Bitfinex told OCCRP the analysis was “incomplete” and “incorrect” and that there was “evidence of negligence…on the part of other counterparties that led to the hack.” Bitgo declined to comment. Ledger Lab did not respond to a request for comment.
The hacker covered their tracks with a data destruction tool, used to permanently delete logs and other digital artifacts that might have identified the initial entry point into Bitfinex systems, meaning it’s not clear how they got into the exchange’s systems, only the security weaknesses that they took advantage of once inside. The transfer of the more than 119,000 bitcoins from over 2,000 users’ accounts to wallets under the thief’s control took just over three hours. The cryptocurrency sat there for months until, starting in January 2017, someone started sending small amounts zig-zagging through other accounts. The money was eventually cashed out or used to make small online purchases.
Investigators managed to follow the money and, six years after the hack, arrested the couple on charges of laundering the stolen bitcoins. Burner phones, fake passports, and USB sticks containing the electronic security keys to the wallet holding $3.9 billion worth of bitcoin were found under the couple’s bed in their New York apartment. Both have pleaded not guilty, and are awaiting trial.
It is unclear whether the lessons from the Bitfinex hack have led to changes in the company’s procedures. The company told OCCRP that the report was “incorrect” and that there was “evidence of negligence…on the part of other counterparties that led to the hack.” Bitgo declined to comment.
Karen A. Greenaway, a former FBI agent and cryptocurrency specialist, says she thought Bitfinex’s security lapses were due to its desire to “put through more transactions more quickly” and thereby raise profits. “The fact that [Bitfinex] have not provided a [public] report accepting responsibility and remedying the security failures that led to the hack says more than any admission or denial on their part ever would,” the agent said.
Security experts say that the crypto industry is in general less vulnerable to the kind of relatively straightforward hacks that were happening around the time of the Bitfinex breach, but that the size and complexity of the industry has grown dramatically since then.
“The surface that needs to be protected for Web3 is much larger than you might expect,” says Max Galka, founder and CEO of blockchain analytics company Elementus. “In some cases, what might appear as a smart contract hack might actually have occurred several degrees of separation away.”
Just as the stolen bitcoin from Bitfinex ballooned in value, the crypto industry is itself now massive, but the companies that provide its infrastructure are often more focused on moving quickly and executing new ideas.
“A lot of crypto companies have great ideas but just don’t think about security,” says Hugh Brooks, director of security operations at blockchain security firm CertiK. “They push ahead with building a Web3 application until it gets hacked. Only a handful of apps pass even the most basic checks.”
While there has been progress, Brooks says, crypto companies need to be investing a lot more in security. “If you get breached or make a mistake, it’s not just some usernames and passwords, it’s somebody’s life savings or potentially a massive amount of funds,” he says. “When you’re dealing with the internet of money, the stakes are that much higher.”
This article was prepared in partnership with the Organized Crime and Corruption Reporting Project, an investigative reporting platform for a worldwide network of independent media centers and journalists.