Confidential Report Flags Bitfinex Security Lapses in Huge 2016 Hack

It was one of the largest bitcoin heists in history, but it happened fast: In the space of barely more than three hours in August 2016, over 119,000 bitcoins were quietly siphoned out of wallets on the Bitfinex cryptocurrency exchange. Before anyone had noticed, the crypto — worth $71 million at the time — was gone.

Authorities have never tracked down the thief, although last year an American couple was arrested for laundering some of the stolen bitcoins — which by that time were worth $4.5 billion. But an investigation carried out in the wake of the hack has highlighted security flaws in the Bitfinex platform’s systems that allowed the theft to happen.

The confidential report from the investigation, commissioned by one of Bitfinex’s owners, iFinex, and produced by Canadian cryptocurrency consultancy and development firm Ledger Labs, was never made public, but a version of it was obtained by OCCRP. The document, which contains detailed findings, conclusions and recommendations, said that Bitfinex failed to implement operational, financial, and technological controls proposed by its digital security partner Bitgo.

OCCRP was unable to independently corroborate the findings but, in communications with reporters, Bitfinex did not dispute the report was authentic. Bitgo declined to comment but did not specifically dispute the report’s existence or its findings. Ledger Labs did not respond to a request for comment, and the report’s author, Michael Perklin, said he could not comment because his work on the iFinex report was covered by a non-disclosure agreement.

Tight digital security is crucial for cryptocurrency platforms, because slip-ups cost customers real money.

“When you’re dealing with the internet of money, the stakes are that much higher,” said Hugh Brooks, director of security operations at blockchain security firm CertiK. “If you get breached or make a mistake, it’s not just some usernames and passwords, it’s someone’s life savings or potentially a massive amount of funds.”

The Ledger Labs report obtained by OCCRP said Bitfinex employed a security system that required an administrator to have two out of three security keys in order to carry out any significant operations on the exchange, including moving bitcoin.

But it found that Bitfinex made a critical error by placing two of these three keys on the same device. Hacking that single device would give an attacker full access to Bitfinex’s internal systems, and to “security tokens” that allowed the attacker to manipulate Bitfinex’s operating system. “The hacker was able to take two…security tokens,” the document said, and in less than a minute was able to raise the daily limit on the number of transactions permitted in order to quickly drain as much bitcoin as possible.

The Ledger Labs document said the tokens accessed by the hacker were associated with a generic “admin” email address and another linked to “giancarlo,” belonging to Bitfinex CFO and shareholder Giancarlo Devasini, a former Italian plastic surgeon with a checkered business history. The document did not lay blame for the hack with Devasini.

Devasini did not respond to multiple requests for comment.

The document said that storing multiple keys and tokens on a single device was “a violation of the CryptoCurrency Security Standard,” referring to an industry-led best-practice initiative, though it is unclear whether this specific device was the one compromised in the hack. It said other basic security measures were also absent, including the logging of server activity outside of the server itself, and a “withdrawal whitelist” — a security feature that only permits cryptocurrency transfers to verified or approved addresses.

The Ledger Labs document concluded that the hack probably originated in Poland, based on a detailed analysis of source IP addresses.

Bitfinex told OCCRP the Ledger Labs analysis was “incomplete” and “incorrect,” and that there was “evidence of negligence…on the part of other counterparties that led to the hack.”

Karen A. Greenaway, a retired FBI Supervisory Special Agent who specializes in anti-money laundering, was critical of Bitfinex’s response to the hack.

“The fact that [Bitfinex] has not provided a [public] report accepting responsibility and remedying the security failures that led to the hack says more than any admission or denial on their part ever would,” Greenaway said.

Although the hacker remains at large, U.S. investigators last year arrested dual Russian-American citizen Ilya Lichtenstein and his wife, Heather Morgan, for allegedly laundering the stolen bitcoins. Both pleaded not guilty and are awaiting trial.

Lichtenstein is a self-described tech entrepreneur and investor who developed some small apps, while Morgan, an economist by training and Forbes.com contributor, became the CEO of some of Lichtenstein’s tech projects. Morgan has a colorful back story including a rapping alter ego known as “Razzlekhan.” Yet U.S. investigators noted in an official Department of Justice document that Morgan used her real name to cash out some of the online purchases made with the stolen cryptocurrency.

Burner phones, SIM cards, and assorted electronics were found under the couple’s bed in their New York apartment, according to court filings. Special agents also obtained access to files within an online account controlled by Lichtenstein which contained the private keys required to access the digital wallet holding $3.6 billion worth of bitcoin at the time of seizure. U.S. authorities described it as the biggest cryptocurrency seizure in U.S. history.

IFinex also owns Tether, the largest so-called “stablecoin” in the world. A stablecoin is a cryptocurrency whose value is pegged to a currency, a financial instrument or a commodity like gold. Tether is pegged to the U.S. dollar, and there are $82 billion worth of Tether tokens in circulation. Its security is crucial: stablecoins are designed to offer the stability sorely lacking in other cryptocurrencies, and help anchor the value of those currencies like a central bank does with fiat money.

Massive hacks or failures of cryptocurrency exchanges — the most recent and famous being FTX — threaten the stability of any cryptocurrency: Following the Bitfinex hack, bitcoin’s value plummeted 20 percent.