Even though Lichtenstein’s private keys were kept in cloud storage, according to the DOJ they were encrypted with a password so long that even sophisticated attackers would probably not have been able to crack it in their lifetime. The DOJ did not respond to a request for comment on how it was able to decrypt the file and access the private keys.
The most likely case of the three is arguably that law enforcement didn’t need to decrypt the file in the first place, which makes sense, especially given the DOJ comments above. Special agent Janczewski and his team could have gained access to the password somehow and would not have needed to brute-force their way through the cloud storage’s files.
An alternative reason for keeping the private keys online would be simple lack of care. The hacker could simply have thought their password was secure enough and fallen for the convenience of having it on a cloud service that can be accessed anywhere with an internet connection. But this scenario still doesn’t answer the question of how the couple got access to the private keys related to the hack.
First, all of the Poloniex accounts used the same email provider based in India and had “similarly styled” email addresses. Second, they were accessed by the same IP address — a major red flag that makes it trivial to assume the accounts were controlled by the same entity. Third, the accounts were created around the same time, close to the Bitfinex hack. Additionally, all accounts were abandoned following the exchange’s requests for additional personal information.
Lichtenstein joined multiple bitcoin withdrawals together from different Poloniex accounts into a single Bitcoin wallet cluster, after which he deposited into an account at a bitcoin exchange (Coinbase, according to Ergo),
Lichtenstein also kept a spreadsheet in his cloud storage containing detailed information about all eight Poloniex accounts.
Five different accounts at the same exchange used the same IP address, hosted by a cloud provider in New York. When the provider handed its records to law enforcement, it was identified that the IP was leased by an account in the name of Lichtenstein and tied to his personal email address.
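The account-linkage signals the article lists (shared login IP, shared email provider, accounts created within a short window, all abandoned after a request for extra identity documents) are the kind of check an exchange's compliance or fraud team runs over its own signup records. The following is an added example, not code from the article or from any exchange; the account records, email addresses and IPs are constructed (the IPs come from documentation ranges), and the three-day window and two-signal threshold are assumptions chosen for the illustration.

```python
"""
Added example (not from the article): the account-linkage signals the
article describes, applied to a constructed batch of exchange signup
records. Shared IP is the primary grouping key; the other signals
corroborate it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; none of this is real data.
ACCOUNTS = [
    {"id": "acct-1", "email": "trader.alpha@mail.example.in", "ip": "203.0.113.7",
     "created": "2016-08-05T10:00:00", "abandoned_after_kyc": True},
    {"id": "acct-2", "email": "trader.beta@mail.example.in", "ip": "203.0.113.7",
     "created": "2016-08-05T11:30:00", "abandoned_after_kyc": True},
    {"id": "acct-3", "email": "trader.gamma@mail.example.in", "ip": "203.0.113.7",
     "created": "2016-08-06T09:15:00", "abandoned_after_kyc": True},
    # Two colleagues behind one office NAT: shared IP and provider, but years apart
    # and still active after KYC, so they should not be flagged.
    {"id": "acct-4", "email": "alice@corp.example.com", "ip": "198.51.100.20",
     "created": "2015-01-10T08:00:00", "abandoned_after_kyc": False},
    {"id": "acct-5", "email": "bob@corp.example.com", "ip": "198.51.100.20",
     "created": "2017-03-02T08:00:00", "abandoned_after_kyc": False},
]


def group_by_ip(accounts):
    """Group accounts that share a login IP; singletons carry no linkage signal."""
    groups = defaultdict(list)
    for a in accounts:
        groups[a["ip"]].append(a)
    return {ip: accts for ip, accts in groups.items() if len(accts) > 1}


def email_provider(address):
    """Normalise the domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def score_group(accts, window=timedelta(days=3)):
    """List the corroborating signals a shared-IP group exhibits (window is an assumption)."""
    signals = []
    if len({email_provider(a["email"]) for a in accts}) == 1:
        signals.append("same_email_provider")
    times = sorted(datetime.fromisoformat(a["created"]) for a in accts)
    if times[-1] - times[0] <= window:
        signals.append("created_within_window")
    if all(a["abandoned_after_kyc"] for a in accts):
        signals.append("abandoned_after_kyc_request")
    return signals


def linked_clusters(accounts, min_signals=2):
    """Return shared-IP groups with at least `min_signals` corroborating signals."""
    out = {}
    for ip, accts in group_by_ip(accounts).items():
        sig = score_group(accts)
        if len(sig) >= min_signals:
            out[ip] = {"accounts": sorted(a["id"] for a in accts), "signals": sig}
    return out


if __name__ == "__main__":
    for ip, info in linked_clusters(ACCOUNTS).items():
        print(ip, info)
```

A shared IP on its own is weak evidence (office NATs, VPN exits and mobile carriers all put unrelated users behind one address), which is why the example only reports a group once the corroborating signals the article names line up as well.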
Lichtenstein and Morgan maintained sensitive documents online, in a cloud storage service susceptible to seizure and subpoenas. This practice increases the chances that the setup could be compromised, as it makes such files remotely accessible and places trust in a centralized company.
Trust compromised most of the couple’s efforts in moving the bitcoin funds. The first service they trusted was the huge darknet market AlphaBay.
Another red flag in the couple’s handling of bitcoin relates to clustering together funds from different sources, which enables chain analysis companies and law enforcement to plausibly assume the same person controlled those funds.
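The clustering the article refers to rests on the common-input-ownership heuristic: every input spent together in one transaction is presumed to belong to one entity, so a single consolidation spend links outputs that came from unrelated sources. The following is an added example, not code from the article or from any chain analysis vendor; the transactions and address labels are constructed placeholders (not real Bitcoin addresses), and the backward trace from a deposit to its originating addresses is a simplification that ignores change detection.

```python
"""
Added example (not from the article): the common-input-ownership heuristic
plus a backward trace from a deposit address to the sources that fed it.
Transactions are constructed; address strings are placeholders.
"""
from collections import defaultdict

# (txid, input addresses, output addresses). Four withdrawals from different
# sources are consolidated in two hops into one exchange deposit; tx4 is unrelated.
TXS = [
    ("tx1", ["polo-w1", "polo-w2"], ["hop1"]),
    ("tx2", ["polo-w3", "polo-w4"], ["hop2"]),
    ("tx3", ["hop1", "hop2"], ["exchange-deposit"]),
    ("tx4", ["other-1"], ["other-2"]),
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def common_input_clusters(txs):
    """Merge all input addresses of each transaction into one presumed owner."""
    uf = UnionFind()
    for _txid, inputs, _outputs in txs:
        for addr in inputs:
            uf.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return sorted(sorted(c) for c in clusters.values())


def trace_sources(txs, address):
    """Walk the transaction graph backwards from `address` to addresses with no funding tx."""
    produced_by = defaultdict(list)  # address -> transactions that paid it
    for tx in txs:
        for out in tx[2]:
            produced_by[out].append(tx)
    sources, stack, seen = set(), [address], set()
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        if not produced_by[addr]:
            sources.add(addr)  # nothing in our view funded it: treat as a source
            continue
        for _txid, inputs, _outputs in produced_by[addr]:
            stack.extend(inputs)
    return sorted(sources)


if __name__ == "__main__":
    print(common_input_clusters(TXS))
    print(trace_sources(TXS, "exchange-deposit"))
```

The consolidation transaction tx3 alone is enough to tie hop1 and hop2 to one owner, and the backward walk then shows all four withdrawal addresses converging on the same deposit, which is exactly the "same person controlled those funds" inference the article describes.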
Lichtenstein and Morgan did attempt chain hopping as an alternative for obtaining spending privacy, a technique that attempts to break on-chain fingerprints and thus heuristic links. However, they performed it through custodial services — mostly bitcoin exchanges — which undermine the practice and introduce an unnecessary trusted third party that can be subpoenaed.