So most likely,
1) they didn't launder it properly, leading to police being able to trace it to their bank accounts. I wonder if tornado.cash was used.
2) then police had their names, leading to warrants for all online accounts - google account, apple account, etc.
3) they made the big blunder of keeping their private keys in their online account. Most likely a txt file in google drive. That is such a silly blunder. Without the private keys, the police has zero proof of anything. They could have made a hundred excuses for how they got money in their bank account, as long as the police didn't have the private keys. Who keeps their private keys in an online account?
Apparently the biggest criminals make too many silly mistakes. The old saying applies here: "you don't have to be smart, just don't be an idiot"
Sure, they could have destroyed them, losing the money but maybe not getting arrested?
A USB is tiny, and you can shrink it's footprint with USB-C. You can also buy USB keys with tamper-proof housings that will blow a fuse if opened to be physically compromised. Coupled with strong post-quantum crypto, that key is relatively secure, even if physically discovered.
That's just the technical bit. You can also split the key in half and transfer the other half somewhere, which creates legal protection. You could also create a housing for the key so it's not easily discoverable.
If all that sounds a bit extra, circle back to that the perpetrator has 4.5 Billion worth of something.
It does sound like a lot of work. I think I'd go with the $5 wrench option.