
Confidential Report Highlights Bitfinex Security Breach in Massive 2016 Hack


In 2016, a hacker or hackers gained access to the Bitfinex cryptocurrency exchange and took 119,754 bitcoins, worth a total of $72 million at the time. The stolen coins' value had risen to almost $4 billion by the time US police detained rapper Heather Morgan and her husband, startup founder Ilya Lichtenstein, last year on suspicion of laundering them. It was the US Department of Justice's single greatest financial recovery in its history. However, the hack's culprit is still at large.

Ledger Labs, a Canadian cryptocurrency consulting and development company, was hired by one of Bitfinex's owners, iFinex, to conduct an investigation. The confidential report from that inquiry was never made public. However, a copy of the study, with specific conclusions, has been obtained by the Organised Crime and Corruption Reporting Project (OCCRP).

According to the document's in-depth findings, conclusions, and suggestions, Bitfinex failed to put the operational, financial, and technological controls recommended by its partner in cyber security, Bitgo, into place.

Although Bitfinex did not question the legitimacy of the report in contacts with journalists, OCCRP was unable to independently confirm the facts. Bitgo opted out of commenting but did not expressly deny the report's existence or its conclusions. Requests for response from Ledger Labs went unanswered, and the study's author, Michael Perklin, stated that he was unable to do so because his work on the iFinex report was subject to a non-disclosure agreement.


For cryptocurrency sites, strict digital security is essential since mistakes cost users real money.

“When you’re dealing with the internet of money, the stakes are that much higher,” stated Hugh Brooks, director of security operations at blockchain security firm CertiK. “If you get breached or make a mistake, it’s not just some usernames and passwords, it’s someone’s life savings or potentially a massive amount of funds.”

According to the Ledger Labs report obtained by OCCRP, Bitfinex used a security mechanism that required an administrator to hold two of three security keys in order to perform any substantial exchange operation, including moving bitcoin.

However, the report found that Bitfinex made a crucial mistake by storing two of these three keys on the same piece of hardware. An attacker who managed to compromise that one device would have complete access to Bitfinex's internal systems and to the "security tokens" that gave them control over the operating system. According to the report, "the hacker was able to take two...security tokens," and in less than a minute was able to raise the daily cap on the number of permitted transactions in order to drain as much bitcoin as possible as quickly as possible.

According to the Ledger Labs report, the hacker obtained tokens associated with a generic "admin" email account and another tied to "giancarlo," which belonged to Bitfinex CFO and shareholder Giancarlo Devasini, a former Italian plastic surgeon with a shady business past. The document did not assign blame for the hack to Devasini.

The report stated that holding numerous keys and tokens on a single device constituted "a violation of the CryptoCurrency Security Standard," referring to an industry-led best-practice initiative, though it is unclear whether this particular device was the one compromised in the hack. It also found that other fundamental security precautions were missing, such as monitoring server activity from outside the server itself, and a "withdrawal whitelist," a security feature that only allows cryptocurrency transfers to confirmed or approved addresses.
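The controls described above (a two-of-three key threshold that is only meaningful if the keys live on separate devices, a withdrawal whitelist, and a daily cap that an attacker should not be able to raise in-band) can be modelled in a few lines. This is an added illustration written for this article, not code from Bitfinex, BitGo or the Ledger Labs report; the key names, host names, addresses and cap values are constructed.

```python
from collections import defaultdict
from decimal import Decimal

def single_host_compromise_risk(key_locations, threshold):
    """Return hosts on which one compromised device alone holds enough keys
    to meet the signing threshold (the co-location mistake the report describes)."""
    per_host = defaultdict(set)
    for key, host in key_locations.items():
        per_host[host].add(key)
    return sorted(h for h, keys in per_host.items() if len(keys) >= threshold)

def authorize_withdrawal(signers, dest, amount, state, policy):
    """Gate a withdrawal on three controls. Returns (approved, reason) and
    records approved amounts in state. The daily cap is part of the static
    policy, so a signer session cannot raise it the way the report describes."""
    unknown = [k for k in signers if k not in policy["key_locations"]]
    if unknown:
        return False, "unknown signing key"
    if len(signers) < policy["threshold"]:
        return False, "not enough signing keys"
    hosts = {policy["key_locations"][k] for k in signers}
    if len(hosts) < policy["threshold"]:
        return False, "signing keys not held on distinct devices"
    if dest not in policy["whitelist"]:
        return False, "destination not on withdrawal whitelist"
    if state["spent_today"] + amount > policy["daily_cap"]:
        return False, "daily withdrawal cap exceeded"
    state["spent_today"] += amount
    return True, "approved"

# Constructed key layouts: the first mirrors the report's finding (two keys on one host).
COLLOCATED = {"key-1": "server-A", "key-2": "server-A", "key-3": "server-B"}
SEPARATED = {"key-1": "server-A", "key-2": "server-B", "key-3": "server-C"}

# Constructed policy: 2-of-3 signing, one approved address, 10 BTC per day.
POLICY = {
    "threshold": 2,
    "key_locations": SEPARATED,
    "whitelist": {"approved-cold-wallet-address"},
    "daily_cap": Decimal("10"),
}

if __name__ == "__main__":
    print("risky hosts:", single_host_compromise_risk(COLLOCATED, 2))  # ['server-A']
    state = {"spent_today": Decimal("0")}
    print(authorize_withdrawal({"key-1", "key-2"}, "approved-cold-wallet-address",
                               Decimal("4"), state, POLICY))
```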

Based on a rigorous study of source IP addresses, the Ledger Labs report found that the attack most likely originated in Poland.

Although the hacker is still at large, US authorities detained dual Russian-American citizen Ilya Lichtenstein and his wife, Heather Morgan, last year for allegedly laundering the stolen bitcoins. Both have pleaded not guilty and await trial.

Lichtenstein is a self-described digital entrepreneur and investor who has created a few small apps, while Morgan, a trained economist and Forbes.com contributor, has taken over as CEO of some of Lichtenstein's software ventures. Morgan has an unusual backstory that includes a rapping alter ego known as "Razzlekhan." Nonetheless, US authorities noted in an official Department of Justice document that Morgan used her own name when making online purchases with some of the stolen cryptocurrency.