> “After the execution of court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan, special agents obtained access to files within an online account controlled by Lichtenstein,” the press release said. “Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure.”
So most likely,
1) they didn't launder it properly, leading to police being able to trace it to their bank accounts. I wonder if tornado.cash was used.
2) then police had their names, leading to warrants for all online accounts - google account, apple account, etc.
3) they made the big blunder of keeping their private keys in their online account. Most likely a txt file in google drive. That is such a silly blunder. Without the private keys, the police has zero proof of anything. They could have made a hundred excuses for how they got money in their bank account, as long as the police didn't have the private keys. Who keeps their private keys in an online account?
Apparently the biggest criminals make too many silly mistakes. The old saying applies here: "you don't have to be smart, just don't be an idiot"
You have to keep in mind that a lot of those highlighted "trivial" series of mistakes can be just the result of parallel construction, and what evidence really "did them in" can be completely different from what's stated by the prosecution. It is very easy to find tons of small mistakes once you already know what you have to look for thanks to an undisclosed huge exploit/honeypot/technically-illegal-seizures that you can use.
Proving this is hard by design, but a good example of that would be how they used the Hansa market as a honeypot by running the market themselves for months.
The entire investigation around Alphabay and how they got to the owner is a bit shady, too, and there have been tons of rumors of the entire official case being based on ad-hoc parallel construction.
Shortly after he committed suicide I pulled up the French language technical board where he had linked an alias to a real email address. Which mirrors the same mistake as the Silk Road operator.
When you dig deeper into these cases it’s clear that they aren’t properly washing the money. There’s no placement or layering. They go straight to laundering on a public ledger and cash out under their own names.
The simplest explanation is usually the correct one.
I think my comment was not really clear. Yes, the apparent mistake Alex made was glaring and obvious, but the entire operation was very weird. They shut down alphabay right before turning off The Hansa, which they had been operating for months at that point. It was the coup de grace, basically trying to get as many people to sign in to the Hansa before it also goes off.
To me that indicates they have been able to turn off alphabay for a long time, considering how easily and well timed they did it. That also means they have had tons of time to build the case. Of course you can argue that the simplest explanation is the best one but considering law enforcement literally operated the biggest DNM for months, completely under the radar I'm not sure why "they found an email he used for a few weeks 4 years ago" would be more simple.
You can read what DeSnake, another admin of the website had to say about the takedown. He's extremely security conscious (he hasn't been caught yet afaik which is another can of worms) and he's adamant that it was not a simple bust. Actually, the whole thing was kind of a mess, with some mods getting arrested (even without making obvious mistakes like Alex did ). You can read up on the confusion here:
https://www.darkowl.com/blog-content/alphabay-marketplace-re...
If I had to guess, some mod/admin informed on him (maybe even snake!) hence why they had access to an early email. But who knows? Now in cases like the silk road I'd agree that it was simply trash OPSEC but the Alphabay/Hansa takedown was so sophisticated that anything is possible
> You have to keep in mind that a lot of those highlighted "trivial" series of mistakes can be just the result of parallel construction, and what evidence really "did them in" can be completely different from what's stated by the prosecution.
If you had such capabilities, the moment it is known you have it would immediately neutralize any value you derive from that capability.
What is the logical course of action?
Deny. Deny. Deny.
Disavowing, deception, secrecy of such capability is what gives them the edge.
Again, there is no proof that Satoshi Nakamoto was some good hearted criminal/spook.
A good guess is that "laundering" billions of dollars is inherently a non-trivial problem, and perhaps not feasible at all without cooperation from shady real-world actors outside the whole cryptocurrency ecosystem. This is actually good news for small-scale users who just want to keep their microtransactions reasonably private - the usual mechanisms might actually work well enough for that case.
I agree. But if not for privacy, why use crypto at all? Even bank accounts are reasonably private, if you are not doing anything considered suspicious by society.
Also, with mixers such as tornado_cash, laundering money is ,sadly, pretty trivial.
The difference is that laundering provides you with an explanation for wealth and/or income. Example of laundering: buy a business (with clean or borrowed money), have fictional customers "spend" their cash money at your business every day, then report your income and pay taxes. Now if anybody asks about where you got your money, you have a seemingly legit explanation.
Mixing does none of that. So mixing may be trivial, but laundering is not.
edit: now that I think about it, is that why NFTs are so popular? Are people pretending to have gotten capital gains, while in reality they're buying these things from themselves? That would explain a lot.
Regarding NFTs, that's how the high art market works. It's for money laundering. "I just sold this Picasso, that's where this money came from Mr Taxman"
tornado.cash puts your crypto in a completely fresh account (using smart contracts). You can claim that you earned this crypto mining it back in 2010. You can definitely come up with a decent excuse for this.
Then you can convert those crypto (in new account) into fiat money.
Everyone will know you are lying, but they will never be able to prove it.
If you read the indictment, they claimed they had bitcoin from mining in 2011, the exchange asked for further proof, and they just abandoned the bitcoin (~$150k). The exchange surely notified the authorities, because who abandons $150k of legit bitcoin?
So claiming it was from mining didn't work in this particular instance.
They don't need to prove you are lying in all instances, it's enough to prove you are lying in one instance. They will get you for that one instance where you didn't launder it properly if they are after you.
I love how you're just realizing that NFTs are a pure money-laundering scheme. Just wash trade your bored ape and "sell" it to your alter ego and bam! Legitimate income for the cost of some ETH gas.
> This is called “money laundering,” and the essential component of money laundering is generating fake taxable income. If you take $13,800 out of your (legitimate, previously taxed) bank account, and you use it to buy cryptocurrency in a wallet that you tell your accountant and the IRS about, and you then use that cryptocurrency to buy a Meebit, and then you take $50 million out of your sack of illegal money, and you use it to buy cryptocurrency in a wallet that you don’t tell your accountant about, and then you use that cryptocurrency to buy the Meebit from your declared wallet, and then you take the $50 million of cryptocurrency out of the declared wallet and put it back in your (legitimate) bank account, and then you write the IRS a check for $20 million saying “ah I’ve been selling NFTs, what fun I have had, but I have to pay the IRS my fair share,” then … I am obviously not going to give you advice on crime but it’s possible you’ve got something there? Like, nobody has any idea what a Meebit is worth, so this string of outlandish numbers is somewhat plausible? It’s possible that some number of NFT wash trades have a purpose other than pumping up volume on NFT platforms?
You can do that by owning crypto. No need to use it.
> Self-sovereignty
Majority people use centralized exchanges, which regularly control transactions.
> Ease of use/trade/leverage/exchange
Fiat banking is much easier to use than crypto. It's also faster. Now everyone uses 1-tap payments. Crypto transactions are more complicated than that. They also take longer. Also are bad for the environment (not as bad as media portrays, but bad nonetheless)
Even the apps built off of the "blockchain" rarely touch the blockchain. Companies aren't looking up NFTs on the chain, they're just hitting OpenSea APIs.
Speculation for IDOs usually requires directly interacting with the contract with your wallet. Likewise new tokens are found on DEXes which requires taking custody of the token.
Borrowing against crypto, leveraging it, going delta neutral, buying options are all available on chain, typically with better yields, and with a higher variety of tokens.
If the Sinaloa cartel can just walk into an HSBC bank with literally blood stained cash then it would've been okay for everybody else.
The true professionals in this industry only use crypto as a reference in their private ledger stored far far out of reach to any Western government.
It's funny that these successful professionals are also the most paranoid and least trusting of crypto (they are convinced Bitcoin was created by the US Government itself).
Well you don't want to lose those keys ... there is a bit of a conundrum there (granted you don't have to do it the way they did either).
As far as how exactly they got caught, there was a reward offered by the company it was stolen from. It may have been someone tipped the feds off for the reward.
I'm not invested in crypto or really at all interested in it. That said, my mentor seems pretty excited about it and is pretty heavily invested as of the past few months. I advised him to do something like https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing and distribute it across a wide number of storage mechanisms, physical, digital, and custodial. For instance, in google drive, in drop box, in a bank safety deposit box, engraved in a gold bar buried in your yard, in your house safe, etc.
Why anyone with a significant amount of crypto assets isn't going to insane extremes in terms of secrecy and durability is beyond me.
I don't understand the math but I think I have seen that style of secret management where any 3 of say 10 secrets can access something but no 2 or any 1 secret can do it.
It would seem to solve a lot of just organizational problems where "jan is out of the office today" and nobody can do the thing ... but if access is spread out among 10 people ... 3 probably are in the office when needed.
Granted I've never seen it used in production personally, not / seen it on a granular level.
> In order to prevent one person from having complete access to the system, Vault employs Shamir's Secret Sharing Algorithm. Under this process, a secret is divided into a subset of parts such that a subset of those parts are needed to reconstruct the original secret. Vault makes heavy use of this algorithm as part of the unsealing process.
I have used it. It works. Tooling is still pretty poor. Every use, we ended up bringing the necessary people into a room, booting up an offline laptop from a sha-summed live USB, QR code scanning each of our secrets, combining them, then using the key to sign whatever we needed to sign, photographing the signature as a QR code. We use software from 2008 because an OS stack contains code from tens of thousands of developers, and we felt old software was less likely to have an active 'steal these keys and exfiltrate them via open wifi' malware.
We would first go through the process with 'dummy' keys to check everyone was happy with the process and what we were going to do (ie. which commands, what software, what exactly will be signed). We would then do it again with the real thing. And then we'd power off the computer till next time it needed to be used.
"Clunky" would be a good way to describe it... But it's hard to make it better without relying on a bunch of software we don't have the resources to audit.
This plan doesn't really scale to the 2000 wallets mentioned in the OP. But maybe that scenario only comes up when you're looking to launder billions of dollars worth of BTC?
There's an unbalanced relationship there, however, in that the criminal only has to be an idiot (or even just "not smart enough") once, to ruin an entire chain of previously smart actions. Law enforcement may only need one thread to unravel an otherwise finely crafted crime.
There's also a lot of time for law enforcement to try and find these threads as well, meaning the perpetrator could well be living in paranoia for as long as the statute of limitations lasts.
People that are capable of getting away with life-changing money type crimes would often be better off being entrepreneurs at the edges of existing regulation. Hello cryptocurrency...
3) they made the big blunder of keeping their private keys in their online account. Most likely a txt file in google drive. That is such a silly blunder. Without the private keys, the police has zero proof of anything. They could have made a hundred excuses for how they got money in their bank account, as long as the police didn't have the private keys. Who keeps their private keys in an online account?
Not necessarily. If they can spend stolen $, presumably that may be enough to persuade a jury they own it.
I agee. Also, intimidation tactics can work here - e.g. telling them they might go to prison for life bec justice wants to make an example out of them.
The (alleged) criminal only has to make one mistake to get caught, if the pursuers are good. Steal enough money and the best pursuers will be assigned to catch the perp.
I don’t think Bitwarden would be helpful. You still need to protect your master password and the company is still subject to the will of law enforcement.
While I do partially agree that some of it may be grandstanding. The whole:
"Thanks to the meticulous work of law enforcement, the department once again showed how it can and will follow the money, no matter what form it takes.”
and suggesting AEC and chain hopping is futile is an effective propaganda tool. I mean its possible something major changed, but I think your thoughts are closer to reality.
If true, this is interesting, because apparently fake identity accounts on exchanges are cheap ( partially 'thanks' to all the breaches over the years ).
At the same time this crime shows the weakness of crypto: with an ever appreciating linked asset with no ability to truly "gap" transfers, you can always trace where the money goes, even with a mixer (you just then need to track many more targets, but eventually the money re-concentrate somewhere you can see), transfering just once with someone who knows your name instantly gives you traceback ability to all the transaction (can't fund a wallet without tracing back to the first ever source of fund on chain), and the fact it appreciate is the greatest enemy of money laundering: where a Mexican kingpin would understand that there's value in losing 40% of their money rather than have it stashed in USD bills in a warehouse, crypto is tempting to keep, this guy couldn't realistically forfeit a large majority of the fund by for instance randomly giving it to 5000 honest wallets with 1 being his for instance.
It's great for us non criminals, but it's one more utility of crypto going down the drain. What is it good for, if not even crime.
Sorry, yes. I used the term propaganda, but I briefly forgot its negative connotation. In this particular instance, I meant it more along the lines of 'shock and awe' your adversaries. I am hardly cheering on an alleged hacker/thief/launderer. The point stands, but thank you for pointing the perception issue out.
Even I encrypt my keys before uploading them to the cloud, and I don't give them a descriptive name, and I have less than $2000 worth of cryptocurrencies, and it wasn't stolen.
You only need to remember a big random number (can be a long phrase from a book you like), and a rule that generates keys, e.g. (keyid, seed) -> hash(keyid + seed). Needless to say, you never write the seed phrase down. At most you keep a vague pointer to the author of that book.
You use a 2048 word dictionary (a random choice in that wordlist represents [log 2048 =] 11 bits of entropy) then you generate a random string of 132 bits to be your cryptographic seed which is a sequence of 12 words from the wordlist which you memorize.
From that seed you can generate for all practical purposes an infinite number of private keys for any and all purposes in existence. Using cryptographic one way functions such as a hash or PRNG.
Have a google for BIP-32, about Hierchical Deterministic Wallets. A secret key is nothing but a number, so it's not too hard to generate more numbers from that seed. If you have the seed and the parameters for the child numbers, you have all the private keys you want.
Just to clarify: the statement is not that you could encode those existing 2000 private keys with one short seed (you cannot, indeed), but rather that you could easily and safely generate 2000 distinct private keys from one relatively short seed.
Keys are conspicuously easy to hide. My PGP master key that I've been using for some time is hidden on two devices which would be difficult to identify much less locate and are encrypted as well.
Even with the fervor of the federal government they'd be easy to hide.
A USB is tiny, and you can shrink it's footprint with USB-C. You can also buy USB keys with tamper-proof housings that will blow a fuse if opened to be physically compromised. Coupled with strong post-quantum crypto, that key is relatively secure, even if physically discovered.
That's just the technical bit. You can also split the key in half and transfer the other half somewhere, which creates legal protection. You could also create a housing for the key so it's not easily discoverable.
If all that sounds a bit extra, circle back to that the perpetrator has 4.5 Billion worth of something.
You are pushing it. 1000 words is 10 bits of entropy per randomly chosen word. 70 bits of entropy is probably crackable by a government agency.
Edit: I checked and unless I mixed some zeroes somewhere it looks like the current bitcoin hash rate of 200 million TH/s can crack 92 bits within a year. log (200,000,000,000,000,000,000*3600*24*365) / log 2 = 92.35
TBH, with 4B at stake, I wouldnt blindly rely on AES. I'd use it as the 1st step, and then additionally encrypt its output with a custom AES-like algorithm (change tge s-box, change the number of rounds, maybe upgrade it to 512 bits). Even if my homebrew algo is weak, there's still standard AES behind it.
vitalik (ethereum founder) used an interesting system. He split the key in 2. Wrote both on paper. Gave 1 paper to family and kept the other. Even if the police raid him (hypothetically), they cannot raid the houses of his family and friends at the same time
This way the police or anybody else cannot get your private key.
You really think the government would have trouble doing a handful of raids at once? They have enough officers to do a thousand raids at once. The FBI and Interpol did just that recently, coordinated across more than a dozen countries:
No, but if you don't have your half memorized and they take it from you, the other half is useless. This is more useful if you want to leave your crypto to your family if you die, provided that you make it easy for them to find your half if you're not around.
The police wouldn't have to raid the family members, they'd likely give up what they know immediately, to avoid become accessories to whatever crime the police were alleging.
There's a lot of evidence in the statement_of_facts however it's unclear how much of it can only be reconstructed with the private keys. Interested parties should really look to what was known to grant the search warrant.
They don't usually give details of how they caught them, because the next bad-actor will read that to know their tactics.
Search warrants are given on reasonable doubt. When it comes to cryptocurrencies, the feds have reasonable doubt on everyone. So it is always possible for them to get a search warrant.
I emphasized private keys, bec without them, no matter how much doubt the feds had, they couldn't prove anything.
good point. If they had tried to use a bridge to convert their bad bitcoin with good ethereum, would they have been denied service since everyone knew that these btc were bad?
As to your 2nd point, I agree. Another mistake was uploading private keys to google drive.
There are very few exchanges left which don't require KYC and even then the real final step is cashing to some kind of bank account. I don't think crypto->fiat privacy is possible beyond a certain level of wealth.
OFAC has broadened enforcement to the point that pretty much any financial transaction across the world has a US nexus. Moving that much stolen crypto without the feds noticing? No chance.
lol using a mixer means that the feds don't know which account contains the bad funds. So they don't find the identity of the perp. So no possibility of beating the perp.
So most likely,
1) they didn't launder it properly, leading to police being able to trace it to their bank accounts. I wonder if tornado.cash was used.
2) then police had their names, leading to warrants for all online accounts - google account, apple account, etc.
3) they made the big blunder of keeping their private keys in their online account. Most likely a txt file in google drive. That is such a silly blunder. Without the private keys, the police has zero proof of anything. They could have made a hundred excuses for how they got money in their bank account, as long as the police didn't have the private keys. Who keeps their private keys in an online account?
Apparently the biggest criminals make too many silly mistakes. The old saying applies here: "you don't have to be smart, just don't be an idiot"