> The 2017 transfers notwithstanding, the majority of the stolen funds remained in Wallet 1CGA4s from August 2016 until January 31, 2022. On January 31, 2022, law enforcement gained access to Wallet 1CGA4s by decrypting a file saved to LICHTENSTEIN’s cloud storage account, which had been obtained pursuant to a search warrant. The file contained a list of 2,000 virtual currency addresses, along with corresponding private keys.
> ...The connection among the VCE 1 accounts was further confirmed upon reviewing a spreadsheet saved to LICHTENSTEIN’s cloud storage account. The spreadsheet included the log-in information for accounts at various virtual currency exchanges and a notation regarding the status of the accounts
> ...Lichtenstein Email 2 was held at a U.S.-based provider that offered email as well as cloud storage services, among other products. In 2021, agents obtained a copy of the contents of the cloud storage account pursuant to a search warrant. Upon reviewing the contents of the account, agents confirmed that the account was used by LICHTENSTEIN. However, a significant portion of the files were encrypted
Reads suspiciously like Gmail. Oh no. You stored your keys weakly encrypted on Google Drive?!
There's selection bias going on because only dumb criminals get caught, so you only hear about the dumb opsec practices of those criminals. Conversely, you'll never hear about the opsec practices of that professional crew with perfect opsec that hacked an exchange/DeFi contract and disappeared into thin air.
I haven't studied criminology, but I alternatively suppose someone who does that just doesn't think that far ahead. This likely also explains why the vast majority of people with these capabilities choose to live a life in accordance with their country's laws.
That's backwards. It's how they wrapped it all up. The real trail is pretty clearly AlphaBay 2016/2017 transactions (under gov control around that timeframe), to KYC-flagged accounts at an exchange, with a web of accounts with real info linked together past there.
Or what if he decided to create his own crypto-currency and it just so happened that his dirty wallet was an early investor of ETH to his fund.
Seems like he could have done more to distance himself.
On a value system with an inherently public ledger that eventually has to hit a fiat off ramp with KYC/AML requirements? Nah. Everyone has quality opsec until they don't, and the record of your criminal activity is immutable and highly durable.
But you can refer to https://hashcat.net/hashcat/
Bitcoin's public ledger makes transactions into prosecution futures.
This is why it's such a poor choice for revolutionaries and funding the marginalized. You leave a permanent indelible public record in posterity that will in the course of time be de-anonymized, automatically, and traced back to you.
Is the onus on an artist or on an "auction house" to vet buyers? If post sale it turns out the money was fraudulent, does the artist need to pay it back?
In crypto terms: you, the artist, simply put an NFT up for auction at OpenSea. You, the scammer, happened to purchase the artwork on OpenSea. However, KYC is not well enforced, enabling money laundering between the two wallets.
Especially since in general the likeliest failure mode would be the user forgetting the password to their millions of dollars worth of Bitcoin keys, followed by someone attacking the password.
With the Feds involved, that would be sufficient to crack the data.
Auction houses are known to be on the trick -- that is passively mainly/ they don't care and work to "pump" the prices of artwork. But of course law enforcement agencies know about it too.
It shouldn't be illegal: people should be free to buy what they want. But let's not hide behind our noses.
Of course that txn would show up on-chain, but if you don't have possession of the private key for the first account, and no digital device has ever "seen" the hardware account then he would've been fine.
This is assuming the key piece of evidence was his private key, and he wouldn't have been prosecuted without it.
Additionally, putting your key in cloud storage sounds like the dumbest thing ever... Just memorize your seed phrase and write it down. It's 4bn, for Christ's sake.
"Approximate Crack Time: 61,103,576,810,655,170 centuries"
Yeah, sure:)
Maybe? IIRC, if you unknowingly buy stolen property, and they trace it to you, I think you have to surrender it to its rightful owner (without compensation from the police).
This absolutely sounds like parallel construction.
Or, the TLA involved have some sort of crack or acceleration procedure; the TLA say "the criminals were dumb" because the people involved can't combat that without admitting guilt, and who'd believe them. The real reason is the TLA used illegal access and tools that we wouldn't be happy they're using against the civilian population? Oh, and the people using the tools are guilty by association so they're inhibited from whistleblowing.
Memorizing a seed phrase leaves you vulnerable to a $5 wrench attack, I wouldn't recommend it.
Ps not condoning the theft but I just find it strange that people with the skills to steal this much get caught using bog standard cloud storage. You'd think they could afford something better ;) Something along the lines of "you don't take notes on a criminal f** conspiracy" :)
Of course the problem is the attacker may not know what method you used and resort to the $5 wrench attack anyway :)
Not stealing $3.6B might be an even safer bet.
https://www.wilsonelser.com/files/repository/PHLY_Article_Cl...
https://www.cnbc.com/2021/08/11/bitcoin-family-hides-bitcoin...
That’s 30+ years of storage for free.
The article mentions he had many wallets.
There might be prestige in some circles for taking down some dumbass Solidity coder, and some people seem to be getting some money out still (e.g. Wormhole).
But overall I’m short Trail of Bits consulting rate.
Also, as time goes on, the proportion of BTC that is "dirty" approaches 1, so these Chainalysis strategies become less effective, assuming you aren't stupid enough to do some criminal act then cash out at a KYC exchange the next day from the same wallet.
> Taihuttu is trying to put a crypto cold wallet on every continent so it’s easier to access his holdings.
I hope it’s at least encrypted with an additional passphrase, otherwise it’s only as strong as the weakest bank’s security.
> Taihuttu has two hiding spots in Europe, another two in Asia, one in South America, and a sixth in Australia.
> We aren’t talking buried treasure – none of the sites are below ground or on a remote island – but the family told CNBC the crypto stashes are hidden in different ways and in a variety of locations, ranging from rental apartments and friends’ homes to self-storage sites.
I hope this is all a decoy or else it’s the worst opsec I’ve seen since about five hours ago.
People in tech will yak-shave choosing the "correct" cipher, then get pwned by an implementation detail like a bug in Enigmail.
1) Hacking, 2) opsec and 3) tradecraft are totally different skills. The most dangerous people (to themselves) are the ones who cover only one of the 3. The more advanced among them _know_ they are lacking in the other areas, but think they can compensate by going even deeper on whatever they already know.
Presumably, this would do the trick.
https://arstechnica.com/tech-policy/2020/02/man-who-refused-...
Doing business with criminals can bite you, even if you were not participating in a criminal enterprise.
Printing the paper wallets, putting them in a $1 glass jar with a silica packet and burying in your back yard would have been 100 times smarter.
No. Normally you have to return items that were stolen from someone even if you purchased them without knowing they were stolen. But money is an exception. See:
https://en.wikipedia.org/wiki/Nemo_dat_quod_non_habet
(I don’t know whether Bitcoin would be treated as money for these purposes…)
I don't follow what you're saying here. Nothing stops something from being dirty multiple times, does it? So nobody might care that it could be traced back to something sketchy 5 years ago, if more immediately it's traced back to last month's crime.
I’m also curious what here looks like parallel construction to you - I thought the statement of facts was surprisingly mundane, but perhaps I missed some red flags?
If gov got to you, it probably doesn't matter how well you got it protected.
With a bad choice like SHA256, a 7 word passphrase could be cracked in as little as a few months with a single ASIC. The US government probably has a bunch of them already, so I think that an 8 word passphrase is already within reach for current tech.
Of course, with a real key derivation function like Argon2id, things would look much better.
*cryptocurrency is too long
That’s “credit card”. We’ve already lost “crypto”(graphy), let’s avoid deliberately giving away other common shorthands.
Law on receiving stolen goods is vague, complex, and jurisdiction-dependent. But in some cases, if the money you get paid is "the same" money that was stolen (something that's actually much easier to show with Bitcoin, where every input to every transaction is another transaction's output), and you know about the crime, yes. See People ex Rel. Briggs v. Hanley.
Morgan and Ilya appear to be the original hackers as well so on top of the money laundering sentencing which is around 10~20 years, they now have to deal with the hacking charge which appears to be a separate trial.
Morgan and Ilya aren't the only ones involved and the rest of the guys will eventually appear on DOJ website.
https://www.reddit.com/r/CryptoCurrency/comments/sohojt/mela...
With SHA-256 it takes about $21 to crack a 6 character password.
$1500 to crack 7 characters.
$108,330 to crack 8 characters.
$7.8 million to crack 9 characters.
$561 million to crack 10 characters.
$40 billion to crack 11 characters.
$3 trillion to crack 12 characters.
$200 trillion to crack 13 characters.
Edit Note: BTC is kinda expensive per hash right now. Usually this would all be cheaper. Past 14 characters it could be 1 cent and still outrun the usual US budget for a couple years.
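
Added example, not part of any comment in this thread: it fits the dollar figures quoted above to cost = per_guess × alphabet^length, then shows how a slow key derivation function (the SHA-256 versus Argon2id point made earlier in the thread) shortens the password needed to exceed a given cracking budget. The function names are hypothetical, passwords are assumed uniformly random, and `hashlib.scrypt` stands in for Argon2id because it ships with Python's standard library.

```python
import hashlib
import math
import os
import time

# Dollar figures quoted in the thread for SHA-256 (password length -> USD).
QUOTED = {6: 21, 7: 1500, 8: 108_330, 9: 7.8e6,
          10: 561e6, 11: 40e9, 12: 3e12, 13: 200e12}

def fit_cost_model(costs):
    """Fit cost = per_guess * alphabet**length by least squares on log(cost)."""
    xs = sorted(costs)
    ys = [math.log(costs[x]) for x in xs]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return math.exp(slope), math.exp(my - slope * mx)  # alphabet, USD per guess

def min_length(alphabet, per_guess, budget_usd, slowdown=1.0):
    """Shortest random password whose full search costs more than the budget,
    when each guess is `slowdown` times as expensive as one SHA-256."""
    n = 1
    while per_guess * slowdown * alphabet ** n <= budget_usd:
        n += 1
    return n

def measured_slowdown(rounds=3):
    """Time one scrypt call against one SHA-256 call on this CPU.
    scrypt is a stand-in: the thread names Argon2id, which is not in the stdlib."""
    pw, salt = b"constructed sample passphrase", os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.scrypt(pw, salt=salt, n=2**14, r=8, p=1)
    kdf = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    for _ in range(100_000):
        hashlib.sha256(salt + pw).digest()
    return kdf / ((time.perf_counter() - t0) / 100_000)

if __name__ == "__main__":
    alphabet, per_guess = fit_cost_model(QUOTED)
    print(f"implied alphabet ~{alphabet:.0f} symbols, ${per_guess:.2e} per guess")
    k = measured_slowdown()
    for budget in (1e6, 1e9, 1e12):
        print(f"${budget:.0e}: {min_length(alphabet, per_guess, budget)} chars with "
              f"SHA-256, {min_length(alphabet, per_guess, budget, k)} with scrypt x{k:.0f}")
```

The timing ratio is a single-core CPU measurement through Python and says nothing about ASIC or GPU guess rates.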
You can walk in the river instead of trying to cover your tracks.