Bitfinex Hid a Report that Flagged Security Flaws: OCCRP

Cryptocurrency exchange Bitfinex never published a confidential report that found its vulnerabilities responsible for the theft of more than 119,000 bitcoins from the platform in August 2016, Organized Crime and Corruption Reporting Project (OCCRP) mentioned Thursday. The stolen BTCs, worth about $3.2 billion in today’s market, were priced at $71 million at the time.

OCCRP, a global network of investigative journalists, said it had obtained a copy of the confidential report stating that Bitfinex failed to implement operational, financial and technological controls recommended by its digital security partner Bitgo. The network said the report was commissioned by iFinex, owner and operator of Bitfinex, and produced by Ledger Labs, a Canadian-based blockchain services company.

OCCRP provided more details, saying that the report claims that Bitfinex deployed a security system that placed two of its three security keys with an administrator. The keys were needed to carry out a major operation on the exchange, including the transfer of bitcoins.

Further, the OCCRP document notes, Bitfinex made the mistake of storing two of the three keys on a single machine. However, he added that while it is not known whether the device was compromised during the hack, accessing it would give the hacker full access to the cryptocurrency exchange’s internal system and “security tokens.”

“(The confidential report also stated) that other basic security measures were also absent, including logging of server activity outside the server itself,” OCCRP wrote in its report, adding that a “withdrawal whitelist,” a security component that enables cryptocurrency transfers to addresses, has been implemented. Check them out, it wasn’t available either.

In addition, the Press Network said the confidential report indicated that the hack may have been orchestrated from Poland, through a detailed examination of the source IP address.

As reported, Bitfinex told OCCRP that Ledger Labs’ analysis in the report was “incomplete” and “incorrect.” The network also quoted Bitfinex as saying there was “evidence of negligence … on the part of the third parties that led to the hack.”

In an undated statement published On its website, Bitfinex also reiterated these points, stating that “the assertions made by OCCRP are not factually correct.”
Wired Which journalist worked on the report with OCCRP.

“Bitfinex refutes the OCCRP findings,” said the digital exchange operator. “As is well known, there is an investigation by the authorities into the 2016 hack, with which Bitfinex has been cooperating and sharing information over many years.”

In addition, Bitfinex said that it will provide full details of the case when investigations are completed, noting that “providing any comments prior to completion of the breach investigation would be inappropriate.”

The United States charges two suspects

Meanwhile, while the Bitfinex hacker is still at large, in February of last year US prosecutors charged an American pair with attempting to launder about $4.5 billion in cryptocurrency linked to the 2016 hack. The US Department of Justice (DOJ) in a permit He said the government seized more than 94,000 bitcoins linked to the attack from the couple, Elijah Lichtenstein and Heather Morgan. Bitcoins were worth over $3.6 billion at the time.

Moreover, the attorney general indicated that the BTC stolen from Bitfinex through more than 2,000 unauthorized transactions were sent to a crypto wallet under Lichtenstein’s control. The OCCRP stated that the couple have denied guilt and are awaiting trial.

“Over the past five years, approximately 25,000 stolen bitcoins were diverted from Liechtenstein’s wallet through a complex money laundering operation that ended with some of the stolen funds being deposited into financial accounts controlled by Liechtenstein and Morgan,” the DOJ explained. “The remainder of the stolen funds, which includes more than 94,000 bitcoins, remained in the wallet used to receive and store the illegal proceeds from the hack,” it added.

Cryptocurrency exchange Bitfinex never published a confidential report that found its vulnerabilities responsible for the theft of more than 119,000 bitcoins from the platform in August 2016, Organized Crime and Corruption Reporting Project (OCCRP) mentioned Thursday. The stolen BTCs, worth about $3.2 billion in today’s market, were priced at $71 million at the time.

OCCRP, a global network of investigative journalists, said it had obtained a copy of the confidential report stating that Bitfinex failed to implement operational, financial and technological controls recommended by its digital security partner Bitgo. The network said the report was commissioned by iFinex, owner and operator of Bitfinex, and produced by Ledger Labs, a Canadian-based blockchain services company.

OCCRP provided more details, saying that the report claims that Bitfinex deployed a security system that placed two of its three security keys with an administrator. The keys were needed to carry out a major operation on the exchange, including the transfer of bitcoins.

Furthermore, OCCRP points out in the document, Bitfinex made the mistake of storing two of the three keys on a single machine. However, he added that while it is not known if the device was compromised during the hack, accessing it would give the hacker full access to the cryptocurrency exchange’s internal system and “security tokens.”

“(The confidential report also stated) that other basic security measures were also absent, including logging of server activity outside the server itself,” OCCRP wrote in its report, adding that a “withdrawal whitelist,” a security component that enables cryptocurrency transfers to addresses, has been implemented. Check them out, it wasn’t available either.

In addition, the Press Network said the confidential report indicated that the hack may have been orchestrated from Poland, through a detailed examination of the source IP address.

As reported, Bitfinex told OCCRP that Ledger Labs’ analysis in the report was “incomplete” and “incorrect.” The network also quoted Bitfinex as saying there was “evidence of negligence … on the part of the third parties that led to the hack.”

In an undated statement published On its website, Bitfinex also reiterated these points, stating that “the assertions made by OCCRP are not factually correct.”
Wired Which journalist worked on the report with OCCRP.

“Bitfinex refutes the OCCRP findings,” said the digital exchange operator. “As is well known, there is an investigation by the authorities into the 2016 hack, with which Bitfinex has been cooperating and sharing information over many years.”

In addition, Bitfinex said that it will provide full details of the case when investigations are completed, noting that “providing any comments prior to completion of the breach investigation would be inappropriate.”

The United States charges two suspects

Meanwhile, while the Bitfinex hacker is still at large, in February of last year US prosecutors charged an American pair with attempting to launder about $4.5 billion in cryptocurrency linked to the 2016 hack. The US Department of Justice (DOJ) in a permit He said the government seized more than 94,000 bitcoins linked to the attack from married couple Elijah Lichtenstein and Heather Morgan. Bitcoins were worth more than $3.6 billion at the time.

Moreover, the attorney general indicated that the BTC stolen from Bitfinex through more than 2,000 unauthorized transactions were sent to a crypto wallet under Lichtenstein’s control. The OCCRP reports that the couple have denied guilt and are awaiting trial.

“Over the past five years, approximately 25,000 stolen bitcoins were diverted from Lichtenstein’s wallet through a complex money laundering operation that ended with some of the stolen funds being deposited into financial accounts controlled by Liechtenstein and Morgan,” the DOJ explained. “The remainder of the stolen funds, which includes more than 94,000 bitcoins, remained in the wallet used to receive and store the illegal proceeds from the hack,” it added.

BitfinexFlaggedFlawsHidOCCRPReportsecurity
Comments (0)
Add Comment