The Bonnie and Clyde of Crypto Laundering

Last week the Department of Justice arrested a husband and wife, Ilya “Dutch” Lichtenstein and Heather Morgan, and charged them in a massive cryptocurrency money laundering case. The government alleges the defendants were involved in laundering Bitcoin that was stolen in a 2016 hack of Bitfinex, a virtual currency exchange. At the time, the stolen Bitcoin was worth about $71 million; today it would be worth about $4.5 billion. DOJ also announced that law enforcement had seized about $3.6 billion of the stolen cryptocurrency, the largest financial seizure in the Department’s history.

Last October Deputy Attorney General Lisa Monaco announced the formation of the National Cryptocurrency Enforcement Team to strengthen DOJ’s ability to pursue and disrupt criminal activity in the crypto markets, including money laundering. This case is significant evidence of DOJ’s growing ability to trace illegal activities that use blockchain technology. Those who thought crypto markets and blockchain provide a safe haven for criminal activity may need to think again.

These defendants are not charged with the Bitfinex hack, only with the subsequent laundering of a portion of the stolen Bitcoin. Whether they were involved in the actual hack, and whether there are others involved in the attempted laundering, are just a couple of the questions left unanswered by the court filings thus far. It will be interesting to watch this one unfold.

Lichtenstein and Morgan

Facts of the Case

Lichtenstein, 34, is a citizen of both Russia and the United States. He works as an entrepreneur and technology investor; one of his early companies was supported by the prestigious start-up funder Y Combinator. His wife Morgan, 31, is a U.S. citizen. She apparently wears many hats, promoting herself as an economist, entrepreneur, writer, rapper, artist, and social-media influencer. In a nice bit of irony, she once wrote an article for Forbes magazine about how to protect your business from cyber-criminals. At the time of their arrest the couple were living in Manhattan.

Bitfinex is a large virtual currency exchange, or VCE – a business that allows customers to buy, sell, and trade cryptocurrencies. In 2016, a hacker breached Bitfinex’s system and ultimately stole nearly 120,000 Bitcoin. The stolen Bitcoin were transferred to a digital wallet – basically a secure online account —  that, at least at the time of his arrest, was under Lichtenstein’s control. Starting in 2017, about 25,000 of the stolen Bitcoin were then transferred out of that wallet in a series of complicated transactions, with some of it ultimately ending up in accounts controlled by the defendants.

The criminal complaint alleges the defendants used a variety of methods to move the cryptocurrency around and ultimately have it end up under their control while trying to conceal its origins. These techniques included using computer programs to engage in thousands of transactions between multiple accounts; depositing and then withdrawing the funds at a variety of different VCEs and “dark web” markets; using accounts opened in the name of businesses and fictitious people; converting the Bitcoin to other cryptocurrencies that provide additional anonymity; and splitting large transactions into many smaller ones. Ultimately, according to the complaint, law enforcement traced the stolen funds through thousands of transactions to over a dozen different VCE accounts controlled by the defendants.

The complaint also recounts how on several occasions VCEs the defendants were using questioned them about the source of their funds, pursuant to various “know your customer” (KYC) and anti-money laundering (AML) obligations. The defendants allegedly lied, claiming the funds were the result of their legitimate investment and business activities or, in Morgan’s case, that the Bitcoin was a gift from her husband. On a few occasions, when the defendants could not provide satisfactory answers or when the true owners of accounts involved in the scheme could not be verified, the VCEs froze those accounts. This allowed law enforcement to later seize the funds, and likely directed their attention to these defendants.

In January of 2022, law enforcement officers used a search warrant to obtain access to Lichtenstein’s cloud storage account. They recovered an encrypted document that contained a list of 2,000 virtual currency addresses (basically online account numbers), along with the private keys to unlock those accounts. Virtually all of those accounts ended up being linked to the 2016 Bitfinex hack. In particular, the list included the information required to access the original wallet where the stolen Bitcoin was moved when the hack first took place. This allowed the government to seize that wallet and recover the $3.6 billion in Bitcoin that still remained there. The list also included accounts that different VCEs had frozen and that law enforcement has linked to the 2016 hack, with a notation “frozen” next to them.

The Charges

The complaint charges the defendants with one count of conspiracy to commit money laundering, in violation of 18 U.S.C. § 1956(h), and one count of conspiracy to defraud the United States, in violation of 18 U.S.C. § 371.  The money laundering charge carries a maximum penalty of twenty years in prison, and the 371 conspiracy charge carries a maximum penalty of five years.

These are just the charges in the complaint to support the arrest warrant. Once the case is indicted, it’s likely prosecutors will add additional charges.

The government chose to arrest the defendants based on a complaint, rather than waiting until the case was indicted and issuing arrest warrants at that time. That was likely due to a desire to have the defendants detained as soon as possible to ensure they did not flee the country. Under the Speedy Trial Act, the government will now have thirty days from the date of arrest to obtain an indictment.

Money Laundering Basics

I’ve written about the basics of money laundering before, including posts here and here. The crime takes different forms. But the activity alleged in this case is heartland money laundering: taking “dirty” money and trying to clean it up so you can spend it without arousing suspicion. The blockchain technology is relatively new, but the basic laundering techniques are familiar.

(And as my students will attest, I can’t talk about the basics of money laundering without linking to the classic explanation by noted expert Saul Goodman.)

This kind of laundering charge requires the government to prove four elements:

1) The defendant conducted a financial transaction;

2) The defendant knew that the property involved was proceeds of criminal activity, or “dirty money”;

3) The property being laundered was in fact proceeds of a “Specified Unlawful Activity” (which includes a long list of federal crimes); and

4) The defendant knew the transaction was designed, in whole or in part, to conceal the nature, location, source, ownership, or control of the illegal proceeds.

In this case, the various transfers of Bitcoin and other cryptocurrencies through different accounts would constitute financial transactions. It appears that, by tracing the transactions back through the blockchain, the government can prove that the Bitcoin involved in at least some of those transactions was in fact taken in the Bitfinex hack. That would make it proceeds of an SUA, in this case wire fraud or a violation of the Computer Fraud and Abuse Act. That takes care of elements one and three. This case is likely to hinge, as so many do, on the evidence of the defendants’ knowledge – elements two and four.

The nature of the transactions would be substantial circumstantial evidence of an intent to conceal the nature, origin, and ownership of the proceeds. Just as when traditional money launderers run their funds through multiple bank accounts in different countries owned by shell corporations, the unnecessarily complicated transactions demonstrate a desire to make it difficult to determine where the funds originated. There’s generally no legitimate reason for such convoluted transactions, and so the very fact that the defendant engages in them is circumstantial evidence of intent to conceal.

The one element where the complaint is a bit light is the evidence that these defendants knew the Bitcoin in question was criminal proceeds. The complaint doesn’t allege they were involved in the initial hack, which would of course give them the requisite knowledge. It says the stolen Bitcoin ended up in a wallet ultimately controlled by Lichtenstein, but doesn’t specify exactly how that happened. When it comes to Morgan in particular, the evidence of her knowledge is actually quite thin. She may be able to defend by basically blaming everything on her husband.

The government is going to have to prove the defendants knew they were dealing with stolen Bitcoin. Once again, the convoluted nature of the transactions themselves can be circumstantial evidence of that knowledge. And clearly they knew the Bitcoin did not just magically appear in their accounts. Their lies to various currency exchanges about the origin of the crypto would be further circumstantial evidence of their knowledge that the money was dirty. And if necessary the government can rely on willful blindness to argue that the defendants deliberately closed their eyes to the fact that the Bitcoin in question was criminal proceeds.

The Conspiracy to Defraud the United States

The second crime charged in the complaint is conspiracy to defraud the United States in violation of 18 U.S.C. § 371. There’s no allegation of a monetary loss to the United States, which would be required for a traditional fraud. But this charge is based on the legal doctrine that one can conspire to defraud the United States by conspiring to impair, obstruct, or defeat the government’s lawful functions. This is the theory that was used, for example, to charge the Russians who conspired to interfere with the 2016 presidential election through social media and other methods – they were charged with conspiring to defeat the lawful functions of DOJ, the State Department, and the Federal Election Commission.

The theory here is that by lying to various virtual currency exchanges, opening accounts in fake names, and through their other laundering activities, the defendants impeded the lawful functions of the Treasury Department to monitor and maintain the integrity of the nation’s financial system and combat criminal activity. Bringing this charge strikes me as a little odd, because it is basically redundant of the money laundering charge – all money laundering, by definition, is designed to defeat those lawful government functions. I’m not clear why the government thought it needed to add this charge.

I’ll be watching to see if prosecutors expand on this theory once the case is indicted, or if the charge ends up getting dropped.

Protect your Passwords!

One surprising aspect of this case is how the government finally cracked it open. When announcing the charges, the government rightly trumpeted its impressive ability to trace thousands of complex transactions on the blockchain. But their big break in the case came from an old-fashioned source: a screw-up by the defendant. A search warrant of Lichtenstein’s cloud storage account discovered his spreadsheet listing all the crypto account addresses and private keys. That was what ultimately allowed the government to link the defendants to most of these accounts, including the one that still held $3.6 billion of the stolen Bitcoin.

This document was a classic “smoking gun” and finding it was a lucky break for the government. Even I, with my limited Boomer-era knowledge of crypto and blockchain technology, know that you never leave your wallet and key information in a cloud document that someone else might be able to hack. This is sort of the digital equivalent of the masked bank robber who hands the teller a stick-up note written on the back of one of his own business cards.

Okay, true, the file was encrypted, so it’s not quite that bad. But still, for someone as tech-savvy as Lichtenstein, this can only be considered a serious security breach and a real bone-headed move – one that will end up being very costly for him and his wife.

The Crypto Launderer’s Dilemma

Deputy Attorney General Monaco, when announcing the arrests, highlighted another important aspect of this case. The VCEs the defendants used in their alleged laundering activities are financial institutions subject to federal regulations, including AML and KYC rules. The defendants could move cryptocurrency around freely on the dark web and between different unhosted wallets, but ultimately if they wanted to cash out and convert it to dollars or other more readily-usable currencies, they had to deal with one of these regulated VCEs. And it was those VCEs, seeking to comply with AML and KYC rules, that led to some of the accounts being frozen and ultimately led law enforcement to the defendants’ door. As Monaco noted, if the government and reputable financial institutions work together, they can defeat a lot of attempted laundering activity.

Despite the new technology, therefore, these defendants still faced the classic money launderer’s dilemma: you can just sit on your money, but what fun is that? If you want to actually spend and enjoy it, at some point your activity will be detected. Indeed, this is the entire point of the crime of money laundering: trying to figure out a way to do that without attracting attention. Even with the new cryptocurrency technologies, for now, at least, this problem remains for the potential launderer — at least unless and until a lot more online merchants start accepting cryptocurrency as payment.

One of the flowcharts from the criminal complaint showing the path of the proceeds

Things to Watch

There are several interesting things I’ll be keeping an eye on as this case progresses.

Were they involved in the hack? 

The complaint doesn’t allege these defendants were involved in the initial hack that stole the Bitcoin from Bitfinex. It will be interesting to see when more blanks get filled in about the connection between these defendants and the hack itself, and how Lichtenstein ended up getting access to the wallet with the stolen Bitcoin.

One relevant detail is that the hack took place in 2016, which is now outside the five-year statute of limitations. Whoever was involved in that hack – whether it was these defendants or someone else – it may no longer be possible to charge them with that offense.

Why so slow? 

I’m curious why so much of the Bitcoin remained in the original wallet to which it was first transferred, allowing the government to seize back $3.6 billion of it. If the defendants were really aggressively laundering all of the funds, it seems like they could have spread much more of it around into different accounts over the past six years.

The headlines you’ve seen may claim the couple is charged with laundering $4.6 billion in Bitcoin, but the amount they are actually accused of laundering is only a fraction of that. That they may have laundered less than 20% of the stolen Bitcoin is kind of curious. It makes me wonder whether something else was going on – were they working for someone else? Were they authorized to transfer only small portions at a time, perhaps in payment for other services?  There has to be more to this part of the story.

Where Did the Money Go?

Typically in a case like this, you might expect to see the government alleging all of the flashy, expensive things the defendants purchased with their laundered funds – the boats, the art, the fancy cars and homes. There is very little of that in this complaint. There are some references to Lichtenstein using some of the Bitcoin to buy gold and NFTs (non-fungible tokens, a very trendy kind of digital art), but there are few specifics.

The most detailed allegations of where the money went are almost comical: the complaint describes how the defendants used some of the accounts funded with stolen Bitcoin to purchase gift cards for Walmart, Uber, and PlayStation worth a few hundred dollars. This is hardly “Wolf of Wall Street” stuff.

According to court papers, there are still hundreds of millions in the stolen Bitcoin that are unaccounted for. Will we learn where it is? Do these defendants have access? The government claims they do – part of the reason prosecutors wanted them detained prior to trial is their fear that, with access to those millions, the defendants might flee the country.

Connecting More Dots

The complaint does a painstaking job of demonstrating that at least some of the crypto stolen in the initial hack ended up in accounts controlled by these defendants. It provides a lot less detail on how that actually happened and who made some of the various transfers. I’ll be watching for the indictment and future court developments to shore up the government’s allegations on this point, including whether any others were involved.

Warren Beatty and Faye Dunaway in 1967’s “Bonnie And Clyde”


This will be an interesting case to watch. I’m struck by the fact that, despite the new technologies involved, the challenges for the aspiring money launderer – and for the government in proving allegations of money laundering — remain largely the same. New wine in old bottles, or something like that.

In the meantime, there’s a Netflix series about the couple already in the works — because of course there is.


The McAfee Cryptocurrency Fraud Case

Tech celebrity John McAfee and his former bodyguard and business associate Jimmy Watson, Jr. were indicted last week on fraud and money laundering charges. The indictment alleges that in 2018 the two engaged in a series of fraudulent schemes related to investments in cryptocurrencies, taking in more than $13 million. The charges highlight the ability of alleged fraudsters to adapt old-school techniques to new technologies. As the McAfee fraud case demonstrates, when it comes to fraudulent schemes, the classics never grow old.

John McAfee

The Defendants

John D. McAfee is a 75-year-old American citizen who was born in the U.K. He is best known for creating the computer antivirus software and company that still bear his name. Since selling his company, McAfee has been a popular figure at tech industry conferences and on various media platforms such as YouTube and CNBC. He has cultivated an image as an expert in cryptocurrency and cybersecurity. Of particular relevance to the criminal case, at the time of his alleged crimes his official McAfee Twitter account had more than 750,000 followers.   

The co-defendant Jimmy G. Watson Jr. is forty years old and a former Navy SEAL. At the end of 2017 he began working for McAfee as a private security guard, and later became his “Executive Advisor.” McAfee had a team of people working for him on cryptocurrency investments, and Watson ultimately became a leading member of that team.

Cryptocurrency: Bitcoin and Beyond

Cryptocurrencies, or digital currencies, are electronic representations of value that operate like traditional coin or paper currencies. They can be used as a medium of exchange to make purchases or investments, and may be traded back and forth among individuals. The issuance and exchanges of cryptocurrencies are tracked in digital ledgers known as blockchains. Unlike more traditional currencies, cryptocurrencies are not issued by, or backed by, any government. Ultimately they depend for their value on the agreement and faith among those who use them.

The best-known cryptocurrency is bitcoin, which has been extremely volatile and, for many of its investors, extremely lucrative. It has undergone a number of boom and bust cycles, but the overall trend is hard to ignore: a single bitcoin that was worth less than a dime in 2010 is worth more than $54,000 at this writing (of course, by the time you read this, it could be worth twice that – or half).

Returns like that inevitably attract attention. Many companies and individuals have launched their own cryptocurrencies, with varying degrees of success, and several thousand are now available on the market. Cryptocurrencies other than bitcoin are often referred to as “altcoins.” Startup companies use an “initial coin offering” or “ICO” – similar to an initial public offering or IPO – to raise funds by issuing and selling the digital tokens in their new altcoins.

Returns like that also inevitably attract the interest of government regulators and law enforcement. The government alleges in the indictment that certain uses and aspects of digital currencies qualify them as commodities under federal law, making trading in them subject to regulation by the Commodity Futures Trading Commission. The indictment also alleges that in some cases cryptocurrencies qualify as securities subject to federal securities law and regulation by the Securities and Exchange Commission. More broadly, just last October the Attorney General’s Cyber-Digital Task Force released a detailed report, “Cryptocurrency Enforcement Framework,” analyzing multiple law enforcement issues related to the rise of cryptocurrencies.

McAfee Indictment

The Fraud Schemes

The indictment charges that McAfee, with the help of Watson and other unnamed co-conspirators, engaged in two different types of fraud schemes involving altcoins. The first was what is known as a “pump and dump” or “scalping” scheme. McAfee would direct his team members to purchase large quantities of a particular altcoin, either in his name or on his behalf. After the purchases, McAfee would endorse that altcoin on his official Twitter account and encourage others to invest in it (the “pump”) without disclosing that he owned large amounts of it himself. When the price rose based on the interest and activity created by his endorsements, McAfee and his team members would sell their holdings (the “dump”). This often left those who invested based on his recommendations holding the bag, as the value of the altcoin would drop significantly over time once McAfee stopped endorsing it.

McAfee allegedly pumped and dumped a number of altcoins this way, using his Twitter account to promote a “coin of the day” or “coin of the week”. McAfee’s Tweets allegedly contained false and misleading statements about the investments and did not disclose his true reason for the endorsement: to run up the price so he could sell. He also allegedly repeatedly lied when asked on Twitter and elsewhere whether he was pursuing his personal financial interests, and denied owning the altcoins he was promoting.

The indictment charges that in December 2017 and January 2018, the defendants and other McAfee team members earned more than $2 million through pump and dump schemes involving twelve different publicly-traded altcoins.

The indictment also charges a second, more lucrative scheme, the “ICO touting scheme.” It alleges that over about a three-month period in late 2017 and early 2018 the defendants and other McAfee team members promoted at least seven ICOs on Twitter. As compensation for these promotions, the McAfee team received more than $11 million worth of bitcoin and other cryptocurrencies from the ICO offerors. In each case, McAfee allegedly failed to disclose to the ICO investors that a substantial portion of the funds raised by the ICO he was promoting would be paid to McAfee. The indictment also alleges that the defendants took active steps to conceal their compensation arrangements from the ICO investors.

Criminal Charges in the McAfee Fraud Case

The indictment uses several different theories to charge the two schemes:

  • Count 1: Conspiracy to commit commodities and securities fraud (pump and dump scheme)
  • Count 2: Conspiracy to commit wire fraud (pump and dump)
  • Count 3: Wire fraud (pump and dump)
  • Count 4: Conspiracy to commit securities fraud (touting scheme)
  • Count 5: Conspiracy to commit wire fraud (touting)
  • Count 6: Wire fraud (touting).

Finally, Count 7 charges conspiracy to commit money laundering under 18 U.S.C. § 1957. Unlike money laundering charges under the more commonly charged section 1956, section 1957 does not require proof of any intent to disguise or conceal the nature and source of the funds or any other specific purpose for the laundering transaction. It may be violated simply by taking criminal proceeds and depositing them in the bank, so long as the transaction exceeds $10,000. The indictment alleges that the defendants did this with the proceeds of the touting wire fraud alleged in Count 6.

Most of the criminal charges carry a maximum penalty of 20 years in prison. The conspiracy charges in counts 1 and 5 carry a maximum penalty of 5 years, and the money laundering count carries a maximum penalty of 10 years.

The indictment also seeks forfeiture of the money earned through the schemes or of any assets whose purchase can be traced to those proceeds.

Possible Defenses

As in many white collar cases, it appears the facts of the case will be largely undisputed. There will be a substantial paper trail to prove the investments that McAfee and his team made, their Twitter endorsements, what was and was not disclosed, what they earned, and what they did with the money. So any defense likely will be not “we didn’t do it” but rather “it wasn’t a crime.”

A key legal issue will be whether these transactions were in fact subject to federal securities or commodities regulation. Watson’s attorney hinted at this kind of defense when the indictment was announced, suggesting there would be a dispute over whether cryptocurrencies are securities, commodities, or something else. If the court determines they do not legally qualify as securities or commodities, the criminal charges would fail.

The cryptocurrency craze erupted relatively quickly over the past decade and there has been considerable uncertainty over the regulatory status. Cryptocurrency markets have had a “wild west” feel to them and the government has been slow to respond. SEC leaders have said in recent speeches that they do not consider bitcoin itself to be a security. But the SEC has not been reluctant to pursue civil actions related to ICOs in new cryptocurrencies under specific factual circumstances. Suffice it to say that the legal status of cryptocurrencies is still somewhat up in the air, and that status may depend a great deal on the facts of a particular offering or transaction.

The McAfee indictment is full of hedges in this regard. It says that “certain uses and aspects of digital currencies qualify them as commodities” and that “in certain circumstances, digital assets can also qualify as securities.” Although the indictment confidently asserts that these particular transactions were subject to federal jurisdiction, the language of the indictment itself appears to recognize this is a gray area. This case may lead to a judicial determination concerning the status of cryptocurrencies that could have much wider implications.


Twitter Cryptocurrency Fraud: Old Wine in New Bottles

At the press conference announcing the indictment, FBI Assistant Director William F. Sweeney, Jr. said the case involved an “age old pump-and-dump scheme.” It’s true that, despite the glitzy new technologies involved, the alleged schemes in the McAfee fraud case involve old, tried-and-true fraud techniques. And there are several characteristics of the cryptocurrency markets that make them prime candidates for these kinds of classic schemes.

The first is the complex and confusing nature of the product. Many, if not most, people probably don’t have a clear understanding of what exactly a cryptocurrency is, how it works, or why it has any value at all. That makes the area ripe for fraud. One hundred years ago, when pioneering the type of fraud scheme that still bears his name, Charles Ponzi relied on obscure instruments known as postal reply coupons and claims about international variations in currency and postal rates – difficult things for the typical 1920s investor to understand or verify. If an investment is difficult to understand, it makes it easier for potential fraudsters to deceive people about that investment.

Related to the obscure nature of the investment is the ability of a celebrity or other well-known figure to attract investors – or in this case, victims. Many watching the frenzy in cryptocurrencies likely wanted to get in on the action but felt uncertain about which altcoins might be good investments. If a tech leader with McAfee’s stature throws his name behind a particular coin, that will attract many who feel unqualified to evaluate the investment for themselves. That, of course, is why some of the ICO issuers were willing to pay McAfee such huge sums of money for his endorsement.

Another “high tech” feature that makes this case interesting is the role of Twitter. Virtually all of McAfee’s promotions and endorsements in furtherance of the alleged schemes took place on Twitter. We’ve seen how that social media platform transformed political communications in the hands of former president Trump and other users with large numbers of followers. The same characteristics that make it so easy to spread “fake news” when it comes to politics also make it easier to tout fraudulent investments. Twitter has a massive reach but is largely unregulated, making it easy to spread phony information to millions.

Something like a pump-and-dump scheme operates much more efficiently in the age of Twitter. In the days before digital communications, those engaging in such a scheme might have to print a newsletter or other document touting the stock in question and deliver it by mail. That involves printing and postage expenses and takes much more time.  In the digital age a potential fraudster can reach hundreds of thousands of people in an instant. Technology makes everyone’s job easier – including criminals’.

The final characteristic of cryptocurrencies that McAfee apparently was able to exploit is the investment frenzy surrounding them. When people see the astounding returns in something like bitcoin they want to get in before they miss out – and that can cause people to let down their guard. Some have compared the frenzy surrounding bitcoin to the famous Dutch tulip mania in the 1700s, the first great investment bubble. If you read some of the online commentary about altcoins on sites like Reddit or Twitter, much of it has almost an evangelical tone. This is not only a warning sign of a potential bubble – it also creates an environment where criminals can prey on those caught up in the frenzy.

What to Watch

McAfee is currently in custody in Spain, awaiting extradition. He was arrested there several months ago on federal tax evasion charges filed in a separate case in Tennessee.  In the meantime, he continues to take to Twitter, now to defend his conduct and attack the government’s case.

McAfee Tweet

Watson has been arrested on the criminal charges. In addition to the criminal indictment, both men are also facing civil charges from the CFTC and SEC.

The McAfee fraud case should be a cautionary tale for investors eager to jump on the latest hot bandwagon based on celebrity endorsements. And it could be a sign of things to come as the federal government, under the Biden administration, seeks to flex its muscles when it comes to policing the cryptocurrency markets.
