Join us to hear the story of Ilya “Dutch” Lichtenstein, a Bitfinex hacker, and his bedazzled, rapping, and money laundering wife Heather “Razzlekhan” Morgan. Together they stole over $5 billion worth of bitcoin from Bitfinex. This is eCrimeBytes.com Season 2, Episode 10, Act 2: The Bitfinex Bitcoin Heist With Dutch And Razzlekhan – Act 2: The Launder.
Spoiler Alert: Razzlekhan’s music is so bad it makes BigRigBaby look like Dr. Dre.
For the background, please see the prior acts:
- https://nypost.com/2022/03/22/bitcoin-couple-ilya-lichtenstein-heather-morgan-talk-plea-deal/ (Photos)
00:00:10:00 – 00:00:32:10
Hey welcome back to eCrimeBytes season two episode ten. We’re here with Dutch and Razzlekhan. No, that’s not the people on the screen. If you’re watching this, we’re not Dutch and Razzlekhan. We’re talking about Dutch and Razzlekhan, which is a young couple in New York City that stole a bunch of money from Bitfinex, which is a cryptocurrency exchange.
00:00:32:12 – 00:01:01:10
At some point, Dutch had been kind of hacking away at them for several years, but at some point around 2018, he got the keys where he could authorize cryptocurrency transactions on behalf of Bitfinex because he stole them. And then he just went to town and just started stealing a bunch of money. At the time he stole it, it was $71 million, but at the time it was seized back from the government, it was 5 billion.
00:01:01:11 – 00:01:07:26
B big B billion dollars. That’s how much it appreciated over a couple of years. So
00:01:07:26 – 00:01:34:16
once Dutch is in the system, he doesn’t want to get caught. So one of the things he does is he starts destroying evidence. Now, why do I say this? Because a lot of times attorneys later on will say this is evidence he knew he was doing something bad because one of the usually easiest computer defenses is I accidentally ran the rm -rf command and it removed everything.
00:01:34:16 – 00:01:46:00
I didn’t know what it was going to do. Well, in this case, what they’re saying is Dutch went in and removed some evidence, so he definitely knew what he was doing, was not on the up and up.
00:01:46:00 – 00:02:03:21
He would go back to that victim’s computer logs and he would delete, you know, access credentials, certain log files that would give investigators someone like me when I used to do more computer forensic investigations, a lead into who to look at and who to investigate.
00:02:03:21 – 00:02:04:25
He deleted all that stuff.
00:02:04:25 – 00:02:11:00
Another thing he did is a term, a new term. Something I was going to throw at you called credential spraying. Now,
00:02:11:00 – 00:02:22:10
probably sounds like a weird term if you’ve never heard it before. It’s a computer security term. All it really means is someone broke into one website, learned your usernames and passwords there,
00:02:22:10 – 00:02:24:24
and then went and used them at other websites.
00:02:24:24 – 00:02:43:05
So for instance, let’s say I have an E-Trade account, right? And I have a user name of Bob and my password Sally. Someone might go to what is what’s another trading Robinhood so might go to Robinhood and try that same username and password of Bob and Sally and I might have an account there and they might be able to log in.
00:02:43:05 – 00:03:15:09
Well since Dutch had the information from the victim, he had those usernames and passwords, he was then able to use those usernames and passwords at other cryptocurrency exchanges and further exploit the victims that became a victim at Bitfinex. So imagine that being a victim at one spot. That’s rough being a victim. Two spots, three spots, four spots. That’s got to be even tougher because you’ve got to deal with all those companies and try to figure out what happened to your funds and so forth.
00:03:15:09 – 00:03:34:21
So I want to mention that this the big hack that we’re talking about, where they get the $5 billion, it didn’t just happen on thin air. Ever since Dutch was a I’m going to say kid younger, you know, not he’s probably not seven, eight years old doing this. But I’d say in his teens
00:03:34:21 – 00:03:39:21
he tried to exploit Bitfinex and at some points he was even successful.
00:03:39:21 – 00:04:03:17
He was able to get things like API access, which is the application programming interface access, which is people like me we can interface with computers that way in order to get data off them. So he was able to do it in a way that was unauthorized. He shouldn’t have been able to do that and get data, and because of that, then he was able to steal hundreds of thousands of dollars.
00:04:03:17 – 00:04:07:24
And in one instance, he stole $200,000 from that cryptocurrency exchange.
00:04:07:24 – 00:04:20:13
He also dabbled in other coins. We’ve been talking a lot about Bitcoin and we’re going to sprinkle other coins in here and there. But another one that he stole around that era when he was younger was something called pay coin.
00:04:20:16 – 00:04:27:07
So Dutch, you can imagine he’s been busy and he’s been squirreling away a bunch of virtual currency that he’s been stealing
00:04:27:07 – 00:04:41:07
in January 2018. He has all those thousands of transactions out of wallets in Bitfinex into this other wallet, the four s wallet that we talked about earlier.
00:04:41:07 – 00:04:42:24
He transfers funds
00:04:42:24 – 00:04:48:09
illegally without authorization into that wallet he
00:04:48:09 – 00:04:55:28
transfers then money out of that wallet into a bunch of places to try to conceal where the money came from.
00:04:55:28 – 00:05:05:05
And this is where the money laundering starts to happen because he takes some of that money and he uses it on AlphaBay, he sets up, you know, sellers and
00:05:05:05 – 00:05:18:01
customers and all that kind of stuff to make it look like real accounts happening. But basically it’s just kind of funneling money. He used other sites like that called Hydra. He used technology that we talked about with Larry and
00:05:18:01 – 00:05:32:21
Gary Harmon with CoinJoins, mixers and exchanges. He tried to use services that did not require a user to identify themselves through their own PII. And now
00:05:32:21 – 00:05:43:04
at some point, Razzlekhan starts to help him launder money. At first it was reported that she did not know where the money came from, but she did figure it came from illegal activities.
00:05:43:04 – 00:05:46:12
I imagine because the amount of money that he was bringing in
00:05:46:12 – 00:06:02:00
Sometime between 2017 and 2020 Dutch finally told Razzlekhan he was responsible for the Bitfinex heist. And what did Razzlekhan do? Do you think she went and turned him in? Hell, no, she says. I’m in, you crazy bastard.
00:06:02:07 – 00:06:06:03
I mean, seriously, I thought about it. What would you do if your spouse came to you and said…
00:06:06:03 – 00:06:21:10
I got $5 billion of stolen money because you’re like, Well, if I turn him in, I’m. This is not going to be good for either one of us. I mean, you’re kind of that’s a that’s a pretty life changing decision you make, either splitting from your spouse or you’re going in with them.
00:06:21:10 – 00:06:22:24
And she decided to go in with them.
00:06:22:24 – 00:06:26:01
Yeah. I mean, it’s a Sophie’s Choice there. I’d probably turn my wife in.
00:06:26:27 – 00:06:46:24
Ish. Hopefully she won’t watch this episode. So let’s talk about the money laundering steps involved here. There are numerous accounts that were set up and used in this scheme. These were set up programmatically along with programmatically generated transactions. Right? So there’s a lot of money they had to launder here. They had to do it in very micro segmented chunks.
00:06:46:24 – 00:07:04:19
Right. So and some of these were for seemingly legit U.S. businesses. Funds were sometimes converted. Either currency through Russian and Ukrainian bank accounts converted some of them to Bitcoin. So they converted some of their bitcoin rather to other types. They call that chain hopping.
00:07:04:19 – 00:07:09:06
So there were mixers such as Helix that were used.
00:07:09:12 – 00:07:40:22
We talked about that in episode seven of this year with Larry and his other brother Gary. They would buy illicit fake accounts that were set up to look legit when they use their PII or personally identifiable information was required and they converted some of the funds into, this is in the news right now, gold coins. Reading about reading current Senator Bob Menendez has found with a bunch of gold in his basement for just in case purposes.
00:07:40:22 – 00:08:09:02
So Razzlekhan and Dutch converted some of their funds into gold and Razzlekhan, literally buried them and we’ll talk about that later on in the episode. So the court documents get really specific on this and they explain how the money was really laundered. They’re talking about how Dutch with they named her Morgan by the way Jones and the documents I’m going to rename her Razzlekhan. She should actually have a formal name change because it’s such a great name.
00:08:09:05 – 00:08:33:13
Dutch with Razzlekhan’s assistance would convert stolen funds through the use of debit cards, and these debit cards were linked to foreign bank accounts and the foreign bank accounts were registered to Russian and Ukrainian money mules who worked for brokers and who typically created the accounts in person. So they were literally hiring people in Russia and Ukraine to go to their local banks to convert these fees via debit cards.
00:08:33:16 – 00:08:47:02
The accounts were then offered for sale by brokers on Darknet markets in cybercriminal forums. I got to pause here for a second Jones. I have to imagine that this is like a goddamn full time job. This sounds like a ton of work. I mean, I guess if.
00:08:49:03 – 00:08:53:23
Even if it’s 71 million like, and you got to make it look like it’s not 71 million, that’s a lot of work.
00:08:53:23 – 00:09:11:17
So we learn more from the court documents. Dutch acquired numerous accounts through these platforms. The purchased account packages included a debit card as well as identity documents, scans and the SIM cards associated with the phone used to establish the account.
00:09:11:17 – 00:09:17:02
So it’s literally like a black box of illegal shit to your money laundering.
00:09:17:04 – 00:09:20:22
Oh, we got pictures. We got. Yeah, we’ll show pictures.
00:09:20:24 – 00:09:38:12
Lest you think you can buy anything on the internet, you can buy anything on the internet. Dutch had the packages delivered to him during trips with, I thought this was funny Jones, with Razzlekhan to Kazakhstan and Ukraine. And I can’t not think of Kazakhstan and not think of our friend Borat.
00:09:38:12 – 00:09:50:06
I assume Dutch speaks like Borat. By the way, the packages were typically shipped via a shipping service or handed off by a courier or in a prearranged public meeting place such as like a train station or something.
00:09:50:09 – 00:10:03:20
Dutch then sent Bitcoin to Russian and Eastern European based instant exchange platforms, which converted the Bitcoin to currency and deposited the corresponding funds into the Russian and Ukrainian bank.
00:10:03:20 – 00:10:19:03
But clearly this was clearly well thought out and apparently effective for a while until it was it. Dutch and Razzlekhan would travel to ATMs in the United States and use the purchased debit cards to withdraw funds.
00:10:19:06 – 00:10:40:19
That’s how they I guess, you know, literally use the money that they stole. Dutch and Razzlekhan would bring multiple cards per trip and they only use one card per ATM to avoid any suspicion. So this was not a bunch of rookies. They really thought this out and were making smart decisions on the criminal enterprises as they were very clever.
00:10:40:19 – 00:11:06:20
So like Seth said, you could tell they thought this out. They knew they had some money. They tried to launder as best as they can, and it doesn’t stop there. Now. They involve some of Razzlekhan’s, it’s I think they’re legitimate businesses. They didn’t say exactly the court paperwork, but the way it read, it sounds like it was legitimate businesses that she funneled some of this money into to make it look like it was coming through.
00:11:07:07 – 00:11:30:23
So one of the companies is named EndPass that Razzlekhan owns. So she said this business is going to get a bunch of money and it’s because I produce some software that people pay for as software as a service. So you can think of like monthly payments from my customer in order to use my software, probably out there on the cloud or in the web.
00:11:30:23 – 00:11:45:02
But in reality, Dutch and Razzlekhan started stuffing their illegal proceeds in there and try to pretend it was just, you know, it was a software as a service, but it was the stuff that they stole that was just one of the spots that they used to try to launder some of the money out
00:11:45:02 – 00:11:48:28
In another one of our companies, which is called Sales Folk
00:11:48:28 – 00:12:05:22
spelled s a l e s f o l k, she said that and I say Razzlekhan said that they’ll focus a B2B customers that pay with cryptocurrency and that means business to business.
00:12:05:22 – 00:12:25:06
So you can think of more than your usual transaction, if you were giving your kid some money on Venmo or something like that. You know it would be thousands of dollars of one business paying another business for invoices and things along those lines. But she says, I receive cryptocurrency.
00:12:25:06 – 00:12:34:15
She’s also said, additionally, I have a personal cryptocurrency of my own that I would like to sell to finance the development of some new software in this company that we’re beginning to build.
00:12:34:18 – 00:12:59:19
Because the company is an LLC taxed as an S corp, it has pass through taxation and I am the sole owner that’s going to use some of my personal crypto to fund out new software projects. So she’s trying to pretend that she has some personal crypto saved up and she’s going to fund some projects in her legitimate business with it and that’s how she’s stuffing more illegitimate cryptocurrency to do the money laundering.
00:12:59:22 – 00:13:20:24
We have more. We have another statement where she says, Hey, I have some cryptocurrency coming in that my boyfriend now husband gifted to me over several years. And this goes back, you know, she’s talking in 2019 and this goes back to 2014, 2015 is what she’s referring to.
00:13:20:24 – 00:13:32:05
So she says they’ve appreciated. You can imagine over several years they have. She says I have been keeping them in cold storage, which means typically off line.
00:13:33:05 – 00:13:42:18
You’re going to see something here in a minute. Another one of those Trezor wallets that I think that’s what she’s referring to with a statement. I don’t know it to be a fact, but that’s what I put together when I read this.
00:13:42:18 – 00:13:50:08
Now, again, this is money that her husband gave her. Well, I lied. She’s probably exactly telling the truth here.
00:13:50:10 – 00:13:59:27
Her husband boyfriend at the time probably did give her a bunch of Bitcoin that was fucking stolen from Bitfinex. And that’s where she lets a.
00:13:59:27 – 00:14:01:25
Little detail like the fact that it’s stolen.
00:14:01:25 – 00:14:22:24
Jones. Yeah. So that’s what she’s stuffing into this account. So you can imagine doing all the shenanigans, you would say, Oh, they probably got away with it. Nope, they were caught and I have to stop here because this is the end of Act two, because the next three we’re going to talk about the search warrant. And this is where this is going to be a very picture intensive act.
00:14:23:00 – 00:14:44:12
And if you can watch this one, I recommend it because we’re going to show where they live and the search warrant pictures and all that kind of stuff. And it’s a lot of fun. So please, whatever application you are on, like, subscribe. If you’re on Apple Podcasts, give us a five star review and let us know whatever episode you like the most and we’ll try to have more like them and visit our website.
00:14:44:12 – 00:14:59:16
It’s eCrimeBytes spelled the computer way b y as in yellow milk t e s dot com. Come back. Seth and I are very excited to walk you through the search warrant and all the pictures.
00:14:59:19 – 00:15:02:01
Well, the search warrant is great. The search warrant.
00:15:02:01 – 00:15:19:06
And act three and yeah. And it just sets it up from there. It’s, it’s wonderful. When I, when I found their address and found the pictures of their condo, I was in awe, but I was like, this is going to be the best act out of all these just going through these pictures, so please do come back. We look forward to seeing you then.