$72 000 000 USD

AUGUST 2016

HONG KONG

BITFINEX

DESCRIPTION OF EVENTS

"Bitfinex is a Hong Kong-based cryptocurrency exchange owned and operated by iFinex Inc., which is headquartered in Hong Kong and registered in the British Virgin Islands." "The Bitfinex exchange is a popular platform for exchanging cryptocurrencies, also hosting spot and derivatives trading as well as certain lending, borrowing and staking features. Bitfinex came into existence in 2012." "BitFinex offers three main functions - it is a pure bitcoin to fiat exchange, a margin trading exchange and a liquidity provider. The platform offers a number of features available that expand the financial positions you can take - for example, the ability to short Bitcoin via margin trading."

 

"Bitfinex also has its own utility crypto token called Unus Sed Leo (LEO). Because it restricts a number of regions, Bitfinex U.S. customers are not allowed. On Bitfinex, KYC and Anti-Money Laundering procedures are employed." "It serves all except few countries in the world (mentioned below) and supports both fiat-to-crypto and crypto-to-crypto trades. Other notable features include margin trading, limit and stop orders, over-the-counter (OTC) trades, and others. While there are many options available, everything is laid out in an impressively intuitive fashion, with easy-to-navigate dashboards and menus."

 

“In August 2016, nearly $72 million worth of BTC (almost 120,000 Bitcoins) was stolen from Bitfinex.” “Unknown people used a bug in the multisignature system, which was supported by BitGo's partner company. The hackers deceived the BitGo algorithms in an unknown way, forcing them to approve transactions and withdrew about 120,000 BTC from the hot wallet, worth the equivalent of $72 million at the exchange rate at that time.”

 

"In or around August 2016, a hacker breached Victim VCE’s security systems and infiltrated its infrastructure. While inside Victim VCE’s network, the hacker was able to initiate over 2,000 unauthorized BTC transactions, in which approximately 119,754 BTC was transferred from Victim VCE’s wallets to an outside wallet (Wallet 1CGA4s5)."

 

"According to court documents, Lichtenstein and Morgan allegedly conspired to launder the proceeds of 119,754 bitcoin that were stolen from Bitfinex’s platform after a hacker breached Bitfinex’s systems and initiated more than 2,000 unauthorized transactions. Those unauthorized transactions sent the stolen bitcoin to a digital wallet under Lichtenstein’s control."

 

"Zane Tackett, Director of Community & Product Development for Bitfinex, told Reuters on Wednesday that 119,756 bitcoins had been stolen from users’ accounts and that the exchange hadn’t yet decided how to address customer losses..."

 

“Due to the magnitude of the attack and the fact that Bitfinex did not publish the details of their internal investigation, the hack created a strange confusion in the crypto community at the time.” “If one had to take a blind guess, one would suspect that the hacker obtained the private keys held by Bitfinex, coupled with API access to BitGo to instruct BitGo to sign the withdrawals. Additional trickery would probably be required to circumvent BitGo's daily withdrawal limits.”

 

“the US government did interfere with, fine, and modify the operations of Bitfinex. But as far as [one researcher could] tell, the government's touch was incredibly gentle. First, they fined Bitfinex only $75K, a slap on the wrist, three months' salary for a valley dev, for not having spent the three months of a developer's time on some needed key management structure. Second, they made sure that Bitfinex kept its funds not in a master omnibus account, but in multisig accounts for each individual registered with bitfinex. Essentially, the regulators wanted to see that the coins were delivered to individuals, as opposed to held in one giant pool. This little accounting twist was all that was required to satisfy the regulators, who generally seem clueless and out of the picture as far as security measures go. All the relevant decisions about protecting the private keys, then, rest with Bitfinex.”

 

“There were a lot of reasons for why we went with this implementation with BitGo; one, a big one, was transparency,” said Tackett. “Everyone has their own wallet that they can watch on the blockchain. They can see their bitcoin at any time, and we settle it once per day.” ”Bitfinex subsequently decided to generalize the losses - “Upon logging into the platform, customers will see that they have experienced a generalised loss percentage of 36.067%." The rest was distributed as BFX tokens and “these tokens will eventually be exchanged either for repayment by Bitfinex or for shares in its parent company iFinex Inc.”

 

"[B]eginning in or around January 2017, a portion of the stolen BTC moved out of Wallet 1CGA4s in a series of small, complex transactions across multiple accounts and platforms. This shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds."

 

"The early movement of the stolen funds involved extensive layering activity that employed the peel chain technique. As part of this layering, a portion of the stolen funds were deposited gradually (an indication of peel chain activity) into AlphaBay accounts. The AlphaBay accounts were used as a pass-through for the stolen BTC. Depositing and withdrawing BTC at AlphaBay allowed LICHTENSTEIN and MORGAN to break up the stolen BTC trail on the blockchain. After being moved into accounts at AlphaBay, the stolen BTC was withdrawn, layered, and ultimately deposited into VCEs around the world, as described in pertinent part immediately below."

 

By April 3rd, 2017, "Bitfinex [was] pleased to announce redeeming 100% of all issued and outstanding BFX tokens. This [was] the final redemption of BFX tokens created in August 2016. After these redemptions, no BFX tokens [would] remain outstanding." "A combination of factors led to [that] seminal moment for Bitfinex, including a dramatic uptick in equity conversions; record operating results in March; and, the decision to reduce our reserves in favor of this opportunity. We are tremendously grateful to all of our customers and new shareholders for helping us get to this point." "The 2017 transfers notwithstanding, the majority of the stolen funds remained in Wallet 1CGA4s from August 2016 until January 31, 2022."

 

"Over the [subsequent] five years, approximately 25,000 of those stolen bitcoin were transferred out of Lichtenstein’s wallet via a complicated money laundering process that ended with some of the stolen funds being deposited into financial accounts controlled by Lichtenstein and Morgan. The remainder of the stolen funds, comprising more than 94,000 bitcoin, remained in the wallet used to receive and store the illegal proceeds from the hack."

 

In "July 2020 and April 2021 — linked addresses [made] several transactions worth hundreds of millions." On July 27th, 2020, "The market-tracking and market-moving Twitter account [Whale Alert] documented nine transactions that saw about 2,550 total bitcoin (~$27 million) move from wallets associated with the 2016 hack into new unknown addresses." On April 14th, 2021, "More than $760 million worth of Bitcoin, stolen from cryptocurrency exchange Bitfinex in 2016, were moved to new accounts."

 

"After the execution of court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan, special agents obtained access to files within an online account controlled by Lichtenstein. Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure."

 

"On January 31, 2022, law enforcement gained access to Wallet 1CGA4s by decrypting a file saved to LICHTENSTEIN’s cloud storage account, which had been obtained pursuant to a search warrant. The file contained a list of 2,000 virtual currency addresses, along with corresponding private keys.9 Blockchain analysis confirmed that almost all10 of those addresses were directly linked to the hack. Between January 31, 2022, and February 1, 2022, law enforcement obtained approval to execute a lawful seizure supported by probable cause under exigent circumstances and used the private keys from LICHTENSTEIN’s file to seize Wallet 1CGA4’s remaining balance of approximately 94,636 BTC, [now] worth $3.629 billion."

 

On "February 1, 2022 these addresses [seized by law enforcement made] various transactions. A total of 94,643 BTC (approximately $3.6 billion) [was] transferred to a new address." "The U.S. government becomes the 5th largest holder of Bitcoin in a single address." "The LEO token reached a new all-time high after the U.S. government seized the stolen funds, but before it was public information."

 

On "February 8, 2022 the U.S. Department of Justice announces they have obtained over 94,000 Bitcoin and arrested a couple laundering funds from the Bitfinex hack."

 

"Two individuals were arrested this morning in Manhattan for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange, presently valued at approximately $4.5 billion. Thus far, law enforcement has seized over $3.6 billion in cryptocurrency linked to that hack."

 

“Today, federal law enforcement demonstrates once again that we can follow money through the blockchain, and that we will not allow cryptocurrency to be a safe haven for money laundering or a zone of lawlessness within our financial system,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division. “The arrests today show that we will take a firm stand against those who allegedly try to use virtual currencies for criminal purposes.”

 

"Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, both of New York, New York, are scheduled to make their initial appearances in federal court today at 3:00 p.m. in Manhattan." "Lichtenstein and Morgan are charged with conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison, and conspiracy to defraud the United States, which carries a maximum sentence of five years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors."

 

Bitfinex announced that they were "pleased that the U.S. Department of Justice has today announced that it has recovered a significant portion of the bitcoin stolen during the August 2016 security breach. We have been cooperating extensively with the DOJ since its investigation began and will continue to do so."

 

"Bitfinex will work with the DOJ and follow appropriate legal processes to establish our rights to a return of the stolen bitcoin. Bitfinex intends to provide further updates on its efforts to obtain a return of the stolen bitcoin as and when those updates are available."

 

"If Bitfinex receives a recovery of the stolen bitcoin, as described in the UNUS SED LEO token white paper, Bitfinex will, within 18 months of the date it receives that recovery use an amount equal to 80% of the recovered net funds to repurchase and burn outstanding UNUS SED LEO tokens. These token repurchases can be accomplished in open market transactions or by acquiring UNUS SED LEO in over-the-counter trades, including directly trading bitcoin for UNUS SED LEO."

 

"David Silver, a lawyer who specializes in financial and cryptocurrency-related fraud, said since the seizure was announced Tuesday he has received dozens of calls from individuals saying they lost money in the 2016 online heist and they want to get their coins back. Twitter has been whipped into a frenzy as well, with posters asking how to claim lost crypto. Justice Department officials said they plan to establish a court process for victims to reclaim the stolen digital assets, which have since surged in value."

 

"Figuring out to whom the crypto belongs may not be simple, however. Bitfinex considers that it has made investors whole, and said in a statement Tuesday that it will “follow appropriate legal processes to establish our rights to a return of the stolen bitcoin.” If Bitfinex and users start off on a collision course, the legal battle probably would be protracted."

In August 2016, Bitfinex was the largest cryptocurrency exchange platform at the time of the attack. This breach affected a significant portion of the bitcoin on the platform, which were stored in a new and supposedly more secure way. While multiple others exchanges utilize BitGo (including BitStamp and Kraken), Bitfinex was the only one doing so without the majority of funds in cold storage. This is notable as the first attack that is known to target a multi-sig wallet scheme. Bitfinex was using a new scheme which gave each customer a 2 of 3 multi-sig wallet, with a unique key stored in a database. Bitfinex held one of the keys offline, and a third key was held with third party BitGo.

 

In response to the hack, Bitfinex removed a portion of the balance on every customer’s account, and replaced it with Bitfinex (BFX) Tokens. Over time, the exchange continued to operate, and was able to recover the sum lost to customers within a year. Bitfinex continues to operate today as one of the largest exchanges in the world, having officially paid all customers back. As part of the process, 0.023% of the bitcoin was also returned by government and law enforcement.

 

The theft remained officially unsolved for 6 years. Finally, at the end of January 2022, the FBI announced that they had seized the funds, now worth $3.5b. It is yet unclear what will happen to those seized funds.

HOW COULD THIS HAVE BEEN PREVENTED?

While more secure than a traditional single-signature wallet would have been, two of the signatures were “online” and therefore, this can effectively be considered to be a form of hot wallet. The damage was limited because Bitfinex noticed the issue quickly. Had the new storage scheme been more widely used or Bitfinex failed to notice as quickly, the situation could have been much worse.

 

Platforms, in general, should consider all hot wallets breachable, and have insurance. This could be a self insurance treasury, a third party with a comprehensive policy that adequately covers all loss in the hot wallet, or an industry insurance fund as we propose in our framework.

 

Check Our Framework For Safe Secure Exchange Platforms

Infographic: An Overview of Compromised Bitcoin Exchange Events (Jan 29)
Bitfinex users to share 36% of bitcoin losses after hack - BBC News (Feb 2)
100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 24)
Lessons Learned from the Biggest Crypto Hacks in History (Feb 25)
A Look Back on Some of the Most Devastating Crypto Hacks | Fintech Singapore  (Feb 26)
Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice (Mar 1)
How the Bitfinex Heist Could Have Been Avoided (Mar 2)
nukumu comments on Bitfinex down due to bitcoin security breach (Mar 1)
After the Bitfinex Hack, Here’s Why Bitstamp Is Sticking With BitGo (Mar 1)
Bitstamp exchange hacked, $5M worth of bitcoin stolen | ZDNet (Mar 1)
Top 6 Biggest Bitcoin Hacks Ever (Mar 1)
Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 4)
SlowMist Hacked - SlowMist Zone (Jun 25)
To Recover Stolen Bitcoin, Bitfinex Offers Hackers a Hefty Cut of the Funds | PCMag (Jun 25)
Over 10,000 blacklisted BTC from 2016 Bitfinex hack on the move  (Aug 6)
Bitfinex | Latest Bitfinex News by Cointelegraph (Aug 6)
Bitfinex Review (2021) - Is It Trustworthy? (Aug 6)
No Title? (Aug 6)
Bitfinex Exchange: User Review Guide - Master The Crypto (Aug 6)
Couple arrested in $3.5B Bitcoin laundering scheme - YouTube (Feb 12)
DOJ Arrests New York Couple In $3.6 Billion Bitcoin Laundering Scheme - YouTube (Feb 12)
The Crypto Couple Charged For Laundering $3.6 Billion in Bitcoin | Forbes Investigates - YouTube (Feb 12)
Married Couple Steals $4.5 Billion in Bitcoin Heist [Bitfinex] - YouTube (Feb 12)
DOJ recovers $3.6B from 2016 Bitfinex hack (Feb 12)
No Title? (Feb 12)
Meet the ‘Crocodile of Wall Street' - YouTube (Feb 13)
Millennial couple CAUGHT for attempting to launder billions in Bitcoin | Exactly HOW they did it - YouTube (Feb 16)
No Title? (Feb 19)
Who will get bitcoin back after arrests in Bitfinex hack? - Los Angeles Times (Feb 19)
No Title? (Feb 19)
Behind The 3 6b Recovery Of Bitfinex Hack Funds (Feb 19)
No Title? (Feb 19)
No Title? (Feb 19)
Whale Alert: $27M From 2016 Bitfinex Hack Is on the Move - CoinDesk (Feb 19)
Hackers move $760 million from the 2016 Bitfinex hack - The Record by Recorded Future (Feb 19)
Bitfinex cryptocurrency seizure won't deter cybercriminals - Tech Monitor (Feb 19)
@TheJusticeDept Twitter (Feb 19)
No Title? (Feb 19)
No Title? (Feb 19)
No Title? (Apr 23)
Razzlekahn Part 1 Establishing Some Background (Jun 5)

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.