{"id":21860,"date":"2022-02-12T18:38:28","date_gmt":"2022-02-12T18:38:28","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=21860"},"modified":"2022-06-18T12:58:47","modified_gmt":"2022-06-18T12:58:47","slug":"could-morgan-and-lichtenstein-have-done-the-2016-bitfinex-hack-im-not-ruling-it-out","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2022\/02\/12\/could-morgan-and-lichtenstein-have-done-the-2016-bitfinex-hack-im-not-ruling-it-out\/","title":{"rendered":"Could Morgan and Lichtenstein have done the 2016 Bitfinex hack? I\u2019m not ruling it out"},"content":{"rendered":"

New York crypto scenesters Ilya “Dutch” Lichtenstein and his wife Heather Morgan have been arrested for money laundering. They’re alleged to have tried to cash out the proceeds of the 2016 hack of the Bitfinex crypto exchange. [Department of Justice<\/i><\/a>]<\/p>\n

This hack hit crypto like a bombshell. 120,000 BTC was stolen from customer addresses. Bitfinex gave all<\/i> its customers \u2014 hacked or not \u2014 a 36% \u201chaircut.\u201d The exchange eventually made up the \u201chaircut\u201d with Bitfinex’s stablecoin Tether in mid-2017.<\/p>\n

This is also when the issuance of Tether started going through the roof \u2014 even as they had no banking. This launched the 2017 crypto bubble. I detail the process in Attack of the 50 Foot Blockchain<\/i>,<\/a> chapter 8.<\/p>\n

Lichtenstein and Morgan were charged with money laundering \u2014 but not with doing the hack itself.<\/p>\n

(I\u2019m not sure the US would even have jurisdiction for the hack itself. But the US most certainly has jurisdiction for the money laundering.)<\/p>\n

Lichtenstein and Morgan are absolutely standard crypto bros who think they\u2019re startup geniuses. They\u2019re loud, brash and nowhere near as smart as they think they are.<\/p>\n

But the Bitfinex hack reeks of social engineering for insider information, not sophisticated computer science brilliance. This is cryptocurrency \u2014 standards are low.<\/p>\n

Could Morgan have been that social engineer? I’m not ruling it out.<\/p>\n

How the hack was done<\/h3>\n

In 2016, Bitfinex kept customers’ bitcoins segregated \u2014 each customer’s holding was in its own separate multi-signature blockchain address.<\/p>\n

You needed two of the three keys to the address to move bitcoins out of it. One key was held by Bitfinex, one by BitGo, and one by the customer.<\/p>\n

BitGo had built an API for Bitfinex to use. This was not a public interface \u2014 only the two companies knew about it.<\/p>\n

Bitfinex would pass transactions to BitGo via the private API. BitGo checked the transaction against their policy for that address, and signed if it was OK.<\/p>\n

The API allowed policy changes \u2014 but a bug in the API meant you could set global<\/i> limits, that applied to\u00a0all<\/em> customer addresses, without it being flagged for human review.<\/p>\n

The hacker somehow got into Bitfinex\u2019s systems, got access to an account that could change global limits, set the limit very high … and drained 2000 customer addresses into a single address.<\/p>\n

This was how the hack was described to me by Phil Potter of Bitfinex\/Tether, when I spoke to him for Attack.<\/i> Tether principals have been caught in many, many lies \u2014 see the New York<\/a> and CFTC<\/a> settlements \u2014 so you may or may not want to take this with a grain of salt. However, Potter’s description largely matches the version I’d heard from others before this. [Reddit<\/em><\/a>]<\/p>\n

The hacker had information you’d need to be a Bitfinex or BitGo insider to know:<\/p>\n