
Hack Track: Bitfinex Hack (2016) Recent Fund Movement Analysis

[Update 2022.02.02]

According to Merkle Science’s on-chain analysis, on February 2, 2022, more than 94,643.38 stolen BTC, amounting to $3.6 billion, were moved from the wallet addresses associated with the Bitfinex hack (2016) and consolidated into a new wallet.

The new wallet address is bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt. The data shows that the 94,643.38 BTC represents 79.03% of the 119,756 BTC stolen on August 2, 2016. The funds haven’t moved out of the new wallet address yet.

The BTC was moved in 23 transactions, which were broken down into smaller fragments. One of the 23 transactions done by the hacker had 592 inputs. An input refers to the address from which the BTC is sent; if a transaction has multiple inputs, the BTC being sent is coming from multiple BTC addresses. Among these 592 inputs, the hacker reused some of the addresses in the same transaction.

Merkle Science has added wallet address bc1qazcm763858nkj2dj986etajv6wquslv8uxwczt to the list of 2000 blacklisted wallet addresses that are associated with the Bitfinex Hack (2016). Since the majority of the wallets associated with the Bitfinex hack have already been blacklisted, the hacker may have a tough time cashing them out on prominent centralized exchanges. Even though the hacker may take time to cash out the funds that have been moved to the new address, there is a high likelihood that when the hacker does decide to launder these funds, it will be done in small fragments using anonymization technologies such as mixers and tumblers and privacy wallets like Wasabi.

In a note sent to Bitcoin.com News, Bitfinex stated that it is still working with authorities to track and monitor stolen funds. “Bitfinex continues to work globally with law enforcement agencies, digital token exchanges, and wallet providers to recover the bitcoin stolen in the 2016 hack,” the note sent to Bitcoin.com’s newsdesk said.

Merkle Science Hack Track provides digestible insights on the movement of stolen funds from the latest cryptocurrency heists.


Who was hacked?

In August 2016, Bitfinex announced it had suffered a security breach in which $72 million in bitcoin (nearly 120,000 BTC) was stolen from the company's customers' accounts. Immediately thereafter, bitcoin's trading price plunged by 20%.

Nearly 5 years after one of the largest bitcoin hacks, over $623 million worth of bitcoin (12,230 BTC) stolen from Bitfinex in 2016 was moved on Wednesday, April 14th, the same day the entire market celebrated a milestone in crypto history: Coinbase’s direct listing on Nasdaq. The movement was first noticed by Whale Alert, a Twitter account known for tracking the movement of funds from unknown wallets.

What do we know so far?

Upon coming to know about the massive transfer of funds from the 2016 Bitfinex hack, we started to track the movement of funds. According to our estimates, over 10% of the total 119,756 BTC stolen from Bitfinex in 2016's hack was moved last Wednesday. However, this was not the first movement of the stolen funds: over 5,000 BTC of the same stolen funds were moved on Nov 30, 2020. 

“Previous assumptions that the stolen funds can never be cashed out are incorrect. While the bitcoins stolen from Bitfinex in 2016 are some of the most tracked cryptocurrency funds ever, there are still a few ways in which the hackers will be able to cash out the funds. Exchanges and OTC desks with insufficient blockchain monitoring will be able to process them. It is likely that the hacker is already aware which exchanges these are and will be laundering money through them,” says Nirmal AK, Chief Technology Officer at Merkle Science. “Since the majority of transaction monitoring tools depend on the use of blacklists and historical data, the hacker is looking to move funds into as many addresses as they can to obfuscate the addresses. The hackers may, over a period of time, use anonymization technologies such as mixers and tumblers and privacy wallets such as Wasabi to launder the stolen BTC. Therefore, it is imperative that monitoring tools move beyond blacklists in order to maintain their effectiveness — using predictive intelligence and looking at transaction behaviors to gain greater insight and financial safeguards.

“Laundering bitcoins will take a really long time, and the hacker will look for inventive ways to move these stolen funds. The challenge of regulators, law enforcement agencies, and transaction monitoring tools will be to keep in pace with technological developments and make sure we are adaptive enough to cover our blind spots.”

Summary of stolen fund movements so far:

  • A total of 12,230 BTC of stolen funds (more than USD 770 million) was moved from 36 addresses. This equates to more than 10% of the original stolen funds (119,756 BTC).
  • Of the 36 addresses, funds from two addresses belonging to the hackers were traced to some well-known exchanges. The remaining funds were moved to unknown addresses and from there, funds have not been moved yet.
  • Our analysis shows that the two addresses moved nearly 8 BTC to some of the most prominent exchanges. 
  • One of the exchanges (Exchange A) had previously received 1.28 BTC from the hackers’ wallet long before this publicized event of April 14th.

Analysis of the traced funds to known entities

Address A: 13jE999Hssm2GFf6Yob7zGCJtf1xnPPjHd

  1. The address has had a total of 22 transactions (21 incoming and 1 outgoing), receiving the entire value of its funds (433,468 BTC) from Bitfinex as a result of the August 2016 hack.
  2. Since then, all the funds have been moved out of the address and the final balance of the address is zero.
  3. After tracing the outgoing funds through a multi-hop analysis, we found that some of the funds had been transferred to various exchanges. Prior to April 14th, 2021, Exchange A had already received 1.28 BTC from this address.
  4. Funds received by exchanges:
     1. Exchange B: 0.01 BTC (USD 821.96)
     2. Exchange A: 1.6411 BTC (USD 50,980.13)

    

               

Image 1: Analysis of the movement of funds from Address A


Address B: 1J2Tem6ZSHnpppVhBpSq5pAZYmfjENqoD3

  1. The address has had a total of 6 transactions (5 incoming and 1 outgoing), receiving the entire value of its funds (259.74 BTC) from Bitfinex as a result of the August 2016 hack.
  2. On April 14th, 2021, 6.51 BTC (USD 412,317.90) was directly transferred to a famous crypto exchange. The remaining funds moved to three unidentified addresses, from which the funds have not moved since. The final balance of Address B is zero.

 

                         

Image 2: Analysis of the movements of funds from Address B

What does this mean for crypto businesses?

For cryptocurrency exchanges and businesses that have received stolen funds, those who have verified the authenticity of the data can stop withdrawals from happening and notify the relevant authorities. Most exchanges globally share information on stolen fund addresses to deal with such risks and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services. As the FATF member jurisdictions continue to roll out regulations to combat money laundering and the illicit use of funds, crypto businesses that are proactive and have transactional risk policies in place will be at a clear advantage.

Approximately 2000 addresses associated with the Bitfinex hack have been updated on Merkle Science. All our partners and customers also receive immediate information if any funds they receive are from the hackers’ wallets. 
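The sketch below is an added example, not Merkle Science's tooling. It shows how an exchange could combine a blacklist with the multi-hop tracing described above to screen a deposit, and how to spot the input-address reuse noted in the 592-input transaction. All addresses and transactions are constructed placeholders, and the tracing model (every input is upstream of every output, amounts ignored) is a simplifying assumption.

```python
from collections import Counter, deque

# Constructed sample data: placeholder addresses and transactions, not real wallets.
BLACKLIST = {"addr_stolen_1", "addr_stolen_2"}
TXS = [
    {"txid": "tx1", "inputs": ["addr_stolen_1", "addr_stolen_1", "addr_stolen_2"],
     "outputs": ["hop_a"]},
    {"txid": "tx2", "inputs": ["hop_a"], "outputs": ["hop_b", "hop_c"]},
    {"txid": "tx3", "inputs": ["hop_b", "clean_1"], "outputs": ["deposit_x"]},
    {"txid": "tx4", "inputs": ["clean_2"], "outputs": ["deposit_y"]},
]

def reused_inputs(tx):
    """Addresses that appear more than once among one transaction's inputs."""
    counts = Counter(tx["inputs"])
    return sorted(addr for addr, n in counts.items() if n > 1)

def trace_exposure(deposit, txs, blacklist, max_hops):
    """Walk backwards from a deposit address, up to max_hops transactions,
    and return {blacklisted_address: hops_from_deposit}.

    Simplification (assumption): every input of a funding transaction counts
    as upstream of every output; amounts are ignored.
    """
    funded_by = {}  # address -> transactions that paid it
    for tx in txs:
        for out in tx["outputs"]:
            funded_by.setdefault(out, []).append(tx)

    hits, seen = {}, {deposit}
    queue = deque([(deposit, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue  # hop budget spent on this branch
        for tx in funded_by.get(addr, []):
            for src in tx["inputs"]:
                if src in seen:
                    continue
                seen.add(src)
                if src in blacklist:
                    hits[src] = hops + 1  # breadth-first, so the shortest path
                else:
                    queue.append((src, hops + 1))
    return hits

if __name__ == "__main__":
    print(reused_inputs(TXS[0]))
    for hops in (1, 3):
        print(hops, trace_exposure("deposit_x", TXS, BLACKLIST, hops))
```

With a one-hop budget the deposit to `deposit_x` looks clean; only at three hops does the exposure to the blacklisted addresses appear, which is why screening only the immediate sender misses funds that have been moved through intermediate addresses.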

No further movement has been noted on the stolen cryptocurrencies at the time of publishing this report. As the hacker has been moving the stolen funds through thousands of addresses, our team is in the process of completing a thorough analysis of the fund movements. We will provide a follow-up with a comprehensive analysis as soon as it is available.