Slow Mist: Analysis of the Details of the 2016 Bitfinex Hacking Case Uncovered by U.S. Law Enforcement
Author: Slow Mist Technology
On Tuesday (February 8) local time, the U.S. Department of Justice (DOJ) announced that it has seized $3.6 billion worth of Bitcoin related to the 2016 hacking incident of the cryptocurrency exchange Bitfinex. 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan were arrested in New York, and both are charged with conspiracy to commit money laundering and fraud.
The DOJ announcement stated that this is the largest financial seizure in the department's history. The investigation was led by the Cyber Crime Unit of the IRS-CI Washington D.C. office, the FBI's Chicago office, and the HSI New York office, with assistance from the Ansbach Police Department in Germany during the investigation.
Background of the Incident
According to intelligence data analysis from Slow Mist AML, Bitfinex suffered a cyber attack in August 2016 in which 2,072 unauthorized transactions moved Bitcoin out of Bitfinex; the funds were then dispersed across 2,072 wallet addresses. Statistics show that Bitfinex lost a total of 119,754.8121 BTC. At the time this was worth approximately $60 million; today the total stolen amount is estimated at around $4.5 billion.
Slow Mist AML detected large movements of the stolen Bitfinex funds on February 1, which were later confirmed to be the 94,643.2984 BTC seized by the DOJ, about 79% of the total stolen amount. These funds are currently held in the U.S. government's wallet address bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt.
Incident Overview
Slow Mist AML has organized the key points and details of the case from the statementoffacts.pdf released by the DOJ, and shares them as follows:
- U.S. law enforcement obtained a file containing over 2,000 wallet addresses and their corresponding private keys by accessing Lichtenstein's cloud storage account. The addresses in this file should correspond to the 2,072 hacker wallet addresses mentioned above, which is what enabled the DOJ to seize the Bitcoin and consolidate it into bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt.
- Transfers of the stolen funds began in January 2017, using a peel chain technique to repeatedly split and scatter them. The funds then entered seven independent accounts on AlphaBay (a dark web marketplace shut down by law enforcement in July 2017) for mixing, making the BTC difficult to trace. The analysis shows that approximately 25,000 BTC were mixed through AlphaBay.
After mixing, most of the funds were transferred to eight accounts registered on Exchange-1 (VCE 1), all of which used the same Indian email service provider. Additionally, these eight accounts shared the same login IP and were registered around August 2016.
More critically, there was an Excel spreadsheet in Lichtenstein's cloud storage that recorded various information about these eight accounts, with six of them marked as FROZEN. The DOJ found that the eight accounts on Exchange-1 (VCE 1) held assets worth approximately $186,000.
- After mixing, some funds were also transferred to Exchange-2 (VCE 2) and a U.S. exchange (VCE 4), where some accounts were also registered using the aforementioned Indian email service provider. This information was also found in the Excel spreadsheet in Lichtenstein's cloud storage.
Through VCE 2 and VCE 4, the Lichtenstein couple successfully converted the stolen BTC from Bitfinex into fiat currency. However, they had two accounts registered with Russian emails on VCE 4, which were banned by the platform due to frequent deposits of XMR (Monero) without being able to explain the source of funds. The DOJ found that approximately $155,000 worth of assets were frozen in those accounts.
- Before the accounts were frozen, most of the funds withdrawn from Exchange-1 (VCE 1) went to another U.S. exchange (VCE 5). On January 13, 2015, before the Bitfinex hack, Lichtenstein registered an account on VCE 5 using his real identity and personal email, completing KYC verification. On VCE 5, Lichtenstein purchased gold with BTC from merchants on the platform and had it shipped to his real home address.
- In addition to the aforementioned exchanges VCE 1, VCE 2, VCE 4, and VCE 5 used for money laundering, the Lichtenstein couple also registered VCE 7, VCE 8, VCE 9, VCE 10, and other exchanges (all codenamed) for laundering purposes. The funds primarily came from withdrawals from VCE 1, but the accounts registered on VCE 7 - 10 were all verified using the real identities of the Lichtenstein couple and their companies (Endpass, Inc and SalesFolk LLC) for KYC.
The DOJ found that from March 2017 to October 2021, the three accounts of the Lichtenstein couple on VCE 7 received a total of approximately $2.9 million worth of Bitcoin. On these exchanges, Lichtenstein further laundered money by trading altcoins, NFTs, etc., and cashed out through Bitcoin ATM machines.
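The peel chain pattern mentioned above (one input, two outputs, a small "peeled" amount sent onward and the large remainder carried to the next hop) is a well-known blockchain-analysis heuristic. The following Python is an added example, not Slow Mist's tooling or anything from the DOJ filing: it runs a simple peel-chain detector over a constructed, invented set of transactions. The 20% peel-ratio threshold, the minimum hop count and all transaction ids, addresses and amounts are assumptions made for the illustration.

```python
"""Peel-chain detection over a constructed transaction set (added example, not SlowMist's code)."""
from collections import namedtuple

# inputs: list of (txid, vout) outpoints being spent; outputs: list of (address, btc)
Tx = namedtuple("Tx", ["txid", "inputs", "outputs"])

# Constructed sample data (invented ids, addresses and amounts): a 4-hop peel chain
# starting from a hypothetical hacker address, ending in an ordinary large payment,
# plus one unrelated 50/50 split that must not be flagged.
SAMPLE_TXS = [
    Tx("tx0", [("prior_tx", 0)], [("hack_addr", 100.0)]),
    Tx("tx1", [("tx0", 0)], [("peel_a", 2.0), ("chg_1", 97.99)]),
    Tx("tx2", [("tx1", 1)], [("peel_b", 1.5), ("chg_2", 96.48)]),
    Tx("tx3", [("tx2", 1)], [("chg_3", 95.0), ("peel_c", 1.47)]),   # change first this time
    Tx("tx4", [("tx3", 0)], [("peel_d", 3.0), ("chg_4", 91.99)]),
    Tx("tx5", [("tx4", 1)], [("merchant", 40.0), ("chg_5", 51.98)]),  # ~44% out: not a peel hop
    Tx("tx9", [("other", 0)], [("x", 0.5), ("y", 0.5)]),            # even split: not a peel hop
]


def index_spenders(txs):
    """Map each outpoint (txid, vout) to the txid that spends it."""
    spenders = {}
    for tx in txs:
        for outpoint in tx.inputs:
            spenders[outpoint] = tx.txid
    return spenders


def peel_hop(tx, max_peel_ratio):
    """Return (peel_index, change_index) if tx has the peel shape, else None.

    Peel shape (assumed heuristic): exactly one input, exactly two outputs, and the
    smaller output is at most max_peel_ratio of the total output value.
    """
    if len(tx.inputs) != 1 or len(tx.outputs) != 2:
        return None
    total = sum(amount for _, amount in tx.outputs)
    small = min(range(2), key=lambda i: tx.outputs[i][1])
    if tx.outputs[small][1] > max_peel_ratio * total:
        return None
    return small, 1 - small


def find_peel_chains(txs, min_hops=3, max_peel_ratio=0.2):
    """Return chains as lists of (txid, peel_address, peel_amount), one per detected chain.

    A chain head is a peel-shaped tx whose input is not itself the change output of
    another peel-shaped tx; the walk follows the change output forward until the
    shape breaks.
    """
    by_id = {tx.txid: tx for tx in txs}
    spenders = index_spenders(txs)
    chains, consumed = [], set()
    for tx in txs:
        if tx.txid in consumed or peel_hop(tx, max_peel_ratio) is None:
            continue
        prev_id, prev_vout = tx.inputs[0]
        prev = by_id.get(prev_id)
        if prev is not None:
            hop = peel_hop(prev, max_peel_ratio)
            if hop is not None and hop[1] == prev_vout:
                continue  # not a head: it continues an earlier peel chain
        chain, cur = [], tx
        while cur is not None:
            hop = peel_hop(cur, max_peel_ratio)
            if hop is None:
                break
            peel_i, chg_i = hop
            chain.append((cur.txid, cur.outputs[peel_i][0], cur.outputs[peel_i][1]))
            consumed.add(cur.txid)
            cur = by_id.get(spenders.get((cur.txid, chg_i)))
        if len(chain) >= min_hops:
            chains.append(chain)
    return chains


def peeled_total(chain):
    """Sum of the amounts peeled off along one chain."""
    return sum(amount for _, _, amount in chain)


if __name__ == "__main__":
    for chain in find_peel_chains(SAMPLE_TXS):
        print(f"peel chain of {len(chain)} hops, {peeled_total(chain):.8f} BTC peeled:")
        for txid, addr, amount in chain:
            print(f"  {txid}: {amount:.8f} BTC -> {addr}")
```

On the constructed data the detector reports a single chain tx1 to tx4 with 7.97 BTC peeled to four addresses, and correctly ignores tx5 (the large merchant payment) and tx9 (the even split). A real AML pipeline would layer further signals on top of this shape test, such as timing between hops, address reuse and known-service clustering, and would tune the ratio threshold rather than fix it at the assumed 20%.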
Money Laundering Chain
Doubts About the Incident
Since the Bitfinex hack in August 2016, about six years have passed, and it is not publicly known how U.S. law enforcement conducted its in-depth investigation during this time. From the content of the released statementoffacts.pdf, we can see that Lichtenstein's cloud storage contained a large number of accounts and details related to the money laundering, essentially serving as a perfect "ledger" that gave law enforcement strong support in establishing the criminal facts.
However, looking at the overall picture, how did law enforcement identify Lichtenstein as a suspect?
Another detail is that the DOJ did not accuse the Lichtenstein couple of illegally attacking Bitfinex and stealing funds.
The final question is what happened during the five months between the Bitfinex hack in August 2016 and the start of the stolen-fund transfers in January 2017, and who the actual hackers that attacked Bitfinex were.