2016 Crypto Hack: Bitfinex Hid a Report that Flagged Security Flaws: OCCRP

by Solomon Oladipupo
  • Bitfinex allegedly failed to implement recommended technological controls.
  • Reacting, the crypto exchange criticized OCCRP's report as "incomplete" and "incorrect."

Cryptocurrency exchange Bitfinex never made public a confidential report that found its security lapses responsible for over 119,000 bitcoins stolen from the platform in August 2016, the Organized Crime and Corruption Reporting Project (OCCRP) reported on Thursday. The stolen BTCs, worth about $3.2 billion in today’s market, were priced at $71 million at the time.

OCCRP, a global network of investigative journalists, said it obtained a version of the secret report that says Bitfinex failed to implement operational, financial and technological controls recommended by its digital security partner BitGo. The network said the report was commissioned by iFinex, the owner and operator of Bitfinex, and was produced by Canada-based blockchain services firm Ledger Labs.

Giving further details, OCCRP said the report claims that Bitfinex deployed a security system that placed two of its three security keys with an administrator. The keys were required to carry out significant operations on the exchange, including transferring bitcoins.

In addition, OCCRP noted that Bitfinex made the mistake of storing two of the three keys on a single device. It added that while it is not known whether the device was compromised during the hack, access to it would give a hacker complete access to the crypto exchange’s internal system and ‘security tokens’.

"Other basic security measures were also absent, including the logging of server activity outside of the server itself," OCCRP wrote in its report, adding that the 'withdrawal whitelist', a security component that allows cryptocurrency transfers only to verified addresses, was also unavailable.

Additionally, the journalism network said the confidential report suggested that the hack was probably organized from Poland, going by a detailed examination of the source Internet Protocol address.

Bitfinex Slams OCCRP Report

As reported, Bitfinex told OCCRP that Ledger Labs’ analysis in the report was “incomplete” and “incorrect.” On top of that, the network quoted Bitfinex as saying there was “evidence of negligence…on the part of other counterparties that led to the hack.”

In an undated statement published on its website, Bitfinex also reiterated these points, noting that “assertions made by the OCCRP are factually incorrect.” Moreover, the crypto exchange criticised a report on the issue published by Wired, whose journalist worked on the report with the OCCRP.

“Bitfinex refutes the findings of the OCCRP,” said the digital exchange operator. “As is well known, there is an investigation being conducted by authorities into the 2016 hack, with which Bitfinex has collaborated and shared information over many years.”

Also, Bitfinex said it will provide full details on the case when investigations are completed, noting that: “to make any comments before the investigation into the breach is concluded would be inappropriate.”

United States Charges Two Suspects

While the Bitfinex hacker remains at large, US prosecutors in February last year charged an American couple with trying to launder roughly $4.5 billion in cryptocurrency linked to the 2016 hack. The US Department of Justice (DOJ) said in a statement that the government seized more than 94,000 bitcoins connected to the attack from the couple, Ilya Lichtenstein and Heather Morgan. The bitcoins were worth over $3.6 billion at the time.

Furthermore, the prosecutor noted that the BTCs stolen from Bitfinex through over 2,000 unauthorized transactions were sent to a crypto wallet under Lichtenstein’s control. The OCCRP reported that the couple pleaded not guilty and is awaiting trial.

“Over the last five years, approximately 25,000 of those stolen bitcoins were transferred out of Lichtenstein’s wallet via a complicated money laundering process that ended with some of the stolen funds being deposited into financial accounts controlled by Lichtenstein and Morgan,” the DOJ explained. “The remainder of the stolen funds, comprising more than 94,000 bitcoins, remained in the wallet used to receive and store the illegal proceeds from the hack,” it added.
