Bitfinex’s Chief Technology Officer, Paolo Ardoino, expressed skepticism regarding reports of a potential user data breach at the cryptocurrency exchange.
Everyone panicking for a potential database breach on bitfinex.
Tldr: seems fake.The alleged hackers have posted 2 mega links with sample data contains 22.5k records of email and passwords.
— we don’t store plaintext passwords, nor 2FA secrets in clear text.
— only 5k of 22.5k…— Paolo Ardoino ? (@paoloardoino) May 4, 2024
On April 26, hackers from FSOCIETY claimed to have breached Bitfinex, obtaining 2.5 TB of information and personal data of 400,000 users. They demanded a “significant sum” within a week to prevent a “catastrophic leak” of this data.
“The alleged hackers published two links with sample data containing 22,500 records of emails and passwords. We do not store passwords and 2FA in plain text. Only 5,000 of the 22,500 email addresses match Bitfinex users. If this were part of our database, we would expect a 100% match,” Ardoino wrote.
According to him, the alleged hackers have not contacted the exchange with a ransom demand.
“The hackers compiled a database of emails and passwords, likely from various crypto breaches. Unfortunately, most users use the same email addresses and passwords across multiple sites. We are conducting a thorough analysis of our systems, and no leaks have been detected so far,” added the Bitfinex CTO.
Ardoino also shared a message from an unnamed cybersecurity researcher, who claims that the alleged hackers are using this method to advertise a hacking tool.
Here a message from a security researcher (that instead of panicking, trying to dig a bit more into it).
“I believe I start to understand what is happening and why they are sending these messages claiming you were hacked.
The message in the screenshot in the ticket came from a… pic.twitter.com/YjwG2eeXw2— Paolo Ardoino ? (@paoloardoino) May 4, 2024
“Creating hype about successfully hacking well-known companies advertises how good their tool is, prompting others to buy it and earn millions of dollars by hacking companies with it,” the specialist explained.
The Bitfinex CTO doubted that hackers who breached a cryptocurrency exchange would sell tools for $299. He also posed a question to the audience:
“If someone compiles a database of 100,000 emails clearly belonging to people in crypto (collected from all previous crypto hacks), how likely is it that 20% of those are valid emails on some crypto exchange?”
Question for the CT community: if someone compiles a database of 100k emails clearly belonging to people in crypto (collected from all previous crypto hacks), how likely is that 20% of those are valid emails on some crypto exchange?
— Paolo Ardoino ? (@paoloardoino) May 4, 2024
Back in August 2016, Bitfinex lost nearly 120,000 BTC ($71.8 million at the time, over $7.6 billion at current prices) due to a hack and temporarily suspended operations.
On February 1, 2022, 94,643 BTC were moved. In the same month, U.S. authorities arrested 34-year-old Ilya Lichtenstein and 31-year-old Heather Morgan on charges of laundering 119,754 BTC stolen from Bitfinex. In August 2023, they pleaded guilty.