“We searched for the 36B6mu address that would correspond to the cluster and found a single address,” Ergo said, sharing a link to the address found. “But the address is not part of a traditional wallet cluster. Further, the timing and volumes don’t seem to correspond with those noted in the complaint.”
“Maybe it’s a typo? So we weren’t able to really validate anything to do with the 36B6mu cluster,” Ergo added.
Bitcoin Privacy Requires Intention — And Attention
Setting aside the sections that external observers cannot independently verify, an analysis of the complaint makes clear that Lichtenstein and Morgan placed different levels of trust in their setup and in several services as they allegedly attempted to use the bitcoin from the hack.
First and foremost, Lichtenstein and Morgan maintained sensitive documents online, in a cloud storage service susceptible to seizure and subpoenas. This practice increases the chances that the setup could be compromised, as it makes such files remotely accessible and places trust in a centralized company — which is never a good idea. For hardened security, important files and passwords should be kept offline in a secure location, and preferably spread out in different jurisdictions.
Trust compromised most of the couple’s efforts in moving the bitcoin funds. The first service they trusted was the huge darknet market AlphaBay. Though it is unclear how law enforcement was able to spot their AlphaBay activity — even though the darknet market has suffered more than one security breach since 2016 — the couple nonetheless seems to have assumed this could never happen. But perhaps most importantly, darknet markets often raise suspicion and are always a primary focus of law enforcement work.
Assumptions are dangerous because they can lead you to drop your guard, which often triggers missteps that a savvy observer or attacker can leverage. In this case, Lichtenstein and Morgan assumed at one point that they had employed so many techniques to obfuscate the source of funds that they felt safe in depositing that bitcoin into accounts possessing their personally-identifiable information — an action that can set off a cascading, backwards effect to deanonymize most if not all of the previous transactions.
Another red flag in the couple’s handling of bitcoin relates to clustering together funds from different sources, which enables chain analysis companies and law enforcement to plausibly assume the same person controlled those funds — another backwards deanonymization opportunity. There is also no record of the couple using mixing services, which can’t erase past activity, but can provide good forward-looking privacy if done correctly. PayJoin is another tool that can be leveraged to increase privacy when spending bitcoin, though there is no record of the couple using it.
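The clustering inference described above is commonly known as the common-input-ownership heuristic: addresses spent together as inputs of one transaction are assumed to share an owner. The sketch below is an added illustration, not code from the complaint or from any chain analysis firm; the transaction IDs and address labels are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: txid -> input addresses (all labels invented).
SAMPLE_TXS = {
    "tx1": ["addr_A", "addr_B"],   # A and B spent together
    "tx2": ["addr_B", "addr_C"],   # B reused with C, so A, B, C link up
    "tx3": ["addr_D"],             # single input: no new link
    "tx4": ["addr_E", "addr_F"],
    "tx5": ["addr_F", "addr_D"],   # ties D to E and F
}

class UnionFind:
    """Disjoint-set structure that merges addresses into clusters."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_by_common_inputs(txs):
    """Return sorted address clusters implied by co-spent inputs."""
    uf = UnionFind()
    for inputs in txs.values():
        if not inputs:             # e.g. coinbase: nothing to link
            continue
        uf.find(inputs[0])         # register single-input addresses too
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())

def same_cluster(txs, a, b):
    """True if the heuristic attributes both addresses to one entity."""
    return any(a in c and b in c for c in cluster_by_common_inputs(txs))

if __name__ == "__main__":
    print(cluster_by_common_inputs(SAMPLE_TXS))
    # One consolidating spend merges the two previously separate sources.
    merged = dict(SAMPLE_TXS, tx6=["addr_C", "addr_D"])
    print(cluster_by_common_inputs(merged))
```

The heuristic is probabilistic: a PayJoin transaction combines inputs from both sender and receiver, so an analyst applying it to such a transaction would merge two distinct owners into one cluster.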
Lichtenstein and Morgan did attempt to do chain hopping as an alternative for obtaining spending privacy, a technique that attempts to break on-chain fingerprints and thus, heuristic links. However, they performed it through custodial services — mostly bitcoin exchanges — which undermine the practice and introduce an unnecessary trusted third party that can be subpoenaed. Chain hopping is properly conducted through peer-to-peer setups or atomic swaps.
Lichtenstein and Morgan also tried using pseudonymous, or fictitious, identities to open accounts at bitcoin exchanges to conceal their real names. However, patterns in doing so led observers to become more aware of such accounts, while an IP address in common removed doubts and enabled law enforcement to assume the same entity controlled all of those accounts.
Good operational security generally requires that each identity be completely isolated from others by using its own email provider and address, having its own unique name and most importantly, using a separate device. Commonly, a robust setup will also require each different identity to use a different VPN provider and account that does not keep logs and does not have any ties to that user’s real world identity.
Since Bitcoin is a transparent monetary network, funds can easily be traced across payments. Private use of Bitcoin, therefore, requires knowledge about the functioning of the network and utmost care and effort over the years to ensure as few missteps as possible while abiding by clear operational guidelines. Bitcoin isn’t anonymous, but it isn’t flawed either; use of this sovereign money requires intention — and attention.
What Will Happen To The Recovered Bitcoin?
Although the couple has been charged with two offenses by U.S. law enforcement, a court process will still determine whether they are found guilty. In the event that the couple is found guilty and the funds are sent back to Bitfinex, the exchange has an action plan, Ardoino told Bitcoin Magazine.
“After the 2016 hack, Bitfinex created BFX tokens, and gave them to affected customers at the rate of one coin for each $1 lost,” Ardoino said. “Within eight months of the security breach, Bitfinex redeemed all the BFX tokens with dollars or by exchanging the digital tokens, convertible into one common share of the capital stock of iFinex Inc. Approximately 54.4 million BFX tokens were converted.”
Monthly redemptions of BFX tokens started in September 2016, Ardoino said, with the last BFX token being redeemed in early April of the following year. The token had begun trading at roughly $0.20 but gradually increased in value to almost $1.
“Bitfinex also created a tradeable RRT token for certain BFX holders that converted BFX tokens into shares of iFinex,” Ardoino explained. “When we successfully recover the funds we will make a distribution to RRT holders of up to one dollar per RRT. There are approximately 30 million RRTs outstanding.”
RRT holders have a priority claim on any recovered property from the 2016 hack, according to Ardoino, and the exchange may redeem RRTs in digital tokens, cash or other property.