Fairyproof's Review on the Bitcoin Stolen in the Bitfinex Hack
On Feb 8, 2022 (US EST), big news broke: the US Department of Justice announced that it had “recovered a significant portion of the Bitcoin stolen during the August 2016 security breach” of Bitfinex.
This is a very positive outcome both for Bitfinex's users and for holders of its LEO token.
Newcomers who entered the crypto industry in recent years may never have heard of this incident, but OG players who traded Bitcoin on Bitfinex before 2016 probably still remember it well.
Although it happened “long” ago, the lessons drawn from it are still worth learning.
That was a massive incident in Bitcoin’s early history.
On August 2, 2016, 119,756 Bitcoins, worth about $72 million at the time, were stolen from Bitfinex, then the largest cryptocurrency exchange. The stolen coins accounted for more than one-third of the total assets Bitfinex held, and it was the second-largest loss in Bitcoin's history at the time.
Right after the incident, Bitcoin's price plummeted about 20% and Bitfinex temporarily suspended its exchange operations.
This incident shocked the whole crypto industry and also drew the attention of the US government.
The document released by the DOJ gives details about where the stolen Bitcoins eventually went and how they were laundered.
Here are some noteworthy details Fairyproof extracted from DOJ’s documents:
Point 1: Part of the stolen Bitcoins were sent to 7 accounts at AlphaBay (a darknet market), which served as pass-through accounts to break up the trail of the stolen coins.
Point 2: After the stolen coins had been layered through AlphaBay, they were withdrawn and deposited at multiple conventional centralized exchanges.
Point 3: At some of these centralized exchanges the suspects completed KYC, leaving real-world identities behind, including names and even delivery addresses.
Points 1 and 2 were the popular money-laundering techniques of the time, and Point 3 is what leaked the actors' identities.
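How a pass-through trail like the one in Points 1 and 2 is followed in practice, as an added example that is not part of the original article or of the DOJ filing: a “haircut” taint trace over a constructed toy ledger (every transaction id, address and amount below is made up for illustration). Each output inherits the fraction of its inputs' value that is tainted, so co-spending stolen coins with clean coins dilutes but never erases the taint, and the trace ends at the KYC-bound exchange accounts where an investigator can ask for the account holder's identity (Point 3).

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger (not real Bitfinex, AlphaBay or DOJ data). Transactions are
# in topological order; each input references an earlier output as (txid, vout).
# Funding transactions have no inputs and play the role of coinbase-style sources.
TXS = [
    {"id": "fund_hot",   "in": [],                                "out": [("exchange_hot_wallet", 100)]},
    {"id": "fund_clean", "in": [],                                "out": [("unrelated_wallet", 10)]},
    # The theft: the hot wallet is drained to two attacker-controlled addresses.
    {"id": "theft",      "in": [("fund_hot", 0)],                 "out": [("attacker_a", 60), ("attacker_b", 40)]},
    # Layering: deposits into pass-through accounts at a darknet market.
    {"id": "dep1",       "in": [("theft", 0)],                    "out": [("market_acct_1", 30), ("market_acct_2", 30)]},
    # Stolen coins co-spent with clean coins to dilute the trail.
    {"id": "dep2",       "in": [("theft", 1), ("fund_clean", 0)], "out": [("market_acct_3", 50)]},
    # Withdrawals from the market land at KYC exchanges (plus a market fee).
    {"id": "wd1",        "in": [("dep1", 0), ("dep1", 1)],        "out": [("kyc_exchange_x_user42", 55), ("market_fee", 5)]},
    {"id": "wd2",        "in": [("dep2", 0)],                     "out": [("kyc_exchange_y_user7", 45), ("market_fee", 5)]},
]


def trace_taint(txs, theft_txid):
    """Haircut taint tracing: every output of a transaction inherits the fraction of
    the transaction's input value that is tainted. Returns {address: tainted value}
    for every output still unspent at the end of the ledger. Exact arithmetic via
    Fraction so that the total tainted value is conserved along the way."""
    outputs = {}   # (txid, vout) -> (address, value)
    taint = {}     # (txid, vout) -> Fraction in [0, 1]
    spent = set()
    for tx in txs:
        for ref in tx["in"]:
            if ref not in outputs:
                raise ValueError(f"{tx['id']} spends unknown or not-yet-created output {ref}")
        for vout, (addr, value) in enumerate(tx["out"]):
            outputs[(tx["id"], vout)] = (addr, value)
        if tx["id"] == theft_txid:
            frac = Fraction(1)                      # seed: everything leaving the theft tx is stolen
        else:
            total = sum(outputs[ref][1] for ref in tx["in"])
            tainted = sum(outputs[ref][1] * taint.get(ref, Fraction(0)) for ref in tx["in"])
            frac = tainted / total if total else Fraction(0)
        for ref in tx["in"]:
            spent.add(ref)
        for vout in range(len(tx["out"])):
            taint[(tx["id"], vout)] = frac
    exposure = defaultdict(Fraction)
    for ref, (addr, value) in outputs.items():
        if ref not in spent and taint.get(ref, Fraction(0)):
            exposure[addr] += value * taint[ref]
    return dict(exposure)


def kyc_destinations(exposure, prefix="kyc_"):
    """Accounts at KYC-bound services where tainted value came to rest, largest first.
    In a real investigation these are the accounts whose holders get subpoenaed."""
    hits = [(addr, val) for addr, val in exposure.items() if addr.startswith(prefix)]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    exposure = trace_taint(TXS, "theft")
    for addr, val in sorted(exposure.items(), key=lambda item: -item[1]):
        print(f"{addr:24s} {float(val):6.2f} BTC tainted")
    print("KYC targets:", [addr for addr, _ in kyc_destinations(exposure)])
```

In the toy ledger the 100 stolen coins end up as 55 at one exchange account, 36 at another and 9 in market fees; the 40 coins mixed with 10 clean coins carry an 80% taint rather than disappearing. Real chain-analysis tools use the same idea with larger graphs, address clustering and alternative allocation rules (FIFO, poison), but the pass-through accounts in Points 1 and 2 do not break the graph, they only add hops to it.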
If we compare these three points with how hackers operate today, we find large differences:
1. Nowadays hackers have far better utilities and tools for laundering money without leaking their identities. Today they greatly prefer anonymizing tools such as Tornado Cash to break up the trail of stolen crypto, instead of sending it to conventional CEXs, especially those with KYC requirements.
These tools are decentralized and censorship-resistant, and hackers do not leak any personal information by using them, so laundering is much “safer” for hackers today. Censorship-resistant is not the same as untraceable, however: deposits into and withdrawals out of a mixer are still public on-chain, so correlating amounts and timing remains an investigative lever.
2. Increasingly more decentralized and anonymous tools are emerging, such as layer 1 blockchains with built-in anonymity and DAPPs dedicated to hiding transaction information.
3. Today hackers use decentralized exchanges instead of conventional CEXs to swap stolen crypto into fiat-pegged stablecoins and walk away. This is a much safer way for hackers to cash out, although issuers of centrally administered stablecoins can freeze addresses they control, which limits this route.
These “new norms” pose both an increasingly huge threat to the crypto industry and a great challenge to security companies.
Back to the incident itself: something is still missing.
One year before the incident, Bitfinex and BitGo, a crypto wallet developer, announced that they had jointly developed and deployed a multi-sig system to secure users' crypto assets while still allowing fast withdrawals.
After the incident many users cast serious doubts on this system and suspected it had vulnerabilities.
BitGo, however, rejected this and stated on Twitter that no breach of its servers had been found.
Some rumors or so-called inside stories circulated but no clear reports or details about this have ever been publicly released.
Hence one thing is still a mystery: what on earth was the root cause of this incident, and who should be held responsible? These questions remain unanswered even today.
But one thing is clear: the Bitcoin network itself was functioning normally, and the hackers exploited some vulnerability either in the exchange's daily operations or in its exchange system. That vulnerability ultimately comes down to either a leak of private keys or an abuse of private keys.
This sounds like an old story, but it is not an obsolete one.
The compromise of private keys has long been a major threat to the whole crypto industry, and it still is today.
According to the report Review of Blockchain Security in Year 2021 released by Fairyproof's research team, among the publicly reported incidents of 2021 in which a DAPP's front end or server side was attacked, compromise of private keys was still the biggest threat, and conventional centralized exchanges were still the biggest victims. For example, BitMart lost $150 million, Liquid $91 million, AscendEX $77 million, HitBTC $40 million and Bilaxy $21.70 million.
To prevent this from happening and to safeguard crypto assets, we suggest the following practices:
For entities that hold crypto assets in custody, multi-sig technology must be implemented and deployed, with the keys held by genuinely independent parties and signed under independent policy checks, so that no single leaked or abused key can authorize a withdrawal. Bitfinex had a multi-sig system in place when it was hacked; multi-sig only helps if the threshold cannot be met from one compromised vantage point.
For users, it is better to keep crypto assets that are not needed for frequent trading in cold wallets, and if one has to trade on a centralized exchange, to do so on a well-established one with a good reputation.
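What an M-of-N policy buys you against a single leaked key, as an added example that is not the Bitfinex/BitGo system (whose design this page does not describe) nor any library's code: a minimal 2-of-3 ECDSA check in pure Python over secp256k1, the curve Bitcoin uses. The curve arithmetic is textbook affine double-and-add and not constant-time, the demo keys and the “withdrawal” message are constructed, and the deterministic nonce derivation is a simplified RFC 6979-style HMAC rather than the full standard; it is for illustration, not for custody.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def keygen(label):
    """Deterministic demo key derived from a label (constructed for this example; never derive real keys this way)."""
    priv = 1 + int.from_bytes(hashlib.sha256(label).digest(), "big") % (N - 1)
    return priv, _mul(priv, G)


def sign(priv, digest):
    """ECDSA over a 32-byte digest with a deterministic nonce (simplified RFC 6979-style HMAC derivation)."""
    z = int.from_bytes(digest, "big")
    k = 1 + int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % (N - 1)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:          # low-s normalisation, as Bitcoin requires
        s = N - s
    return r, s


def verify(pub, digest, sig):
    """Standard ECDSA verification; returns a bool."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def authorize(pubkeys, m, digest, sigs):
    """M-of-N policy check in the spirit of OP_CHECKMULTISIG: approve only if at least m
    *distinct* keys from pubkeys produced valid signatures over the same digest.
    Each signature is matched to at most one key, so presenting one signature twice
    cannot satisfy a 2-of-3 policy."""
    matched = set()
    for sig in sigs:
        for idx, pub in enumerate(pubkeys):
            if idx not in matched and verify(pub, digest, sig):
                matched.add(idx)
                break
    return len(matched) >= m


def demo():
    # Constructed scenario: three independently held keys (e.g. exchange hot key, co-signer, offline backup).
    keys = [keygen(b"demo-key-%d" % i) for i in range(3)]
    pubs = [pub for _, pub in keys]
    digest = hashlib.sha256(b"withdraw 100 BTC to the demo destination").digest()
    leaked = sign(keys[0][0], digest)       # attacker holds key 0 only
    cosigned = sign(keys[1][0], digest)     # an honest, independent co-signer approves
    return {
        "single_leaked_key":   authorize(pubs, 2, digest, [leaked]),
        "same_sig_replayed":   authorize(pubs, 2, digest, [leaked, leaked]),
        "two_of_three":        authorize(pubs, 2, digest, [leaked, cosigned]),
        "no_threshold_1_of_3": authorize(pubs, 1, digest, [leaked]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> {'APPROVED' if ok else 'rejected'}")
```

With the 2-of-3 policy the leaked key alone is rejected, replaying its signature is rejected, and only an honest co-signature gets the withdrawal approved; drop the threshold to 1-of-3 and the leaked key is enough. The policy only helps when the m keys are genuinely independent: if one party's process signs whatever the other party submits, the threshold is reduced to one key in practice.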
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.