TL;DR
In 2016, Bitfinex was hacked for ~120,000 bitcoin ($72M at the time, ~$10B today due to price growth).
The breach worked because Bitfinex misconfigured its multi-sig wallets, storing two critical private keys on the same system—giving the attacker full control once inside.
Ilya Lichtenstein executed the hack alone, then spent years laundering the funds with his wife, Heather Morgan, using darknet markets, mixers, chain-hopping, shell companies, and everyday purchases.
Despite sophisticated laundering, blockchain investigators could still track the money; the case ultimately cracked due to seized AlphaBay records and sloppy real-world mistakes (like gift cards tied to their home address).
In 2022, the couple was arrested and the DOJ seized ~94,000 bitcoin—the largest crypto seizure in U.S. history.
Lichtenstein later confessed to the hack, cooperated with prosecutors, and received a reduced sentence; both he and Morgan were released early under the First Step Act. Despite the couple thanking Trump through social media, the White House has not claimed direct involvement.
About 25,000 bitcoin (~$2.5B+) remains missing.

Okay, you want the full scoop:
A few weeks ago, the guy who stole $72 million worth of bitcoin back in 2016 was released from prison. He was sentenced to serve 5 years but got out after serving only 14 months. His wife, who helped him launder the money, was also released a few months earlier after serving about 8 months. You might've heard about these two if you watched the documentary on Netflix called "Biggest Heist Ever". If not, I suggest you check it out. You'll see just how... different this couple is.
Ilya Lichtenstein was an entrepreneur and investor. His wife, Heather Morgan, had a more interesting career. She was a Forbes contributor, publishing blogs about cybersecurity and protecting your business. Ironic, yes. But that's not the interesting part. What's more interesting is her rap career. She's also a prolific rapper who goes by the name Razzlekhan, the Turkish Martha Stewart, and the Crocodile of Wall Street.
Okay, but what I actually want to do is talk about how the hack went down. How did this company manage to lose nearly 120,000 bitcoin, which is roughly worth $10 billion today? And then how did law enforcement manage to catch the Bonnie and Clyde of crypto five and a half years later?
This is the story of the Bitfinex hack.
First, some context on Bitfinex. It's a crypto exchange based out of Hong Kong, registered in the British Virgin Islands. Back in 2016, it was one of the major platforms where people bought, sold, and stored bitcoin. Think of it like a brokerage where you deposit funds, you trade, and they hold your assets.
Now, Bitfinex wasn't running some amateur setup. They had partnered with a company called BitGo to implement multi-signature wallets. And this is where we need to get into the weeds a bit, because understanding the architecture is key to understanding how it failed.
Multi-sig means multiple private keys are required to authorize a transaction. The idea is that no single party can unilaterally move funds. Even if one key gets compromised, the attacker still can't do anything without the others. It's defense in depth.
Here's how Bitfinex configured it for trading accounts. They used 2-of-3 multi-sig, meaning three keys total and two required to move funds. Bitfinex held two of those keys. BitGo held the third.
If you're already seeing the problem, good. Bitfinex controlled two keys. BitGo controlled one. So what exactly was BitGo protecting against?
In theory, BitGo was supposed to be a check on Bitfinex. When Bitfinex initiated a withdrawal, they'd sign with one of their keys and send it to BitGo. BitGo would review it, apply their security policies like withdrawal limits and velocity checks, flag anything unusual, and if everything looked good, they'd co-sign with their key and the transaction would go through.
The security model assumed Bitfinex's keys would be properly isolated. One online for operations, one offline in cold storage. That way, even if an attacker got into Bitfinex's systems, they'd only get one key. They'd still need BitGo to sign off, and BitGo would catch anything suspicious.
That's not what happened.
In August 2016, Ilya Lichtenstein got into Bitfinex's network. We don't know the exact initial access vector. Could have been credential compromise, could have been a server vulnerability. But once he was inside, he found what he needed.
There was a confidential report from a firm called Ledger Labs that was later obtained by OCCRP, and it showed Bitfinex had some serious configuration problems. They stored multiple keys and security tokens on the same device. The tokens that got compromised were associated with a generic "admin" email and one tied to their CFO. They weren't logging server activity externally. They hadn't implemented withdrawal whitelists. And they hadn't fully implemented the security controls BitGo offered, like the withdrawal limits that were supposed to flag exactly this kind of bulk drain.
So Lichtenstein gets access to Bitfinex's systems, and here's where it gets interesting. Remember, Bitfinex held two of the three keys. They were supposed to keep them separated, but they stored both on the same device. So once Lichtenstein got in, he had access to both of Bitfinex's keys. That's two of three. He didn't need BitGo at all.
BitGo later said their systems weren't breached and their software functioned correctly. And that's true. But it also didn't matter. The whole point of bringing in a third party is to prevent a single point of failure. Bitfinex created exactly that by keeping both their keys in one place.
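To make the architectural point concrete, here is an added example (not code from the post, Bitfinex or BitGo) that models a 2-of-3 wallet as keys with a holder and a host, then asks two defender's questions: how many distinct systems must fall before an attacker holds a quorum, and can the quorum be reached without the co-signer's key at all. The host and key names are constructed approximations of the layout the post describes.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Key:
    name: str
    holder: str   # organisation that owns the key
    host: str     # system where the private key material lives

def min_hosts_to_threshold(keys, threshold):
    """Smallest number of distinct hosts whose compromise yields >= threshold keys.
    A result of 1 means a single intrusion is enough to move funds."""
    hosts = sorted({k.host for k in keys})
    for n in range(1, len(hosts) + 1):
        for subset in combinations(hosts, n):
            if sum(1 for k in keys if k.host in subset) >= threshold:
                return n
    return None  # threshold cannot be met from these keys at all

def cosigner_bypassable(keys, threshold, cosigner):
    """True if the threshold can be met using only keys NOT held by cosigner,
    i.e. the co-signer's policy checks are optional rather than enforced."""
    return sum(1 for k in keys if k.holder != cosigner) >= threshold

def audit(keys, threshold, cosigner):
    return {
        "hosts_to_compromise": min_hosts_to_threshold(keys, threshold),
        "cosigner_bypassable": cosigner_bypassable(keys, threshold, cosigner),
    }

THRESHOLD = 2  # 2-of-3 as described in the post

# Constructed layout matching what the post says happened: both Bitfinex keys
# on the same device, BitGo's key on BitGo's own infrastructure.
AS_DEPLOYED = [
    Key("bitfinex-1", "bitfinex", "bitfinex-server"),
    Key("bitfinex-2", "bitfinex", "bitfinex-server"),
    Key("bitgo", "bitgo", "bitgo-infra"),
]

# Constructed layout matching the intended model: one key online, one cold.
AS_INTENDED = [
    Key("bitfinex-online", "bitfinex", "bitfinex-server"),
    Key("bitfinex-cold", "bitfinex", "cold-storage"),
    Key("bitgo", "bitgo", "bitgo-infra"),
]

if __name__ == "__main__":
    print("as deployed:", audit(AS_DEPLOYED, THRESHOLD, "bitgo"))
    print("as intended:", audit(AS_INTENDED, THRESHOLD, "bitgo"))
```

Note that `cosigner_bypassable` is true in both layouts: because Bitfinex alone held a quorum, BitGo's velocity checks and limits were only ever as strong as the separation between Bitfinex's two keys, which is the point the post makes.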
Over about three hours, he pushed through more than 2,000 transactions and drained 119,756 bitcoin from user wallets into a single address he controlled. That was $72 million at the time.
Then he cleaned up. He deleted access credentials, wiped log files, anything that could trace back to him.
Bitcoin's price dropped 20% almost immediately after the news broke. And here's something worth noting. Bitfinex socialized the losses, meaning every user on the platform took a 36% haircut even if their specific wallet wasn't touched. They issued BFX tokens as IOUs. Some people lost their life savings just because they happened to be on the same exchange as the compromised wallets.
After all that, the stolen bitcoin just sat there for almost five months without moving.

This is where the laundering operation gets interesting, because whoever did this was patient. They didn't panic, didn't rush to cash out. They just waited.
When the funds finally started moving in early 2017, they went to AlphaBay, which was the largest darknet marketplace at the time. Small amounts spread across multiple accounts under fake identities. This is OpSec 101 for moving dirty crypto. You don't consolidate, you don't rush, you blend in with normal traffic.
From AlphaBay, the bitcoin moved through a series of exchanges and got converted into other coins. This technique is called chain-hopping. You convert Bitcoin to Monero, Monero to Ethereum, Ethereum to something else. Each hop makes the trail harder to follow because you're jumping between blockchains with different transparency levels.
Monero is particularly useful here because it's built for privacy. It obscures sender, receiver, and amount by default using ring signatures and stealth addresses. So once you hop into Monero and back out, you've created a real problem for anyone trying to trace you. That public ledger advantage that Bitcoin gives investigators is gone for that segment of the trail.
Then the funds went through mixing services, also called tumblers. Bitcoin Fog was one of them, and it had been operating since 2011. The way mixers work is you deposit your bitcoin, it gets pooled with everyone else's bitcoin, and you get back the same amount minus a fee. But now there's no direct on-chain link between your input address and output address. You've broken the transaction graph.
Think of it like walking into a casino with marked bills, converting to chips, playing for a while, then cashing out. The bills you walk out with aren't the bills you walked in with. That's what mixing does for bitcoin.
When law enforcement shut down AlphaBay in mid-2017, the operation just adapted. The funds got rerouted to Hydra, a Russian darknet market that kept running until 2022.
But darknet markets were just one channel. They also set up shell companies to move money into traditional banking. Some funds got converted to gold coins, gift cards, NFTs. Even mundane stuff like Uber rides, a PlayStation, Walmart purchases. The goal was to create as much distance as possible between the stolen bitcoin and usable money, through as many layers as they could.
Here's the fundamental challenge with laundering crypto though. The blockchain is a public ledger. Every transaction is recorded permanently. Investigators can literally watch the money move. The hard part isn't seeing it, it's attribution. It's connecting wallet addresses to real human beings.
And for six years, they couldn't make that connection.
Bitfinex hired investigators. The FBI, IRS Criminal Investigation, and Homeland Security all ran parallel investigations. Blockchain analytics firms were mapping the flow of funds across wallets and exchanges.
Quick note on IRS-CI. Their Criminal Investigation unit has quietly become one of the best in the world at blockchain forensics. The lead investigator on this case, Chris Janczewski, basically built his reputation tracing crypto through the Silk Road and AlphaBay takedowns. He's at TRM Labs now.
The investigators could see the money moving. They could map the chain-hopping and identify when funds passed through mixers. But mixers work. The transaction graph was broken in enough places that they couldn't definitively tie it to a person.
So how did they eventually crack it? It was a combination of things.
Remember how the funds went through AlphaBay in early 2017? A few months later, in July 2017, the FBI led an international takedown of AlphaBay. When they seized the marketplace, they got access to its internal transaction logs. That let investigators trace the stolen Bitfinex funds through AlphaBay and out the other side to exchange accounts, including at least one registered to Lichtenstein.
But they needed more to build a case. And here's where it gets almost comically low-tech.
Gift cards.
Investigators traced bitcoin from a wallet cluster connected to the hack to an exchange that sells prepaid gift cards. A $500 Walmart gift card was purchased and sent to a Russian email address, but the transaction came from an IP address tied to a cloud provider in New York that investigators linked to Lichtenstein. Then portions of that gift card were redeemed through Walmart's iPhone app, with purchases made using Morgan's name, her email, and their Wall Street apartment address for delivery.
After years of sophisticated laundering through mixers, chain-hopping, darknet markets, and shell companies, they ordered stuff to their own apartment.
That gave investigators probable cause. They got warrants. And when agents searched Lichtenstein's cloud storage, they found a spreadsheet with over 2,000 wallet addresses and their private keys.
His master list for the entire operation, just sitting in the cloud.
Six years of careful laundering, and they kept the keys to everything in a spreadsheet on someone else's server.

In February 2022, federal agents arrested the couple in Manhattan.
The DOJ announced they'd seized about 94,000 bitcoin connected to the hack. Remember, that was $72 million when it was stolen and $3.6 billion by 2022. Same coins, just six years of appreciation. It was the largest crypto seizure in U.S. history.
At first they were only charged with money laundering. The working theory was maybe they'd acquired the stolen funds from someone else.
Then in August 2023, Lichtenstein pleaded guilty and dropped the bombshell. He was the hacker. He'd done the Bitfinex breach himself, exploited the multi-sig weaknesses, executed the theft, and spent years laundering it with his wife.
The guy who did it had been sitting on it the whole time, slowly cashing out while his wife posted rap videos about being the Crocodile of Wall Street.
Now here's where the sentencing gets interesting.
Lichtenstein was looking at up to 20 years but he got five. How? He flipped.
He testified against Roman Sterlingov, the guy who ran Bitcoin Fog, which was one of the mixers he'd used. That testimony helped put Sterlingov away for 12 and a half years. The feds got a bigger fish in the mixer ecosystem, and Lichtenstein's number came way down.
Morgan got 18 months. Prosecutors said she played a smaller role since Lichtenstein did the hack alone and brought her in later for the laundering part. She was willing, but she wasn't the architect.
In November 2024, Lichtenstein reported to prison. Morgan followed in February 2025.
Neither served their full sentence.
Morgan got out in October 2025 after about eight months. She credited the First Step Act, which is the 2018 prison reform law that lets non-violent federal inmates earn time credits through rehab programs. The White House told reporters they had nothing to do with it. She just qualified under existing rules.
On January 2nd, 2026, Lichtenstein posted on X that he was out. Same deal, the First Step Act. He served roughly 14 months of a five-year sentence and he's on home confinement until February 9th.
He says he wants to work in cybersecurity now.
So where are we?
The government recovered about 94,000 bitcoin. In January 2025, prosecutors recommended it go back to Bitfinex.
But roughly 25,000 bitcoin is still unaccounted for. At today's prices that's north of $2.5 billion still out there somewhere.
A lot of people still think crypto is untraceable. That was never really accurate, but it's definitely not true now.
Every Bitcoin transaction is recorded on a public ledger. The hard part was linking wallet addresses to actual people. That's what's changed. Companies like Chainalysis and TRM Labs have spent years building tools that can follow funds through mixers, track chain-hopping across different blockchains, and connect the dots back to real identities. Law enforcement uses this stuff every day now.
The Bitfinex case is proof of concept. They traced funds through AlphaBay, through mixers, through privacy coins, and eventually to a couple's apartment in Manhattan. The blockchain doesn't forget.
About $2.5 billion is still missing. Nobody knows where it is. Maybe it's in a wallet somewhere waiting to move. Maybe it's already been cashed out through channels we haven't traced yet.
Either way, this one's not over.
Protect your crypto and-
dontgetgot