No Prison Time for FTX’s Gary Wang

Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, sentences in the FTX, Bitfinex and Helix cases were passed, a $25.5M Thala hack was uncovered, Delhi police arrested a suspect in the WazirX hack and South Korea probed Upbit for AML violations. U.S. Democratic lawmakers pushed for a tougher crackdown on the Tornado mixer and the U.S. Attorney for the Southern District of New York will reportedly scale back on cryptocurrency cases. BIT Mining paid a $10 million fine to settle bribery allegations and the Communist Party of China expelled a key figure in China’s blockchain industry.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

A U.S. federal judge sentenced FTX Co-Founder and Former CTO Gary Wang to time served and three years of supervised release for all of the four counts he earlier submitted a guilty plea. Wang is the final former executive of the collapsed crypto exchange to face sentencing. He also forfeited $11 billion. Wang cooperated extensively with prosecutors, earning praise for his crucial role in deciphering FTX’s complex code and uncovering the scheme involving customer funds.

Wang’s relatively lenient sentence contrasts with those of other FTX executives. Founder Sam Bankman-Fried received 25 years in prison, while Alameda Research’s Former CEO Caroline Ellison and Executive Ryan Salame received two years and seven-and-a-half years in prison, respectively.

Heather “Razzlekhan” Morgan received an 18-month prison sentence for her involvement in laundering cryptocurrency from the 2016 Bitfinex hack, currently valued at $10.84 billion. Morgan, who pleaded guilty to money laundering and conspiracy to defraud the U.S., expressed regret for her actions during sentencing. U.S. District Court for the District of Columbia Judge Colleen Kollar-Kotelly mentioned the severity of the crime, stating that Morgan’s participation was deliberate and ceased only after her arrest. Morgan has until January to report to prison and will serve three years of supervised release after her sentence. The government recommended the sentence due to her cooperation, while her attorneys pushed for time served.

Her husband and co-conspirator, Ilya “Dutch” Lichtenstein, received a five-year sentence for hacking Bitfinex to steal 120,000 bitcoins. Prosecutors said that although Morgan only learned of the hack three years later, she willingly helped launder funds, amounting to $14 million at 2016 prices. Law enforcement seized the remaining funds, valued at over $6 billion today.

Morgan, who called herself the “Crocodile of Wall Street” in addition to going by the online handle of “Razzlekhan” while posting now mostly-deleted rap videos about cryptocurrency, remains free on recognizance until her reporting date. Amazon MGM Studios is reportedly producing a movie about her life, as she plans to share her story publicly.

Forty-one-year-old Ohio man Larry Dean Harmon is set to be sentenced to three years in federal prison for operating darknet cryptomixer Helix, which laundered over $300 million worth of bitcoin between 2014 and 2017. The site was popular with online drug, which was used to obscure illicit proceeds. Helix, linked to Harmon’s darknet search engine Grams, processed at least 354,468 bitcoins, valued at approximately $311 million at the time, much of which was tied to darknet drug markets. Harmon earned commissions and fees for facilitating these transactions, while integrating Helix into major darknet markets through a custom API.

Harmon pleaded guilty in 2021 to conspiracy to commit money laundering. Along with his prison sentence, he was ordered to forfeit over $311 million, in addition to cryptocurrencies, real estate and assets valued at more than $400 million. He also faces a $60 million civil monetary penalty from the Financial Crimes Enforcement Network.

Hackers exploited a smart contract to drain $25.5 million from the decentralized protocol Thala, but later, returned the assets in exchange for a $300,000 “bug bounty.” Thala told users that they would be fully compensated, though all relevant contracts and the protocol’s frontend remain paused for security audits.

Delhi police reportedly arrested a suspect linked to the theft of $230 million in cryptocurrency from WazirX, one of India’s largest crypto exchanges. Masud Alam from West Bengal allegedly created a WazirX account under a false identity and sold it on Telegram, which was later used to breach the platform. The attackers reportedly drained WazirX’s hot wallet and attempted to compromise its more secure cold wallet.

Efforts to trace the stolen funds are reportedly hindered by the refusal of Singapore-based Liminal Custody, the firm securing WazirX wallets, to cooperate with the investigation or share requested data. Despite this, Liminal Custody maintains that its systems and customer assets remain secure and unaffected by the breach.

WazirX said in July that the attackers breached its security measures despite efforts to protect customer assets. Police are also investigating potential misuse of the exchange’s multi-signature wallets. Reports suggest the breach resulted from external access through deceptive practices rather than vulnerabilities in WazirX’s systems.

South Korean cryptocurrency exchange Upbit is reportedly facing scrutiny for allegedly violating KYC procedures, putting its business license renewal in jeopardy. South Korea’s Financial Intelligence Unit said that Upbit may have committed between 500,000 and 600,000 KYC breaches, including accepting IDs with blurred personal data, which prevented proper user identification. If confirmed, the exchange could face fines of 100 million Korean won or $71,500 per violation and additional regulatory penalties.

KYC and anti-money laundering compliance are mandatory for South Korean virtual asset service providers. The alleged violations surfaced during Upbit’s business license review, intensifying scrutiny on the platform. This comes shortly after an investigation by the Financial Services Commission into potential anti-monopoly practices related to Upbit’s relationship with K-Bank, which has 70% of its deposits linked to crypto exchanges.

U.S. Democratic lawmakers urged the Department of Treasury to intensify enforcement against Tornado Cash, a decentralized cryptocurrency mixing service sanctioned in 2022 for facilitating over $7 billion in illicit transactions. Despite these sanctions, Tornado Cash remains active, processing $1.8 billion in deposits in the first half of 2024, a 45% increase compared to the previous year. The lawmakers criticized its ongoing use by rogue states, terrorists and cybercriminals. They requested updates on illicit activity facilitated through the platform, enforcement actions against its users and associated exchanges, and plans for secondary sanctions on non-U.S. entities involved with mixed funds. They also sought a timeline for a proposed Financial Crimes Enforcement Network regulation mandating transaction record-keeping for mixers.

The U.S. Attorney’s Office for the Southern District of New York plans to scale back its focus on cryptocurrency-related cases, Reuters reported, citing Scott Hartman, co-chief of SDNY’s securities and commodities fraud task force. While the SDNY will continue prosecuting significant crypto cases, Hartman said that fewer resources would be devoted to the sector compared to its activity in 2022. The office has been pivotal in high-profile prosecutions, including those of former FTX CEO Sam Bankman-Fried and Celsius Founder Alexander Mashinsky. Hartman’s remarks follow President-elect Donald Trump’s planned nomination of former SEC Chair Jay Clayton as attorney for SDNY. Clayton previously led the SEC during the 2017-18 initial coin offering boom, filing several high-profile crypto cases, including the ongoing lawsuit against Ripple over XRP’s alleged status as an unregistered security.

BIT Mining agreed to pay $10 million in penalties to settle U.S. Department of Justice and the Securities and Exchange Commission investigations into its role in a bribery scheme targeting Japanese government officials. Between 2017 and 2019, the company admitted to paying $1.9 million in bribes through consultants to secure a casino resort bid, which it did not win. The firm entered a three-year deferred prosecution agreement for violating the Foreign Corrupt Practices Act, with former CEO Zhengming Pan also facing charges.

The publicly traded company, formerly called 500.com, transitioned into cryptocurrency mining and rebranded as BIT Mining in April 2021.

Though U.S. sentencing guidelines suggested a $54 million penalty, the DOJ reduced it to $10 million due to BIT Mining’s financial constraints. The SEC also imposed a $4 million civil penalty, credited against the DOJ’s total. Investigators found deficient controls at the company fostered an environment for corruption. BIT Mining has pledged ongoing cooperation, compliance improvements and regular remediation updates during the DPA period.

The Communist Party of China expelled Yao Qian, a former key figure in China’s blockchain industry and ex-head of the central bank’s digital currency institute, for alleged corruption involving cryptocurrency. The country’s anti-graft authorities said that Yao violated discipline and law, misrepresenting himself as a financial technology expert and using his regulatory position to benefit specific tech providers for personal gain. Yao is accused of accepting a large sum of illegal funds and assets, although the exact amount was not disclosed. His case has been referred to prosecutorial authorities for further investigation. Yao served as head of the central bank’s digital currency research institute from 2017 to 2018 before moving to the China Securities Regulatory Commission.