Random Image Display on Page Reload

Internal Report Suggests Security Lapses at Hacked Crypto Exchange Bitfinex

dollar disintegrating into code

Photograph: Getty Images

Internal Report Suggests Security Lapses at Hacked Crypto Exchange Bitfinex

A security review describes how attackers exploited mistakes to steal millions of dollars worth of bitcoin.

When a hacker, or hackers, broke into the Bitfinex crypto exchange and stole 119,754 bitcoins in 2016, their haul was worth $72 million. By the time US authorities arrested rapper Heather Morgan and her husband, startup founder Ilya Lichtenstein, last year on suspicion of laundering the stolen coins, their value had soared to nearly $4 billion. It’s the largest single recovery in the history of the US Department of Justice. But the perpetrator of the hack is still at large.

The confidential report from the investigation, commissioned by one of Bitfinex’s owners, iFinex, and produced by Canadian cryptocurrency consultancy and development firm Ledger Labs, was never made public. But the Organized Crime and Corruption Reporting Project has obtained a version of the report, which contains detailed findings, conclusions and recommendations. The document, seen by WIRED, says that Bitfinex had systematically failed to implement the operational, financial, and technological controls proposed by its digital security partner Bitgo.

OCCRP was unable to independently corroborate the findings but, in communications with reporters, Bitfinex did not dispute the report was authentic. Bitgo declined to comment but did not specifically dispute the report’s existence or its findings. Ledger Labs did not respond to a request for comment.

The Ledger Lab investigation found that two security keys required for access to the exchange’s systems were stored on a single device. The keys gave access to “security tokens,” which allowed the attacker to manipulate Bitfinex’s operating system. “If a single entity controlled two of the three keys in the scheme, it would give the entity control over all of the bitcoins,” the document said.

The Ledger Labs report obtained by OCCRP said Bitfinex employed a security system that required an administrator to have two out of three security keys in order to carry out any significant operations on the exchange, including moving bitcoin.

But it found that Bitfinex made a critical error by placing two of these three keys on the same device. Hacking that single device would give an attacker full access to Bitfinex’s internal systems, and to “security tokens” that allowed the attacker to manipulate Bitfinex’s operating system. “The hacker was able to take two…security tokens,” the document said, and in less than a minute was able to raise the daily limit on the number of transactions permitted in order to quickly drain as much bitcoin as possible.

Most Popular

The Ledger Labs document said the tokens accessed by the hacker were associated with a generic “admin” email address and another linked to “giancarlo,” belonging to Bitfinex CFO and shareholder Giancarlo Devasini, a former Italian plastic surgeon with a checkered business history. The document did not lay blame for the hack with Devasini.

Devasini did not respond to multiple requests for comment.

The document said that storing multiple keys and tokens on a single device was “a violation of the CryptoCurrency Security Standard,” referring to an industry-led best-practice initiative, though it is unclear whether this specific device was the one compromised in the hack. It said other basic security measures were also absent, including the logging of server activity outside of the server itself and a “withdrawal whitelist”—a security feature that permits cryptocurrency transfers only to verified or approved addresses.

Bitfinex told OCCRP the analysis was “incomplete” and “incorrect” and that there was “evidence of negligence…on the part of other counterparties that led to the hack.” Bitgo declined to comment. Ledger Lab did not respond to a request for comment.

The hacker covered their tracks with a data destruction tool, used to permanently delete logs and other digital artifacts that might have identified the initial entry point into Bitfinex systems, meaning it’s not clear how they got into the exchange’s systems, only the security weaknesses that they took advantage of once inside. The transfer of the more than 119,000 bitcoins from over 2,000 users’ accounts to wallets under the thief’s control took just over three hours. The cryptocurrency sat there for months until, starting in January 2017, someone started sending small amounts zig-zagging through other accounts. The money was eventually cashed out or used to make small online purchases.

Investigators managed to follow the money and, six years after the hack, arrested the couple on charges of laundering the stolen bitcoins. Burner phones, fake passports, and USB sticks containing the electronic security keys to the wallet holding $3.9 billion worth of bitcoin were found under the couple’s bed in their New York apartment. Both have pleaded not guilty, and are awaiting trial.

It is unclear whether the lessons from the Bitfinex hack have led to changes in the company’s procedures. The company told OCCRP that the report was “incorrect” and that there was “evidence of negligence…on the part of other counterparties that led to the hack.” Bitgo declined to comment.

Karen A. Greenaway, a former FBI agent and cryptocurrency specialist, says she thought Bitfinex’s security lapses were due to its desire to “put through more transactions more quickly” and thereby raise profits. “The fact that [Bitfinex] have not provided a [public] report accepting responsibility and remedying the security failures that led to the hack says more than any admission or denial on their part ever would,” the agent said.

Security experts say that the crypto industry is in general less vulnerable to the kind of relatively straightforward hacks that were happening around the time of the Bitfinex breach, but that the size and complexity of the industry has grown dramatically since then.

Most Popular

“The surface that needs to be protected for Web3 is much larger than you might expect,” says Max Galka, founder and CEO of blockchain analytics company Elementus. “In some cases, what might appear as a smart contract hack might actually have occurred several degrees of separation away.”

Just as the stolen bitcoin from Bitfinex ballooned in value, the crypto industry is itself now massive, but the companies that provide its infrastructure are often more focused on moving quickly and executing new ideas.

“A lot of crypto companies have great ideas but just don’t think about security,” says Hugh Brooks, director of security operations at blockchain security firm CertiK. “They push ahead with building a Web3 application until it gets hacked. Only a handful of apps pass even the most basic checks.”

While there has been progress, Brooks says, crypto companies need to be investing a lot more in security. “If you get breached or make a mistake, it’s not just some usernames and passwords, it’s somebody’s life savings or potentially a massive amount of funds,” he says. “When you’re dealing with the internet of money, the stakes are that much higher.”

This article was prepared in partnership with the Organized Crime and Corruption Reporting Project, an investigative reporting platform for a worldwide network of independent media centers and journalists.

Get More From WIRED

Written by WIRED Staff
More from WIRED

Meta’s $1.3B Fine Is a Strike Against Surveillance Capitalism

The record-breaking GDPR penalty for data transfers to the US could upend Meta's business and spur regulators to finalize a new data-sharing agreement.

Matt Burgess

Twitter Encrypted DMs Are Deeply Inferior to Signal and WhatsApp

The social network's new privacy feature is technically flawed, opt-in, and limited in its functionality. All this for just $8 a month.

Andy Greenberg

Spooked by ChatGPT, US Lawmakers Want to Create an AI Regulator

At a congressional hearing, senators from both parties and OpenAI CEO Sam Altman said a new federal agency was needed to protect people from AI gone bad.

Khari Johnson

Joe Biden Wants Hackers’ Help to Keep AI Chatbots in Check

The White House will support an event at the Defcon security conference this summer that challenges experts to uncover flaws in generative AI systems.

Khari Johnson

Europe’s Moral Crusader Lays Down the Law on Encryption

Ylva Johansson is on a personal mission to make the internet safer for children. Her opponents say her plans would wreck online privacy.

Morgan Meaker

You Trained the Chatbot to Do Your Job. Why Didn’t You Get Paid?

Data from top-performing employees can create AI helpers that boost everyone’s productivity—but also create new concerns over fair pay.

Caitlin Harrington

More Penguins Than Europeans Can Use Google Bard

Nobody in the EU can access Google’s Bard chatbot. But the 50,000 penguins who live on a dormant volcano in the South Atlantic can sign up right now.

Morgan Meaker

Shocking Leaked Tesla Documents Hint at Cybertruck Problems

The EV giant is under pressure to launch new products, but a huge dump of confidential files in Germany details a litany of technical failings.

Chris Stokel-Walker

Credit belongs to : www.wired.com

Check Also

Metal Prices Are Soaring. So Is Metal Theft

It’s a multi-billion-dollar global problem, and in a rapidly electrifying world, the profits—and ease—of stealing …