The Organized Crime and Corruption Reporting Project (OCCRP) has reportedly obtained the security report created by Ledger Labs that was commissioned by Bitfinex after its 2016 hack. The report details numerous failures to follow industry best practice, failure to practice adequate logging, and failure to implement a whitelist.
The Bitfinex hack backstory
On August 2, 2016, Bitfinex was hacked in what was then the second-largest Bitcoin hack ever recorded. Indeed, 120,000 coins (then valued at around $70 million but today worth over $3 billion) were withdrawn from the platform, forcing it to disable all deposits, trading, and withdrawals in response.
In the wake of the attack, Bitfinex announced that “We have arrived at the conclusion that losses must be generalized across all accounts and assets.” The company also claimed that every single account would receive a 36.067% haircut, and for each dollar that represented, users would receive a BFX token, valued at $1, that Bitfinex would try to repay.
Nathaniel Popper would later report that the haircut was not equally applied to all accounts and assets, insisting that Coinbase didn’t receive the same haircut.
They actually did pay, just not the 36%, and what they paid ended up being higher than if they just took the 36% haircut, got their BFX and sold it shortly thereafter.
— Zane Tackett (@tackettzane) January 20, 2022
Former Bitfinex Director Zane Tackett claimed that Coinbase did receive a haircut, but revealed that it was smaller than other clients, undercutting the previous Bitfinex claim that “losses must be generalized across all accounts and assets.”
A few days later on August 17, Bitfinex would announce that it had retained Ledger Labs “to determine exactly how the security breach occurred and to make our system’s design better going forward,” and “to perform an audit of our complete balance sheet for both cryptocurrency and fiat assets and liabilities.”
Several months later, Bitfinex announced that “Ledger Labs has not been engaged to perform a financial audit of Bitfinex.” Eventually, in May 2017, Bitfinex announced that it had hired Friedman LLP to perform an audit. No update has ever been provided on the status of that audit, but Friedman was unable to provide an audit for sister company Tether.
After the hack, Bitfinex promised to provide details on how it occurred, but this never happened. It also reiterated that everyone received the same haircut and detailed the steps that should be taken by unverified users who the system “mistakenly” believed were US-based.
The report
While Bitfinex never released the security report that it had commissioned from Ledger Labs, the reporting by OCCRP does provide more insight into how the hack occurred.
The report details how Bitfinex’s system, which was an implementation of BitGo’s multi-signature wallet, needed two of three keys in order to withdraw. The report claims that Bitfinex irresponsibly had both keys on the same device, and so by compromising that single device, hackers were able to immediately bypass the BitGo withdrawal limits and drain the wallet.
The keys were supposedly linked to two separate emails, one labeled “giancarlo” used by Bitfinex chief financial officer Giancarlo Devasini, and another “admin” email address.
The report also details lapses including the lack of a whitelist for withdrawals and an absence of server logging. The report also suggested that the hack occurred in Poland, based on an analysis of IP addresses.
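The failures described above (two of the three signing keys on one device, no withdrawal whitelist, no logging) can be checked for mechanically. The following is an added example, not taken from the Ledger Labs report or from Bitfinex or BitGo code: it computes how few devices must be compromised to reach a multisig threshold and applies an allowlist and limit check that logs every decision. All key, host and address names are constructed placeholders.

```python
import logging
from itertools import combinations

log = logging.getLogger("withdrawal-policy")

def min_devices_to_threshold(key_locations, threshold):
    """Fewest devices whose compromise exposes >= threshold distinct keys.

    key_locations maps key id -> set of device names holding a copy.
    Returns (count, devices); (None, ()) if the threshold is unreachable.
    """
    devices = sorted({d for locs in key_locations.values() for d in locs})
    for n in range(1, len(devices) + 1):
        for combo in combinations(devices, n):
            exposed = [k for k, locs in key_locations.items() if locs & set(combo)]
            if len(exposed) >= threshold:
                return n, combo
    return None, ()

def check_withdrawal(dest, amount, allowlist, per_tx_limit):
    """Return policy violations for a withdrawal; empty list means it may be signed."""
    violations = []
    if dest not in allowlist:
        violations.append("destination not on allowlist")
    if amount > per_tx_limit:
        violations.append("amount exceeds per-transaction limit")
    # Log every decision, allowed or denied, so there is a record to investigate.
    log.info("withdrawal dest=%s amount=%s violations=%s", dest, amount, violations)
    return violations

# Constructed inventories for a 2-of-3 wallet (names are placeholders).
CO_LOCATED = {"key_a": {"host-1"}, "key_b": {"host-1"}, "key_c": {"host-3"}}
SEPARATED = {"key_a": {"host-1"}, "key_b": {"host-2"}, "key_c": {"host-3"}}
ALLOWLIST = {"ADDR_COLD_STORAGE", "ADDR_TREASURY"}  # constructed labels

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, inv in (("co-located", CO_LOCATED), ("separated", SEPARATED)):
        n, devs = min_devices_to_threshold(inv, threshold=2)
        print(f"{name}: {n} device(s) reach the threshold: {devs}")
    print(check_withdrawal("ADDR_UNKNOWN", 5000, ALLOWLIST, per_tx_limit=100))
```

A result of 1 for a 2-of-3 wallet means the multi-signature scheme offers no more protection than a single key.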
Dutch and Razzlekhan
The Bitfinex hacker has never been arrested, but early last year Heather Morgan and Ilya Lichtenstein were arrested for allegedly trying to launder the bitcoins stolen in this hack.
When they were arrested, authorities were able to seize the vast majority of the bitcoin that was originally stolen from Bitfinex; however, neither has been accused of the hack. Among their other possessions that were seized were a variety of burner phones and spreadsheets that detailed their efforts to successfully clean the coins.
Bitfinex hasn’t disclosed any additional breaches since 2016, but its sister company Tether was hacked in November 2017.
Bitfinex, in its statement to OCCRP, said that the Ledger Labs report was “incomplete” and “incorrect” but has so far failed to provide its own post-mortem explaining how the hack occurred. It has also yet to provide an update on the promised financial audit from over half a decade ago.