Bitfinex Security Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BitFinex Logo/Chart

In August 2016, Hong Kong-based Bitfinex was the largest cryptocurrency exchange platform in the world. It had just completed an upgrade of customer wallets to a new multi-signature security setup which gave each customer a 2 of 3 multi-sig wallet: one unique key stored in a database, one key held by Bitfinex supposedly offline, and a third key held by the third party BitGo. While great in theory, the setup did not in practice require multiple independent signatures or any offline signing to initiate the withdrawals themselves. This became apparent when a single system was able to initiate and complete a large number of withdrawals, using both the BitGo signature authorization and the database signature. The complexity of the system and the number of wallets did slow the theft down somewhat, as each wallet withdrawal required a separate blockchain transaction; however, by the time the Bitfinex team was able to intervene and stop the drain, $72m worth of customer bitcoin had already been withdrawn and Bitfinex did not have funds to cover a loss of this scale. Bitfinex ended up removing a portion of the balance on every customer's account and replacing it with new Bitfinex (BFX) Tokens. Over the next year, the exchange continued to operate and was reportedly able to recover the sum lost, though many customers bear resentment and do not feel that they have been made whole. As part of the process, 0.023% of the bitcoin was also returned by government and law enforcement. The theft remained officially unsolved for 6 years. Finally, at the end of January 2022, the FBI announced that they had seized the funds, by then worth $3.5b. The private keys had been stored in an online cloud service account. It is as yet unclear what will happen to those seized funds, which presently remain under civil asset forfeiture.

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42]

Potential duplicates: [19][27]

About BitFinex

"Bitfinex is a Hong Kong-based cryptocurrency exchange owned and operated by iFinex Inc., which is headquartered in Hong Kong and registered in the British Virgin Islands." "The Bitfinex exchange is a popular platform for exchanging cryptocurrencies, also hosting spot and derivatives trading as well as certain lending, borrowing and staking features. Bitfinex came into existence in 2012." "BitFinex offers three main functions - it is a pure bitcoin to fiat exchange, a margin trading exchange and a liquidity provider. The platform offers a number of features available that expand the financial positions you can take - for example, the ability to short Bitcoin via margin trading."

"Bitfinex also has its own utility crypto token called Unus Sed Leo (LEO). Because it restricts a number of regions, Bitfinex U.S. customers are not allowed. On Bitfinex, KYC and Anti-Money Laundering procedures are employed." "It serves all except a few countries in the world (mentioned below) and supports both fiat-to-crypto and crypto-to-crypto trades. Other notable features include margin trading, limit and stop orders, over-the-counter (OTC) trades, and others. While there are many options available, everything is laid out in an impressively intuitive fashion, with easy-to-navigate dashboards and menus."

The Reality

While multiple other exchanges use BitGo (including BitStamp and Kraken), it was typically employed only for a small portion of funds in a hot wallet. Bitfinex was instead using BitGo for the vast majority of customer funds. While Bitfinex had set up a multi-signature wallet, it became apparent through the hack that the keys and withdrawal mechanism were not as offline as had originally been promised. Unfortunately the Bitfinex platform was using a vulnerable BitGo implementation.

“There were a lot of reasons for why we went with this implementation with BitGo; one, a big one, was transparency,” said Tackett. “Everyone has their own wallet that they can watch on the blockchain. They can see their bitcoin at any time, and we settle it once per day.”

Government Regulation Failure

Initial government regulation focused on ensuring that all assets were stored in a separate account for each customer.

“the US government did interfere with, fine, and modify the operations of Bitfinex. But as far as [one researcher could] tell, the government's touch was incredibly gentle. First, they fined Bitfinex only $75K, a slap on the wrist, three months' salary for a valley dev, for not having spent the three months of a developer's time on some needed key management structure. Second, they made sure that Bitfinex kept its funds not in a master omnibus account, but in multisig accounts for each individual registered with bitfinex. Essentially, the regulators wanted to see that the coins were delivered to individuals, as opposed to held in one giant pool. This little accounting twist was all that was required to satisfy the regulators, who generally seem clueless and out of the picture as far as security measures go. All the relevant decisions about protecting the private keys, then, rest with Bitfinex.”

What Happened

The hackers managed to deceive the BitGo algorithms, forcing them to approve transactions and allowing the withdrawal of about 120,000 BTC from the hot wallet, worth the equivalent of $72 million at the exchange rate at that time.

Key Event Timeline - Bitfinex Security Breach

Date | Event | Description
August 2nd, 2016 3:02:45 AM MDT | First Withdrawal Transaction | The first malicious withdrawal transaction from the Bitfinex exchange, for a massive 2038.748721 bitcoin[43]. Transactions would continue rapidly, ordered by the size of the wallet, with the largest wallets being accessed and drained first[44].
August 2nd, 2016 12:07:04 PM MDT | Reddit Discussion | A discussion takes place on Reddit about the breach[45]. The post reveals that Bitfinex has experienced a security breach leading to a halt in all trading and digital token deposits/withdrawals. Some users' bitcoins have been stolen, and an investigation is underway. The platform aims to determine affected users, settle open positions, and normalize account balances before resuming operations. The breach is reported to law enforcement, and updates will be posted on their status page. Discussions among users reflect skepticism, suspicion of an inside job, concerns about losses, and debates on the fairness of a proposed 36.067% haircut on all accounts. Bitfinex's announcement of losses being generalized across all accounts using BFX tokens as placeholders is met with criticism and questions about legality. The situation is fluid, and users express frustration, uncertainty, and speculation about the platform's future[45].
August 8th, 2016 7:06:07 AM MDT | BBC Article Published | BBC news reports that users would collectively lose 36% of their assets due to the cyber-attack[1]. This loss-sharing approach, termed "socialising" losses, means that all users of the platform will bear a portion of the impact[1]. Emin Gun Sirer, a Bitcoin expert at Cornell University, highlighted the significant implications of this move, emphasizing that users effectively become part of an insurance plan for others when holding assets on exchanges[1]. The event is compared with previous attacks on exchanges like Mt Gox in 2014, where numerous users experienced losses[1]. Dr. Sirer anticipates challenges ahead and suggests a shift towards models with better understood insurance mechanisms[1]. Prof. Alan Woodward from the University of Surrey likened the situation to a bank spreading losses across all customers, emphasizing the vulnerability of users who hold bitcoins in exchanges and online wallets[1].
April 14th, 2021 11:06:00 AM MDT | Blockchain Transaction | Bitcoin blockchain transaction[46][47].
December 22nd, 2021 7:42:00 AM MST | Blockchain Transaction | Bitcoin blockchain transaction[46][48].
December 22nd, 2021 10:07:00 AM MST | Blockchain Transaction | Bitcoin blockchain transaction[46][49].
January 31, 2022 | Law Enforcement Wallet Access | Law enforcement gained access to Wallet 1CGA4s by decrypting a file saved to LICHTENSTEIN’s cloud storage account, which had been obtained pursuant to a search warrant. The file contained a list of 2,000 virtual currency addresses, along with corresponding private keys. Blockchain analysis confirmed that almost all of those addresses were directly linked to the hack.
February 1, 2022 | Law Enforcement Seizure | Law enforcement seizes the funds in the Bitfinex theft addresses, transferring the funds to a new address. This activity is noted on the blockchain and causes the price of the LEO token to go on a massive rally.[50]
February 8th, 2022 1:08:00 PM MST | ErgoBTC Post | ErgoBTC posts to highlight the irony that the thief had previously laundered the funds carefully and methodically through a dark net marketplace, and subsequently changed to storing them on a cloud service provider[51].
February 8th, 2022 4:13:00 PM MST | Comparison To Colonial Pipeline | ErgoBTC shares his conclusions on the Colonial Pipeline ransomware attack, though this is deemed to be unrelated to the Bitfinex situation[52].
February 12th, 2022 10:07:00 AM MST | The Verge Report Of Netflix Docu-Series | The Verge reports that Netflix is starting to develop a docu-series to be entitled "Razzlekhan", documenting the adventures of Ilya and Heather Morgan[53].
February 13th, 2022 12:03:00 PM MST | ErgoBTC Publishes Analysis | The Twitter account ErgoBTC is actively investigating and discussing post-2019 spending from hack addresses related to the hack[54]. Unspent coins from the hack addresses are being analyzed based on the number of hops away they are from the source. The prosecutor's mention of "The Launderers" as a flight risk implies the Department of Justice's control over a separate "dirty" wallet. The crucial unanswered question is how "The Launderers" obtained control of the private keys for the hacked coins, with speculation about potential scenarios, including purchasing from the hackers or working remotely with a third party. The possibility of "The Launderers" being the actual hackers is raised, though they have not been charged under the Computer Fraud and Abuse Act (CFAA). The investigation is ongoing, and the focus is on off-chain aspects, hinting at a larger, yet-to-be-revealed story[54]. It is also noted that "The Complaint showed that tracking the early 2017 BTC spends was futile for passive observers thanks to AlphaBay’s coin control[55]." and that breaking funds into smaller wallets occurs naturally[56].
February 13th, 2022 2:03:00 PM MST | ErgoBTC Poloniex Deposit Addresses | ErgoBTC provides the Poloniex deposit addresses[57].
February 13th, 2022 3:48:00 PM MST | ErgoBTC More Tweet | ErgoBTC makes comments on the emptying of the Bitfinex hacker wallets of the final funds[58]. According to the Department of Justice, approximately 95,000 bitcoin had been seized at this time[59].
February 14th, 2022 5:25:00 PM MST | One Wallet Left Behind | ErgoBTC tweets about the DOJ not withdrawing from one of the wallet UTXOs, and speculates that this is a strategy to determine whether there is still access to those wallets[60].
February 16th, 2022 8:33:00 AM MST | Wall Street Journal Article | The Wall Street Journal reports that federal investigators, after years of pursuing clues in the 2016 Bitfinex cryptocurrency exchange hack where thieves stole bitcoin now valued at $4.5 billion, tracked down suspects Ilya "Dutch" Lichtenstein and Heather R. Morgan using a $500 Walmart gift card linked to their emails and cloud service providers[61]. The Justice Department seized $3.6 billion in bitcoin allegedly controlled by the couple, marking its largest financial seizure. Lichtenstein and Morgan were charged with money laundering and fraud. The investigation relied on advanced forensic tools and efforts to combat crypto crime. The couple allegedly laundered stolen bitcoin through various accounts, and the case highlights the challenges of tracing cryptocurrency transactions despite its perceived anonymity. The public nature of blockchain ledgers played a crucial role in the investigation, revealing patterns and connections through cluster analysis[61]. The article was copied to Fox Business where it is available without a paywall[62]. Some users have criticized the title of the article, considering it "click-bait"[63].
February 18th, 2022 9:05:00 AM MST | ErgoBTC More Tweet | "The Regime dot Biz's compliance as a growth driver sales pitch runs contra to everything crypto means and stands for."[64]
July 6th, 2023 9:17:00 AM MDT | Homeland Security Fund Recovery | The Department of Homeland Security reports recovering $315,000 from the 2016 Bitfinex hack[65]. "Funds will be redistributed to Bitfinex recovery token holders"[65]
August 3rd, 2023 10:57:54 AM MDT | Admission Of Guilt By Ilya | The US Department of Justice issues a press release, in which they state that the couple has admitted to guilt in the hack of the Bitfinex exchange[59]. It is revealed that the government seized $3.6b at the time of their arrest, and another $475m subsequently through their cooperation, which included different forms of privacy-enhanced cryptocurrency, funds stored in business bank accounts, and gold coins buried underground[59][51]. This was later reported in the Washington Post, which calls it "a bombshell revelation"[50]. The penalties for Ilya are up to 20 years in prison, while Heather faces up to 5 years each on two separate charges[59][51].
August 4th, 2023 1:46:00 AM MDT | Washington Post Article | Washington Post publishes an article on the situation, with a photograph of Heather Morgan exiting a courtroom in Washington[66].
February 28th, 2024 11:39:20 AM MST | Funds Moved By US Government | In an initial 1 BTC transaction, the US government starts moving a portion of the funds seized from the Bitfinex hacking case to another unidentified wallet[67].
February 28th, 2024 12:11:03 PM MST | Funds Moved By US Government | In a 2818.19700389 BTC transaction, the US government moves the rest of the funds seized from the Bitfinex hacking case to another unidentified wallet[68].
February 28th, 2024 1:31:00 PM MST | Bitcoin On The Move Again | CoinDesk publishes an article about the movement of funds. "Two crypto wallets tagged as holding funds seized by the U.S. government related to the infamous Bitfinex hack have just transferred nearly $1 billion of bitcoin to unidentified addresses."[69][70]

Technical Details

“In August 2016, nearly $72 million worth of BTC (almost 120,000 Bitcoins) was stolen from Bitfinex.” “Unknown people used a bug in the multisignature system, which was supported by BitGo's partner company. The hackers deceived the BitGo algorithms in an unknown way, forcing them to approve transactions and withdrew about 120,000 BTC from the hot wallet, worth the equivalent of $72 million at the exchange rate at that time.”

"In or around August 2016, a hacker breached Victim VCE’s security systems and infiltrated its infrastructure. While inside Victim VCE’s network, the hacker was able to initiate over 2,000 unauthorized BTC transactions, in which approximately 119,754 BTC was transferred from Victim VCE’s wallets to an outside wallet (Wallet 1CGA4s5)."

“Due to the magnitude of the attack and the fact that Bitfinex did not publish the details of their internal investigation, the hack created a strange confusion in the crypto community at the time.” “If one had to take a blind guess, one would suspect that the hacker obtained the private keys held by Bitfinex, coupled with API access to BitGo to instruct BitGo to sign the withdrawals. Additional trickery would probably be required to circumvent BitGo's daily withdrawal limits.”
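The quote above speculates that getting past BitGo's daily withdrawal limits would have needed "additional trickery", and the timeline records the largest wallets being drained first in quick succession. The block below is an added example of the kind of policy a practitioner would want enforced by any co-signer standing in front of a hot key: a rolling 24-hour total and a burst rule on distinct wallets draining within a short window. It is not BitGo's or Bitfinex's logic; the request log, limits and window sizes are constructed for illustration.

```python
from datetime import datetime, timedelta


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed withdrawal requests (timestamps, wallet ids and amounts are made up).
SAMPLE_REQUESTS = [
    ("2016-08-01T14:00:00Z", "w-77", 3.0),    # ordinary traffic the day before
    ("2016-08-02T09:02:45Z", "w-01", 300.0),
    ("2016-08-02T09:02:52Z", "w-02", 250.0),
    ("2016-08-02T09:03:01Z", "w-03", 200.0),
    ("2016-08-02T09:03:10Z", "w-04", 150.0),
    ("2016-08-02T16:30:00Z", "w-05", 500.0),
    ("2016-08-02T17:45:00Z", "w-06", 400.0),
]


def cosign_decision(request, executed, attempts, daily_limit_btc=1000.0,
                    burst_window=timedelta(minutes=5), burst_wallets=3):
    """Decide whether a co-signer should add its signature to one request.

    executed: withdrawals actually signed so far; attempts: every request seen,
    including refused ones, because refused requests are still a signal.
    Returns (rule, reason) with rule one of 'ok', 'burst', 'daily_limit'.
    """
    t, wallet, amount = request
    recent_wallets = {w for t0, w, _ in attempts if t - t0 < burst_window} | {wallet}
    if len(recent_wallets) >= burst_wallets:
        return "burst", f"{len(recent_wallets)} distinct wallets within {burst_window}"
    day_total = sum(a for t0, _, a in executed if t - t0 < timedelta(hours=24)) + amount
    if day_total > daily_limit_btc:
        return "daily_limit", f"rolling 24h total {day_total:.8f} BTC exceeds {daily_limit_btc}"
    return "ok", "within policy"


def run_policy(raw_requests, **limits):
    """Replay requests in time order; returns [(wallet, rule, reason)] and the
    total BTC that would actually have been co-signed."""
    requests = sorted((parse_ts(ts), w, a) for ts, w, a in raw_requests)
    executed, attempts, decisions = [], [], []
    for req in requests:
        rule, reason = cosign_decision(req, executed, attempts, **limits)
        attempts.append(req)
        if rule == "ok":
            executed.append(req)
        decisions.append((req[1], rule, reason))
    return decisions, sum(a for _, _, a in executed)


if __name__ == "__main__":
    decisions, signed_total = run_policy(SAMPLE_REQUESTS)
    for wallet, rule, reason in decisions:
        print(f"{wallet}: {rule:<11} {reason}")
    print(f"co-signed in total: {signed_total} BTC")
```

Refused requests are kept in `attempts` but not in `executed`, so a burst of denials still trips the rule while a denied amount does not consume the daily allowance. The constructed log shows both rules firing: the third wallet within five minutes is refused on the burst rule, and a later large request is refused because it would push the rolling 24-hour total past the limit.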

See analysis from ErgoBTC[54][55][56][71][72][73][74][46][75][76][77][78]. TBD more reviewing.

Blockchain Transactions: [47][48][49]

Blockchain Addresses: [79][80][81][82]

Poloniex Deposits: [57][83][84][85] TBD Add Poloniex deposits to the timeline.

Laundering Of Funds

Chainalysis provides a walkthrough of 5 rough phases of laundering which Ilya and Heather conducted throughout the 6 years the funds remained at large[38]:

Component 1: The theft

First, we see the initial theft: In a series of 2,075 transactions taking place in August 2016, the hacker moved 120,000 Bitcoin from Bitfinex to a wallet we labeled “Bitfinex.com Stolen Funds.” Most of the funds never left that wallet. Directly above the hacker’s wallet, we see that those funds were seized by law enforcement and moved to a new wallet nearly six years later in February 2022.

Component 2: Using a darknet market as a mixer

In January 2017, Lichtenstein and Morgan moved a large portion of the funds to the now-defunct darknet market AlphaBay, which the couple essentially used as a mixer by depositing the stolen Bitcoin and withdrawing equivalent amounts. Some funds moved to AlphaBay directly from the initial theft wallet, while others were moved there through intermediary wallets.

Component 3: Movements to VCEs and first cashouts

Soon after that, Lichtenstein and Morgan moved funds from AlphaBay to four cryptocurrency exchanges, which the indictment refers to as VCEs 1-4. The information provided in the indictment only allows us to show movements to VCEs 1 and 4 on the graph above, but the movements to VCEs 2 and 3 likely look similar. Lichtenstein and Morgan created several different accounts using fake identities at these exchanges to receive the Bitcoin laundered through AlphaBay — in at least some cases, compliance teams at the exchanges were able to detect that the accounts likely belonged to the same person, for instance due to similarities in the email addresses used to register them and overlaps in the IP addresses used to access the accounts. Some of the exchanges froze the accounts due to this suspicious activity, as well as Lichtenstein and Morgan’s inability to verify their identities or the source of the funds.
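The compliance detections described above (accounts registered with similar e-mail addresses and accessed from overlapping IPs being tied to one person) come down to clustering accounts on shared attributes. The following is an added example written for this page, not code from Chainalysis or any of the exchanges named in the indictment: a union-find over a constructed set of accounts, linking on a normalised e-mail stem and on shared login IPs. The account records, the e-mail normalisation rules and the IP addresses (documentation ranges) are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed accounts (identifiers, e-mails and IPs are made up).
SAMPLE_ACCOUNTS = [
    {"id": "acct-1", "email": "j.smith.trading@example.com", "ips": {"203.0.113.5", "198.51.100.7"}},
    {"id": "acct-2", "email": "jsmithtrading+alt@example.com", "ips": {"192.0.2.44"}},
    {"id": "acct-3", "email": "completely.other@example.net", "ips": {"198.51.100.7"}},
    {"id": "acct-4", "email": "unrelated@example.org", "ips": {"192.0.2.9"}},
]


def email_stem(email: str) -> str:
    """Normalise an address so cosmetic variants compare equal: lower-case,
    drop dots and any '+tag' in the local part, strip trailing digits."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    local = re.sub(r"\d+$", "", local)
    return f"{local}@{domain}"


def link_accounts(accounts: list):
    """Union-find over accounts; two accounts are joined when their e-mail
    stems match or they share a login IP. Returns (clusters, links), where
    links records the evidence behind each join."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    links = []

    def union(a: str, b: str, reason: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
        links.append((a, b, reason))

    by_stem, by_ip = defaultdict(list), defaultdict(list)
    for acct in accounts:
        by_stem[email_stem(acct["email"])].append(acct["id"])
        for ip in sorted(acct["ips"]):
            by_ip[ip].append(acct["id"])
    for stem, ids in by_stem.items():
        for other in ids[1:]:
            union(ids[0], other, f"email stem {stem}")
    for ip, ids in by_ip.items():
        for other in ids[1:]:
            union(ids[0], other, f"shared ip {ip}")

    groups = defaultdict(set)
    for acct in accounts:
        groups[find(acct["id"])].add(acct["id"])
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, links


if __name__ == "__main__":
    clusters, links = link_accounts(SAMPLE_ACCOUNTS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for a, b, why in links:
        print(f"{a} <-> {b}: {why}")
```

Two accounts that share nothing directly can still land in one cluster through a third (here acct-2 and acct-3 are joined only via acct-1), which is exactly the transitive linkage a review team wants surfaced before approving a source-of-funds explanation.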

Component 4: Mixer usage and more VCEs

By 2019, AlphaBay had been taken down by law enforcement, so Lichtenstein and Morgan needed a new money laundering method. They began sending funds to a popular mixer, and then on to more VCEs (VCEs 5-10 in the indictment) where they swapped the Bitcoin for other assets, including Monero. Additionally, the pair sent some funds to a precious metals seller via a merchant services provider (labeled BTC PSP 1) in order to swap their cryptocurrency for gold. The indictment details how Lichtenstein and Morgan in some instances attempted to convince exchange representatives that their Bitcoin came from payment for advertising services, even creating a shell corporation to sell the story.

Component 5: Funds exchanged for cash at VCE 7

Finally, in 2020 and 2021, Lichtenstein and Morgan were able to convert more funds into fiat currency at VCE 7 and move them into a U.S. bank account. The pair was also able to buy gift cards for Walmart and other businesses at VCE 10 — a specialized service devoted to crypto-for-gift card trades rather than a conventional cryptocurrency exchange — using the Bitcoin they’d moved to VCE 10 previously.

Total Amount Lost

In total, 119,756 bitcoins were taken in the incident. The total amount lost has been estimated at $72,000,000 USD.

Immediate Reactions

In the immediate aftermath, the price of bitcoin dropped by roughly 20% before recovering.

Bitfinex made statements through Zane Tackett, Director of Community & Product Development. The incident was widely publicized and discussed in social media.

Reactions Within BitFinex

Initially, "Zane Tackett, Director of Community & Product Development for Bitfinex, told Reuters on Wednesday that 119,756 bitcoins had been stolen from users’ accounts and that the exchange hadn’t yet decided how to address customer losses..."

Bitcoin Price Drop

The news of Bitfinex's significant bitcoin loss led to a more than 20% drop in the cryptocurrency's price initially, although it showed some recovery fairly quickly[1].

Community Reactions

“Due to the magnitude of the attack and the fact that Bitfinex did not publish the details of their internal investigation, the hack created a strange confusion in the crypto community at the time.” “If one had to take a blind guess, one would suspect that the hacker obtained the private keys held by Bitfinex, coupled with API access to BitGo to instruct BitGo to sign the withdrawals. Additional trickery would probably be required to circumvent BitGo's daily withdrawal limits.”

Reddit[86].

"My entire life savings for last 12 years are/were in btc balance on bitfinex. Please no "don't keep coins on exchange" - I don't usually - but they were there today."

Ultimate Outcome

Bitfinex "socialized" the losses, deducting 36% of all assets from platform users.

Socialization Of Exchange Losses

Bitfinex later announced that users would collectively lose 36% of their assets due to a cyber-attack resulting in a loss of up to $65 million. This loss-sharing approach, termed "socialising" losses, means that all users of the platform will bear a portion of the impact. Emin Gun Sirer, a Bitcoin expert at Cornell University, highlighted the significant implications of this move, emphasizing that users effectively become part of an insurance plan for others when holding assets on exchanges.

In response to the attack, Bitfinex informed customers that they would encounter a loss percentage of 36.067% upon logging into the platform and would receive "BFX tokens" equivalent to their individual losses, which could be redeemed for repayment or shares in the parent company, iFinex Inc. The exchange disclosed that hackers had stolen 119,756 bitcoins, marking a substantial setback. This incident mirrors previous attacks on exchanges like Mt Gox in 2014, where numerous users experienced losses.

Multi-Signature BitGo Wallets Set Up

“Bitfinex subsequently decided to generalize the losses - “Upon logging into the platform, customers will see that they have experienced a generalised loss percentage of 36.067%." The rest was distributed as BFX tokens and “these tokens will eventually be exchanged either for repayment by Bitfinex or for shares in its parent company iFinex Inc.”

Initial Fund Movement Through AlphaBay

"According to court documents, Lichtenstein and Morgan allegedly conspired to launder the proceeds of 119,754 bitcoin that were stolen from Bitfinex’s platform after a hacker breached Bitfinex’s systems and initiated more than 2,000 unauthorized transactions. Those unauthorized transactions sent the stolen bitcoin to a digital wallet under Lichtenstein’s control."

"[B]eginning in or around January 2017, a portion of the stolen BTC moved out of Wallet 1CGA4s in a series of small, complex transactions across multiple accounts and platforms. This shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds."

"The early movement of the stolen funds involved extensive layering activity that employed the peel chain technique. As part of this layering, a portion of the stolen funds were deposited gradually (an indication of peel chain activity) into AlphaBay accounts. The AlphaBay accounts were used as a pass-through for the stolen BTC. Depositing and withdrawing BTC at AlphaBay allowed LICHTENSTEIN and MORGAN to break up the stolen BTC trail on the blockchain. After being moved into accounts at AlphaBay, the stolen BTC was withdrawn, layered, and ultimately deposited into VCEs around the world, as described in pertinent part immediately below."

According to ErgoBTC, the AlphaBay strategies appear to have been effective to break the blockchain fund trail[55].
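The "peel chain" named in the complaint has a simple shape on-chain: a transaction with one input and two outputs, where a small amount is peeled off to a fresh address and the large remainder is spent by the next such transaction. Below is an added example, not code from Chainalysis, ErgoBTC or the court filings, of a heuristic detector run over a constructed handful of transactions; the txids, addresses and amounts are made up, and the 20% peel-fraction threshold and minimum chain length are assumptions.

```python
from typing import Optional

# Constructed sample transactions (txids, addresses and amounts are made up).
# Each is {"txid", "inputs": [(prev_txid, vout), ...], "outputs": [(address, btc), ...]}.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [("t0", 0)], "outputs": [("peel-a", 1.0), ("change-1", 99.0)]},
    {"txid": "t2", "inputs": [("t1", 1)], "outputs": [("peel-b", 2.0), ("change-2", 97.0)]},
    {"txid": "t3", "inputs": [("t2", 1)], "outputs": [("change-3", 95.5), ("peel-c", 1.5)]},
    {"txid": "t4", "inputs": [("t3", 0)], "outputs": [("peel-d", 3.0), ("change-4", 92.5)]},
    # An ordinary payment with two inputs and three outputs: not a peel step.
    {"txid": "t9", "inputs": [("t8", 0), ("t8", 1)], "outputs": [("x", 5.0), ("y", 4.0), ("z", 1.0)]},
]


def peel_step(tx: dict, max_peel_fraction: float = 0.2) -> Optional[tuple]:
    """If tx has exactly one input and two outputs, the smaller being at most
    max_peel_fraction of the total, return (peel_index, change_index)."""
    if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
        return None
    small, large = sorted(range(2), key=lambda i: tx["outputs"][i][1])
    total = sum(amount for _, amount in tx["outputs"])
    if tx["outputs"][small][1] > max_peel_fraction * total:
        return None
    return small, large


def find_peel_chains(txs: list, min_length: int = 3, max_peel_fraction: float = 0.2) -> list:
    """Follow the change output of one peel step into the next and return every
    chain of at least min_length steps as a list of {txid, peel_to, peeled}."""
    spender = {}  # (txid, vout) -> the transaction that spends that output
    for tx in txs:
        for outpoint in tx["inputs"]:
            spender[outpoint] = tx
    steps = {tx["txid"]: peel_step(tx, max_peel_fraction) for tx in txs}

    def continues_a_chain(tx: dict) -> bool:
        # True when this step's single input is the change output of another peel step.
        prev_txid, prev_vout = tx["inputs"][0]
        prev = steps.get(prev_txid)
        return prev is not None and prev[1] == prev_vout

    chains = []
    for tx in txs:
        if steps[tx["txid"]] is None or continues_a_chain(tx):
            continue  # not a peel step, or not the head of a chain
        chain, cur = [], tx
        while cur is not None and steps.get(cur["txid"]) is not None:
            peel_idx, change_idx = steps[cur["txid"]]
            addr, amount = cur["outputs"][peel_idx]
            chain.append({"txid": cur["txid"], "peel_to": addr, "peeled": amount})
            cur = spender.get((cur["txid"], change_idx))
        if len(chain) >= min_length:
            chains.append(chain)
    return chains


def total_peeled(chain: list) -> float:
    return sum(step["peeled"] for step in chain)


if __name__ == "__main__":
    for chain in find_peel_chains(SAMPLE_TXS):
        print(" -> ".join(s["txid"] for s in chain), "peeled", total_peeled(chain), "BTC")
```

The detector is deliberately position-agnostic: t3 places its change at index 0 rather than index 1, and the chain still links through because the step records which output is the change rather than assuming a fixed layout. The peeled addresses are the ones worth watching for deposits at exchanges, as the complaint describes.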

Bitfinex Redemption Program Completed

By April 3rd, 2017, "Bitfinex [was] pleased to announce redeeming 100% of all issued and outstanding BFX tokens. This [was] the final redemption of BFX tokens created in August 2016. After these redemptions, no BFX tokens [would] remain outstanding." "A combination of factors led to [that] seminal moment for Bitfinex, including a dramatic uptick in equity conversions; record operating results in March; and, the decision to reduce our reserves in favor of this opportunity. We are tremendously grateful to all of our customers and new shareholders for helping us get to this point." "The 2017 transfers notwithstanding, the majority of the stolen funds remained in Wallet 1CGA4s from August 2016 until January 31, 2022."

Minor Movements Of Stolen Funds

"Over the [subsequent] five years, approximately 25,000 of those stolen bitcoin were transferred out of Lichtenstein’s wallet via a complicated money laundering process that ended with some of the stolen funds being deposited into financial accounts controlled by Lichtenstein and Morgan. The remainder of the stolen funds, comprising more than 94,000 bitcoin, remained in the wallet used to receive and store the illegal proceeds from the hack."

Major Movement Of Stolen Funds

In "July 2020 and April 2021 — linked addresses [made] several transactions worth hundreds of millions." On July 27th, 2020, "The market-tracking and market-moving Twitter account [Whale Alert] documented nine transactions that saw about 2,550 total bitcoin (~$27 million) move from wallets associated with the 2016 hack into new unknown addresses." On April 14th, 2021, "More than $760 million worth of Bitcoin, stolen from cryptocurrency exchange Bitfinex in 2016, were moved to new accounts."

Seizure Of Bitfinex Stolen Funds

"After the execution of court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan, special agents obtained access to files within an online account controlled by Lichtenstein. Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure."

"On January 31, 2022, law enforcement gained access to Wallet 1CGA4s by decrypting a file saved to LICHTENSTEIN’s cloud storage account, which had been obtained pursuant to a search warrant. The file contained a list of 2,000 virtual currency addresses, along with corresponding private keys. Blockchain analysis confirmed that almost all of those addresses were directly linked to the hack. Between January 31, 2022, and February 1, 2022, law enforcement obtained approval to execute a lawful seizure supported by probable cause under exigent circumstances and used the private keys from LICHTENSTEIN’s file to seize Wallet 1CGA4’s remaining balance of approximately 94,636 BTC, [now] worth $3.629 billion."

On "February 1, 2022 these addresses [which were seized by law enforcement made] various transactions. A total of 94,643 BTC (approximately $3.6 billion) [was] transferred to a new address." "The U.S. government becomes the 5th largest holder of Bitcoin in a single address." "The LEO token reached a new all-time high after the U.S. government seized the stolen funds, but before it was public information."

Arrests Of Ilya Lichtenstein and Heather Morgan

On "February 8, 2022 the U.S. Department of Justice announces they have obtained over 94,000 Bitcoin and arrested a couple laundering funds from the Bitfinex hack."

"Two individuals were arrested this morning in Manhattan for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange, presently valued at approximately $4.5 billion. Thus far, law enforcement has seized over $3.6 billion in cryptocurrency linked to that hack."

“Today, federal law enforcement demonstrates once again that we can follow money through the blockchain, and that we will not allow cryptocurrency to be a safe haven for money laundering or a zone of lawlessness within our financial system,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division. “The arrests today show that we will take a firm stand against those who allegedly try to use virtual currencies for criminal purposes.”

"Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, both of New York, New York, are scheduled to make their initial appearances in federal court today at 3:00 p.m. in Manhattan." "Lichtenstein and Morgan are charged with conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison, and conspiracy to defraud the United States, which carries a maximum sentence of five years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors."

Bitfinex announced that they were "pleased that the U.S. Department of Justice has today announced that it has recovered a significant portion of the bitcoin stolen during the August 2016 security breach. We have been cooperating extensively with the DOJ since its investigation began and will continue to do so."

"Bitfinex will work with the DOJ and follow appropriate legal processes to establish our rights to a return of the stolen bitcoin. Bitfinex intends to provide further updates on its efforts to obtain a return of the stolen bitcoin as and when those updates are available."

"If Bitfinex receives a recovery of the stolen bitcoin, as described in the UNUS SED LEO token white paper, Bitfinex will, within 18 months of the date it receives that recovery use an amount equal to 80% of the recovered net funds to repurchase and burn outstanding UNUS SED LEO tokens. These token repurchases can be accomplished in open market transactions or by acquiring UNUS SED LEO in over-the-counter trades, including directly trading bitcoin for UNUS SED LEO."

"David Silver, a lawyer who specializes in financial and cryptocurrency-related fraud, said since the seizure was announced Tuesday he has received dozens of calls from individuals saying they lost money in the 2016 online heist and they want to get their coins back. Twitter has been whipped into a frenzy as well, with posters asking how to claim lost crypto. Justice Department officials said they plan to establish a court process for victims to reclaim the stolen digital assets, which have since surged in value."

"Figuring out to whom the crypto belongs may not be simple, however. Bitfinex considers that it has made investors whole, and said in a statement Tuesday that it will “follow appropriate legal processes to establish our rights to a return of the stolen bitcoin.” If Bitfinex and users start off on a collision course, the legal battle probably would be protracted."

Inclusion on Reference Lists

The Bitfinex case was widely cited on various lists, including Bitcoin Magazine[87], Kyle Gibson[88], the Bitcoin Exchange Guide[89], and SlowMist[90].

Total Amount Recovered

The total amount recovered has been estimated at $72,000,000 USD.

Ongoing Developments

The recovered funds from Bitfinex remain under control of the government and are subject to civil forfeiture proceedings[51].

[91]

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is never connected to any networked device. Examples of offline storage include paper wallets (the seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

While Bitfinex's unique setup was more secure than a traditional single-signature hot wallet, two of the three signatures were still "online", so withdrawals could be initiated entirely using online "hot" signatures. Had the hot components been fully compromised, the entirety of the funds could have been removed; the damage was limited only because Bitfinex noticed the issue quickly. While this was multi-signature, it was not the form of multi-signature recommended here.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 required signatures. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
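To make the difference between the two layouts concrete, here is an added Python model of threshold-signing policies. It is illustration written for this page, not Bitfinex's, BitGo's or the wiki's own code; the key names, the holders and the 3-of-5 "recommended" layout are constructed assumptions. It checks two things a reviewer of a custodial wallet would want to know: whether the keys reachable from a fully compromised online system are enough to meet the threshold on their own, and how many separate holders the smallest valid signing set actually needs.

```python
"""Threshold-signing policy model: which key sets can authorise a spend, and
whether a full compromise of the online ("hot") infrastructure is enough.

Added illustration for this page, not Bitfinex or BitGo code. Key names,
holders and the 3-of-5 "recommended" layout are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List


@dataclass(frozen=True)
class Key:
    name: str
    holder: str   # the individual or organisation that controls the key
    hot: bool     # True if the key, or the credential that makes it sign,
                  # is usable from the platform's networked infrastructure


@dataclass(frozen=True)
class WalletPolicy:
    threshold: int            # m in an m-of-n scheme
    keys: FrozenSet[Key]      # the n keys


def hot_reachable_keys(policy: WalletPolicy) -> FrozenSet[Key]:
    """Keys an attacker holds after fully compromising the online systems."""
    return frozenset(k for k in policy.keys if k.hot)


def hot_breach_can_spend(policy: WalletPolicy) -> bool:
    """True if hot keys alone meet the threshold, i.e. no offline signer is
    ever needed to move funds."""
    return len(hot_reachable_keys(policy)) >= policy.threshold


def min_distinct_holders(policy: WalletPolicy) -> int:
    """Smallest number of separate holders whose keys can form a valid
    signing set. Brute force over threshold-sized subsets; n is small."""
    return min(len({k.holder for k in subset})
               for subset in combinations(policy.keys, policy.threshold))


def findings(policy: WalletPolicy, min_holders: int = 3) -> List[str]:
    """Defender's checklist derived from the platform policy above."""
    out = []
    if hot_breach_can_spend(policy):
        out.append("hot keys alone reach the threshold; compromising the "
                   "online infrastructure is sufficient to drain the wallet")
    if policy.threshold < min_holders:
        out.append(f"threshold {policy.threshold} is below the recommended "
                   f"minimum of {min_holders} signatures")
    if min_distinct_holders(policy) < min_holders:
        out.append(f"a valid signing set needs only {min_distinct_holders(policy)} "
                   f"distinct holder(s); at least {min_holders} are recommended")
    return out


# Constructed model of the 2016 layout described on this page: one key in the
# exchange database, one co-signing key at BitGo driven by API calls from the
# same online system, one key held offline by Bitfinex.
BITFINEX_2016 = WalletPolicy(
    threshold=2,
    keys=frozenset({
        Key("database_key", "Bitfinex", hot=True),
        Key("bitgo_cosign_key", "BitGo", hot=True),
        Key("offline_backup_key", "Bitfinex", hot=False),
    }),
)

# Constructed layout following the policy above: 3-of-5, with signing keys
# held offline by separate trained individuals. One automated key may exist
# for convenience but can never complete a spend on its own.
RECOMMENDED_3_OF_5 = WalletPolicy(
    threshold=3,
    keys=frozenset({
        Key("signer_a_hw_wallet", "officer A", hot=False),
        Key("signer_b_hw_wallet", "officer B", hot=False),
        Key("signer_c_hw_wallet", "officer C", hot=False),
        Key("signer_d_hw_wallet", "officer D", hot=False),
        Key("automated_signer", "withdrawal server", hot=True),
    }),
)

if __name__ == "__main__":
    for label, pol in (("2016 layout", BITFINEX_2016),
                       ("recommended", RECOMMENDED_3_OF_5)):
        print(label, findings(pol) or ["no findings"])
```

The `hot` flag is the important modelling choice: a co-signer that signs whenever the platform's own server asks it to is, for this purpose, an online key, however carefully the co-signer itself stores it. That is why the 2016 layout reports that hot keys alone can drain the wallet, while the 3-of-5 layout, where any valid signing set must include at least two offline holders, reports nothing.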

Platforms, in general, should consider all hot wallets breachable and have insurance. This could be a self-insurance treasury, a third party with a comprehensive policy that adequately covers all loss in the hot wallet, or an industry insurance fund as we propose in our framework.

All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting of any risks to the backing of customer assets, ensuring that treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the same third party not perform the inspection again within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or a major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring that a proper multi-signature wallet is in place and that all signatories are properly trained. Assessments must also cover social media, database, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Bitfinex users to share 36% of bitcoin losses after hack - BBC News (Feb 3, 2020)
  2. Lessons Learned from the Biggest Crypto Hacks in History - CryptoPotato (Feb 26, 2020)
  3. A Look Back on Some of the Most Devastating Crypto Hacks - Fintech Singapore (Feb 27, 2020)
  4. Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice - CoinTelegraph (Mar 2, 2020)
  5. How the Bitfinex Heist Could Have Been Avoided - Hacking Distributed (Mar 3, 2020)
  6. After the Bitfinex Hack, Here’s Why Bitstamp Is Sticking With BitGo - Bitcoin Magazine (Mar 2, 2020)
  7. Bitstamp exchange hacked, $5M worth of bitcoin stolen - ZDNet (Mar 2, 2020)
  8. Top 6 Biggest Bitcoin Hacks Ever - CoinSutra (Mar 2, 2020)
  9. To Recover Stolen Bitcoin, Bitfinex Offers Hackers a Hefty Cut of the Funds - PC Magazine (Jun 26, 2021)
  10. Over 10,000 blacklisted BTC from 2016 Bitfinex hack on the move - CoinTelegraph (Aug 7, 2021)
  11. Bitfinex Review (2021) - Is It Trustworthy? - CryptoNews (Aug 7, 2021)
  12. Bitfinex Exchange Reviews, Live Markets, Guides, Bitcoin charts - CryptoCompare (Aug 7, 2021)
  13. Bitfinex Exchange: User Review Guide - Master The Crypto (Aug 7, 2021)
  14. Breaking Buzz - Couple arrested in $3.5B Bitcoin laundering scheme - YouTube (Feb 12, 2022)
  15. NBC News - DOJ Arrests New York Couple In $3.6 Billion Bitcoin Laundering Scheme - YouTube (Feb 12, 2022)
  16. Forbes - The Crypto Couple Charged For Laundering $3.6 Billion in Bitcoin - YouTube (Feb 12, 2022)
  17. ColdFusion - Married Couple Steals $4.5 Billion in Bitcoin Heist [Bitfinex] - YouTube (Feb 12, 2022)
  18. DOJ recovers $3.6B from 2016 Bitfinex hack - TechTarget (Feb 12, 2022)
  19. Statement of Facts - Department of Justice (Feb 12, 2022)
  20. Patrick Boyle - Meet the ‘Crocodile of Wall Street' - YouTube (Feb 13, 2022)
  21. Preet Banerjee - Millennial couple CAUGHT for attempting to launder billions in Bitcoin | Exactly HOW they did it - YouTube (Feb 16, 2022)
  22. 100% Redemption of Outstanding BFX Tokens - Bitfinex (Feb 19, 2022)
  23. Who will get bitcoin back after arrests in Bitfinex hack? - Los Angeles Times (Feb 19, 2022)
  24. U.S. Department of Justice Announcement Regarding Seizure of Bitcoin Linked to the August 2016 Security Breach - Bitfinex (Feb 19, 2022)
  25. Behind The $3.6b Recovery Of Bitfinex Hack Funds - IntoTheBlock Medium (Feb 19, 2022)
  26. Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency - Department of Justice (Feb 19, 2022)
  27. Statement of Facts - Department of Justice (Feb 19, 2022)
  28. Whale Alert: $27M From 2016 Bitfinex Hack Is on the Move - CoinDesk (Feb 19, 2022)
  29. Hackers move $760 million from the 2016 Bitfinex hack - The Record (Feb 19, 2022)
  30. Bitfinex cryptocurrency seizure won't deter cybercriminals - Tech Monitor (Feb 19, 2022)
  31. The Justice Department - "Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency Government Seized $3.6 Billion in Stolen Cryptocurrency Directly Linked to 2016 Hack of Virtual Currency Exchange" - Twitter (Feb 19, 2022)
  32. Top 100 Richest Bitcoin Addresses and Bitcoin distribution - BitInfoChart (Feb 19, 2022)
  33. Feds charge couple with trying to launder billions in stolen bitcoins - NBC News (Feb 19, 2022)
  34. Bitcoin ‘heist’ suspect Heather Morgan lived in Hong Kong - Friday Everyday (Apr 23, 2022)
  35. Razzlekahn Part 1 Establishing Some Background - Jeffrey Mader Medium (Jun 5, 2022)
  36. Elliptic Follows the $7 Billion in Bitcoin stolen from Bitfinex in 2016 - Elliptic (Accessed Sep 20, 2024)
  37. PasteBin Of Transactions Sorted By Amount (Accessed Sep 20, 2024)
  38. Bitfinex Hack Money Launderers Plead Guilty - Chainalysis (Accessed Sep 20, 2024)
  39. Pastebin Of Bitfinex Theft Transactions
  40. https://blog.merklescience.com/hacktrack/hack-track-bitfinex-hack-2016-recent-fund-movement-analysis
  41. https://old.reddit.com/r/Bitcoin/comments/4wizdn/txid_and_bitcoin_addresses_connected_to_the/
  42. https://publications.aaahq.org/jeta/article-abstract/21/1/43/12272/An-Exploration-of-the-Money-Laundering-Associated?redirectedFrom=fulltext
  43. First Malicious Withdrawal Of 2038.748721 From Bitfinex - Blockchain.info (Accessed Sep 20, 2024)
  44. viajero_loco - "the hacker withdrew in that order as well (obviously starting with highest amount first)" - Reddit (Accessed Sep 20, 2024)
  45. FearTheCoin - Bitfinex down due to bitcoin security breach - Reddit (Jan 26, 2024)
  46. ErgoBTC - "But what of the post-2019 spending from the hack addresses? Unspent coins sourced from the hack addresses range from 1 to many hops away." - Twitter (Mar 15, 2023)
  47. https://oxt.me/transaction/34b76a3d94f9411e45d9a688503984544a038b3f6e4e4909f9c77c535b2c13cc (Jan 25, 2024)
  48. https://oxt.me/transaction/34b76a3d94f9411e45d9a688503984544a038b3f6e4e4909f9c77c535b2c13cc (Jan 25, 2024)
  49. https://oxt.me/transaction/ffedf444de6957333f092ad433f733f98b7194048147b2cf2f436370a4b998b8 (Jan 25, 2024)
  50. ErgoBTC - "Previous spends of the BFX hack coins were methodically isolated, slowly mixed, or slowly sent to Hydra (DNM). The most recent spends were swept to a *SINGLE* address. The complete opposite in terms of privacy from previous activity." - Twitter (Jan 24, 2024)
  51. ErgoBTC - "So let me get this straight. The guy that was using AlphaBay in 2017 to launder these coins was also keeping them in an encrypted file "in the cloud"?" - Twitter (Mar 15, 2023)
  52. ErgoBTC - "I think this is the thread you are referring to. FYI, I do not believe these conclusions are relevant to the BFX situation." - Twitter (Mar 15, 2023)
  53. Netflix orders docuseries on crypto laundering couple / Razzlekhan is coming to the small screen - The Verge (Accessed Sep 24, 2024)
  54. ErgoBTC - "The BFX hack seizure. A mountain of evidence in an apparent straightforward analysis. Coins tracked across custodial entities sent to exchanges with the couples IDs. Some thoughts from following the followers." - Twitter (Accessed Mar 15, 2023)
  55. ErgoBTC - "Most importantly, The Complaint showed that tracking the early 2017 BTC spends was futile for passive observers thanks to AlphaBay’s coin control." - Twitter (Jan 25, 2024)
  56. ErgoBTC - "Speaking of the collaboration between regime dot gov and regime dot biz, there seems to be some misinformation around the implications of not spending the entirety of your wallet balance to a third party in a single tx." - Twitter (Mar 15, 2023)
  57. ErgoBTC - "Forgot to Copy+Pasta the Poloniex Deposit TxIDs. Knowing volume, timing, and source/destination are usually easy enough to find the referenced txs." - Twitter (Mar 15, 2023)
  58. ErgoBTC - "Be sure to get the "early and wrong" hot takes from the dot govs corporate sponsors. Wouldn't want to get it right the first time!" - Twitter (Mar 15, 2023)
  59. Bitfinex Hacker and Wife Plead Guilty to Money Laundering Conspiracy Involving Billions in Cryptocurrency - Department of Justice (Sep 24, 2024)
  60. ErgoBTC - "DOJ seizes thousands of UTXOs from the wallet, except for 1. Seems unlikely that there was the only one private key they could not access. Instead, this UTXO is left as bait to see if anyone else has access to the seized private keys. If it's spent, it gets tracked = more leads" - Twitter (Mar 15, 2023)
  61. A Crucial Clue in the $4.5 Billion Bitcoin Heist: A $500 Walmart Gift Card - The Wall Street Journal (Jan 24, 2024)
  62. A crucial clue in the $4.5 billion Bitcoin heist: A $500 Walmart gift card - Fox Business (Jan 24, 2024)
  63. ErgoBTC - "Excellent clickbait headline. 10/10" - Twitter (Mar 15, 2023)
  64. ErgoBTC - "The Regime dot Biz's compliance as a growth driver sales pitch runs contra to everything crypto means and stands for." - Twitter (Mar 15, 2023)
  65. Crypto Exchange Bitfinex Says $315,000 From 2016 Hack Recovered - Bloomberg (Accessed Sep 24, 2024)
  66. ‘Bitcoin Bonnie and Clyde’ plead guilty in ‘spy novel’-like laundering case - Washington Post (Accessed Sep 24, 2024)
  67. Transfer Of 1 BTC Between Government Wallets (Accessed Sep 24, 2024)
  68. Transfer Of 2818.19700389 BTC Between Government Wallets (Accessed Sep 24, 2024)
  69. U.S. Government Crypto Wallets Transfer Nearly $1B of Bitcoin Seized From Bitfinex Hacker - CoinDesk (Accessed Sep 24, 2024)
  70. Bitfinex Recover Address - US Government - Arkham Intelligence (Accessed Sep 24, 2024)
  71. ErgoBTC - "Regardless, the analysis is straight forward. >A combo of on-chain/links across multiple accounts/custodial entities >Similar account credentials and use noted at Poloniex and Bittrex >A spreadsheet including relevant account login info was found in The Launderers cloud storage" - Twitter (Mar 15, 2023)
  72. ErgoBTC - "The prosecutor’s rationale for calling “The Launderers” a flight risk, seems to hint that the DOJ is also in control of this separate "dirty" wallet. Encrypted? Fire up the GPUs." - Twitter (Mar 15, 2023)
  73. ErgoBTC - "First attributions central to the case. VCE1 and VCE4 as Poloniex and Bittrex, respectively. Attribution courtesy of the abbreviated BTC addresses in The Complaint flow diagrams." - Twitter (Mar 15, 2023)
  74. ErgoBTC - "We’ve had trouble finding any evidence of this missing cluster, and remained a bit of a mystery until The Complaint was issued. This diagram has enough details to explain where AB’s cluster went from Spring 2016 till shutdown." - Twitter (Mar 15, 2023)
  75. ErgoBTC - "AlphaBay among the largest DNMs (2nd only to Hydra?) started in 2015 and operated two known classic wallet clusters. One active through fall of 2015. The other active through spring 2016. But a gap between ABs shutdown in July 2017." - Twitter (Mar 15, 2023)
  76. ErgoBTC - "The deposit addresses on the left side of the diagram: And their spends. All single use addresses and single UTXO spends (no cluster)." - Twitter (Mar 15, 2023)
  77. ErgoBTC - "Working remotely with someone else? >Maybe a justified reason for keeping the private keys in cloud storage as this allows remote access to a third party. >> Does this make the last hack address with a BTC balance a trap? 1DTbSm28AJnePwzFXzCnNasVF1xi6XrVSQ" - Twitter (Mar 15, 2023)
  78. ErgoBTC - "With a bit of coin control and pseudonymity, a passive observer has no way of knowing he is seeing AB activity. (Sidenote: Anyone know of AB2’s coin control?) Of course this doesn’t apply to LEA’s and their corporate sponsors data sharing agreements." - Twitter (Mar 15, 2023)
  79. https://oxt.me/address/1HaQbNXKuad7FEj4Yuosho3ZxKGtroYehc (Jan 25, 2024)
  80. https://oxt.me/address/16UPkXBDP8jPiDd9iFjKwQ6BPouZh5MUTQ (Jan 25, 2024)
  81. https://oxt.me/address/19VEBJAbYHShSmAjmZh2RDX6s79cWZtL3Z (Jan 25, 2024)
  82. https://oxt.me/address/1g1RjLuos5kdgrBLxdfugTCy4zEsyErvk (Jan 25, 2024)
  83. https://oxt.me/transaction/e31e72548717fb67c0380fb48547f2bd731419e6086f6768e800b3043f525d17 (Jan 25, 2024)
  84. https://oxt.me/transaction/5b550175e1bd323a1c7b3577fc0bbae6caf4da749f1294d50fd8f5216e3a39db (Jan 25, 2024)
  85. https://oxt.me/transaction/6cc74341dd491e195ac7c234938279af4172079b12438d5439f43e3b6be2a610 (Jan 25, 2024)
  86. nukumu - "My entire life savings for last 12 years are/were in btc balance on bitfinex. Please no "don't keep coins on exchange" - I don't usually - but they were there today." - Reddit (Mar 2, 2020)
  87. Infographic: An Overview of Compromised Bitcoin Exchange Events - Bitcoin Magazine (Jan 30, 2020)
  88. 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson Medium (Jan 25, 2020)
  89. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide (Mar 5, 2020)
  90. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  91. Latest Bitfinex News - CoinTelegraph (Aug 7, 2021)