Bitfinex Hack: What Happened, Who Did it and What’s the Latest?
Ah 2016: seems like a long time ago, doesn’t it? After the trauma and turmoil of the last few months, it’s easy to forget that the world started going crazy long before Covid-19 pitched up. In some future rundown of ‘The Most Batshit-Crazy Years of the 21st Century,’ 2016 and 2020 will surely be pretty close in the rankings.
In retrospect, it seems as though 2016 had it all bar a worldwide pandemic and economic meltdown. There was political upheaval with the US electing a mentally dysfunctional reality TV star to the White House and Britain voting to leave the European Union.
There was the seemingly endless stream of musical icons taking their swansongs: Bowie, Prince, Leonard Cohen and George Michael to name but a few. North Korea. Isis. The Chicago Bears breaking the curse of the billy goat (a huge deal if you’re American and into baseball). Yes, it all seemed to be kicking off big time.
It’s no surprise that amidst such uncertainty cryptocurrencies began to come into their own, as people’s faith in the established order of things was shaken. The word ‘bitcoin’ began to be heard more frequently. Something was afoot.
We all know what happened next, of course. But, before the heady days of the bull-run the following year, the crypto space suffered a shock of its own. The Bitfinex hack of August 2016 may have passed under the radar of most people but, like Trump and Brexit, its effects are still with us four years on. The ripples it caused continue to reverberate through the crypto waters to this day and, as recent events have shown, the story still hasn’t reached its end.
It’s the sort of thing no crypto holder wants to read over their cornflakes:
The stolen bitcoins numbered 119,756, or $72 million. If that sounds bad, then remember that was before bitcoin and crypto in general went crazy. At today’s prices, we’re talking more than $1 billion. Bitfinex was one of the largest crypto exchanges in the world at that time, meaning the hack potentially affected hundreds of thousands of users.
Bitfinex held its customers’ funds in multisig wallets whereby withdrawals had to be agreed by BitGo, Bitfinex’s custodian. The hackers not only managed to access a number of wallets but they also figured out how to get around the withdrawal limits imposed by BitGo. It was a sophisticated and carefully plotted attack. For their part, BitGo denied any responsibility for what had happened.
In the wake of the hack, Bitfinex’s security procedures naturally came under scrutiny and questions were raised as to why the company had forgone using cold storage (where private keys are kept off-line) as an adjunct to its multisig protocols. Some suggested that the breach must have been facilitated by someone on the inside. Trading was suspended on the platform while staff tried to figure out what had happened.
Although not as catastrophic as the Mt. Gox disaster two years previously, the hack sent shockwaves throughout the crypto space. What use was bitcoin, or any other cryptocurrency for that matter, if hackers were seemingly able to rob big exchanges with impunity? Such sentiment was reflected in the markets: the news caused the price of bitcoin to slump 20%.
Four days after the hack was reported, Bitfinex published another blog post to update users on what had happened in the interim. In this, they stated that:
‘After much thought, analysis, and consultation, we have arrived at the conclusion that losses must be generalized across all accounts and assets.’
The company had decided to soften the impact of the blow on those account holders affected by sharing out the losses incurred across all accounts. The result was that all customers lost in the region of 36% of their assets held on the exchange.
On top of this, customers were issued with BFX tokens by way of compensation at a rate of one BFX for every dollar lost. These tokens could be redeemed on the exchange or used to buy shares in Bitfinex’s parent company, iFinex. If users chose the latter option they were issued with Recovery Right Tokens (RRT). These could be redeemed against any of the missing funds that might be recovered.
There were, inevitably, dissenting voices raised at this news. As more light was shed on what had happened it became clear that only a handful of accounts had been affected. Perhaps understandably, many of those whose accounts were untouched, and especially those who held assets other than bitcoin, protested at being forced to endure a haircut along with everyone else. In justifying the policy, Bitfinex argued that this would have been standard practice if the company had been forced into liquidation.
Despite the unease that many felt, the measures taken proved successful and within less than a year all the BFX tokens issued had been redeemed for their full value or traded for RRT. Perhaps most impressively of all, Bitfinex managed to stay in business and continue trying to make good their users’ losses.
Bitfinex’s reaction to and handling of the crisis was an important moment for the crypto community. If the exchange had folded - like Mt. Gox had done - or tried to downplay or otherwise obscure the extent of its losses, then confidence in the sector would have plummeted still further.
Yet another security breach was bad enough, but if the platform affected was found to have acted shadily then the public image of cryptocurrencies would have suffered an even more serious blow. If crypto was to challenge mainstream finance, then it had to be seen to face up to its setbacks responsibly. On the 10th August, a blog post announced that the platform was back up and running. It ended on a note of contrition:
‘We are aware that many questions remain and we intend to discuss the theft, the distribution of losses, and our recovery plan in follow-up announcements. We are trying to be as transparent as we can be while we continue to try to make the best of a terrible situation. We regret the loss that took place, but we continue to remain confident in Bitcoin, the trading community, and our plan to compensate our customers. As always, we remain open to constructive commentary and suggestions from all sides.’
Bitfinex now had three priorities. They needed to compensate their customers for the losses they had suffered; they needed to track down the missing funds and they needed to find out who was responsible.
From the day of the hack itself, they had begun working closely with law enforcement agencies across the world to try and locate the missing bitcoins and identify the hackers. Sadly, progress was slow. In 2018 it was announced that US authorities had managed to recover around 27 of the missing bitcoins, which Bitfinex promised to distribute amongst its users who had lost out. It was better than nothing but only a tiny fraction (0.023% in fact) of what had gone missing.
The trail then appeared to have gone cold, although some of the stolen funds had been tracked to several wallets which were lying dormant. Then in June 2019, the Twitter handle Whale Alert reported that around 172 BTC had been moved from one of those wallets to another unknown address. This was followed a few days later by the dramatic news that two Israeli brothers, Eli and Assaf Gigi, had been arrested in Jerusalem on suspicion of being involved in the hack.
When police raided the home of Eli Gigi they allegedly seized two luxury cars, along with a hardware wallet. This wallet, however, did not contain the same amount of funds stolen in the hack. The brothers were detained on suspicion of being involved in the Bitfinex hack, as well as a number of phishing schemes, where Reddit and Telegram users were lured onto fake websites that were designed to look like real crypto exchanges.
Their login and wallet details were then recorded and used to transfer funds from the real exchanges at a later date. It appears that the pair had been involved in crypto scams for some time before they were eventually arrested.
Not much is known about Assaf Gigi, who is reported to have kept quiet during his interrogation. However, his older brother Eli certainly appears to have the expertise necessary to have carried out the hack.
A graduate of the Hebrew University of Jerusalem, he then allegedly enlisted in an elite computer science unit of the Israeli Defence Force (IDF). This is the unit that created the infamous Stuxnet worm, which was uncovered in 2010, having already paralysed the budding Iranian nuclear program.
The consensus among experts is that military training is not strictly necessary in order to perpetrate the sort of crimes the brothers are accused of. Despite this, there can be no doubt that Eli Gigi had more than the required level of skill needed for the job. At his hearing, Eli confessed to his involvement in the crimes he stands accused of, adding: ‘I was wrong, I came from a bad place. I’m a good boy, and I’m sorry. I’m willing to cooperate.’
The Plot Thickens
If those affected by the Bitfinex hack thought that the arrest of the Gigi brothers would bring the whole sorry saga to a close, they were disappointed. Little has been heard of them since their arrest, presumably as Israeli and other law enforcement agencies put together a case against them for trial. The wallets thought to contain more of the missing funds remained dormant and no further arrests were made.
In May of this year a small amount was detected as having been moved from one of the suspect wallets. Then in June it was reported that some of the bitcoins were moving again, with some allegedly ending up back at Bitfinex. In July came the news that some of the wallets had become active again, with over 3,500 of the stolen bitcoins ($39 million worth) being moved in a series of transactions. Some of the hackers were evidently still out there and trying to offload their haul.
It is thought that, as security has tightened across the crypto sphere, it has become increasingly difficult and less profitable for the hackers to offload their stolen funds. This is despite the fact that the price of the bitcoins stolen back in 2016 has rocketed since then.
Then, earlier this month, Bitfinex themselves raised the stakes still further. An announcement was posted on Tuesday 4th August stating that the exchange was offering a reward for any information regarding the hackers. It didn’t stop there, however. The post went on to say that the hackers themselves would be rewarded if they returned the stolen funds. The statement went on to confirm the details of the reward, saying:
‘The aggregate rewards available under this program could be worth up to approximately US$400 million at the current BTC price if all bitcoins are fully recovered. The bitcoins stolen minus recoveries in 2019 are worth $1.344 billion today, with 30 per cent of that amount equal to $403,288,427.’
The hackers were instructed to transfer one satoshi from the wallet address connected with the hack to a wallet address controlled and specified by Bitfinex. It does not appear that the hackers have yet done so.
Conclusion: Unfinished Business
There are different ways of looking at Bitfinex’s decision to offer such a huge reward to those who hacked them four years ago. Some may see this as a positive step, which shows that the exchange is serious about recovering the funds and bringing the whole episode to a close once and for all. This is the spin Bitfinex themselves are trying to put on the announcement, citing it as ‘further evidence of our determination to obtain the lost property.’
You can forgive Bitfinex for being desperate to move on from the events of 2016. The exchange’s reputation was badly damaged by the scandal, despite the successful efforts taken to compensate their users. At the time it was one of the largest crypto exchanges in the world, but since then it has - perhaps inevitably - slipped down the rankings.
Other more recent scandals haven’t helped matters on this front, but the stain of having been hacked for such a massive sum is arguably the toughest of all to wash out. Hard lessons have been learnt, security has improved, let’s move forward.
Another view of the announcement is to see it as a surrender, and one that risks setting a dangerous precedent. Bitfinex’s critics will paint this as a desperate last throw of the dice and a tacit encouragement to hackers everywhere.
A 25% share of the stolen bitcoin is a hefty sum and, given the ever-tightening security around exchanges, should be a tempting inducement for the hackers to cash out. After all, $403 million is arguably enough for anyone to be getting on with. Whether or not this payoff will put law enforcement agencies off their tail is another matter.
Many will also argue that offering thieves a slice of their swag if they return the rest is a worryingly unconventional way of doing business. Would we be likely to see a bank or other mainstream financial institution take such a step in similar circumstances? Why should people put their faith in cryptocurrencies if such crimes are ultimately rewarded? What’s to stop the hackers using the money to fund further crimes? Bitfinex’s statement throws up more questions than it answers.
If the Gigi brothers are brought to trial then more information regarding the hack and the stolen funds should come to light. It seems clear that they were not alone in orchestrating the heist, though they may be unwilling or unable to identify their co-conspirators. It will be intriguing to see whether they are convicted or not and, if they are, what sort of sentences will be handed down to them.
Until then, we will have to wait and see what happens next. If the whole saga tells us anything, it’s that crypto platforms and their users will always need to have security at the forefront of their minds. We have come a long way since 2016 and security protocols have improved immeasurably.
Yet the past has a funny way of sneaking up on you when you least expect it. Whatever your views on the reward being offered and its potential consequences, there can be no disagreeing with one aspect of Bitfinex’s statement: ‘No-one in our community can afford to be complacent about the ingenuity of criminal gangs to perpetuate new types of fraud.’
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.