Who was hacked?
In August 2016, Bitfinex announced it had suffered a security breach in which $72 million in bitcoin (nearly 120,000 BTC) was stolen from customers' accounts. Immediately afterwards, bitcoin's trading price plunged by 20%.
Nearly five years after one of the largest bitcoin hacks, over $623 million worth of bitcoin (12,230 BTC) stolen from Bitfinex in 2016 was moved on Wednesday, April 14th, the same day the entire market celebrated a milestone in crypto history: Coinbase's direct listing on Nasdaq. The movement was first noticed by Whale Alert, a Twitter account known for tracking the movement of funds from unknown wallets.
What do we know so far?
Upon learning of the massive transfer of funds from the 2016 Bitfinex hack, we started to track the movement of the funds. According to our estimates, over 10% of the total 119,756 BTC stolen from Bitfinex in the 2016 hack was moved last Wednesday. However, this was not the first movement of the stolen funds: over 5,000 BTC of the same stolen funds were moved on Nov 30, 2020.
“Previous assumptions that the stolen funds can never be cashed out are incorrect. While the bitcoins stolen from Bitfinex in 2016 are some of the most tracked cryptocurrency funds ever, there are still ways in which the hackers will be able to cash out the funds. Exchanges and OTC desks with insufficient blockchain monitoring will be able to process them. It is likely that the hacker is already aware which exchanges these are and will be laundering money through them,” says Nirmal AK, Chief Technology Officer at Merkle Science. “Since the majority of transaction monitoring tools depend on the use of blacklists and historical data, the hacker is looking to move funds into as many addresses as they can to obfuscate the addresses. With new privacy technologies such as Bitcoin’s Taproot coming down the pipeline, it is imperative that monitoring tools move beyond blacklists in order to maintain their effectiveness — using predictive intelligence and looking at transaction behaviors to gain greater insight and financial safeguards.
“Laundering 120,000 BTC will take a really long time, and the hacker will look for inventive ways to move these stolen funds. The challenge for regulators, law enforcement agencies, and transaction monitoring tools will be to keep pace with technological developments and make sure we are adaptive enough to cover our blind spots.”
Summary of stolen fund movements so far:
- A total of 12,230 BTC of stolen funds (more than USD 770 million) was moved from 36 addresses. This equates to more than 10% of the original stolen funds (119,756 BTC).
- Of the 36 addresses, funds from two addresses belonging to the hackers were traced to well-known exchanges. The remaining funds were moved to unknown addresses and have not moved since.
- Our analysis shows that the two addresses moved nearly 8 BTC to Remitano, Binance, and Poloniex: Remitano: 0.01 BTC ($821.96), Binance: 1.6411 BTC ($50,980.13), Poloniex: 6.51 BTC ($412,312.90)
- Of the three exchanges, Binance had previously received 1.28 BTC from the hackers’ wallet, well before the widely publicized movement of April 14th.
Analysis of the traced funds to known entities
Address A: 13jE999Hssm2GFf6Yob7zGCJtf1xnPPjHd
- The address has had a total of 22 transactions (21 incoming and 1 outgoing), receiving the entire value of its funds (433,468 BTC) from Bitfinex as a result of the August 2016 hack.
- Since then, all of the funds have been moved out of the address, and its final balance is zero.
- After tracing the outgoing funds through a multi-hop analysis, we found that some of the funds had been transferred to various exchanges such as Binance and Remitano. Prior to April 14th, 2021, Binance had already received 1.28 BTC from this address.
- Funds received by exchanges:
1. Remitano: 0.01 BTC (USD 821.96)
2. Binance: 1.6411 BTC (USD 50,980.13)
Address B: 1J2Tem6ZSHnpppVhBpSq5pAZYmfjENqoD3
- The address has had a total of 6 transactions (5 incoming and 1 outgoing), receiving the entire value of its funds (259.74 BTC) from Bitfinex as a result of the August 2016 hack.
- On April 14th, 2021, 6.51 BTC (USD 412,317.90) was directly transferred to Poloniex. The remaining funds moved to three unidentified addresses, from which the funds have not moved since. The final balance of Address B is zero.
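As an added illustration (not Merkle Science's tooling or the data behind this report), the following Python sketch shows the forward multi-hop trace described above for Addresses A and B, together with the deposit-time screening check an exchange can run against the tainted set. The transaction graph, the hop and exchange deposit labels and the "clean_user" deposit are constructed; only the three exchange totals are borrowed from the report, and exchange deposit addresses are assumed to be already attributed.

```python
from collections import defaultdict, deque

# Constructed toy transaction graph: (txid, spending address, outputs).
# Addresses and intermediate amounts are made up; the three exchange
# amounts are the figures reported above for Addresses A and B.
TXS = [
    ("tx1", "addrA", [("hop1", 5.0), ("hop2", 3.0)]),
    ("tx2", "hop1", [("binance_dep", 1.6411), ("hop3", 3.3589)]),
    ("tx3", "hop2", [("remitano_dep", 0.01), ("hop4", 2.99)]),
    ("tx4", "addrB", [("poloniex_dep", 6.51), ("hop5", 10.0)]),
    ("tx5", "clean_user", [("binance_dep", 2.0)]),  # unrelated deposit
]
# Assumed prior attribution of exchange deposit addresses (constructed).
KNOWN_EXCHANGES = {"binance_dep": "Binance",
                   "remitano_dep": "Remitano",
                   "poloniex_dep": "Poloniex"}
FLAGGED = {"addrA", "addrB"}  # stand-ins for the two hacker addresses


def trace(flagged, txs, max_hops=5):
    """Forward multi-hop trace from the flagged addresses.

    Address-level taint (as a blacklist-based tool would apply it): every
    output of a transaction spent from a tainted address is tainted, up to
    max_hops. Returns (BTC landed per known exchange, {address: hop depth}).
    """
    by_sender = defaultdict(list)
    for _txid, src, outs in txs:
        by_sender[src].append(outs)
    hops = {a: 0 for a in flagged}
    queue = deque(flagged)
    exposure = defaultdict(float)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for outs in by_sender[addr]:
            for dst, btc in outs:
                if dst in KNOWN_EXCHANGES:
                    exposure[KNOWN_EXCHANGES[dst]] += btc  # cash-out point
                elif dst not in hops:
                    hops[dst] = hops[addr] + 1
                    queue.append(dst)
    return dict(exposure), hops


def screen_deposit(sender, hops):
    """Deposit-time check: is the sending address in the tainted set?
    Returns (hold_withdrawals, hop distance from the hack or None)."""
    return (sender in hops, hops.get(sender))
```

A real deployment would taint at the UTXO level and weight mixed inputs rather than tainting whole addresses, which is exactly the limitation of blacklist-only monitoring the quote above points at.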
What does this mean for crypto businesses?
Cryptocurrency exchanges and businesses that have received the stolen funds can, once they have verified the authenticity of the data, stop withdrawals and notify the relevant authorities. Most exchanges globally share information on stolen-fund addresses to manage such risks, and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services. As FATF member jurisdictions continue to roll out regulations to combat money laundering and the illicit use of funds, crypto businesses that are proactive and have transactional risk policies in place will be at a clear advantage.
Approximately 2,000 addresses associated with the Bitfinex hack have been flagged in Merkle Science's platform. All of our partners and customers receive immediate notification if any funds they receive originate from the hackers’ wallets.
No further movement has been noted on the stolen cryptocurrencies at the time of publishing this report. As the hacker has been moving the stolen funds through thousands of addresses, our team is in the process of completing a thorough analysis of the April 14th fund movements. We will provide a follow-up with a comprehensive analysis as soon as it is available.