
How Hacks Happen
Hacks, scams, cyber crimes, and other shenanigans explored and explained. Presented by cyber security teacher and digital forensics specialist Michele Bousquet.
Social Media Smoke: Razzlekhan, Dutch, and the $4 Billion Heist
When over 100,000 Bitcoin went missing in 2016, no one suspected the culprits: a quiet, mild-mannered developer and his ostentatious entrepreneur/rapper wife with a wacky social media presence. Meet Razzlekhan and Dutch, the most unlikely thieves in the history of crime.
Resources:
- Razzlekhan and husband guilty of $4.5bn Bitcoin launder
- Bitcoin Plunges After Hacking of Exchange in Hong Kong
- Bitfinex Hacker Sentenced in Money Laundering Conspiracy Involving Billions in Stolen Cryptocurrency
Social Media Smoke: Razzlekhan & Dutch
A little warning: this episode contains some spicy language. Not mine, but from some of the clips I’m going to play.
Welcome to How Hacks Happen, the podcast that dives into real life stories of scams, cyber crimes, and the sometimes strange stuff that goes on. I'm your host, Michele Bousquet. Today's story isn't just a hack, and it's not just about social media. It's about the biggest digital theft ever to take place, one worth $4.5 billion, and the couple who perpetrated it. We're not exactly talking about Bonnie and Clyde here, though. It was more like Mr. Robot and Angelica from the cartoon series Rugrats, if Angelica had decided to be a rapper.
This is easily the strangest story I've ever covered, and I tell you I am here for it. So let's take a little trip into the world of Ilya Lichtenstein and Heather Morgan, he a smart, quiet guy, and she a smart, loud, and quirky woman, and how they pulled off the crime of the century, and the missteps that helped lead authorities right to their doorstep, landing them both in jail.
Before we get to the heist itself, let's talk about Ilya and Heather. We start our story in Silicon Valley, one of the most romantic places in the world, where the two met. Heather always called Ilya "Dutch", so that's what we'll call him here. Dutch had immigrated from Russia to the United States when he was a kid, and Heather grew up in California.
Dutch was a successful software developer with a startup called MixRank, which aggregated ad data from multiple sources and sold it. MixRank was successful, but Dutch left it behind to pursue other projects. Heather Morgan was, according to herself, an economist, a journalist, an entrepreneur. She had a cold email business called Sales Folk which helped companies get better responses from their emails.
She wrote for Forbes Magazine, she presented at conferences, and she speaks a bunch of languages. Ironically, she sometimes wrote about cybersecurity, calling out companies for their lax methods that could leave security holes worth billions of dollars. You don't say.
Around 2013, Morgan and Dutch meet through the Silicon Valley startup scene, and after a while they become a couple and they move in together. Eventually in 2016, Dutch finds a way to get into where there is a bunch of Bitcoin and steal a lot of it, like a lot.
So how does a hack like this happen? I would not be How Hacks Happen if I could not explain, so I shall.
To understand how Bitcoin can get stolen in the sense that most of us think of stealing, you first need to understand a little bit more about how cryptocurrency works.
Cryptocurrency is considered currency in the kind of way that Dollars and Euros and other currencies are, because technically, you can use crypto to buy things. The catch is, you can buy stuff with it only if the seller is actually willing to accept it, and there's not many places that do. Because of that, cryptocurrency is more like an investment, kind of more like the stock market. Like you invest in it, in the hopes that its value will go up in comparison to the currency you're using, and then you can cash it out in the real currency of your choice so you can spend the money.
It's also like the stock market in the way that if more people are buying than selling, the value goes up. And if more people are selling than buying, the value goes down.
You might hear people talking about buying and selling cryptocurrency as opposed to saying they're investing or trading in it, but it's all the same thing, just a difference in words, just so you know.
And Bitcoin is one of the cryptocurrencies that has had one crazy ride. It's gone up and down, but mostly up. If you bought a hundred dollars worth of Bitcoin in 2010, that investment would now be worth tens of millions of dollars, like from a hundred bucks to 40 or 50 million. And Bitcoin has held its higher value for quite some time. Most other cryptocurrencies, we can't say the same thing about them.
I actually did a whole episode on Bitcoin in season one. It's called Blockchain and Bitcoin, and if you want a deeper dive, you can go have a listen. But for the purposes of talking about this insane hack, just what I've told you so far is enough to follow along with this story.
So now we're gonna talk about crypto exchanges. A crypto exchange is kind of like a combination bank and trading platform for cryptocurrency.
You sign up, then you transfer in some official real currency from your real bank account, like US dollars or Euros or whatever, and you transfer that into a cash account on the exchange. And then you use that money to buy different kinds of cryptocurrency.
Any cryptocurrency you own is put in a virtual wallet for safekeeping.
Something else to know about cryptocurrency is that transactions are stored in public on the internet in a big chain of anonymous transactions called the Blockchain. Transactions are tracked not by a person's name or social security number or whatever, but by a long string of letters and numbers called an address.
For your own cryptocurrency, you are the only one who knows that address that's associated with you unless you choose to make it public. This makes the transactions themselves anonymous.
So there's two things going on here: say you buy and sell crypto for a while with your address and all those publicly visible transactions are out there, but no one knows that the address on those transactions is connected to you. Then when you go to cash out through the exchange, the trail of cash is linked to you personally because it goes through your account on the exchange. This distinction, the anonymous transactions versus the cashing out to your identity, this will become important when we talk about this $4 billion hack and how the hackers got caught.
So let's talk about the hack.
In 2016, our two main characters here, Heather Morgan and Ilya Lichtenstein, aka Dutch, somehow managed to hack the Bitfinex Cryptocurrency Exchange. Bitfinex, which calls itself the world's leading digital asset exchange, is a lot like other exchanges. You can buy and sell Bitcoin and other cryptocurrency like Ethereum and a whole bunch of other ones.
No one knows for sure how the hackers got in, but there's a few theories, and one is that Morgan used her social engineering skills to somehow get an administrative password for the Bitfinex system. Remember, she's a master of emails, so maybe she sent a really good phishing email to the right person, got them to click on a link and enter their login and password.
If that's the case, then after that, Dutch got to work. He altered some of the code in the system to send him users' passwords as they logged in.
However he got the information, he created around 2000 individual transactions that sent Bitcoin out from the accounts on Bitfinex to a variety of wallets that he owned, and he apparently was inside Bitfinex for months, dribbling out little bits of Bitcoin here and there.
Now, some Bitfinex users noticed that their Bitcoin was missing, and of course they reported it to the platform, but Bitfinex couldn't figure out what was going on. It probably looked like some kind of computer glitch or something.
Eventually, Dutch transferred a total of 119,754 Bitcoins out of customer wallets. That's almost 120,000 Bitcoin, and that amount of Bitcoin was worth about $70 million at the time.
Bitfinex eventually figured out that they were being hacked and they shut it down and they called the Feds, but there was no way to know who was behind it. They could see the wallet addresses that the Bitcoin went to, but who did those wallets belong to?
As for Morgan and Dutch, it looked like they had gotten away with it, and for them the fun had just begun.
Imagine that you just got $70 million. What would you do with it? For Morgan, this was an easy question to answer. She was going to fulfill her dream, and that dream was becoming a famous rapper.
Razzlekhan: “Razzlekhan, the Versace Bedouin, come real far but don’t where I’m heading. Motherfuckin’ Crocodile…”
Who knew that under that professional exterior talking about Silicon Valley tech, that there was a rapper hidden underneath? No one did, not until a few years after the hack, when Morgan rebranded herself as Razzlekhan and started making rap videos.
Razzlekhan: “Love to be contrary but I’m sly like a gator, I’ve got pilot blood, a real risk-taker, pirate riding the flood, badass money maker…”
I'm going to give some commentary here about the rapping.
I do listen to a little rap, and some of it can be quite moving. The best is like slam poetry where the passionate delivery and the message give great meaning to whatever struggles the rapper is trying to communicate to you. The worst of rap, though, is when someone randomly rhymes words while flailing around and throwing gang signs when it's obvious they have never been within a mile of an actual gang. And that pretty much describes Razzlekhan's rapping.
Razzlekhan: “Better than most writers, creepier than most girls, weirder than most rappers, but I still rock pearls…”
Now I don't diss the girl for following her dream. She went for it and you know, good for her. As a sign of respect for that, I'm gonna call Heather Morgan “Razzlekhan” from now on in this episode.
But Razzlekhan's rap videos, they don't quite get the traction that she was hoping for. She gets a few hundred views, not the millions that she wanted. So she turned to other kinds of content, you know, slice of life stuff with Dutch about cat food, and unboxing videos and DIY projects, and interspersed with these weird skits where she's dressed up like a lion, I think, it's hard to tell. And another one with a raccoon face saying, "I like trash. I like cash, I like my potatoes mashed." Every face filter you've ever seen, and then some more after that, and one of them, she's dancing around with pasties on her boobs, doing housework. Just dozens and dozens of videos, all this crazy stuff.
The most popular ones, they get a few thousand views, but not the viral success that Razzlekhan seemed to crave. It just didn't happen.
Razzlekhan: “I’m many things, a rapper, an economist, a journalist, a writer, a CEO, and a dirty, dirty, dirty, dirty hoe.”
You might think that with $70 million, the couple was set for life and would go around buying sports cars and designer clothes. Besides, in the years between the heist in 2016 and six years later in 2022, the value of Bitcoin had skyrocketed and their Bitcoins were now worth over $4 billion. Yep, that's right. Billion with a B.
But they had a serious problem. They couldn't safely cash out the money without it being traced back to them.
The feds could see the addresses of the wallets that the Bitcoin had gone to, but they had no way of knowing who they belonged to. But if Razzlekhan and Dutch cashed it out at an exchange, the feds would know immediately that it was them.
Now, there are ways to cash out without an exchange, but almost all of them require some form of ID. Like you could go to a Bitcoin ATM, but you have to show ID plus they have cameras there. And any method that doesn't require ID, these are super risky. Like you can meet some broker in a dark alley and exchange the wallet information for a big bag of cash, but you just might get clocked over the head in the process.
So cashing out without getting caught, that was a huge problem. What Razzlekhan and Dutch did to solve that problem is launder the money, then trickle it out in bits and pieces, staying under the radar as much as possible. For this, they used a technique called crypto tumbling.
Here's how it works. First thing you do is shop around on the dark web for a service that does crypto tumbling. Let's say you find one called CryptoBumbler.
You give CryptoBumbler one of your Bitcoin, and you also give them an address to a new Bitcoin wallet, one you just created for yourself anonymously on the web.
At the same time, a hundred other people do the same thing. They give CryptoBumbler one Bitcoin. All these individual bitcoins go into this one giant wallet, this tumbler controlled by CryptoBumbler. Then CryptoBumbler distributes each Bitcoin out to these new anonymous wallets provided to them, and off they go, those Bitcoins, off to a hundred different wallets.
If there's illegal money mixed in there, it's impossible to know which of the new wallets it went to. This is crypto mixing or crypto tumbling.
So back to the hacked Bitcoin from Bitfinex. The Feds watching those original wallets where the stolen Bitcoin went, they could trace a Bitcoin transaction to this big crypto tumbler, but then it became harder to track, especially if you tumble the crypto over and over again.
So anyone watching would have to follow thousands of addresses to see who was cashing out Bitcoin that was maybe connected to the original hack.
As for Razzlekhan and Dutch, they tumble the crypto a few times and cash out some of the money at the other end. Not a huge amount, but some, for example, they get married and they pay for the wedding in Bitcoin. They buy gift cards and new phones and PlayStations for their friends, and they pay for Uber rides, and they also set up some fake companies and pay these fake invoices with Bitcoin.
What they didn't know was that the Feds were creating these big graphs and chasing up all the addresses from all the crypto tumblers that the stolen funds had participated in. And eventually they found the gift cards and the shell companies, and they started to see this pattern pointing to a couple in New York City, Heather Morgan and Ilya Lichtenstein.
But the Feds had to be sure before they swooped in and arrested them. So they did a little research and what they found kind of knocked them sideways.
Razzlekhan: “I’m a motherfuckin’ bad bitch, go on and make me a sammich, you annoying like vag itch, so lame, it’s fuckin’ tragic…”
The first thing they come across is Razzlekhan's goofy YouTube videos, and they can't believe what they're seeing. They think they have to have gotten it wrong. Like how could these strange people making intentionally weird videos and living in this little modest apartment in New York City, how could they be the masterminds behind the biggest crypto heist in history?
In the words of Nick Bilton, the author of the American Kingpin book about the Silk Road website, here's what he says. "When you talk about the arrest of people involved in a $4.5 billion heist, you think that the criminals behind it are going to be these serious hardened people. But in reality, the people in this particular case, they are these wacky, cringey individuals who are posting these totally insane videos on social media while they're trying to pull off this incredible crime."
Razzlekhan: “Bad bitch, bad bitch, motherfuckin’ bad bitch…”
The two of them, Dutch and Razzlekhan, they weren't like ostentatious on social media. Their friends called them generous, but they weren't showing off like at the Hushpuppi level. But there were some clues. Razzlekhan's videos had lyrics like, “social engineer, meet me at the pier” and “spearfish your password, all your funds transferred.” Hmm. Interesting. In the end, so many Bitcoin transactions pointed right to them, and the feds made their move.
In 2022, 6 years after the hack, the Feds get a search warrant for the couple's apartment and they find a treasure trove of information, one of them being a spreadsheet pointing them to over 94,000 of the stolen Bitcoins. At the time, these were worth $3.6 billion.
Every cryptocurrency wallet is protected by a key, a really, really long string of letters and numbers. And while your address is publicly visible, your key is private only to you. Now Dutch and Razzlekhan, they had many, many wallets, and Dutch stored the keys to them in a spreadsheet called wallets.xlsx. You know, it's a little bit like robbing a bank and then you have a suitcase full of money and you label it “Stolen money. Do not open.”
Oh, and the Feds also found a bag in a drawer labeled “burner phones.” It was full of, you know, can you guess? It was full of burner phones. Those criminal masterminds, man.
And so after six years of living, you know, comfortably but not largely, and agonizing over how to launder this enormously huge pile of Bitcoin, Razzlekhan and Dutch were busted. The arrest made headlines, not just because of the size of the seizure, but because of who got arrested.
When I first saw an article about this bust, I thought it was from The Onion, which is this satirical comedy news site that makes up stories. But no, it was real. And Razzlekhan, she was suddenly all over the news.
They would have a clip of her rapping and then there would be a headline, like “Billion dollar Bitcoin Bust”. And there's a scam buster on YouTube called Coffeezilla. He famously said that Razzlekhan should be sentenced to 25 years in prison simply on the basis of how cringey her videos are. Ouch.
And Heather Morgan, aka Razzlekhan, finally got the fame that she wanted. Her flagship rapping video, called Versace Bedouin, currently has over half a million views. I think mostly from people who watch the Netflix documentary about the theft, it's called The Biggest Heist Ever.
Razzlekhan: “Razzlekhan, the Versace Bedouin, come real far but don’t where I’m heading. Motherfuckin’ Crocodile of Wall Street. Silver on my fingers and boots on my feet.”
In November 2024, Razzlekhan and Dutch were sentenced for their crimes: five years for Dutch, and 18 months for Razzlekhan. Bitfinex has since upgraded their security and they haven't had a similar problem since.
And that, girls and boys, is the story of the biggest crypto heist in history and the couple behind it.
I watched a lot of Razzlekhan’s rap videos to prepare for this episode, and I gotta say, she’s kind of grown on me. Just a girl working in the sometimes very dry field of technology, wanting to express herself in the arts. She chose rapping, I chose podcasting. So I can relate!
Razzlekhan is out of jail now and back on social media with a few thousand followers, making videos about stuff like her ankle monitor. And Dutch, he's still behind bars.
This is Michele Bousquet from How Hacks Happen, signing off. Remember kids, launder your crypto carefully, or better yet, don't steal it to begin with.