$3.6 Billion Reasons to Up Cryptocurrency Compliance: FBI Cracking Down on Crypto Criminals

Alerts / February 16, 2022

Key Takeaways

  • Banks and cryptocurrency exchanges need to update their BSA programs to account for the unique aspects of cryptocurrencies, detect and report related suspicious activity, and minimize the risk of cryptocurrency-related money laundering occurring through their businesses.
  • If cryptocurrency-related money laundering does occur, financial institutions must be able to defend their BSA programs as upholding a “reasonable risk-based approach” to address cryptocurrency risks.
  • Financial institutions must have policies and procedures in place that specifically address cryptocurrency-focused requests from law enforcement.
  • All service providers must consider criminal patterns and whether their platforms are at risk for use by criminals.


Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, were arrested last week for an alleged conspiracy to launder 119,754 bitcoin (valued at approximately $4.5 billion) emanating from the 2016 hack of cryptocurrency exchange Bitfinex. Law enforcement has seized around $3.6 billion in value connected to the hack. The couple has been charged with conspiring to commit money laundering and defraud the United States.


In or around August 2016, a hacker breached Bitfinex’s security systems and infiltrated its infrastructure, and then funneled 119,745 bitcoin out of the exchange, through a series of fraudulent transactions, to an external unhosted wallet allegedly controlled by Lichtenstein and Morgan. The bitcoin was valued at approximately $71 million at the time of the hack.

U.S. authorities were able to trace the stolen funds on the Bitcoin blockchain after they observed the funds being transferred across multiple accounts and platforms through a large number of transactions apparently designed to conceal the stolen bitcoin’s origination and launder the funds.[1] Multiple cryptocurrency exchanges were used as part of this elaborate scheme to obfuscate the flow of the stolen funds. Despite these efforts, law enforcement was able to trace the fund transfers to accounts controlled by Lichtenstein and Morgan.

The remainder of the stolen funds, however, lingered in the external unhosted wallet allegedly controlled by the couple. In early 2022, law enforcement executed a search warrant and as a result gained access to a cloud storage account maintained in Lichtenstein’s name. From within this account, law enforcement located and decrypted a file that contained 2,000 cryptocurrency addresses or public keys and their corresponding private keys.[2] Thereafter, law enforcement was able to use the private keys found in the encrypted file to take control of around 94,636 bitcoin, currently valued at approximately $3.629 billion.

Lichtenstein and Morgan purportedly used the following money laundering tactics to facilitate their crimes: (1) creating accounts with fictitious identities at various types of service providers; (2) moving small amounts of stolen funds over the course of thousands of transactions, rather than moving funds in larger chunks or all at once; (3) automating transactions through computer programs, a technique that facilitates many transactions over a short period of time; (4) depositing stolen funds into accounts at a variety of cryptocurrency exchanges and darkweb markets before withdrawing the funds, which muddies the transaction history by disrupting the funds flow; (5) converting bitcoin to other forms of cryptocurrency, including anonymity-enhanced cryptocurrency (“chain-hopping”); and (6) using accounts associated with U.S.-based business entities to create the impression of legitimate activity.

Banks and Cryptocurrency Exchanges Need Adequate AML Programs

This case serves as a warning to banks and cryptocurrency exchanges that they must ensure their anti-money laundering (AML) programs are adequate. The Bank Secrecy Act (BSA) and the regulations promulgated thereunder are the primary tools the U.S. government uses to fight money laundering. The BSA and regulations issued by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) require businesses to develop, implement and maintain an ongoing AML compliance program that includes the following components: (1) written policies, procedures and internal controls designed to comply with BSA requirements including verifying customer identities, detecting and reporting suspicious activity, retaining certain records, and responding to law enforcement requests; (2) a designated AML compliance officer; (3) an ongoing training program for appropriate personnel; (4) periodic independent reviews of the AML compliance program; and (5) for covered financial institutions, procedures to identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control and profit from companies when those companies open accounts.[3]

Even BSA-compliant organizations, however, can get stuck in the crosshairs of U.S. law enforcement investigations. Here, for example, Lichtenstein and Morgan used multiple cryptocurrency exchanges to funnel stolen funds in an attempt to prevent tracing of these funds by law enforcement. As part of this elaborate scheme, Lichtenstein and Morgan allegedly lied to exchanges about the source of their funds with the goal of preventing the exchanges from filing suspicious activity reports (SARs), thereby eluding the enforcement of any BSA policies and procedures the exchanges may have implemented.

As the cryptocurrency markets continue to expand, the potential for financial services businesses and other service providers, such as cloud storage platforms, to be used by bad actors for criminal purposes will likely increase. Therefore, financial institutions, including cryptocurrency exchanges, must both maintain and regularly update their AML programs to account for evolving criminal tactics and strategies. As law enforcement cryptocurrency capabilities continue to improve, and as the cryptocurrency markets become a higher priority for the DOJ, cryptocurrency-related crimes that previously went undetected will increasingly be discovered.

The BakerHostetler Blockchain Technologies and Digital Currencies team and White Collar, Investigations, and Securities Enforcement and Litigation team comprise dozens of experienced individuals, including attorneys who have served in the DOJ and SEC. Our attorneys include former United States Attorneys, Branch Chiefs, and Unit Chiefs as well as partners who have served in the SEC’s Division of Enforcement and the SEC’s Office of the General Counsel, and attorneys with extensive experience across all sectors of the blockchain and cryptocurrency markets, including investigations, BSA/AML compliance, tax, privacy, transactions, intellectual property and technology design. Please feel free to contact any of our experienced professionals if you have questions about this alert.

[1] U.S. v. Lichtenstein, et al., 1:22-mj-00022-RMM (D.C. Feb. 7, 2022).

[2] Cryptocurrency typically functions through public-key cryptography, whereby funds are transacted via public key and the transactions are authorized via a private key, which is typically possessed by only the public key address owner.

[3] See 31 C.F.R. § 1022.210; 31 C.F.R. § 1010.311; 31 C.F.R. § 1010.410(e); 31 C.F.R. § 1010.415; 31 C.F.R. § 1010.230.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.