(Bloomberg Businessweek) — The hackers had been inside the Bitfinex servers for weeks before attempting the heist. They’d watched users on the cryptocurrency exchange buy and sell Bitcoins. They’d studied the commands that controlled the security system. It was as if they were hiding in an air duct above a bank’s vault, watching as tellers meticulously moved cash in and out, looking for vulnerabilities.
They weren’t after Bitcoins, exactly. Bitcoins only exist as entries in a database maintained by computers around the world. What they needed were the private keys: cryptographic passwords that would allow them to unlock the coins and move them. Once they found the keys, they struck. At 10:26 a.m. on Aug. 2, 2016, the hackers raised the exchange’s daily withdrawal limit from 2,500 Bitcoins to 1 million, more than enough to empty out the whole vault. Then, using the private keys, they started broadcasting instructions to transfer Bitfinex’s Bitcoins to addresses they controlled on the blockchain. Over the next 3 hours and 51 minutes, the hackers stole 119,754 coins—more than half the holdings of what was then one of the world’s largest cryptocurrency exchanges.
When Bitfinex executives realized what had happened, they hired a security team to search the servers’ memory for clues. The hack was ambitious and sophisticated, and some users suspected an inside job. Or perhaps the culprits were part of North Korea’s elite hacking corps, which, six months earlier, had stolen $81 million from Bangladesh’s central bank. But the researchers had little to go on. Before logging off, the hackers had effectively wiped their digital fingerprints.
The only information Bitfinex had was the 34-character addresses on the blockchain where the hackers sent the money. In an attempt to get help from the public, the company put those addresses on the internet for all to see. For years, most of the funds stayed in those digital wallets, more or less untouched, even as Bitcoin went from being a nerdy curiosity to fueling a global mania that pushed its price up more than 100-fold. By 2021 the stolen Bitcoins were worth more than $8 billion, making the theft the richest in history. The money was sitting right there, but there was no obvious way to figure out who’d taken it. And without the hackers’ private keys, there was no way for police to get it back.
But in Grand Rapids, Mich., an Internal Revenue Service agent working from his basement had found a clue. The wallets seemed to be connected to a New York City couple in their early 30s: Ilya Lichtenstein and Heather Morgan.
Judging from social media, these two didn’t exactly appear to be criminal geniuses. Lichtenstein, who goes by Dutch, had curly hair and an impish grin, like a baby-faced Elijah Wood. He seemed very fond of the couple’s Bengal cat, Clarissa. Morgan’s thing was music—extravagantly bad music that she wrote, performed, and released in videos on YouTube and TikTok. In one, she danced and pretended a toy reptile was her penis. In another, she gyrated down the streets of the Financial District wearing a gold track jacket, a fanny pack, and a flat-brimmed hat reading “0FCKS.” She called herself the “motherf—ing crocodile of Wall Street.” In one song, she even bragged about her hacking skills: “Spearphish your password / All your funds transferred.” Her rap name was Razzlekhan.
Morgan, then 31, was the founder of a small copywriting business called SalesFolk. She was living with Lichtenstein in a $6,500-a-month high-rise apartment on Wall Street. On her TikTok posts, the apartment was stuffed with knickknacks, including a crocodile skull, a camel figurine, and an unexplained item described only as “Ukrainian sewer rocks.” A zebra pelt hung on the wall near a zebra-striped elliptical trainer. Two long-horned antelope skulls were mounted there, too, along with a framed X-ray of Morgan’s lungs from when she contracted MERS in Egypt.
She portrayed herself as an always hustling, rule-breaking tech disrupter, like Uber’s Travis Kalanick or Airbnb’s Brian Chesky. She wrote a regular column for ; her author bio read: “When she’s not reverse-engineering black markets to think of better ways to combat fraud and cybercrime, she enjoys rapping and designing streetwear fashion.” Or, as she put it in her song : “I’m many things. / A rapper, an economist, a journalist, / a writer, a CEO, / and a dirty, dirty, dirty, dirty ho.”
As a performer, Razzlekhan is both hypersexual and aggressively unappealing. She alternates jokes about diarrhea and sex with boasts about her edgy business practices. Her signature move, if you can call it that, is to throw up her hand with her fingers split into a “V,” stick out her tongue, and say, “Razzle Dazzle!” Then she makes a loud phlegmy cough.
Her songs, from to , are full of painfully forced rhymes, with a delivery so stilted she makes Chet Hanks sound like Kendrick Lamar. Her lyrics are nonsensical. In , she describes a hallucination in which she’s given a magic lamp and meets a genie who offers to fulfill her wishes in exchange for “a handie.” Only later does she learn the genie’s true identity: “This was no ordinary perv / It was Mark Zuckerberg.”
In her columns and self-help YouTube videos, Morgan explained that she created her rap persona as a way to embrace the weirdness that used to make her a target of ridicule. She’d grown up outside Chico, Calif., where she was “bullied mercilessly” about her lisp and braces. While at the University of California at Davis, she studied abroad in South Korea and Turkey. After graduating, she found a home among the backpacker set, first in Hong Kong, then Cairo. “When she meets someone, it’s like they’re forever her friend,” says Amina Amoniak, who stayed in touch with Morgan after meeting her a decade ago through the website Couchsurfing.
Morgan met Lichtenstein about seven years ago in San Francisco, where she’d moved to work at a startup. Traces of their early flirting can still be found on LinkedIn, where Lichtenstein left Morgan a recommendation. “Heather crafts precisely targeted messaging that sticks in customers’ brains like a finely sharpened meat hook,” he wrote.
Born in Russia, he’d grown up in Chicago, where his parents had moved to avoid religious persecution. While at the University of Wisconsin at Madison, he discovered a shady practice of the internet known as “affiliate marketing,” where people buy ad space in bulk on Facebook or Google and craft ads for diet pills, brain boosters, and offshore gambling sites. Lichtenstein claimed in forum posts that he made more than $100,000 a year from affiliate marketing while he was still a student.
Ryan Eagle, an affiliate marketer who says he did business with Lichtenstein, says that even in an industry full of obnoxious bros, Lichtenstein’s intelligence and arrogance stood out. “He was one of these f—ing nerds that tries to get under your skin,” Eagle says.
After graduation, Lichtenstein co-founded an advertising technology company, then left it in 2016 and became an angel investor. In Morgan’s TikTok videos, he often seems like a grudging participant. “You keep filming me, expecting something to happen, what do you want me to do? You want me to shove something up my ass and do a little dance?” he asks in one video, after Morgan asks him about his habit of tasting Clarissa’s cat chow. (“It needs salt, it needs pepper, but other than that it’s pretty good,” he says.) Lichtenstein didn’t respond to requests for comment.
I’d hoped to ask Morgan for her side of the story. I thought about calling, but in , she’d recommended against it: “Email me, f— your message at the beep, beep, beep.” Then I realized she’d given entire presentations about how to get people to respond to emails. Her first rule was to “e-stalk” your audience to understand them. Having subjected myself to hours of her songs and videos, I figured I had that one covered. Then it said to think about what the competition is doing. I’d read that Netflix Inc. had already commissioned a documentary about her from one of the makers of . “Heather,” I wrote, “the documentary people are out to make you the next Tiger King. Your input could help reshape the narrative.” She didn’t reply.
It seems unlikely that someone who tried to rhyme “Razzlekhan’s the name” with “that hot grandma you really wanna bang” could in fact be a master thief. Then again, this is the crypto world, where a lack of experience or competence hasn’t always been a barrier to fame and fortune and where large-scale hacks are a regular occurrence.
Bitcoin exchanges basically have one job—to keep the cash and crypto sent by users safe—and since the beginning of the industry, they’ve failed at it. The first big exchange, Mt. Gox, repurposed a website created as a place to trade virtual Magic: The Gathering cards. It had security and record keeping that was so poor, hackers would steal Bitcoins as soon as users deposited them. Mt. Gox filed for bankruptcy in 2014, saying it had lost 7% of all Bitcoins in existence. The hacks of exchanges kept coming. Among the biggest: Coincheck was taken for $530 million in 2018 and KuCoin for $280 million in 2020. Last year, according to crypto-security firm Chainalysis, a total of $3.2 billion in cryptocurrency was stolen from exchanges and decentralized finance (or DeFi) apps, in which crypto traders make deals directly with one another. That’s 100 times more than the total stolen in all bank robberies in an average year in the US, Federal Bureau of Investigation statistics show. Much of the money was taken by North Korea’s Lazarus hacker group, Chainalysis says.
At the time it was hacked, Bitfinex was seen as one of the most reputable exchanges, but it wasn’t exactly Fort Knox, either. It was originally based on code copied by a young Frenchman from an exchange called Bitcoinica that had been widely seen as insecure, and it was run by a plastic-surgeon-turned-low-end-electronics-importer, Giancarlo Devasini. Based in Milan, Devasini invested in Bitfinex in 2012 and became the de facto head of the exchange, though on paper he’s the chief financial officer. He’s also the boss of Tether, the issuer of a so-called stablecoin that’s supposed to be backed 1-to-1 with dollars but has been fined by US regulators for lying about its $67 billion in assets.
Bitfinex set up a new security system after it lost about $400,000 of cryptocurrencies in a 2015 hack. Other exchanges generally mixed users’ coins together and stored the private keys on computers that weren’t connected to the internet, a practice known as “cold storage.” The new system kept each user’s balance in a separate address on the blockchain, allowing customers to see for themselves where their money was. It used software from San Francisco-based crypto-security company BitGo. “This new level of transparency and security makes breaches such as those of Mt. Gox impossible,” Mike Belshe, BitGo’s chief executive officer, said in a press release announcing the deal.
The BitGo software was programmed to automatically approve transfers under a certain limit, so small withdrawals wouldn’t be delayed, but it required a Bitfinex executive to manually sign off on large ones. This was supposed to mean that even if Bitfinex got hacked, only a small number of Bitcoins would be stolen at most. But the system configuration was flawed. The limit could be changed with a computer command sent by someone with a Bitfinex executive’s electronic credentials.
That’s what the hackers did after first using a “remote-access Trojan” to infiltrate the exchange, according to court documents. Such malware lets attackers gain full control of a target’s computer, as if they were sitting at the keyboard. The hackers were only stopped when someone at Bitfinex happened to check account balances and noticed something was off.
Bitfinex executives have said they considered filing for bankruptcy after the attack. Instead, to give themselves a chance to make up the losses and stay in business, they simply reduced the balances of all customers by 36% and issued IOUs to cover the losses. Within eight months the exchange had earned enough to pay them back, either in cash or in Bitfinex stock.
Bitfinex reported the hack to authorities, but there were no leads. The hackers erased the servers’ memory on their way out, wiping any pointers to their location. Ledger Labs, which investigated the breach on behalf of Bitfinex, was unable to determine how exactly the hackers got into the exchange’s servers. BitGo has maintained that its software functioned properly, though it changed its rules so that withdrawal limits could only be raised after a video call with a BitGo employee. BitGo and Bitfinex declined to comment, as did Ledger Labs’ lead investigator.
Michael Shaulov, a former coder for the Israeli Intelligence Corps and the co-founder of crypto-security firm Fireblocks Inc., says hacks like these generally don’t require a high level of technical expertise. Often, he says, the hardest part is crafting an email that tricks an insider into opening a malicious attachment. “The social-engineering vector is key,” he says.
That seemed like a clue. Morgan had given a talk titled “How to Social Engineer Your Way Into Anything” in 2019 at an event called NYC Salon. In a promotional flyer for the speech, she posed in a tight, snakeskin-print metallic dress while holding a large pipe wrench. “I hate the term ‘manipulating,’ ” she said in the talk, after attempting to warm up the bemused crowd by rapping a few lines from . Social engineering, she said, involves “getting someone to share information or take an action that they otherwise would not.” And in what was either an unfortunate coincidence or another stunning act of hubris, on the day before the hack Morgan posted a photo on Instagram of her and Lichtenstein sitting on a blue plush couch, with the caption “I will always love getting into trouble with this crazy guy.”
On the day of the hack, a Bitfinex employee logged in to the main Bitcoin forum on Reddit and posted all the addresses where the hackers had sent stolen Bitcoins. It didn’t look like much—it was just a list of thousands of 34-character codes. But it was like setting off a dye pack to mark the money in a bank robber’s bag of loot.
All transactions on the Bitcoin blockchain are public, so anyone can look up an address and see all the other addresses it sent coins to or received coins from. Few people would accept Bitcoins from the addresses Bitfinex had disclosed on Reddit. Even if they had no qualms with stolen money, they’d be concerned about whether they could spend it themselves—or if they’d become suspects.
For five months the stolen Bitcoins didn’t move. It seemed the hackers had forgotten a crucial part of their plan: To actually use the Bitcoins they’d stolen, they’d have to find a way to erase the connection to the hack. One place where stolen Bitcoins were welcome was AlphaBay. It was a marketplace on the dark web, a hidden part of the internet only accessible through an anonymous browser, where users posted classified ads offering opioids, guns, and stolen credit cards in exchange for crypto. On its website, AlphaBay said it wanted to be “the largest eBay-style underworld marketplace.” In case anyone missed the point, its FAQ had the question “Is AlphaBay Market legal?” Answer: “Of course not.”
In January 2017, about $22,000 worth of the hacked Bitcoins were moved to AlphaBay in a series of small transactions. All Bitcoins sent to AlphaBay were mixed together, making them harder to connect to wherever they’d come from on the blockchain. Once a user withdrew their funds to a new address, their Bitcoins could be traced back only as far as AlphaBay. Although all the major exchanges were unwilling to accept Bitcoins that had come from addresses associated with the hack, some smaller exchanges were willing to take coins that came from a dark web drug bazaar.
From AlphaBay, those hacked Bitcoins were sent to one crypto exchange, then another. The second exchange account was opened by Lichtenstein, using his real name. He’d even sent in a selfie to verify his identity. The only person who’d know the connection between Lichtenstein and the hacked funds would be the person running AlphaBay, who went only by Alpha02.
Unfortunately for the thieves, AlphaBay was already the target of a separate investigation. Police from several countries thought they’d figured out that Alpha02 was a 25-year-old Canadian named Alexandre Cazes, who’d moved to Thailand and bought three properties, a Lamborghini, and a Porsche with his profits. Among his mistakes: On some early messages he used an address, Pimp_Alex_91@hotmail.com, that he’d also used under his real name.
On July 5, 2017, the investigators put in motion what they called Operation Bayonet. Royal Thai Police rammed a car into the front gate of a compound in Bangkok where they and US authorities suspected Cazes was living. The commotion lured him out, and, while police detained him, other agents rushed inside. Cazes was arrested and died in prison a week later in an apparent suicide, according to the . But he left behind lots of evidence. Inside his compound, police found his laptop, open and logged in to AlphaBay.
Among the US federal agents who’d traveled to Bangkok for the AlphaBay bust was Chris Janczewski, then 33, a special agent with the IRS. Strange as it sounds, Janczewski had wanted to work for the IRS ever since a special agent had visited his accounting fraternity at Central Michigan University. The speaker had regaled Janczewski and his fellow aspiring accountants with stories of high-speed chases and kicking in doors. But at his first job there were no chases and no doors to kick in—just audits of a bunch of plumbers and car dealers in and around Charlotte. “As you can imagine, people aren’t super excited that you’re there,” says Janczewski.
In 2015 he was recruited to a new cybercrime unit in Washington. The team of about a dozen agents first focused on hacked data used to commit tax fraud. Then they shifted to cryptocurrency cases. The agents realized that while the blockchain was anonymous and criminals often shuffled their coins from wallet to wallet, the trail of transactions almost always led to an exchange, which would ask for identification before allowing someone to sell their Bitcoins for cash. Even if the crooks used an intermediary or a fake ID, they would leave clues. All the agents had to do was follow the transactions long enough. “Eventually everybody screws up,” says Tigran Gambaryan, another member of the IRS cybercrime unit, who now runs investigations for crypto exchange Binance.
Crypto tracing led Janczewski and his colleagues to drug dealers, money-laundering services, and even a site that had been selling child abuse videos. With each bust, they gathered data that allowed them to link more crimes to more Bitcoin addresses and more Bitcoin addresses to more people.
Janczewski declines to say when he and his colleagues made the connection between the stolen Bitcoins and Lichtenstein and Morgan or to discuss other details of the hack investigation. But by 2020, legal filings show, they had started the painstaking process of turning leads into evidence usable in court. They sent legal requests to exchanges that touched the stolen funds and to internet service providers the couple used. It took more than a year to gather enough evidence to justify a search warrant.
On Jan. 5, 2022, Janczewski and other federal agents entered the apartment at 75 Wall St. Morgan’s parents were visiting and had brought a batch of her favorite persimmon cookies, baked by her grandmother. As the agents started looking for phones and computers, she and Lichtenstein said they wanted to leave the apartment and take Clarissa with them, according to court filings. Then, Morgan clumsily attempted to create a diversion.
She said the cat was hiding under their bed and crouched down next to a nightstand. While calling the cat, she grabbed a phone off the nightstand and started frantically hitting the lock button. Janczewski pulled it from her hands.
Under the bed, the agents found a bin full of electronics, including a zip-top bag labeled “Burner Phone” and a red-and-white-striped toiletries bag holding nine more phones. They seized at least four hardware wallets—thumb drives that hold the cryptographic passwords to a user’s Bitcoins—and a pocketbook stuffed with $40,000 in cash. In Lichtenstein’s office, they found two books that had been hollowed out to create hidden cavities. The couple had a brief conversation in Russian, which Morgan had been studying. None of the agents understood it.
After an initial search of their electronic devices, the agents hadn’t found the private keys to the stolen Bitcoins. They didn’t have enough evidence to arrest the couple.
Five days after the search, Morgan released a new song, . Over a spooky-sounding drum-and-organ beat, Razzlekhan raps for five and a half minutes about her connection with Lichtenstein—their shared weirdness, his green eyes and “nice bottom,” and their inside jokes, such as how he always keeps snacks in his pockets or how they both can’t drive. She says she doesn’t want a regular job and takes risks to feel alive, and at one point she even says, “Don’t forget an exit plan.” She and Lichtenstein had married a few months earlier. In the song she says she wants to be with him “until the goddamn end.”
Her delivery in the song is as awkward as ever, but knowing she posted it while she must have already been contemplating a long prison sentence, the lyrics take on a poignant tone. “We’re too weird for average Joes / Everyone knows,” Razzlekhan raps in the last verse. “You’re the best for me / This is how our story goes. / This is the Razzlekhan and Dutchie shows. / Ready to party down and let’s get weird!” As the song ends, Razzlekhan says, in Russian with a thick American accent, “I love you.”
The agents had also gotten warrants to search Lichtenstein’s cloud-storage accounts. In one of them they found a list of fake IDs, both male and female, and notes suggesting the couple had gone to Kyiv in 2019 to buy debit cards under pseudonyms. It looked to the agents as if Lichtenstein and Morgan had been preparing to flee the country. On Jan. 31 they cracked the encryption on one of Lichtenstein’s files and found something even more explosive: the private keys to nearly 2,000 Bitcoin addresses tied to the Bitfinex hack. The government now had control of $3.6 billion.
A week later the agents returned to the couple’s apartment and arrested them. Lichtenstein and Morgan were charged with conspiracy to commit money laundering. Prosecutors said they’d lied to exchanges to move the funds that had been stolen from Bitfinex. The question of who did the actual social engineering and hacking wasn’t addressed, and, since the data were deleted, it may never be.
The arrest was national news. It was the largest seizure of stolen funds ever. “Today, the Department of Justice has dealt a major blow to cybercriminals looking to exploit cryptocurrency,” Deputy Attorney General Lisa Monaco said at a press conference. The TikTok commentariat tore through Morgan’s music videos, and within hours Razzlekhan was already a social media legend, having air-humped her fanny pack into the ranks of famous grifters. “The Bitcoin crimes are nothing compared to calling this shit rap,” Trevor Noah said on . True-crime producers saw parallels to fake heiress Anna Delvey or Theranos founder Elizabeth Holmes. In addition to the Netflix documentary, which was ordered just three days after the arrest, there’s a podcast, a fictionalized series from the producer of the heist movie , and a competing documentary from , the publisher of Morgan’s columns.
They both pleaded not guilty. Lichtenstein was held without bail, and Morgan was released on $3 million bond. She argued that she wasn’t a flight risk because she was storing frozen embryos in New York and planned to have a child with Lichtenstein via in vitro fertilization. Morgan returned to her apartment, but in May she put many of her belongings up for sale on the building’s message board, including three electronic deadbolts and a fake Banksy print. According to copies of the posts provided by a neighbor, she’s moving and needs to downsize. Prosecutors said in a May 30 court filing that they were talking with the couple’s lawyers about a plea bargain. The next hearing is scheduled for August.
In March, Janczewski left the IRS to become head of global investigations for blockchain intelligence firm TRM Labs. The government is still holding the seized Bitcoins—the US Marshals Service keeps crypto on encrypted thumb drives in a locked safe in an undisclosed federal building. With the cryptocurrency market crashing, their value has fallen to about $2 billion. Bitfinex’s owners say the exchange already paid most users back and owes only about $30 million more. That would mean when the Bitcoins are returned, most of the money will go to Bitfinex’s investors, including its executives. But some traders who lost Bitcoins will no doubt argue that the coins should be returned to them.
A fifth of the missing Bitcoins are still unaccounted for. Roughly $70 million worth was sent to Hydra Market, a Russian dark web site, according to crypto-analysis firm Elliptic Enterprises Ltd. No one knows where the money went from there, but on Hydra, vendors called treasure men offer to exchange crypto for shrink-wrapped packets of rubles that they bury in secret locations. It’s possible there are underground bundles somewhere in Russia, waiting for Morgan and Lichtenstein to dig them up.
Back in New York, on a traffic pole just across from the entrance through which criminal suspects are led into Manhattan federal court, someone has placed a sticker with a cartoon that depicts a topless Razzlekhan riding a crocodile, her tongue sticking out, her fingers split into her trademark “V.” It looks new.