Hacked - Crocodile of Wall Street
Episode Date: November 1, 2022
The story of a rapping crypto-couple allegedly at the heart of a multi-billion-dollar social engineering heist.
Transcript
So before we get to the rapping, and there is rapping, before we get to how that rapper
allegedly pulled off a multi-billion dollar social engineering hack, we're going to start with
a different question, which is how do you pay back the billions in crypto that that rapper
allegedly helped steal.
Earlier this year, the Department of Justice seized a few billion dollars in stolen
crypto from a 2016 heist of the troubled Bitcoin exchange BitFinex.
Back on August 2nd of 2016, about 120,000 Bitcoin, then worth a paltry $60 million, was stolen.
And for the victims of that hack, the DOJ seizing the now $3 billion worth of Bitcoin
was, you know, it seems like great news, right?
Everyone's going to get their money back.
But now, those victims are wrapped up in a new battle, not with
the original hackers, but with Bitfinex.
Is it a rap battle?
It's a rap battle, Scott.
Okay.
We're doing rap battles this episode.
Hell yeah.
Hell yeah.
I got bars.
I got bars, Jordan.
Let's go.
You got bars from me, dude?
Oh, man.
Let's see if you've got these,
let's see if your bars rise to the level of the bars in this story.
In a public statement,
Bitfinex has intuitively stated that they want the Department of Justice to give
them back these stolen bitcoins, the specific coins, saying, quote, Bitfinex will work with the DOJ
and follow appropriate legal processes to establish our rights to a return of the stolen Bitcoin.
But importantly, for those people whose money was stolen, BitFinex believes they've already paid
these customers back. And whether or not you agree with them is tricky because BitFinex did
pay them back in a token that they issued. It was redeemable for money, but whose
value tanked immediately after issuing. It's, like, a very sloppy crypto drama. And now
Bitfinex wants those coins. So I do want to talk with you a little bit about that, about what
BitFinex did in the wake of that hack and whether or not you think those victims were made
whole, because it's interesting. But we're going to get to that later. Because here's the
thing. You and I don't normally talk about crypto hacks, right? Because there's just so many of them.
So many.
And at a certain point, what's even left to say?
If we covered them all, it would eat this show.
If you mess with the bull, you get the horns.
I think that's what's left to say.
And I feel like there's a lot of people out there that wish that crypto was a bull in the investor sense.
But it turns out it's just a wild animal.
And when I read about this one, I found the nitty-gritty details of paying back to seize crypto interesting,
but maybe not enough for us to spend a whole episode talking about it.
But then I asked the question, if Bitfinex seized the crypto, they must know who the hackers are, right?
Which brought me to the rapping.
K. Alad, I can't watch any more of this.
That's not, that's not, you're not into it?
It's not going on heavy rotation.
My musical senses have been offended enough for the week.
Those bars are brought to you by Heather Morgan.
aka Razzlekhan, who along with her partner, Ilya Lichtenstein, aka Dutch,
have been charged in relation to this hack, this multi-billion dollar hack.
And this story, the story of Razzlekhan and Dutch, is not untold by any means,
depending on when folks are listening to this,
the creators of Tiger King either are going to or already have released
what I'm sure is going to be the next big Netflix doc series about it.
There's a scripted version in development over at Hulu.
It's a whole thing.
It seems very Tiger King,
just from the 34 seconds of this video that I watched.
Contained in that 34 seconds is a whole Tiger King.
I get real strong, you know, Tiger King vibes.
I could see this being a very successful media property.
I think it's going to do well.
And you and I have not talked about it, Scott.
So we're going to.
I'm taking bets on what this still untitled
doc series is going to be called, but I'm going to put my money on a line from this track of
Razzlekhan's.
This is the Crocodile of Wall Street here on Hacked.
It was like one of the first lines she said, like, on the crocodile of Wall Street or something,
and it's like I could see Crocodile of Wall Street being the line.
It's pretty good.
If they really, they could reach for something like Razzle-Dazzle because it's Razzlekhan
and Dutch, but I'm not sure, I'm not sure.
But it's not really Razzle Dazzle, it's Razzle and Dutch.
and it's not as cool as the crocodile of Wall Street.
The crocodile Wall Street's pretty cool.
I will say we're reaching, we're not there yet.
I'm probably going to call this episode that.
So I'm going to say we're not there yet.
But we're getting close to needing to retire
the Wolf of Wall Street naming structure.
It's becoming our like Generations Watergate naming structure
where everything just gets shoehorned into that framing.
I was reading an article today about the wolf of Airbnb,
crocodile of Wall Street.
We got to pump the brakes before this thing gets used up.
Come on, everybody.
Show a little discretion.
Oh, man.
This one just feels very crypto.
You know, we got...
So, it's the most crypto thing I've ever heard.
We got the crocodile of Wall Street, who's also, you know, an up-and-coming rap anthem
singer for Misfits, Versace Bedouin.
Oh, that's the name of the song.
I thought that was...
The name of the song.
Yeah.
this has just got crypto all over it.
Is there a...
In every single direction.
Like, you know the term crypto bro.
What is the female version of that?
Is there a female version of that?
Is there a gender version of crypto bro?
Or is crypto bro?
Just like a...
At the heart non-gendered, even though it has the word bro in it.
But like, can you be a female crypto bro?
I'm not sure, but this has got...
A cryptoficionado?
Yeah.
A crypto.
Yeah, I don't know.
It's so synonymous with the crypto bro.
Exactly.
I think anyone can be a crypto bro.
I think it's like an essence.
It's a quality.
It's like a steadfast sureness in the face of a line going up and down.
No matter what that line's doing, you just know in your bones.
Yeah, yeah.
I think that's the essence of it, you know?
I feel like Razzlekhan, you know, aka huddle gang chief, aka.
I don't know.
But I feel like
she seems like she's got some
hardcore crypto bro energy.
I would agree with that.
CBE,
crypto bro energy.
Is that a thing?
Should be a thing.
Crypto bro energy.
Yeah, CBE.
She's got big CBE.
Anyway.
So the crypto trial of the century
is set for, I believe,
March, 2023.
We don't know what's going to happen.
We don't know if they'll actually
be convicted of the charges that are laid against them.
So I'm going to put that over here.
And though the rapping is pretty cringe,
I don't think it's necessarily what's most interesting about this.
What's most interesting about this is assuming these are the people behind this
is what happens when technological prowess and social engineering prowess meet,
not in one person but in a couple.
Two people, one with each skill, kind of coming together
with allegedly pretty extraordinary results.
Isn't that the recipe for this podcast, Jordan?
Which one of us is Razzlekhan?
I don't know, you tell me.
There's no good.
There's none that I want to be.
Let's start with who and what BitFinex is.
Let's just lay the groundwork here.
What is your sense of Bitcoin exchanges?
Scott, do you have a preferred one?
Oh, yeah, yeah, yeah.
My preferred one is to stay as far away from all of them as possible
and stay in real exchanges with regulations and oversight.
But, you know, that's a crazy concept these days.
Yeah, that's no fun.
Yeah, I don't even know who the big players are.
I feel like there's like, I see them on F1 cars,
crypto.com, FTCX.
didn't is it FTCX
FTX said that they were going to buy
Coinbase or like we're thinking
about buying Coinbase which is you know
great Coinbase probably another big one
starting to think of the ones that are publicly traded
Coinbase is the one that comes to mind for me
There was sort of this one magical summer
when crypto exchanges and legalized gambling
ads hit hard where we live.
If you watched any kind of live,
you were getting those in spades.
They all had celebrity endorsers.
It was a real fun time.
It's funny enough to the exact same product.
Bitcoin exchanges, very broadly speaking, have one job to do,
which is to keep users' cryptocurrency and cash safe and secure.
They are historically not very good at this at all.
The first big one was called Mt. Gox.
Have you heard of it?
Oh, yeah. Famous.
You know about Mt. Gox?
Yeah, he disappeared, right?
The founder.
I can't remember how many hundreds and millions of dollars,
but I don't.
Has he ever been seen again?
I'm trying to remember if I can remember the details of this,
but I'm pretty sure that the person disappeared and took all the money and left.
I was never seen again.
So Mt. Gox, Mt. Gox took the money and ran in the old school way,
which was filing bankruptcy, actually.
Oh.
But there is a chance you might have heard of Mt. Gox,
not because of your obvious love for decentralized finance,
but because of your love of Magic the Gathering.
Oh, I do love Magic the Gathering for everybody listening.
just so you know, big fan.
Mt. Gox originally stood for Magic the Gathering Online Exchange.
And it stood for that because Mt. Gox, the cryptocurrency exchange, is a repurposed website
for trading Magic cards like stocks.
When they pivoted, they quite cleverly said, we already own this URL, Magic the Gathering
Online Exchange, MTGOX.
They didn't want to buy a new URL, so they just put kind of an implied period between
MT and GOX, and Magic the Gathering Online Exchange became Mt. Gox.
That is arguably the most clever part of their operation.
They just couldn't handle giving up the SEO, you know?
They put so much work into it, you know?
All of that earned views over the years. They just couldn't give it up.
I understand. All that brand equity.
I get it. I get it.
Mt. Gox filed for bankruptcy in 2014. At the time, through the countless times it was
hacked since its inception, it had single-handedly lost 7% of all Bitcoins in existence.
Wow.
We could spend this entire episode talking about hacked crypto exchanges, but that would be boring.
So we're just going to spend like 20 seconds, just to establish a pattern here.
Coincheck was taken for 530 million in 2018.
KuCoin for 280 million in 2020.
Last year alone, 3.2 billion in cryptocurrency was stolen from exchanges
specifically, which would make it, according to an LA Times article, 100 times more than all of the money stolen in every bank robbery in the United States added together.
Yep.
Great place to steal money.
Great place to store your wealth.
Bringing us to BitFinex.
When it was hacked, BitFinex was actually considered to be pretty legitimate, like pretty safe.
The story of its development and creation is one that's probably going to be pretty familiar to
script kiddie types everywhere.
It was copy-and-pasted code from a different exchange called Bitcoinica.
Grabbed that code, popped it somewhere else and said,
call it Bitfinex.
That operation was then invested in and run by a multi-hyphenate plastic surgeon
slash electronics importer named Giancarlo Devasini.
Devasini invested in Bitfinex in 2012 and basically became the boss of the operation.
He is, and this is sort of just trivia, but he's also the boss,
I don't know if he's creator or chief big investor, but he's the man behind something called Tether.
Oh, yeah.
You heard of Tether?
Oh, yeah.
As much as you can tell that I love crypto by the tone of my voice, I do stay relatively up on it as I find it very fascinating.
It's almost more fascinating if you aren't actively participating in because you don't have any, I don't like to say bias, but you don't have any reason to root for it.
You can kind of just watch it all unfold.
Exactly.
as it always is.
It's a very,
very dynamic and well-written drama show that I watch.
I think judging by the number of things that are in the development pipeline,
it is also probably going to be a bunch of literally written drama shows over the next coming years.
Absolutely.
But I digress.
Tether, Giancarlo Devasini's other large crypto project,
is a stablecoin that is supposed to be backed one-to-one with the
US dollar, but has been fined by US regulators for lying about the $67 billion in assets that they
would have needed to have to make that true, a fact that we will consider foreshadowing.
So, let's get into the hack itself.
Bitfinex had set up this new security system after it lost about $400,000 in a different
crypto hack a few years ago.
The way most other exchanges at the time worked was with something called cold storage: generally
they would mix users' coins together and store the private keys on computers that weren't connected
to the internet. Bitfinex alternatively used this piece of software from a San Francisco-based
company, a piece of software called BitGo. And their new system, that was supposed to keep
Bitfinex secure and make it the safest place to store your crypto, was that each user's balance
was kept on a separate address on the blockchain, allowing customers to actually see where on the
chain their money was. On the security side of things, to keep things
fast, BitGo was programmed to automatically approve transfers underneath a certain limit.
To do a big transfer, the kind of transfer someone might do in a hack, it required a Bitfinex
executive to manually sign off. The idea here is if Bitfinex did get hacked, the thieves wouldn't
be able to steal more than a little bit of crypto. So far so good. But in what would prove to be
kind of the big vulnerability, that threshold that distinguishes a small, automatic
transaction from one requiring that executive approval, that limit could be changed
with a command sent by someone with executive electronic credentials.
Beautiful.
It's incredible.
Though we don't know the exact social engineering tactic used, the hackers were able to get
a remote access Trojan, which we've talked about, onto the computer of someone on the
Bitfinex executive team.
A remote access Trojan, for anyone who doesn't know, essentially lets you operate an infected
computer as though you're sitting at it. With those credentials, they were able to do two important
things. First, they got access to all the private keys, the cryptographic passwords that would allow
them to unlock the coins and move them. But the coins were still trapped inside the system because
of that threshold. But with this access, they were able to change the automatic transfer limit,
the one that distinguished, you know, a transaction that needed approval versus one that didn't. And then they
got to work draining this whole thing.
I love that the main barrier was like changing a value in an INI file.
Yeah, you know, the config file says that the limit is like, you know, 10,000 USD, but let's just
change it to like a billion USD and forget that it exists.
Yeah, you build all of this security infrastructure, but you want it to be easy to use for
your real customers who are these executives.
And as long as that's the case, all of that security is only as good as the security of the individuals with easy access.
Hey, we've said it before on the show.
You know, convenience is the counterpart.
You know, it is the reason for insecurity lots of the times.
Every step you take towards convenience, you take a step away from secure.
And at 10:26 a.m. on August 2nd, 2016, we got to see that
play out at a pretty incredible scale.
At that moment, the hackers cranked up the exchange's daily withdrawal limit from
2,500 Bitcoin to a million, which was enough to basically drain the whole site.
And then using those private keys they had, they transferred BitFinex's Bitcoins to addresses
that they controlled on the blockchain.
And over the three hours and 51 minutes that followed, the hackers stole about 120,000
coins.
Wow.
More than half of the holdings in what was then one of the largest, you know,
crypto exchanges in the world.
This drain only gets
plugged when someone at BitFinex, someone else,
happens to check the account balances,
notices that half of the company's holdings
are gone and throws an alarm.
Site goes into lockdown.
Everything shuts down, but the hackers
are already gone. If you were
fleeing the scene of a hack
heist thing like this,
on your way out, what would you do,
Scott?
rm -rf,
you know, root, and
just delete everything.
Be like, see you guys.
Later.
Format hard drives and move on.
That's exactly what they did.
Hackers erased the server's memory on their way out,
wiping out pretty much any indication of who they were or where they went,
leaving just sort of a big, them-shaped hole where all that crypto used to be.
Just to talk about that,
I'm not sure what the dates were here, but today's valuation,
which is quote-unquote low for what we've seen
the last, like, 16 months.
Yeah, sure.
That's 2.4... 120,000 Bitcoin is around 2.4 billion, 2.5 billion USD.
Yeah.
That's a sizable heist, you know?
Yeah.
Some might say it's the single largest heist ever recorded.
Like famous Hollywood heist.
Like, what was the heist value of Oceans 11?
I want to say it was like 140 million or something like that.
It just seems so paltry now.
Yeah.
It's like, this 160 million was the planned heist value versus 2.4 billion, and literally, like, you didn't have to
leave your keyboard.
Well, and if you sold it at the right time, which they did not.
Of course.
But if you had sold it at the peak, I've been saying $3 billion.
I think right now it's at $2.4.
At its peak it was $8 billion, which I wasn't being facetious.
That would literally make it the biggest recorded heist of any kind ever.
The most money stolen in one go.
Well, I'm just trying to think what companies on like the NASDAQ have a market capitalization less than $8 billion.
There's got to be a few.
Yeah, sure.
Did you steal a Skechers?
You could buy a publicly traded, like massive company for less than that.
Like what's GMEs?
Let's talk about meme stocks to go along with our meme coins.
Yeah, sure.
Let's get meme stock.
Yeah, so GameStop corporations market capitalization as of recording, and it's up 10% today, which is shocking, is $8.6 billion.
So literally these people stole GameStop.
Incredible.
We know we could just spend like all day looking up company valuations that they could have converted their Bitcoin into and bought like these massive companies that we all know.
I mean, we could just spend all day doing that.
And it would be a pretty fun way to spend a day.
My God, I'm not going to do this, but I'm looking at some companies that are valued around.
They stole 1Password.
They stole all of the company 1Password.
They stole a vice media and a half.
Elon Musk's boring company, they stole that with plenty of change left over.
If they had liquidated it at the top of its value, I'm just looking for ones that I recognize.
because there's like, I don't know what Konto is, but they're worth $5 billion.
Snapchat's $16 billion.
So half a Snapchat.
They would have overpaid.
Yeah.
Well, what did Elon just pay for Twitter?
$45 million?
$45 million or something like that.
Oh, Falcon X.
Sorry, $45 billion.
Sorry, not a million.
Yeah, you got a deal.
Yeah, I got a great deal.
The only information that Bitfinex had was the 34-character,
like, addresses on the blockchain where the hackers sent all of that stolen money.
And Bitfinex posted those addresses on Reddit for everyone in the world to see.
Try and get more eyes on it.
For years, those coins just sat there.
And in the years following 2016, as we have said, the value goes absolutely crazy.
But the coins couldn't really go anywhere.
They could just become worth more and more in value.
which for the hackers, there's really nothing to be done about it.
Because the trouble with stealing crypto, as with stealing money, is like, well, how do you spend it?
And with real money, you can, like, I don't know, open a bunch of laundromats and try and, like, just sort of start laundering that money type thing.
But with crypto, it's visible. It's on the blockchain. Everyone can see where it goes.
And now that those addresses were being very, very closely watched, there aren't many people in the world who would accept any kind of payment from,
those implied addresses. Not many people, but not nobody. Which brings us to AlphaBay.
AlphaBay is a dark web market. We've talked about them on the show before, kind of place where you can
buy drugs, stolen credit cards, where you can get scammed trying to hire an assassin.
We've got a whole episode about that. And on its website, AlphaBay said that it wanted to be the
largest eBay-style underworld marketplace. In January 2017, about $22,000
worth of the hacked bitcoins from those addresses were moved over to
AlphaBay in a bunch of teeny tiny little transactions.
And all the Bitcoins that are getting sent to AlphaBay are then mixed together, making
them harder to connect to wherever they'd come from, and then could be sent off to some
new address. Essentially AlphaBay was acting as like a laundering service, sort of a Bitcoin
tumbler.
Meaning that if a user withdrew their funds from a new address, their bitcoins could
be traced only as far back as AlphaBay.
And while the big exchanges are unwilling to accept Bitcoins that had come from addresses associated with the hack,
some of the smaller exchanges would take coins that came from accounts associated with a dark web drug den.
It's just a little bit easier to get that money back out.
So the crypto goes into AlphaBay and then those hacked Bitcoins, kind of freshly cleaned,
start getting sent off to different crypto exchanges.
It makes sense so far?
Yeah, well, I know there's like a whole industry of crypto laundry, like mixing services
or tumblers, I think they're called.
Yeah.
I don't know.
AlphaBay was acting as one of those.
Gotcha.
So they were taking payments and then tumbling them and then passing them out to the people
who on the other side of the transaction, I'm assuming.
Exactly.
And they get sent off to some crypto exchange that would accept the payment from AlphaBay, where
they could then get sent off to some increasingly, you know, legitimate crypto exchange.
What it looks like was happening was the hackers were trying to figure out a pipeline for laundering all this money.
Yeah, like if I wanted, like that's the classic, like, you know, I open a laundromat or a nail salon or a cash business.
And I, you know, book more revenue than I actually made and like use that cash as part of that revenue to clean it and laundered for myself.
I'm assuming
whoever stole the money
set up accounts on AlphaBay
and then sold to themselves
just to launder the money
out the back door.
Exactly.
Smart.
Bingo.
Yeah.
But not perfect.
Because say this person
is trying to get
the laundered crypto
out of AlphaBay
into a legitimate exchange.
Even if they bounce it around
a couple times,
the end goal is to get it
somewhere where they can actually use it
and presumably live off it.
Wherever that sequence
ends, the legitimate exchange on the far receiving end, to be legitimate, would need their real name
and information for tax purposes. That's where this all terminates basically.
I'm going to make a prediction that their greed is what costs them here. I'm assuming
they tried to get all of the money or most of it to themselves. To me, the real mixing
service is you buy everything from everybody on AlphaBay with this money and you get yourself
out a few hundred million.
Instead of being like, I'm going to transfer all $8 billion to myself and then try and move
that out.
Of course they're going to see that.
But if you tumble it, just giving it out to everybody, then how are they ever going to,
there's going to be no way to trace it back to you.
Or like, not no way, but like very substantially less significant ways to trace it back
to you.
Yeah.
So I'm assuming greed,
greed is what gets them here.
So prove me wrong or prove me right.
There would be one way.
There would be one way with even a tiny little
transaction you could work it back.
It's just extraordinarily convoluted and difficult.
If you paid it out to hundreds of vendors,
there would be nothing suspicious about any one of those single vendors
unless you made it suspicious.
Like if you gave $100 to 700 vendors
and then $7 billion to one vendor, obviously that's you.
But, like, if you were to try and take out,
maybe you pick 50 vendors
and you give all $8 billion to 50 people,
knowing that you're only going to get,
you're only going to get one fiftieth of it,
but at least you're going to get some of it.
Yeah, you would.
But to even build out that system,
you've got to do this little test, right?
This little teeny tiny $22,000
test where you send some money
to AlphaBay and then AlphaBay
tumbles it and sends it off to some new address,
and even if you bounce it around,
you need to just make sure
that that works, right?
Of course.
Before you could do any of these other plans.
But what that means is that AlphaBay knows where the crypto came from,
which is the stolen addresses,
and it knows where it's sent off to,
which means that AlphaBay doesn't know who you are,
but they know where those illegitimate coins
ended up in a presumably legitimate address,
of course.
That you had to sign up for using your real identity to make it legitimate.
AlphaBay doesn't know who you are.
They only know where it's sent.
But in that, between the legitimate exchange knowing who you are
and AlphaBay knowing what legitimate address it was sent to,
there theoretically is a vulnerability.
Someone with enough time and resources
could connect that account to you using a court order
and then all they would have to do is, I don't know,
do a raid on the complex in Thailand where the guy who runs AlphaBay lives,
get his computer, and figure out your identity.
Hypothetically.
It's a very hypothetical vulnerability that's contingent on the person
with the username Alpha02 who runs AlphaBay, you know, getting caught.
let's just hang there for a second.
You're Alpha02.
Put yourself in this person's shoes.
Yeah.
You own a seedy darknet marketplace that has replaced previous seedy darknet
marketplaces when they've been shut down.
What do you do if somebody transfers $8 billion with a crypto into your accounts?
Fun question.
I assume you just steal it.
Because everybody else is doing it.
So why wouldn't you do it?
Yeah.
What do you care about repeat business?
when someone just sent you $8 billion anything.
Like, I don't need you to come back to this.
I don't need anything ever again.
I have $8 billion.
Yeah, AlphaBay is down.
Goodbye.
Best of luck in the future.
Have fun.
I'm out.
I'm out.
I'm out.
I'm absconding to a new country.
Exactly.
We have no evidence that $8 billion was ever transferred.
This all hinges on the $22,000 test that was run.
Right.
Because if you're following the money on the blockchain, you can see it go into AlphaBay.
And you go, well, AlphaBay must know
where that goes next. So if we're trying to follow it, that's the next breadcrumb.
The breadcrumb's name is Alpha02, a 25-year-old Canadian named Alexandre Cazes. And Alexandre
had moved to Thailand and bought, in I don't know what order, a bunch of houses, a Lamborghini,
and a Porsche with all of his dark web profits. Not the most original, but on some early messages,
way back when he started AlphaBay,
he used an email address,
years and years and years prior,
pimp_alex_91@hotmail.com.
Beauty, beauty.
Tragically, Pimp Alex 91 had also used
his real name when signing up for that email address.
So on July 5th, 2017,
the investigators kicked off Operation Bayonet.
The Royal Thai police drove a car
through the front of the gate of the giant compound in Bangkok,
where Cazes was living.
He was lured outside by the sound of a car crashing through his house.
And while the cops grabbed him, agents inside found a laptop, which was open and logged
into his admin portal on AlphaBay.
That back end contained the addresses where he had sent the Bitfinex hackers' laundered funds,
which were run by a legitimate crypto exchange, which meant that the identity of the hacker,
allegedly, was now just a court order away.
So this sort of unfolded over years and years and years.
On January 5th, 2022, federal agents entered the apartment at 75 Wall Street
belonging to a rap mogul slash entrepreneur slash proclaimed social engineering expert
and her ad tech turned angel investor partner, Razzlekhan and Dutch.
You mean the crocodile of Wall Street?
their story and what those agents found after the break.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform with a fully agentic system powered
by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions
and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events
every week and over a decade of real-world incident response.
The system reasons on real signals and real context, not synthetic training
data. And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design. You get agents that coordinate, agents that
investigate, agents that respond at machine speed, and hundreds more that automate the
repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an
old model. They rebuilt the model entirely. What makes it even more effective is how it
works with Arctic Wolf's concierge experience. The team brings customer-specific context directly
into the platform so every AI-driven decision reflects your environment instead of generic
assumptions. The automation frees your concierge security team to focus on higher value strategy
and proactive risk reductions while the agents handle the grind. If you want to see what
trustworthy, production-ready AI and security operations actually looks like, go to arcticwolf.com
slash hacked. Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks to turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving to the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack
not just what happened, but why these attacks succeeded, and most importantly, what
businesses can do to fortify their defenses before it's too late. You're going to walk away with
real insights and how threat actors are evolving, how defenders are responding, and what strategies
can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable,
intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked.
Razzle-dazzle.
Dutch. Ilya "Dutch" Lichtenstein, and Heather "Razzlekhan" Morgan.
Let's get into these folks. Morgan, 31 at the time, was the founder of a small
kind of little company called Salesfolk. It was a copywriting business. She was living with Lichtenstein
in a $6,500 a month apartment on Wall Street, a big, nice, beautiful high-rise. She wrote a column for
Forbes in which her author bio read, when she's not reverse engineering black markets to think of
better ways to combat fraud and cybercrime, she enjoys rapping and designing streetwear fashion.
Wow. And then there's Ilya. Born in Russia, he'd grown up in Chicago, where his parents
had moved when he was a kid. I don't know if we can say he ends up in crypto, but he ends up implied
in all of this story. Do you want to take a wild guess at how he made his fortune? Malware.
Lateral. While he was at the University of Wisconsin, he discovered a very cool process
called affiliate marketing. Oh, lovely. Yeah, which is where people buy, you know, just a ton of
ads in bulk on Facebook and Google. And they...
put together some incredible, iconic, creative for things like diet pills and offshore gambling
sites and pills to make your brain work better.
That's the way of doing it now.
The way of doing it is fabricating reviews and fabricating content around it and then
driving those to paid affiliate links, which is why you just essentially can't trust anything
on the internet anymore, as everybody's just trying to get some percentage of whatever you're buying.
You put your coins into the Facebook ad
like, I don't know, casino machine
and see if you can churn out a little bit of profit,
drop shipping socks or some shit.
Exactly.
Lichtenstein claimed in some posts on forums over the years
that he'd made a $100,000 a year doing this
when he was a student.
He took that money.
He goes on to co-found an ad tech company
that obviously went pretty well
because he left it right around 2016 to become a, quote, angel investor.
Keen-eared listeners would note that he left that endeavor in 2016,
which is right around the time some other stuff happens.
Bringing us back to the arrest.
On January 5th, 2022, those IRS agents burst into that apartment on 75 Wall Street.
The agents are like rummaging around looking for phones and computers.
Morgan and Lichtenstein said that they wanted to, they weren't under arrest.
They wanted to leave the apartment.
This was all stressing out their cat.
At which point, Morgan, Razzlekhan herself, Versace Bedouin, decides to create a distraction.
She says that the cat is hiding under the bed.
She sort of like gets down there, crouches down, reaches under the bed to get the cat.
While she's down there, she reaches up and grabs a phone off the nightstand.
She starts frantically hitting the lock button.
One of the agents rips it out of her hand, and they grab her,
and then they look under the bed.
They find a plastic bin.
You want to guess what was inside that plastic bin?
Not a cat?
In no particular order.
A Ziploc bag labeled burner phone,
a red and white striped toiletries bag holding nine more burner phones.
Four hardware wallets,
little thumb drives.
Yeah.
And a pocketbook with $40,000 in cash.
Nice.
Like her go bag?
Yeah, her go bag, essentially.
I don't do crimes, but I even like the idea of having a go bag.
Yeah, yeah.
I don't begrudge someone for having one of those.
Over in Lichtenstein's office, they found two books that had been like,
this is old school, hollowed out to create like a little secret chamber cavity type thing.
Beautiful.
It contained, I think, a couple more of those little thumb drives.
Hardware wallets.
But while this is all going on, yeah, Morgan and Lichtenstein had a brief conversation in Russian,
which Morgan had been learning.
None of the agents spoke Russian.
We will never know what was said between the two of them.
But after that initial search of their electronic devices, the agents hadn't found the private keys to all those stolen bitcoins.
So while a bag of burner phones and hardware wallets, while this is all incredibly incriminating,
it is not enough to arrest someone.
It's not illegal to have a go bag.
So they leave.
Five days after that search, Morgan puts out a new song.
It's called Moon and Stars.
It's a bop.
It's a bop.
Maybe we'll play it in the background here.
And in the song, she kind of just raps about her relationship with Lichtenstein.
It's quite complimentary.
But she says a couple lines in it that are pretty interesting.
talks about not wanting to have a regular job,
talks about taking risks to feel alive,
talks about how you should never forget an exit plan.
She says she's going to be with Lichtenstein until the end.
She puts out that song.
The agents had also gotten warrants
to search Lichtenstein's cloud storage account.
And in one of those, they found a bunch of stuff.
They found a bunch of fake IDs, both male and female.
They found notes kind of suggesting that the couple
had traveled to Kiev in 2019
to buy debit cards under some of those pseudonyms. It really started to look to the agents as though Razzlekhan and Dutch had been
sort of getting ready for that exit plan that she's rapping about in that song.
The Go Bag Day.
The Go Bag Day. On January 31st, they managed to bust through the encryption on one of Lichtenstein's
files, and they find a smoking gun. The private keys to nearly 2,000 Bitcoin addresses
tied to the original Bitfinex hack. A discovery in his cloud files,
at the time, $3 billion worth of Bitcoin.
The same coins stolen in the hack.
That's a hard day.
That's a hard day for old Dutchie.
When the FBI finally cracks the encryption
in your passcode on something
and finds out that you've got $3 billion
rotting on the blockchain.
It must have been like,
that must have been a weird week.
Because on one hand, you've been raided by the FBI,
but on the other hand,
they couldn't find anything.
And you're kind of just wondering if the encryption's going to hold at that point.
Yeah.
We don't really know how they busted it open,
but you've got to wonder if they're sitting there thinking,
maybe we're going to get away with this.
Maybe the spotlight will be off us long enough that we can get on a plane
and pull off this escape plan that we've cooked up.
They're probably pretty hopeful in that week.
I assume the second the FBI comes through the door,
even though they don't have enough to arrest you in that moment,
it's go bag time.
Like if it's go bag time
Like I wouldn't even
I don't even know why you'd stay a week
Like it would be and release another song
Like it seems like you should just be go-bagging
You know
Always be go-bagging
Always always always
Always be go-bagging
Always be closing ABC
Yeah exactly
Always be go-bagging
Yeah
ABGB
I'm pretty shocked
And we'll get back to the story
But like
I'm pretty floored that
by 2022 they hadn't left
there was such a big window of time when they were
and we'll learn a little bit more about what they did to like
allegedly prepare this escape hatch
but they took a really long time
you know planning their exit
four years I think at my count
wow
it's just not how you go bag man
you need to be ready to go bag what's the
what's the TV show
the guy go bags and he like punches a wall in like his office and pulls, this is my favorite clip,
and pulls a go bag out, it's Parks and Recreation, yeah that's what it was, everyone go watch that show, yeah
we should definitely, that's a great clip, just like walks into a room, punches a hole in the wall, pulls a
bag out and like runs out or something, I think the full context is someone tells him his ex-wife is coming
he sprints out of his chair, rips a doorknob off, uses it to punch.
He punches a hole in the wall with the doorknob so he can stand on it, reaches up, punches a hole,
grabs the go bag out of a thing, and then sprints off down the hallway.
And I don't know if it's like a one shot or it just happens really fast.
Yes.
That scene, go watch that scene.
Parks and Rec.
Go watch it.
It's worth it.
And if you're ever stealing somewhere between $60 million and $8 billion in cryptocurrency,
and see. Have that bag ready to go day one. Just have it ready.
Have it, have it sitting by the door.
Oh my God, we got the money. Book it.
Like, just be ready. Maybe not the same day, but within the calendar year.
I get not wanting to be on a plane the day after a giant heist. But come on.
Four or five years, this is just dawdling.
It's called a go bag, not a slow bag.
Good. Good, good, good. A week later, with the smoking gun in hand, the agents return to the couple's apartment and they arrest them.
Lichtenstein and Morgan are charged with conspiracy to commit money laundering.
And I found this really interesting.
The charge actually has to do with the fact that they lied to the exchanges to move the funds.
The charges regarding the actual hack couldn't be, haven't been proven yet because the data was deleted on the way out.
It might never actually be.
They did commit money laundering, allegedly, and that's what they've been charged with.
That's a pretty mild charge to take when you've stolen.
When you're single-handedly the largest heister in the world.
And all you get, it's like all the organized crime guys that get taken down for like tax evasion.
I feel like this is the equivalent of that.
A hundred percent.
It's like, yeah, you stole $8 billion.
But like, you're going to jail because you like, you know, cleaned it.
You lied to this imaginary cyberbucks bank.
Totally.
Exactly.
The arrest was national news.
It was, I think, in addition to being, what, I think the largest heist ever, it was also the largest seizure of stolen funds.
Both Lichtenstein and Morgan have pleaded not guilty.
Lichtenstein was held without bail and Morgan was released on a $3 million bond.
To date, a fifth of that missing Bitcoin is still unaccounted for.
But here's a funny little addendum.
Roughly $70 million worth of cryptocurrency from those accounts that had all the stolen funds was sent to something called
Hydra Market, which is a Russian dark website.
And while no one knows where the money went from there, this is a fun little piece of
trivia about the Russian dark website Hydra.
There's a type of vendor called Treasure Men who offer to exchange crypto for shrink-wrapped
packets of rubles that they then bury in some secret location.
And it's really fun to imagine little shrink-wrapped bundles of cash buried all over Russia,
just waiting for Razzlekhan and Dutch to dig them up.
I like that.
That's go-bag territory right there.
That's the real go-bag shit right there.
That's what I want to hear about.
We hired someone on the dark web to bury rubles in the Russian countryside,
and we have the GPS coordinates.
I'm like, yes, that's what I'm looking for.
Well, that's straight out of who's the big Colombian drug kingpin?
Didn't he have money buried?
And they still think there's like billions of dollars
buried in like rubber tubs all over Colombia.
Like that's the move.
That's the move.
That's the real move.
Yeah.
Burying your wealth in the woods is timeless.
So that brings us to today.
To the much kind of less wacky set of questions
that now faces the victims in all of this:
the exchange and the people whose bitcoins were actually stolen.
Now that the Department of Justice has gotten back control of all these coins,
what happens to them?
So when this initially happened, BitFinex was panicking
because half of all the wealth on their platform had been drained out.
But it's also 2016, which is like truly the wild west of all this stuff.
So they start making some very strange wild calls.
They decide to just say every user on our platform lost 36% of their holdings.
They sort of generalize the losses across the entire user base.
So some folks probably had more hacked, some folks had less hacked.
They just said everyone 36%.
To make everybody whole, according to them, they decided to issue a token.
They created something called the BFX token, and customers got one BFX token for every
dollar that they had lost, dollars in the value of the Bitcoin at the time of the heist.
The idea is you could sell the BFX token that they'd issue you for a buck.
One issue that customers brought up to CNBC is that when they decided to sell those tokens
that were supposed to be worth a dollar, immediately following their issuance, their value
plunged to pennies on the dollar.
It'd probably plunge to nothing.
Quote, they pegged them to $1 per BFX token,
a user named Cavatso said,
and they put them on the open market
and the value plunged from a dollar to like 20 cents.
And they were, I love how he puts this,
essentially allowed to fomo everyone out of their debt.
Well, the reality is to have a functional market.
You need supply and demand.
And when you create a random token
to essentially pay off nothing,
you invent a way to pay off something
and claim it has a value,
and then hand it out to a bunch of people who were out billions of dollars,
what other thing, they're all going to sell them at the exact same time.
And if there's no demand to buy them, because this token is, well, I guess there's a million
useless tokens and people tend to buy those.
So maybe somebody would buy it.
Maybe that's why it didn't go to completely valueless.
But the, but yeah, it's like you see this with companies when like,
a new company gets acquired or something,
and all of the existing staff, stock options mature at the same point,
those maturity deadlines,
you see the selling volume go way up
because all of these people are liquidating the capital
that they've been kind of accruing and unable to sell.
So the same thing that would happen here,
everybody's given billions of dollars in, you know, tokens.
Lots of air quoting going on on my side of the phone.
Yeah, a lot of air quoting.
But what else are they going to do besides,
sell them and move them into tokens and assets that they perceive to have value because this new
token doesn't really have a basis of value besides what they've just declared it to be.
So anyway, the economics of light fraud.
I obviously owe you millions of dollars personally, Scott.
My many debts to you.
I would like to, I don't have those dollars, though.
I would like to give you Jordan Bucks,
a new currency I have made just now,
and I'm writing you a check for the many millions of dollars I owe you in Jordan Bucks.
Yeah, I've declared that Jordan bucks are worth
Jordan bucks are worth exactly
You know, one Jordan buck is worth exactly one U.S. dollar right now
And I guarantee nothing in the future.
I'm there now, and I just gave them to you
And whatever happens from this point forward, say their value plunging immediately
is simply not my business.
And buyer beware.
I have made you whole.
I didn't buy these.
You gave them to me after my shit was stolen.
Yeah, I got to hear the wrap up of this because it's going to make my stomach hurt.
Yeah, no, that's all bad.
Rafael B. Elenia, who had 91 bitcoins on the platform at the time of the heist,
said, quote, I sold those tokens as fast as possible and immediately when they became available,
and I only got about 25% of their original value.
There was no point in time that they refunded me, not in dollar terms and not
in Bitcoin terms.
So a little bit of time passes, and for everyone that didn't sell those tokens for pennies
on the dollar as fast as humanly possible, the company later gave a new token that they
made called BFX, which was the chance to convert those BFX tokens into equity shares
of iFinex, the corporate entity that owned Bitfinex.
Using a third and fourth token, they also created called RRT and Leo.
So I think that puts us at, they issued five tokens, none of which represented the dollar
value of the original cryptocurrency.
This is just a tear down of the entire crypto space because you're just showing that these
tokens take nothing to create and the only value they have is perceived value.
The wild part, Scott, is I didn't even set out to do that.
I wanted it to be a fun story about a wrapping heist, but you just, you keep bumping into
the, and you're like, and then they did what?
Then what did they do?
And that was the, God damn it.
Like it's, you can't escape it.
Bitfinex feels that customers have already been, you know, fairly compensated for their loss.
If they chose to sell those tokens before their value went back up to a dollar,
That was their choice.
They say, quote, upon receipt of the Bitcoins recovered from the 2016 security breach,
Bitfinex has pledged to use 80% of the proceeds to buy back and burn the Leo tokens,
I think the fifth token in this shell game they issued,
after all of the RRT tokens are redeemed.
Essentially, Bitfinex wants the bitcoins
that were stolen in the hack back.
They say they're going to give some portion of them back to customers.
It is unclear at this time what that actually materially means.
Oh, oh my God.
This is inevitably going to go to court.
Well, like, if you're Bitfinex, how can you not want $8 billion?
What is today $2.4 billion in
assets given to you. Like, who doesn't want that?
Who doesn't? I do. I'll take them.
And in the completely unregulated world, you can say, in air quotes, we've made everybody
whole from this. And therefore, the assets have just been returned to us. But, you know,
you've been made whole. So, you know, it's like similar to an insurance payout.
We're just going to keep this. Yeah, sure. And then, and then you just disappear into the sunset
like everybody else.
We made you whole,
whether it was with the token we issued
that plunged to 20 cents on the dollar,
the other token we issued
that was convertible into
stocks of a company
that was just hacked for $3 billion.
We think we've paid our debt.
Can we just start a crypto show?
I don't know if I have it in me.
I don't know if I have it in me.
Just like mocks crypto.
We make a weekly episode
that's like 25 minutes
that we have to be like half drunk to record.
And we just like Google CryptoCon
and just like talk about the articles that pop up from the week.
Half drunk sounds conservative
for where I would have to be psychologically to do that.
This was even tough.
Like it makes me sad that the people who have the ability
to control and stop all this bullshit
haven't done anything.
And it's like I'm looking at you,
Federal Reserve chair.
I'm looking at you like president.
I'm looking at people in power
who should have been like,
we have to nip this in the bud
before it gets out of control
because it's going to really hurt people.
And now it's really hurting people.
And people are still not doing anything about it.
And it's shocking to me.
Shocking to me.
Like the SEC's been talking about regulating it.
And it's like, what's the point?
Like, just, I don't know.
Anyway, it is what it is.
the depression sets in crypto depression
I have more to say but I almost want to play the music
I want to play the like outro music
as you just sort of mumble your way into depression
at the current state of affairs in the crypto ecosystem
I'm totally okay with that
so there is an unanswered question here
if we go back to this hack
and we can end there
it's actually how that first,
way back at the start of this thing, how that first remote
access Trojan, the one that kicked off the whole heist,
ended up on that Bitfinex executive's computer.
Presumably, someone had social engineered it onto there.
Sure, phished it.
Exactly.
But for a sense of how that might have worked,
I'm actually going to defer to Rosal Khan herself.
And a 2019 talk that she gave called
How to Social Engineer Your Way Into Anything.
In a promotional flyer for the speech,
She's wearing a Razzlekhan outfit and holding a big cartoon-sized wrench.
I don't know what the thing with the wrenches is.
Anyway, she starts the speech with some bars from that song, Versace Bedouin.
It is unclear if this succeeds in warming up the crowd.
She goes on to say, quote.
My favorite line from this podcast, by the way, was that clip.
It is unclear as to whether this warmed up the crowd.
She goes on to say, quote, I hate the term manipulating.
Social engineering involves, quote, getting someone to share information
or take an action that they otherwise would not.
So maybe this is how, whoever the hacker is,
got the Trojan onto the Bitfinex executive's system.
They got them to reveal something,
inadvertently sort of show their hand a little too much.
But that line is funny taken in a different context.
Because on the day of the original hack,
in what the LA Times called either an unfortunate coincidence,
or a stunning act of hubris.
Rosal Khan posted a photo on Instagram,
and it's a photo of her and her partner,
and alleged partner in crime, Dutch, sitting on a couch.
It's the day of the hack.
It says, quote,
I will always love getting into trouble
with this crazy guy.
Thanks for listening, everybody,
and thank you to our new patrons
since the last episode,
patreon.com slash hacked podcast.
Keith Horton.
Thanks very much.
Really appreciate your support.
Ben Pike. Thank you, Michael Ellert. Thank you very much. Your support means the world. If you want to support the show,
patreon.com slash hacked podcast. Thank you very much for listening. Thanks for making it to the end of our
kind of second one hour episode in a row. They're getting longer. Who knows where it's going next.
Thanks for listening. We'll catch you in the next one.
