Journalists reveal details of Bitfinex hack report

The bitcoin exchange Bitfinex failed to implement ‘operational, financial and technological controls’, which made the 2016 hack possible. The report, as stated on the OCCRP website.

OCCRP brings together media outlets and investigative reporters conducting journalism in Eastern Europe, Central Asia, Latin America and Africa. The main funding comes from USAID.

The centre claims to have obtained access to a confidential incident-investigation report. It was prepared by the Canadian firm Ledger Labs at the request of iFinex, the parent company of Bitfinex.

According to the document, the trading platform did not implement the measures proposed by its partner BitGo. The investigation states that Bitfinex used a system that requires an administrator to hold two of three security keys to execute any major operation. The company ‘made a critical error’ by keeping two keys on a single device.

The document also states that the exchange lacked other basic security measures, including server activity logging and a ‘withdrawal whitelist’.

Journalists stressed that they could not independently verify the report’s findings. According to them, Bitfinex did not challenge the document’s veracity, and its author Michael Perklin cited a non-disclosure agreement.

Meanwhile, representatives of the exchange told OCCRP that Ledger Labs’ analysis was ‘incomplete’ and ‘incorrect’. They said there was ‘evidence of negligence’ by other counterparties that led to the hack.

Ledger Labs did not respond to journalists’ requests. BitGo declined to comment, but did not dispute the existence of the document.

As a result of the hack in early August 2016, Bitfinex lost nearly 120,000 BTC (about $71.8 million at the time, over $3.3 billion at current prices) and suspended trading for a time.

In May 2020, unknown actors moved 30.667192 BTC to anonymous addresses. Later, 4571 BTC and 473.3183 BTC moved.

In August 2020, Bitfinex announced a $400 million reward for help in recovering the stolen funds. In October, the attackers moved bitcoins worth more than $30 million, and in December — in total 7,045.48 BTC.

On February 1, 2022, 94,643 BTC moved. In the same month, U.S. authorities arrested 34-year-old Ilya Lichtenstein and 31-year-old Heather Morgan on charges of laundering 119,754 BTC stolen from Bitfinex.

Representatives of the U.S. Department of Justice also announced the largest seizure of digital assets in the department’s history — 94,636 BTC ($3.6 billion at the time).

Morgan was released on $3 million bail. The court found that there was no substantial evidence against her beyond the assertion that she allegedly received funds related to the case.

The streaming service Netflix announced a documentary series about Morgan and Lichtenstein.