Pierluigi Paganini
January 05, 2026
Ilya Lichtenstein (38), convicted for the hack of the cryptocurrency stock exchange Bitfinex in 2016, has been released from prison early.
A Trump administration official told CNBC that Lichtenstein served significant prison time and is now on home confinement. Morgan celebrated his return after four years apart.
The cyber criminal credited his early release to Trump’s 2018 First Step Act, and he is scheduled for release from prison on January 25, 2026, according to the Federal Bureau of Prisons.
The First Step Act is a U.S. federal law passed in 2018 under President Trump that aims to reform the criminal justice system. It seeks to reduce the federal prison population, improve rehabilitation through education and training programs, revise sentencing laws for certain offenses, and uses a risk and needs assessment system to determine eligibility for early release and other programs. The law allows inmates to earn credits for good behavior and rehabilitation, potentially shortening their prison terms and supporting reintegration into society.
In November 2024, Ilya Lichtenstein was sentenced to five years in prison for his involvement in a money laundering conspiracy arising from the hack and theft of approximately 120,000 bitcoin from Bitfinex.
Over 96% of the stolen funds have been recovered, with most remaining unspent, according to defense attorney Samson Enzer and with assistance from Lichtenstein.
In February 2022, Ilya Lichtenstein (35) and his wife, Heather Morgan (32), were arrested for alleged conspiracy to launder $4.5 Billion in stolen cryptocurrency stolen during the 2016 hack of Bitfinex. Law enforcement also seized over $3.6 billion in cryptocurrency (roughly 95,000 of the stolen crypto assets) linked to that hack.
In August 2023 the married couple from New York pleaded guilty to money laundering charges in connection with the hack of the cryptocurrency stock exchange Bitfinex in 2016.
The hackers stole 120,000 Bitcoin, and the Bitcoin value significantly dropped after the discovery of the security breach.
Since the arrest of the couple, the government has seized another approximately $475 million tied to the cyber heist.
Lichtenstein used a number of advanced hacking tools and techniques to breach Bitfinex’s network and once gained access to its infrastructure fraudulently authorized more than 2,000 transactions in which 119,754 bitcoin was transferred from Bitfinex to a cryptocurrency wallet in his control.
Lichtenstein also managed to cover his tracks by deleting access credentials and other log files. Lichtenstein’s wife, Morgan, helped the man in laundering the stolen funds.
The duo used fake identities to set up online accounts and software to automate transactions, exchanged part of stolen funds into gold coins and other crypto assets, and used mixing services like ChipMixer.
Morgan was sentenced to 18 months in prison, but she was released about a month earlier.
My question is, are we sure that all the stolen funds have been fully recovered? Did the two really compensate for all the damage caused by their actions? Let’s remember the collapse in Bitcoin’s value following the hack. How many investors were irreparably harmed at the time? In any case, justice has been quite lenient with them considering the damage caused.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Bitfinex hack)
