Bitfinex Hack — August 2016
Attackers extracted 119,756 BTC from Bitfinex's segregated hot wallets, worth $72M at the time. In February 2022 the US government seized $4.7B of the proceeds and arrested the two people behind the laundering operation.
Bitfinex was the largest USD-denominated Bitcoin exchange in 2016. It used a segregated multi-signature custody architecture provided by BitGo, in which each customer balance had its own multi-sig wallet rather than a pooled hot wallet — an architecture marketed as safer than the alternative.
On 2 August 2016 an attacker exploited the integration between Bitfinex's order-entry system and the BitGo signing infrastructure to authorise approximately 2,000 separate withdrawals totalling 119,756 BTC. The architectural choice that was supposed to compartmentalise loss produced the opposite outcome: BitGo's signing was authorised by Bitfinex API calls, so a compromise of Bitfinex's authentication tokens compromised all wallets simultaneously.
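The failure mode described above, as a small added model (not code from Bitfinex, BitGo or the original page): a co-signer that adds its signature whenever the exchange API token is valid, compared with two assumed alternatives, per-wallet token scope and a co-signer-side aggregate cap. All names, balances and limits are constructed for illustration.

```python
# Added illustration; every name, balance and limit here is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class CoSigner:
    """Second signer on every 2-of-3 wallet; decides whether to add its signature."""
    token_scope: dict                    # API token -> set of wallet ids it may spend from
    daily_cap_btc: Optional[int] = None  # co-signer's own aggregate limit; None = no own policy
    signed_btc: int = 0

    def cosign(self, token: str, wallet: str, amount: int) -> bool:
        if wallet not in self.token_scope.get(token, set()):
            return False                 # token is not a trust root for this wallet
        if self.daily_cap_btc is not None and self.signed_btc + amount > self.daily_cap_btc:
            return False                 # over cap: hold for out-of-band approval
        self.signed_btc += amount
        return True

def loss_if_token_stolen(balances: dict, signer: CoSigner, token: str) -> int:
    """BTC that a holder of `token` (plus the exchange-side key) can move out."""
    return sum(amt for w, amt in balances.items() if signer.cosign(token, w, amt))

BALANCES = {f"wallet-{i}": 100 for i in range(1, 6)}  # 5 customers, 100 BTC each
ALL_WALLETS = set(BALANCES)

def scenario_shared_root() -> int:
    # One exchange API token authorises co-signing on every segregated wallet.
    signer = CoSigner({"exchange-api": ALL_WALLETS})
    return loss_if_token_stolen(BALANCES, signer, "exchange-api")

def scenario_scoped_tokens() -> int:
    # Assumed alternative: one credential per wallet, so one stolen token reaches one wallet.
    signer = CoSigner({f"tok-{w}": {w} for w in BALANCES})
    return loss_if_token_stolen(BALANCES, signer, "tok-wallet-1")

def scenario_capped_cosigner() -> int:
    # Assumed alternative: shared token, but the co-signer enforces its own 150 BTC cap.
    signer = CoSigner({"exchange-api": ALL_WALLETS}, daily_cap_btc=150)
    return loss_if_token_stolen(BALANCES, signer, "exchange-api")

if __name__ == "__main__":
    print("shared trust root :", scenario_shared_root())
    print("per-wallet tokens :", scenario_scoped_tokens())
    print("capped co-signer  :", scenario_capped_cosigner())
```

With a shared token and no co-signer policy, the number of segregated wallets has no effect on the loss; only the scope of the credential or an independent check on the co-signer side bounds it.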
Bitfinex socialised losses across all customers — including those who had not been withdrawing — at a uniform 36% haircut, issuing BFX tokens as IOU claims. The BFX tokens were redeemed in full through subsequent operations and a 2017 share issuance.
The stolen BTC remained mostly dormant on-chain for over five years. In February 2022 the US Department of Justice seized 94,643 BTC and arrested Ilya Lichtenstein and Heather Morgan, Lichtenstein being the proven operator of the laundering operation. Lichtenstein pleaded guilty and was sentenced to five years in federal prison in November 2024.
Timeline
- ~2,000 withdrawals totalling 119,756 BTC authorised
Attacker exploits Bitfinex order-entry / BitGo signing integration. Multi-sig segregated architecture fails because Bitfinex API auth was the single trust root.
- Bitfinex socialises losses 36% across all customers
All accounts haircut by 36%; BFX tokens issued as claims against future recovery.
- BFX tokens fully redeemed
Through a combination of operating profits and a 2017 share issuance.
- DOJ seizes 94,643 BTC worth $4.7B
Lichtenstein and Morgan arrested in New York. Largest financial seizure in DOJ history at the time.
- Lichtenstein pleads guilty to money laundering conspiracy
Admits to operating the laundering chain that obscured the proceeds for nearly six years.
- Lichtenstein sentenced to 5 years federal prison
Morgan separately sentenced to 18 months.
Who was involved
- Bitfinex: exchange, victim, $72.0M
Legal record
- DOJ seizure (BTC): 94,643
- DOJ seizure date: 2022-02-08
- Lichtenstein sentence: 5 years federal prison
- Lichtenstein sentenced: 2024-11-14