Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 003 · Centralized Exchange Failure

Bitfinex 2016 Heist

Hackers stole 119,754 BTC ($71M then, $9B+ at recovery) from Bitfinex multi-sig hot wallets, recovered six years later via DOJ wallet-file decryption.

Date: August 2, 2016
Victim: Bitfinex
Chain(s): Bitcoin
Status: Recovered
Attribution: Ilya Lichtenstein

On August 2, 2016, 119,754 BTC (about $71 million at the time) was drained from Bitfinex in 2,072 unauthorised transactions. Six years later the U.S. Department of Justice recovered the vast majority of the stolen coins and indicted the launderers, including Heather "Razzlekhan" Morgan, an ill-advised rapper, and her husband Ilya Lichtenstein.

What happened

Bitfinex held the bulk of customer Bitcoin reserves in a BitGo-operated multi-signature scheme. The exchange's specific configuration — including how withdrawal limits and approval flows were implemented — was confidential, but the breach showed that the operational controls around BitGo's co-signing service were not as tight as the multi-sig math suggested.

The attacker compromised Bitfinex's internal systems and obtained the credentials needed to submit valid withdrawal requests at scale. BitGo's co-signing API authorised them without raising the alerts that should have flagged the volume. By the time the dust settled the attacker had moved 119,754 BTC into a self-controlled wallet.
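The gap described above, a co-signer approving a burst of validly authenticated requests, is what a velocity policy on the co-signing side is meant to close. The sketch below is an added example, not BitGo's or Bitfinex's code; the class, the 500 BTC / 20-request / one-hour limits and the uniform request size are assumptions, since the real configuration was confidential.

```python
from collections import deque
from dataclasses import dataclass, field

SATS = 100_000_000  # satoshis per BTC

@dataclass
class CoSignerPolicy:
    """Hypothetical velocity policy checked before the co-signer adds its signature."""
    max_sats_per_window: int      # assumed cap on value co-signed per window
    max_tx_per_window: int        # assumed cap on request count per window
    window_seconds: int
    approved: deque = field(default_factory=deque)  # (timestamp, sats) already co-signed
    total: int = 0
    frozen: bool = False          # set on first breach; cleared only by out-of-band review

    def review(self, ts: int, sats: int) -> str:
        if self.frozen:
            return "REJECT_FROZEN"
        # Expire approvals that have left the rolling window.
        while self.approved and self.approved[0][0] <= ts - self.window_seconds:
            self.total -= self.approved.popleft()[1]
        over_count = len(self.approved) + 1 > self.max_tx_per_window
        over_value = self.total + sats > self.max_sats_per_window
        if over_count or over_value:
            self.frozen = True    # valid credentials alone do not lift the freeze
            return "HOLD_AND_ALERT"
        self.approved.append((ts, sats))
        self.total += sats
        return "COSIGN"

def replay(policy, requests):
    """Feed (timestamp, sats) requests through the policy; return decision counts and sats co-signed."""
    counts = {"COSIGN": 0, "HOLD_AND_ALERT": 0, "REJECT_FROZEN": 0}
    cosigned = 0
    for ts, sats in requests:
        decision = policy.review(ts, sats)
        counts[decision] += 1
        if decision == "COSIGN":
            cosigned += sats
    return counts, cosigned

# Constructed input: 2,072 requests (the count from the incident) of a uniform 58 BTC, one per second.
BURST = [(t, 58 * SATS) for t in range(2072)]

if __name__ == "__main__":
    policy = CoSignerPolicy(500 * SATS, 20, 3600)
    print(replay(policy, BURST))
```

Under these assumed limits the exposure is bounded by the per-window cap rather than by the wallet balance, and the first breach freezes co-signing until someone reviews it out of band.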

The thief — Lichtenstein — then sat on the funds for years, slowly attempting to launder them through chain-hopping, mixers and dark markets. He kept the wallet's seed in an encrypted file.

Aftermath

  • Bitfinex initially socialised the loss across customer accounts (a controversial "haircut" of all balances by ~36%) and issued BFX debt tokens, later LEO tokens, to represent the unpaid balance.
  • In February 2022, the DOJ unsealed the indictment: agents had decrypted Lichtenstein's wallet file (allegedly via a cloud-storage seizure) and recovered 94,000+ of the stolen BTC — worth roughly $3.6 billion at seizure time and over $9 billion by 2024 sentencing.
  • Lichtenstein pled guilty and was sentenced to 5 years in federal prison; Morgan received 18 months.
  • The DOJ has ruled the recovered funds should be returned "in-kind" (as BTC) to Bitfinex. Bitfinex has committed to using 80% of recovered funds to repurchase and burn its outstanding LEO tokens, distributing value to the customers who absorbed the original loss.

Why it matters

Bitfinex is the only major crypto hack whose recovery exceeded the original loss by two orders of magnitude, a consequence of an attacker who couldn't launder the proceeds before Bitcoin's price ran up. It is also the single most successful forensic cryptocurrency recovery operation in the DOJ's history, and the template for how on-chain forensics combined with targeted seizures of off-chain key material can crack even multi-year laundering operations.
