WHEN A HACKER, or hackers, broke into the Bitfinex crypto exchange and stole 119,754 bitcoins in 2016, their haul was worth $72 million. By the time US authorities arrested rapper Heather Morgan and her husband, startup founder Ilya Lichtenstein, last year on suspicion of laundering the stolen coins, their value had soared to nearly $4 billion. It’s the largest single recovery in the history of the US Department of Justice. But the perpetrator of the hack is still at large.
The confidential report from the investigation, commissioned by one of Bitfinex’s owners, iFinex, and produced by Canadian cryptocurrency consultancy and development firm Ledger Labs, was never made public. But the Organized Crime and Corruption Reporting Project has obtained a version of the report, which contains detailed findings, conclusions and recommendations. The document, seen by WIRED, says that Bitfinex had systematically failed to implement the operational, financial, and technological controls proposed by its digital security partner Bitgo.
OCCRP was unable to independently corroborate the findings but, in communications with reporters, Bitfinex did not dispute the report was authentic. Bitgo declined to comment but did not specifically dispute the report’s existence or its findings. Ledger Labs did not respond to a request for comment.
The Ledger Labs investigation found that two security keys required for access to the exchange’s systems were stored on a single device. The keys gave access to “security tokens,” which allowed the attacker to manipulate Bitfinex’s operating system. “If a single entity controlled two of the three keys in the scheme, it would give the entity control over all of the bitcoins,” the document said.
The Ledger Labs report obtained by OCCRP said Bitfinex employed a security system that required an administrator to have two out of three security keys in order to carry out any significant operations on the exchange, including moving bitcoin.
But it found that Bitfinex made a critical error by placing two of these three keys on the same device. Hacking that single device would give an attacker full access to Bitfinex’s internal systems, and to “security tokens” that allowed the attacker to manipulate Bitfinex’s operating system. “The hacker was able to take two…security tokens,” the document said, and in less than a minute was able to raise the daily limit on the number of transactions permitted in order to quickly drain as much bitcoin as possible.
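The design flaw described above, a two-of-three key scheme whose threshold is defeated when two keys share one device, can be checked mechanically. The following Python audit is an added example, not code from the report or from Bitfinex or Bitgo; it models keys as a mapping to the devices that hold them (device names are constructed for illustration) and computes the smallest set of devices an attacker would need to compromise to reach the threshold.

```python
from itertools import combinations

# Constructed model of the scheme the report describes: three keys,
# threshold of two, with two keys stored on the same device.
# Device names are assumptions for illustration, not the report's data.
KEY_LOCATIONS = {
    "key_a": "server-1",
    "key_b": "server-1",      # co-located with key_a
    "key_c": "hsm-offsite",
}
THRESHOLD = 2


def keys_on(devices, key_locations):
    """Keys an attacker holds after compromising the given set of devices."""
    return {k for k, d in key_locations.items() if d in devices}


def min_devices_to_threshold(key_locations, threshold):
    """Smallest number of devices whose compromise yields >= threshold keys."""
    devices = sorted(set(key_locations.values()))
    for size in range(1, len(devices) + 1):
        for subset in combinations(devices, size):
            if len(keys_on(set(subset), key_locations)) >= threshold:
                return size, list(subset)
    return None, []


def single_points_of_compromise(key_locations, threshold):
    """Devices that alone hold enough keys to satisfy the threshold."""
    devices = sorted(set(key_locations.values()))
    return [d for d in devices if len(keys_on({d}, key_locations)) >= threshold]


def audit(key_locations, threshold):
    """Report whether a k-of-n scheme still forces an attacker to breach k devices."""
    size, subset = min_devices_to_threshold(key_locations, threshold)
    return {
        "devices_needed": size,
        "weakest_set": subset,
        "threshold_holds": size is not None and size >= threshold,
        "single_points": single_points_of_compromise(key_locations, threshold),
    }


if __name__ == "__main__":
    print(audit(KEY_LOCATIONS, THRESHOLD))          # one device suffices
    separated = dict(KEY_LOCATIONS, key_b="laptop-separate")
    print(audit(separated, THRESHOLD))              # two devices required
```

Running the audit on the co-located layout flags the shared device as a single point of compromise; moving the second key to its own device restores the two-device requirement.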
The Ledger Labs document said the tokens accessed by the hacker were associated with a generic “admin” email address and another linked to “giancarlo,” belonging to Bitfinex CFO and shareholder Giancarlo Devasini, a former Italian plastic surgeon with a checkered business history. The document did not lay blame for the hack with Devasini.
Devasini did not respond to multiple requests for comment.
The document said that storing multiple keys and tokens on a single device was “a violation of the CryptoCurrency Security Standard,” referring to an industry-led best-practice initiative, though it is unclear whether this specific device was the one compromised in the hack. It said other basic security measures were also absent, including the logging of server activity outside of the server itself and a “withdrawal whitelist”—a security feature that permits cryptocurrency transfers only to verified or approved addresses.