Internal Report Suggests Security Flaws in Hacked Crypto Exchange Bitfinex

Featured Sponsor

Store	Link	Sample Product
UK Artful Impressions	Premiere Etsy Store

Bitfinex told OCCRP that the analysis was “incomplete” and “incorrect” and that there was “evidence of negligence… by other counterparties that led to the attack.” Bitgo declined to comment. Ledger Lab did not respond to a request for comment.

The hacker covered their tracks with a data destruction tool, used to permanently delete logs and other digital artifacts that could have identified the initial point of entry into Bitfinex’s systems, meaning it’s unclear how they got into the exchange’s systems, just the security weaknesses they discovered. He was taken advantage of once inside. The transfer of more than 119,000 bitcoins from more than 2,000 user accounts to wallets under the thief’s control took just over three hours. The cryptocurrency sat there for months until, starting in January 2017, someone started sending small amounts zigzagging through other accounts. The money was eventually withdrawn or used to make small purchases online.

Investigators managed to follow the money trail and, six years after the hack, they arrested the couple on charges of laundering stolen bitcoins. Under the couple’s bed in their New York apartment were found disposable phones, fake passports and USB sticks containing electronic wallet security keys worth $3.9 billion in bitcoin. Both have pleaded not guilty and are awaiting trial.

It is not clear if the lessons of the Bitfinex hack have led to changes in the company’s procedures. The company told OCCRP that the report was “incorrect” and that there was “evidence of negligence… on the part of other counterparties that led to the attack.” Bitgo declined to comment.

Karen A. Greenaway, a former FBI agent and cryptocurrency specialist, says she thought Bitfinex’s security flaws stemmed from its desire to “get more transactions done faster” and thus increase profits. “The fact that [Bitfinex] have not provided a [public] the report accepting responsibility and remedying the security flaws that led to the hack says more than any admission or denial on their part would,” the agent said.

Security experts say that the crypto industry is generally less vulnerable to the kind of relatively simple attacks that were happening at the time of the Bitfinex leak, but that the size and complexity of the industry has grown dramatically since then. .

“The surface area that needs to be protected for Web3 is much larger than you might expect,” says Max Galka, founder and CEO of blockchain analytics company Elementus. “In some cases, what might appear to be a smart contract hack could actually have occurred several degrees apart.”

Just as bitcoin stolen from Bitfinex skyrocketed in value, the crypto industry is now massive, but the companies that provide its infrastructure are often more focused on moving quickly and executing new ideas.

“A lot of cryptocurrency companies have great ideas, but they don’t think about security,” says Hugh Brooks, director of security operations at blockchain security firm CertiK. “They go ahead with building a Web3 application until they hack it. Only a handful of apps get past even the most basic checks.”

While there has been progress, Brooks says, crypto companies need to invest much more in security. “If you get breached or you make a mistake, it’s not just a few usernames and passwords, it’s someone’s life savings or a potentially huge amount of funds,” he says. “When it comes to the Internet of Money, the stakes are much higher.”

This article was prepared in association with the Organized Crime and Corruption Reporting Project, an investigative reporting platform for a global network of independent media centers and journalists.