2016 Crypto Hack: Bitfinex Hid a Report that Flagged Security Flaws: OCCRP

Cryptocurrency exchange Bitfinex never made public a confidential report that found its security lapses responsible for the theft of over 119,000 bitcoins from the platform in August 2016, the Organized Crime and Corruption Reporting Project (OCCRP) reported on Thursday. The stolen BTCs, worth about $3.2 billion in today’s market, were priced at $71 million at the time.

OCCRP, a global network of investigative journalists, said it obtained a version of the secret report, which says Bitfinex failed to implement operational, financial and technological controls recommended by its digital security partner BitGo. The network said the report was commissioned by iFinex, the owner and operator of Bitfinex, and was produced by Canada-based blockchain services firm Ledger Labs.

Giving further details, OCCRP said the report claims that Bitfinex deployed a security system that placed two of its three security keys with an administrator. The keys were required to conduct significant operations on the exchange, including transferring bitcoins.

Furthermore, OCCRP, citing the document, noted that Bitfinex made the mistake of storing two of the three keys on a single device. It added, however, that while it is not known whether the device was compromised during the hack, access to it would give a hacker complete access to the crypto exchange’s internal system and ‘security tokens’.

“[The confidential report also said] other basic security measures were also absent, including the logging of server activity outside of the server itself,” OCCRP wrote in its report, adding that the ‘withdrawal whitelist,’ a security component that allows cryptocurrency transfers only to verified addresses, was also not available.

Additionally, the journalism network said the
confidential report suggested that the hack was probably organized from Poland,
going by a detailed examination of the source Internet Protocol address.

Bitfinex Slams OCCRP Report

As reported, Bitfinex told OCCRP that Ledger
Labs’ analysis in the report was “incomplete” and “incorrect.” The network
also quoted Bitfinex as saying that there was “evidence of negligence…on the
part of other counterparties that led to the hack.”

In an undated statement published on its website,
Bitfinex also reiterated these points, noting that “assertions made by the OCCRP are factually
incorrect.” The crypto exchange also bashed a report on the issue published by
Wired whose journalist worked on the report with the OCCRP.

“Bitfinex refutes the findings of the OCCRP,” said the
digital exchange operator. “As is well known, there is an investigation
being conducted by authorities into the 2016 hack, with which Bitfinex has
collaborated and shared information over many years.”

In addition, Bitfinex said it will provide full
details on the case when investigations are completed, noting that “to make any
comments before the investigation into the breach is concluded would be
inappropriate.”

United States Charges Two Suspects

While the Bitfinex hacker remains at large, US prosecutors in February last year charged an American couple with trying to launder about $4.5 billion in cryptocurrency linked to the 2016 hack. The US Department of Justice (DOJ) said in a statement that the government seized more than 94,000 bitcoins connected to the attack from the couple, Ilya Lichtenstein and Heather Morgan. The bitcoins were worth over $3.6 billion at the time.

Furthermore, the prosecutor noted that the BTCs stolen from
Bitfinex through over 2,000 unauthorized transactions were sent to a crypto
wallet under Lichtenstein’s control. OCCRP reported that the couple pleaded not guilty and are awaiting trial.

“Over the last five years, approximately 25,000 of
those stolen bitcoins were transferred out of Lichtenstein’s wallet via a
complicated money laundering process that ended with some of the stolen funds
being deposited into financial accounts controlled by Lichtenstein and Morgan,” DOJ explained. “The remainder of the stolen funds, comprising more
than 94,000 bitcoins, remained in the wallet used to receive and store the
illegal proceeds from the hack,” it added.

This article was written by Solomon Oladipupo at www.financemagnates.com.
