Bitfinex Hack Led To 119,756 Bitcoin Stolen

Summary

On the 2nd of August 2016, Bitfinex, a prominent cryptocurrency exchange, experienced a security breach resulting in the theft of approximately 120,000 bitcoins (US$72 million at the time). This incident led to a 20% decline in the trading price of Bitcoin — from US$600 to US$400, reducing the value of the stolen bitcoins to nearly US$58 million. In response to the breach, Bitfinex immediately halted all Bitcoin withdrawals and trading activities. The exchange collaborated with law enforcement agencies and other entities to investigate and apprehend the hackers. As a result of the breach, all Bitfinex customers experienced a 36% reduction in their account balances and were compensated with BFX tokens proportional to their losses. Despite employing BitGo’s multi-signature security system, the hack still occurred.

In February 2022, the US government achieved a successful recovery and seizure of a portion of the stolen bitcoins. These bitcoins were valued at US$3.6 billion at the time. The recovery was made possible by decrypting a file that contained the addresses and private keys associated with the stolen funds.

Attackers

The file containing addresses and private keys involved in the attack was associated with Ilya Lichtenstein. Both Lichtenstein and his wife, Heather R. Morgan, were charged with conspiracy to launder money by the U.S. Department of Justice (DOJ). However, the identity of the actual thief remains unknown.

The stolen funds were consolidated into a single wallet address, bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt, on February 2, 2022. Presently, these funds are under the custody of the US government.

Losses

Within three hours, the hackers successfully stole approximately 119,756 BTC, equivalent to around US$72 million. This amount accounted for roughly 0.75% of the total bitcoins in circulation at that time.

Timeline

  • August 2, 2016: Bitfinex reports a security breach, resulting in a temporary halt to all trading. Users’ Bitcoins are reported stolen.
  • August 6, 2016, 3:51 PM UTC: Bitfinex announces compensation for customers’ losses through the issuance of BFX tokens.
  • August 10, 2016, 2:01 PM UTC: Bitfinex resumes trading and restores services, implementing additional security measures.
  • April 3, 2017: Bitfinex announces full recovery from the hack, redeeming all issued BFX tokens.
  • August 4, 2020: Bitfinex offers a US$400 million reward for information leading to the identification of the hackers, including the possibility of a reward for the return of stolen property.
  • February 1, 2022: 94,643.29 BTC, over 79% of the stolen funds, are consolidated into a single wallet.
  • February 7, 2022: The U.S. Department of Justice recovers approximately 94,636 stolen BTC, valued at US$3.629 billion at that time.

Security Failure Causes

Violation of the Security Protocol: Bitfinex neglected to incorporate recommended operational, financial, and technological controls proposed by its digital security partner, Bitgo, as revealed by an OCCRP report. This lapse resulted in critical errors, including the storage of two security keys on a single device, granting unrestricted access to Bitfinex’s systems and security tokens. Exploiting this vulnerability, hackers successfully circumvented BitGo’s withdrawal limits and swiftly depleted the wallet.