift card which Morgan used for purchases delivered to Morgan's home address.
  11. In 2021 agents executed a search warrant for one of Lichtenstein's US e-mail accounts, and received a copy of the related cloud storage, which was encrypted.
  12. Then came the second key break in the case:
    On or about January 31, 2022, law enforcement was able to decrypt several key files contained within the account. Most notably, the account contained a file listing all of the addresses within Wallet 1CGA4s and their corresponding private keys. Using this information, law enforcement seized the remaining contents of the wallet, totaling approximately 94,636 BTC, presently worth $3.629 billion
    The Statement of Facts doesn't specify how the decryption was implemented. My guess would be that it was the result of a man-in-the-middle attack.
Overview Diagram
So it appears Lichtenstein and Morgan managed to move only 25,118 BTC, or 21%, of the stolen BTC. Much of it ended up in frozen accounts at various VCEs when they were unable to satisfy KYC/AML requests.

David Gerard covered the Bitfinex hack in Chapter 8 of Attack of the 50 Foot Blockchain. He reports the explanation proffered by Phil Potter, not the most reliable source:
In 2016, Bitfinex kept customers’ bitcoins segregated — each customer’s holding was in its own separate multi-signature blockchain address.

You needed two of the three keys to the address to move bitcoins out of it. One key was held by Bitfinex, one by BitGo, and one by the customer.

BitGo had built an API for Bitfinex to use. This was not a public interface — only the two companies knew about it.

Bitfinex would pass transactions to BitGo via the private API. BitGo checked the transaction against their policy for that address, and signed if it was OK.

The API allowed policy changes — but a bug in the API meant you could set global limits, that applied to all customer addresses, without it being flagged for human review.

The hacker somehow got into Bitfinex’s systems, got access to an account that could change global limits, set the limit very high … and drained 2000 customer addresses into a single address.
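The control gap in that explanation is a policy change whose blast radius is every customer address but which faced no human review. The following is an added illustration of that flaw beside a hardened design, constructed for this post; it is not BitGo's or Bitfinex's code, and the class, limits and reviewer names are invented.

```python
class PolicyEngine:
    """Co-signer policy store (constructed example). An address's limit is its own
    entry if it has one, otherwise the global default that applies to all addresses."""

    def __init__(self, global_limit, review_globals=True):
        self.global_limit = global_limit
        self.address_limits = {}
        self.review_globals = review_globals  # False reproduces the described flaw
        self.pending = {}                     # change_id -> (scope, limit, requester)
        self._seq = 0

    def effective_limit(self, address):
        return self.address_limits.get(address, self.global_limit)

    def would_sign(self, address, amount):
        """The co-signer signs only if the transfer is within the effective limit."""
        return amount <= self.effective_limit(address)

    def request_change(self, scope, limit, requester):
        """scope is a customer address, or "*" for the global default limit."""
        if scope == "*" and not self.review_globals:
            self.global_limit = limit         # flaw: every address raised, nobody looks
            return "applied"
        if scope != "*" and limit <= 2 * self.effective_limit(scope):
            self.address_limits[scope] = limit  # small change to one address: allowed
            return "applied"
        self._seq += 1                        # anything wider or larger waits for a human
        self.pending[self._seq] = (scope, limit, requester)
        return f"pending:{self._seq}"

    def approve(self, change_id, reviewer):
        """Two-person rule: the requester of a change may never approve it."""
        scope, limit, requester = self.pending.pop(change_id)
        if reviewer == requester:
            self.pending[change_id] = (scope, limit, requester)
            raise PermissionError("requester cannot approve own change")
        if scope == "*":
            self.global_limit = limit
        else:
            self.address_limits[scope] = limit
        return "applied"
```

With `review_globals=False` a single API credential can raise the limit for every address in one call; with the default, the same request sits in `pending` and the co-signer keeps refusing until a second person approves it.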
Gerard speculates Could Morgan and Lichtenstein have done the 2016 Bitfinex hack?:
The hacker had information you’d need to be a Bitfinex or BitGo insider to know:
  • that the API existed;
  • code for the API, to see the bug in it;
  • access to Bitfinex systems to send valid requests to BitGo.
Could you get that information and access — or get to somewhere you could get that information — by talking your way past someone?
Morgan has bragged at length about her social engineering skills. [YouTube] How good she is, that’s questionable. But you don’t need to be very good at all to be better than crypto average.
Of course, the other reason I won’t say “they did it” is that if you were looking for patsies, Morgan and Lichtenstein fit the bill perfectly. Or the hacker was looking for a Reggie Fowler to turn the bitcoins into money in bank accounts.

If the Department of Justice won’t say Morgan and Lichtenstein are the hackers, I’m not going to declare they are. But I will say that they have the minimal skills needed to even try this. And definitely the bull-headed persistence.
It seems unlikely that Morgan and Lichtenstein were patsies. Lichtenstein had the key to the 1CGA4s wallet in the file law enforcement decrypted. A hacker looking for patsies would not give them the key to the whole stash.

Andy Greenberg writes $3.6 billion bitcoin seizure shows how hard it is to launder cryptocurrency:
“What was amazing about this case is the laundry list of obfuscation techniques [Lichtenstein and Morgan allegedly] used,” says Ari Redbord, the head of legal and government affairs for TRM Labs, a cryptocurrency tracing and forensics firm. Redbord points to the couple's alleged use of "chain-hopping"—transferring funds from one cryptocurrency to another to make them more difficult to follow—including exchanging bitcoins for "privacy coins" like monero and dash, both designed to foil blockchain analysis.
Greenberg discusses the Monero-funded VCE4 accounts:
It's possible that the IRS investigators didn't actually trace monero to draw that link, points out Matt Green, a cryptographer at Johns Hopkins University and one of the cocreators of the privacy-focused cryptocurrency zcash. They may have found other evidence of the connection in one of the defendant's records, just as they found other incriminating files in Lichtenstein's cloud storage account, though no such evidence is mentioned in the IRS's statement of facts. Or they could simply be making an assumption unsupported by evidence—though that's not a common practice for federal agencies prosecuting a high-profile criminal case years in the making. "The third possibility, which I would definitely not rule out, is that they have some tracing capabilities that they're not disclosing in this complaint," says Green.
VCE4 transfers
As I understand the Statement of Facts, the VCE4 accounts were identified because they transferred large amounts of BTC to "accounts at VCEs 7 and 8 in the names of companies controlled by Lichtenstein and Morgan". Absent any other plausible sources for the Monero, this may be an assumption "beyond a reasonable doubt".
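The two kinds of reasoning above, following coins forward from 1CGA4s through BTC hops and attributing Monero-funded accounts from where their withdrawals went (items 2 to 8 of the timeline), as an added example that is not from the post or the Statement of Facts. The ledger, amounts and account labels are constructed; only the names echo the post.

```python
from collections import defaultdict, deque

# Constructed ledger: (sender, receiver, amount_btc, rail). Labels echo the post;
# amounts and flows are invented. An "xmr" rail marks a chain-hop through Monero:
# on-chain analysis sees a deposit and an unrelated-looking withdrawal, nothing more.
TXS = [
    ("Bitfinex", "1CGA4s", 119754.0, "btc"),
    ("1CGA4s", "AlphaBay-1", 5000.0, "btc"),
    ("1CGA4s", "AlphaBay-2", 3000.0, "btc"),
    ("AlphaBay-1", "VCE1-a", 4000.0, "btc"),
    ("AlphaBay-2", "VCE1-b", 2500.0, "btc"),
    ("VCE1-a", "VCE5-L", 1200.0, "btc"),     # account in Lichtenstein's name
    ("VCE1-b", "VCE4-ru1", 2000.0, "xmr"),   # Monero hop: opaque to the tracer
    ("VCE4-ru1", "VCE7-co", 1900.0, "btc"),  # company account controlled by the couple
    ("Retail", "VCE7-co", 10.0, "btc"),      # small unrelated deposit
]
# Accounts whose owner an exchange verified under KYC (constructed labels).
KYC_OWNER = {"VCE5-L": "Lichtenstein", "VCE7-co": "Lichtenstein"}


def forward_trace(txs, origin):
    """Breadth-first taint trace from origin along BTC edges only.
    Returns {address: path from origin} for every address reached."""
    out = defaultdict(list)
    for src, dst, _amt, rail in txs:
        if rail == "btc":
            out[src].append(dst)
    paths, queue = {origin: [origin]}, deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in out[node]:
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def attribute_by_destination(txs, kyc_owner, min_share=0.9, min_btc=100.0):
    """Item 8 in code: an unverified account whose BTC outflows go almost entirely
    (>= min_share and >= min_btc) into one owner's verified accounts is attributed
    to that owner, even though its own funding (a Monero deposit) is untraceable."""
    total_out, to_owner = defaultdict(float), defaultdict(float)
    for src, dst, amt, rail in txs:
        if rail != "btc" or src in kyc_owner:
            continue
        total_out[src] += amt
        if dst in kyc_owner:
            to_owner[(src, kyc_owner[dst])] += amt
    return {src: owner for (src, owner), amt in to_owner.items()
            if amt >= min_btc and amt / total_out[src] >= min_share}


def chain_hop_gaps(txs, origin, kyc_owner):
    """Attributed accounts that forward tracing never reaches: the gap the
    chain-hop opened, closed here only by the destination link."""
    reached = forward_trace(txs, origin)
    return sorted(a for a in attribute_by_destination(txs, kyc_owner) if a not in reached)
```

Running it on the constructed ledger, `forward_trace` stops at the Monero hop, `attribute_by_destination` still ties VCE4-ru1 to the suspect, and `chain_hop_gaps` names that account as the one whose link rests on inference rather than on-chain tracing, which is exactly the ambiguity Matt Green raises.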

Greenberg continues:
Tracing monero has long been suggested to be theoretically possible. A 2017 study by one group of researchers found that in many cases, they could use clues like the age of coins in a monero transaction to deduce who moved which coins, though Monero subsequently upgraded its privacy features to make that far harder to do.

The cryptocurrency tracing firm Chainalysis, which counts the IRS as a customer, has privately touted its own secret methods to trace monero. Last year hackers leaked a presentation to Italian police in which Chainalysis claimed it could provide a “usable lead” in 65 percent of monero tracing cases. In another 20 percent of cases, it could determine a transaction's sender but not its recipient. “In many cases, the results can be proven far beyond reasonable doubt,” the leaked presentation read in Italian, though it cautioned that “the analysis is of a statistical nature and as such any result has a confidence level associated with it.”
The unspoken message to the Lichtensteins and Morgans of the world: even if your rap videos and sloppy cloud storage accounts don't get you caught, your clever laundering tricks may still not save you from the ever-evolving sophistication of law enforcement's crypto-tracers.
Molly White has two timely blog posts, Anonymous cryptocurrency wallets are not so simple and Cryptocurrency off-ramps, and the shift towards centralization. In the first she writes:
It is fairly trivial at the moment for a person to operate at that second layer of anonymity, where their identity is known to various companies (and thus to law enforcement if need be), but not publicly. But that third level, what might be described as true anonymity, is what cryptocurrencies have been promising from the earliest days: no interference from governments and the legal system, no one to tell you whether or not you can send or receive currency based on who you are, no ability to tie a transaction back to an individual. And that level is becoming increasingly unachievable.

As I wrote previously, the true challenge with anonymity comes not from creating a fresh new wallet. It comes from funding that wallet without tying it back to an identifiable source.
Morgan and Lichtenstein definitely ran into this problem. Once law enforcement had identified them as suspects, they were able to work back from deposits into accounts they controlled to, for example, identify the VCE4 accounts.

White explains how difficult Bitcoin operational security is:
Let’s even generously assume that this person is able to maintain the surgical care that was required to create and fund an anonymous wallet, in perpetuity: They never confuse it with their other wallets and perform an ill-advised transaction that can be linked back to them, they never make enough transactions that can be compared to their known actions and used to infer a link, they never use the address with any of the many services that require KYC self-identification these days, and they are careful to always use a privacy-focused VPN when accessing web-based crypto services so their real IP isn’t logged.
But what we have begun to see with increasing frequency is users of wallets with anonymized funds encountering major difficulties when it comes to taking their cryptocurrencies and exchanging it back into traditional currency.
White delves into this barrier between the HODL-er and their Lamborghini in the second post:
Because the actions that enable privacy and anonymity with crypto are the same as the ones that enable criminal behavior—using cash to buy crypto, mixing currency through tumblers, and using less-popular and less-centralized exchanges and platforms, for example—cryptocurrency exchanges and financial institutions appear to be increasingly unwilling to allow anyone who engaged in these behaviors to cash out, particularly as regulators begin to turn their eyes to the space. It seems that people who wish to engage with cryptocurrencies are more and more being pressured into using only the parts of the system that look a whole lot like traditional banking (but with fewer protections): a small number of highly-centralized platforms with strong KYC. If they don’t, they have to accept the risk that they may not be able to cash their money back out down the line: issues that people are increasingly beginning to encounter.
White cites two recent examples. One is a woman whose bank refused to accept a cash-out transaction because, years before, she had deposited cash with the exchange to buy the Bitcoin. The other is a HODL-er who tried to borrow cash from BlockFi, but was refused because the HODL-er from whom he purchased the Bitcoin had passed it through a mixer. In both cases the institutions were scared of being accused of violating KYC/AML rules.

Morgan and Lichtenstein definitely ran into this problem too. They lost significant amounts in accounts frozen because they failed KYC/AML verification.

What can we learn from this?
  • Morgan and Lichtenstein were able to transact significant amounts using newly-created accounts at exchanges before KYC/AML verification. Exchanges should prevent withdrawals until KYC/AML checks are complete.
  • Nevertheless, KYC/AML verification by exchanges was partly successful; Morgan and Lichtenstein lost significant funds in frozen accounts and were unable to convert most of the loot to fiat currency.
  • The Statement of Facts doesn't have much information on the effect of KYC/AML at banks, but it does describe Morgan and Lichtenstein committing fraud by providing false information to US banks. Clearly, improving the rigor of these verification processes is important.
  • Mixers and tumblers are high-value targets; compromising them should be a priority for law enforcement.
Sarah Emerson provides an entertaining tailpiece in The NFTs They Bought From The Crypto Rapper Disappeared. Now They Want A Refund:
Twitter user Ethmuppet said they scored “a piece of crypto history” when they purchased two NFTs from Heather Morgan, the eccentric entrepreneur arrested alongside her husband on Tuesday for attempting to launder $4.5 billion in looted cryptocurrency. But hours later, the NFTs were gone. They had suddenly disappeared from OpenSea, the NFT marketplace where Ethmuppet paid roughly $600 to own images made by Morgan’s rap persona, Razzlekhan.

Ethmuppet told BuzzFeed News that OpenSea hasn’t refunded their money and said they feel “rugged” by the $13 billion company. They believe they could have sold the NFTs at an enormous profit — Razzlekhan’s brand has since ascended from failed criminal mastermind to unlikely antihero — and had even listed one of the images at $100,000 before it was taken down.
Not to worry, Ethmuppet! The NFT you purchased is immutably stored on "the blockchain". In this decentralized world no-one can take it away from you (maybe). Whether the link in it resolves to the image you expect, or to anything at all is another matter, as is your ability to profit from your investment if it isn't visible on OpenSea. Isn't decentralization wonderful?


David. said...

Business Rapper Was Bad at Bitcoin Laundering, Matt Levine's take on Lichtenstein and Morgan is a good read. And Joe Weisenthal responds with the helpful suggestion that It’s Time for Bitcoin to Become a Better Tool for Laundering Money:

"Ultimately [Alex Gladstein] thinks Bitcoin’s goal should be the equivalent of other open projects, like Signal, Tor, or even email itself. Yes, they can be used by people you don’t like. But if they couldn’t be used by them, then they couldn’t be used by the people you do like.

And if Bitcoin never achieves this status — where it can be used by anyone without influence from a centralized entity like a government — then it’s really not clear at all what the point is."

David. said...

Laura Shin's Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether is another interesting example of how cryptocurrency transactions can be deanonymized. It includes this revelation:

"blockchain analytics company Chainalysis saw the presumed attacker had sent 50 BTC to a Wasabi Wallet, a private desktop Bitcoin wallet that aims to anonymize transactions by mixing several together in a so-called CoinJoin. Using a capability that is being disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and tracked their output to four exchanges."

David. said...

More details on Heather Morgan's past in Razzlekhan: The Untold Story Of How A YouTube Rapper Became A Suspect In A $4 Billion Bitcoin Fraud by Cyrus Farivar, David Jeans and Thomas Brewster.

David. said...

Andy Greenberg's Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site shows in disturbing detail how belief that Bitcoin was "anonymous" was the undoing of a huge child sex abuse site and its customers.

David. said...

U.S. hasn’t stopped N. Korean gang from laundering its crypto haul shows the difficulty even professional cryptocurrency thieves have in laundering their loot:

"North Korean hackers who last month carried out one of the largest cryptocurrency thefts ever are still laundering their haul more than a week after they were identified as the thieves.
The gang, which the Treasury Department identified as the Lazarus Group, also known for the 2014 hacking of Sony Pictures, so far has laundered nearly $100 million — about 17 percent — of the stolen crypto, according to blockchain analytics firm Elliptic. They moved their haul beyond the immediate reach of U.S. authorities by converting it into the cryptocurrency Ethereum, which unlike the cryptocurrency they stole cannot be hobbled remotely. Since then, the gang has worked to obscure the crypto’s origins primarily by sending installments of it through a program called Tornado Cash, a service known as a mixer that pools digital assets to hide their owners."

David. said...

Nicholas Weaver's OFAC, the DPRK and the Tornado of Cash outlines an interesting approach to the Tornado Cash decentralized mixer:

"OFAC should consider a creative sanction against Tornado Cash, particularly the 100 Ethereum wallet. This wallet itself should be listed as a sanctioned entity because it is known to be hiding a large amount of the DPRK’s stolen cryptocurrency. Tornado Cash itself has no way to prevent the DPRK from withdrawing from the pool anonymously, and can not prevent further deposits by the DPRK which bypasses the web interface.

All others who participate in this pool are acting to help hide the DPRK’s ill-gotten gains since they are all contributing to the anonymity set in which the DPRK is hiding. Any withdraws by Tornado Cash users after March 23 are thus contaminated by the DPRK unless the withdrawer publicly discloses the receipt."

David. said...

Daniel Flatley's U.S. Sanctions Virtual Currency Mixer Tied to North Korea shows the Feds are still behind Nicholas Weaver's curve:

"The U.S. Treasury Department on Friday sanctioned, a virtual currency mixer it said was tied to North Korea’s hacking and money laundering activities.

The action marks the first time Treasury has sanctioned a so-called “mixer,” which is used to hide the origin of illicit funds."