Bitfinex Heist 2016: What We Learned and Why it Matters to You

It’s summer, the sun is shining — and here’s what I’m thinking about today:

A cyber theft that happened 7 years ago.


Yes… 7 years ago 😂. There is a reason — keep reading 😃.

Here’s a quick rundown, with details from the Wired³ article linked below:

  • In 2016 Bitfinex was breached and $72M (the value in 2016) worth of bitcoin was stolen
  • Arrests were made in 2022 for possession of the stolen bitcoins (now worth $4B)

BUT

Here are a few things we do know:

  • A confidential report from the investigation was produced by Ledger Labs (a Canadian cryptocurrency consultancy and development firm)
  • This report was never made public.
  • Bitfinex generalized the losses from the theft: every customer account was reduced by 36% of its assets¹ — every customer, every asset — not just bitcoin and not just bitcoin customers. (see Note below)

And a few things we don’t know:

Since Bitfinex has never provided a public report, current and potential clients don’t know which parts of its security were breached, what was done to fix them, or whether this breach could have been avoided.

And a few things we may know, but can’t officially confirm:

“Internal Report Suggests Security Lapses at Hacked Crypto Exchange Bitfinex” — Wired²

According to Wired²:

the Organized Crime and Corruption Reporting Project has obtained a version of the [Ledger] report, which contains detailed findings, conclusions and recommendations.

BUT

OCCRP was unable to independently corroborate the findings but, in communications with reporters, Bitfinex did not dispute the report was authentic.

With the above facts in mind, here are some details that Wired included from the OCCRP-obtained report:

  • The Bitfinex security system used 3 security keys
  • 2 of these keys were required for an admin to move bitcoin
  • 2 of these keys were stored on the same device.
  • The criminal(s) covered their tracks when leaving, so — there is no way to know if the device with 2 keys was the one used, or if the keys accessed were from separate devices.

And a final quote from the article:

Bitfinex told OCCRP the analysis was “incomplete” and “incorrect” and that there was “evidence of negligence…on the part of other counterparties that led to the hack.”

Ok… back to speaking in my own voice 😃👍!

We will likely never know if the 2-key device was the weakness that gave the thieves admin access — or if 2 keys were stored on the same device.
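The key arrangement in the report details above (3 keys, 2 required, 2 on one device) is something a custody review can check for mechanically. The sketch below is an added example, not code from Bitfinex, Ledger Labs or the report; the key and device names are constructed placeholders, and it simply computes how many devices must be compromised before the signing threshold is met.

```python
from itertools import combinations

def min_devices_for_quorum(key_locations, threshold):
    """Return (count, devices): the fewest devices whose stored keys
    together reach the signing threshold, or (None, ()) if unreachable.
    key_locations maps key name -> name of the device that stores it."""
    devices = sorted(set(key_locations.values()))
    for size in range(1, len(devices) + 1):
        for combo in combinations(devices, size):
            held = [k for k, d in key_locations.items() if d in combo]
            if len(held) >= threshold:
                return size, combo
    return None, ()

def audit(key_locations, threshold):
    """Flag layouts where an M-of-N policy needs fewer than M devices."""
    count, devices = min_devices_for_quorum(key_locations, threshold)
    findings = []
    if count is None:
        findings.append("threshold cannot be met with the listed keys")
    elif count < threshold:
        findings.append(
            f"{threshold}-of-{len(key_locations)} policy collapses to "
            f"{count} device(s): {', '.join(devices)}"
        )
    return {"devices_needed": count, "findings": findings}

# Constructed inventories (device names are hypothetical, not from the report).
AS_REPORTED = {"key_a": "server_1", "key_b": "server_1", "key_c": "offsite_hsm"}
SEPARATED = {"key_a": "server_1", "key_b": "server_2", "key_c": "offsite_hsm"}

if __name__ == "__main__":
    for name, layout in (("as reported", AS_REPORTED), ("separated", SEPARATED)):
        print(name, audit(layout, threshold=2))
```

With two keys on one device, the 2-of-3 policy offers the protection of a single key; with each key on its own device, two separate compromises are required.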

AND — MOST IMPORTANT:

In terms of cybersecurity, how can we — on the outside — know what is real?

What actually happened? Where were the weaknesses? What security changes have been implemented? What were the legal findings? What were the legal penalties, required changes, and compliance timelines? If any of this information is publicly accessible — how easy is it to find?

Basically — how can a current or potential client assess the facts before using the system?

And it isn’t just Bitfinex, of course. This is just one example out of many.

Which is my point.

Using a cryptocurrency exchange — or not — is currently a CHOICE — but what if this was your bank? Your employer? Your health care provider?

Today’s question:

How can we make informed decisions within this level of required disclosure?

NOTE:

I wrote this article as a way to discuss accountability and required disclosure — across MANY business and investment sectors today — AND to encourage discussion on these topics. A similar post could be created for many businesses today. There is also much more to each story — such as additional breaches, compensation for losses, market reaction. Each of these is another big subject to tackle, perhaps in a future article.

(I do try to remember that this is an article… not a book! 😉)




¹ Bitfinex: Interim Update (2016)

² Wired: Internal Report Suggests Security Lapses at Hacked Crypto Exchange

Originally published at https://www.linkedin.com.