Tracking Bitfinex’s 119,754 Stolen BTC and LEO’s Pre-Tweet Rise


Bitfinex was launched in 2012, just a few short years after the creation of Bitcoin itself.

Originally based out of the crypto hotspot Hong Kong, but now operating out of the British Virgin Islands, the exchange is part of the history and fabric of crypto and its markets. The exchange has faced a number of regulatory actions, DDoS cyberattacks and hacks as is not uncommon for an exchange that has been a staple of the crypto-asset industry since close to its infancy.

Bitfinex’s Notorious 2016 Exploit

One attack on Bitfinex was notable for its size, as it was the second-largest crypto exchange hack at the time, and thus made it into Bitcoin’s hall of infamy. This was the hack in 2016 of 119,754 BTC (worth USD 72 million at the time of the exploit). Notably, the exploit occurred despite Bitfinex securing funds through crypto custodian giant BitGo.

The Bitfinex hack rocked crypto markets at the time, with the spot price of BTC tumbling 20% a few hours after the news.

Launderers’ Arrests, a Family Affair

On Tuesday, the Department of Justice announced that it had apprehended married couple Ilya Lichtenstein and Heather Morgan on charges of money laundering and conspiracy to defraud the United States, carrying maximum sentences of 20 and 5 years, respectively.

The arrest of Ilya Lichtenstein and Heather Morgan and the recuperation of 94,000 bitcoins (USD 3.6 billion of the illicit funds) by the U.S. authorities demonstrates that money launderers of historic hacks are indeed held to account, as in the case of the 30 arrested by Japanese authorities in 2021 for the processing of suspect transactions amounting to a ~third of the USD 530 million hacked from the 2018 Coincheck hack.

The 94k BTC recovered by U.S. federal law enforcement was done so through a court-order warrant. As per the DoJ’s announcement, “After the execution of court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan, special agents obtained access to files within an online account controlled by Lichtenstein. Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin.”

Lichtenstein and Morgan utilised many blockchain ecosystem entities – both licit and illicit – to launder the stolen Bitfinex funds, with the illicit transactions totaling 2,072. As well as passing funds through a number of reputable VASPs (virtual asset service providers), the hacked funds also passed through notorious entities for crypto crime such as the Hydra darknet market (DNM), sites that have been abused by criminals such as the P2P marketplace LocalBitcoins and 3rd party exchange API MorphToken (priorly facilitating DNM payment gateways).

The couple also deployed crypto-unique money laundering techniques such as CoinJoin transactions, Wasabi wallets and chain-hopped portions of BTC to anonymity-enhanced cryptocurrencies.

Snapshot of a Crypto Laundering Op

A key method that forensic blockchain investigators use is that of ‘clustering’, whereby analytics tools can identify addresses as having the same owners with transaction behaviour patterns.

Coinfirm’s C-live is used to prove the specific (stolen) crypto flow with various accounting methods to prove that the stolen coins are the same that were deposited to the destination addresses despite thousands of transactions in between/mixers etc. The tool also presents whether addresses on the path are in the same cluster and whether any IP addresses may be connected with this cluster.

An example of the power of Coinfirm’s proprietary tracing analysis technology that utilises multiple forensic accountancy techniques can be seen below with multiple Bitfinex hacked addresses fed through a complex series of transactions to one of the larger centralised VASPs in a typical initial layering scheme.

In the diagram above, red lines denote transactions between addresses that Coinfirm’s 5 tracing methodologies are certain that the funds originate from the exploit, whilst green lines denote that stolen funds are being mixed with BTC from different sources and eventually end up in the VASP deposit address.

Note the ‘green’ fund flows towards the end wallet. In just one of these transactions to the hacked funds destination at the top of the diagram, 86 input addresses were used in a process designed to obfuscate the provenance of funds for the audience of the receiving VASP’s compliance department. In addition, the money laundering couple utilised “fictitious identities to set up online accounts” as a further hurdle of obfuscation. Coinfirm’s tool confirmed dozens of VASPs receiving Bitfinex BTC after similar layering scheme as presented above.

While most forensic blockchain investigation tools use ‘clustering’ only (identification addresses as having the same owners with transaction behaviour patterns), Coinfirm’s C-Live is not only collecting clustering data but also is able to monitor thousands of wallets in real-time and triggers the tracking of the stolen crypto flow using professional forensic accounting methods – fully automatically preparing the undisputable Destination of Funds evidence despite thousands of transactions and mixers being used. In this manner, Coinfirm has monitored the stolen Bitfinex funds and identified VASP addresses receiving funds.

LEO’s Pre-tweet Rise

The price of Bitfinex’s LEO token began to rise shortly after the DoJ made the great news public.

However, Coinfirm’s Investigations Team picked up on the fact that the token’s trading volume had begun to rise before Bitfinex announced the news on Twitter.

The DoJ announcement was published at 10.49am Eastern Standard Time.

The tweet in question below was made at 54 minutes 11am EST, but the price of LEO began to increase 14 minutes before the news hit the twittersphere.

Lost crypto to a hack or fraud? Contact Coinfirm to leverage C-Live, the blockchain analytics industry’s No.1 real-time illicit asset tracing solution.