Key Takeaways

• Banks and cryptocurrency exchanges need to update their BSA programs to account for the unique aspects of cryptocurrencies, detect and report related suspicious activity, and minimize the risk of cryptocurrency-related money laundering occurring through their businesses.
• If cryptocurrency-related money laundering does occur, financial institutions must be able to defend their BSA programs as upholding a “reasonable risk-based approach” to address cryptocurrency risks.
• Financial institutions must have policies and procedures in place that specifically address cryptocurrency-focused requests from law enforcement.
• All service providers must consider criminal patterns and whether their platforms are at risk for use by criminals.

Overview

Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, were arrested last week for an alleged conspiracy to launder 119,754 bitcoin (valued at approximately $4.5 billion) emanating from the 2016 hack of cryptocurrency exchange Bitfinex. Law enforcement has seized around $3.6 billion in value connected to the hack. The couple has been charged with conspiring to commit money laundering and defraud the United States.

Background

In or around August 2016, a hacker breached Bitfinex’s security systems and infiltrated its infrastructure, and then funneled 119,745 bitcoin out of the exchange, through a series of fraudulent transactions, to an external unhosted wallet allegedly controlled by Lichtenstein and Morgan. The bitcoin was valued at approximately $71 million at the time of the hack.

U.S. authorities were able to trace the stolen funds on the Bitcoin blockchain after they observed the funds being transferred across multiple accounts and platforms through a large number of transactions apparently designed to conceal the stolen bitcoin’s origination and launder the funds.[1] Multiple cryptocurrency exchanges were used as part of this elaborate scheme to obfuscate the flow of the stolen funds. Despite these efforts, law enforcement was able to trace the fund transfers to accounts controlled by Lichtenstein and Morgan.

The remainder of the stolen funds, however, lingered in the external unhosted wallet allegedly controlled by the couple. In early 2022, law enforcement executed a search warrant and as a result gained access to a cloud storage account maintained in Lichtenstein’s name. From within this account, law enforcement located and decrypted a file that contained 2,000 cryptocurrency addresses or public keys and their corresponding private keys.[2] Thereafter, law enforcement was able to use the private keys found in the encrypted file to take control of around 94,636 bitcoin, currently valued at approximately $3.629 billion.

Lichtenstein and Morgan purportedly used the following money laundering tactics to facilitate their crimes: (1) creating accounts with fictitious identities at various types of service providers; (2) moving small amounts of stolen funds over the course of thousands of transactions, rather than moving funds in larger chunks or all at once; (3) automating transactions through computer programs, a technique that facilitates many transactions over a short period of time; (4) depositing stolen funds into accounts at a variety of cryptocurrency exchanges and darkweb markets before withdrawing the funds, which muddies the transaction history by disrupting the funds flow; (5) converting bitcoin to other forms of cryptocurrency, including anonymity-enhanced cryptocurrency (“chain-hopping”); and (6) using accounts associated with U.S.-based business entities to create the impression of legitimate activity.

Banks and Cryptocurrency Exchanges Need Adequate AML Programs

This case serves as a warning to banks and cryptocurrency exchanges that they must ensure their anti-money laundering (AML) programs are adequate. The Bank Secrecy Act (BSA) and the regulations promulgated thereunder are the primary tools the U.S. government uses to fight money laundering. The BSA and regulations issued by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) require businesses to develop, implement and maintain an ongoing AML compliance program that includes the following components: (1) written policies, procedures and internal controls designed to comply with BSA requirements including verifying customer identities, detecting and reporting suspicious activity, retaining certain records, and responding to law enforcement requests; (2) a designated AML compliance officer; (3) an ongoing training program for appropriate personnel; (4) periodic independent reviews of the AML compliance program; and (5) for covered financial institutions, procedures to identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control and profit from companies when those companies open accounts.[3]

Even BSA-compliant organizations, however, can get stuck in the crosshairs of U.S. law enforcement investigations. Here, for example, Lichtenstein and Morgan used multiple cryptocurrency exchanges to funnel stolen funds in an attempt to prevent tracing of these funds by law enforcement. As part of this elaborate scheme, Lichtenstein and Morgan allegedly lied to exchanges about the source of their funds with the goal of preventing the exchanges from filing suspicious activity reports (SARS), thereby eluding the enforcement of any BSA policies and procedures the exchanges may have implemented.

As the cryptocurrency markets continue to expand, the potential for financial services businesses and other service providers, such as cloud storage platforms, to be used by bad actors for criminal purposes will likely increase. Therefore, financial institutions, including cryptocurrency exchanges, must both maintain and regularly update their AML programs to account for evolving criminal tactics and strategies. As law enforcement cryptocurrency capabilities continue to improve, and as the cryptocurrency markets become a higher priority for the DOJ, cryptocurrency-related crimes that previously went undetected will increasingly be discovered. 

[1] U.S. v. Lichtenstein, et al., 1:22-mj-00022-RMM (D.C. Feb. 7, 2022), https://www.justice.gov/opa/press-release/file/1470211/download.

[2] Cryptocurrency typically functions through public-key cryptography, whereby funds are transacted via public key and the transactions are authorized via a private key, which is typically possessed by only the public key address owner.

[3] See 31 C.F.R. § 1022.210; 31 C.F.R. § 1010.311; 31 C.F.R. § 1010.410(e); 31 C.F.R. § 1010.415; 31 C.F.R. § 1010.230.

[View source.]